]>
git.proxmox.com Git - pve-firewall.git/blob - src/pve-firewall
8 use Time
:: HiRes qw
( gettimeofday
);
9 use PVE
:: Tools
qw(dir_glob_foreach file_read_firstline) ;
12 use PVE
:: Cluster
qw(cfs_read_file) ;
13 use PVE
:: RPCEnvironment
;
16 use PVE
:: FirewallSimulator
;
19 use base
qw(PVE::Daemon) ;
21 my $cmdline = [ $0, @ARGV ];
23 my %daemon_options = ( restart_on_error
=> 5 , stop_wait_time
=> 5 );
25 my $daemon = __PACKAGE__-
> new ( 'pve-firewall' , $cmdline, %daemon_options );
27 my $rpcenv = PVE
:: RPCEnvironment-
> init ( 'cli' );
29 $rpcenv -> init_request ();
30 $rpcenv -> set_language ( $ENV { LANG
});
31 $rpcenv -> set_user ( 'root @pam ' );
33 my $nodename = PVE
:: INotify
:: nodename
();
37 PVE
:: Cluster
:: cfs_update
();
39 PVE
:: Firewall
:: init
();
42 my $restart_request = 0 ;
48 my $initial_memory_usage ;
53 syslog
( 'info' , "server closing" );
56 1 while ( waitpid (- 1 , POSIX
:: WNOHANG
()) > 0 );
58 syslog
( 'info' , "clear firewall rules" );
60 eval { PVE
:: Firewall
:: remove_pvefw_chains
(); };
63 $self -> exit_daemon ( 0 );
69 syslog
( 'info' , "received signal HUP" );
77 local $SIG { '__WARN__' } = 'IGNORE' ; # do not fill up logs
81 $next_update = time () + $updatetime ;
83 my ( $ccsec, $cusec ) = gettimeofday
();
85 PVE
:: Cluster
:: cfs_update
();
86 PVE
:: Firewall
:: update
();
91 syslog
( 'err' , "status update error: $err " );
94 my ( $ccsec_end, $cusec_end ) = gettimeofday
();
95 my $cptime = ( $ccsec_end - $ccsec ) + ( $cusec_end - $cusec )/ 1000000 ;
97 syslog
( 'info' , sprintf ( "firewall update time (%.3f seconds)" , $cptime ))
102 my $mem = PVE
:: ProcFSTools
:: read_memory_usage
();
104 if (! defined ( $initial_memory_usage ) || ( $cycle < 10 )) {
105 $initial_memory_usage = $mem ->{ resident
};
107 my $diff = $mem ->{ resident
} - $initial_memory_usage ;
108 if ( $diff > 5 * 1024 * 1024 ) {
109 syslog
( 'info' , "restarting server after $cycle cycles to " .
110 "reduce memory usage (free $mem ->{resident} ( $diff ) bytes)" );
111 $self -> restart_daemon ();
116 while (( time () < $next_update ) &&
117 ( $wcount < $updatetime ) && # protect against time wrap
118 ! $restart_request ) { $wcount++ ; sleep ( 1 ); };
120 $self -> restart_daemon () if $restart_request ;
124 $daemon -> register_start_command ( __PACKAGE__
,
125 "Start the Proxmox VE firewall service." );
126 $daemon -> register_restart_command ( __PACKAGE__
,
127 "Restart the Proxmox VE firewall service." );
128 $daemon -> register_stop_command ( __PACKAGE__
,
129 "Stop firewall. This removes all Proxmox VE " .
130 "related iptable rules. " .
131 "The host is unprotected afterwards." );
133 __PACKAGE__-
> register_method ({
137 description
=> "Get firewall status." ,
139 additionalProperties
=> 0 ,
144 additionalProperties
=> 0 ,
148 enum
=> [ 'unknown' , 'stopped' , 'running' ],
151 description
=> "Firewall is enabled (in 'cluster.fw')" ,
155 description
=> "Set when there are pending changes." ,
164 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
168 my $status = $daemon -> running () ?
'running' : 'stopped' ;
170 my $res = { status
=> $status };
172 my $verbose = 1 ; # show syntax errors
173 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
( undef , $verbose );
174 $res ->{ enable
} = $cluster_conf ->{ options
}->{ enable
} ?
1 : 0 ;
176 if ( $status eq 'running' ) {
178 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( $cluster_conf, undef , undef , $verbose );
180 $verbose = 0 ; # do not show iptables details
181 my ( undef , undef , $ipset_changes ) = PVE
:: Firewall
:: get_ipset_cmdlist
( $ipset_ruleset, $verbose );
182 my ( $test, $ruleset_changes ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $ruleset, $verbose );
183 my ( undef , $ruleset_changesv6 ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $rulesetv6, $verbose, "ip6tables" );
185 $res ->{ changes
} = ( $ipset_changes || $ruleset_changes || $ruleset_changesv6 ) ?
1 : 0 ;
191 return PVE
:: Firewall
:: run_locked
( $code );
194 __PACKAGE__-
> register_method ({
198 description
=> "Compile and print firewall rules. This is useful for testing." ,
200 additionalProperties
=> 0 ,
203 returns
=> { type
=> 'null' },
208 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
214 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
( undef , $verbose );
215 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( $cluster_conf, undef , undef , $verbose );
217 print "ipset cmdlist: \n " ;
218 my ( undef , undef , $ipset_changes ) = PVE
:: Firewall
:: get_ipset_cmdlist
( $ipset_ruleset, $verbose );
220 print " \n iptables cmdlist: \n " ;
221 my ( undef , $ruleset_changes ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $ruleset, $verbose );
223 print " \n ip6tables cmdlist: \n " ;
224 my ( undef , $ruleset_changesv6 ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $rulesetv6, $verbose, "ip6tables" );
226 if ( $ipset_changes || $ruleset_changes || $ruleset_changesv6 ) {
227 print "detected changes \n " ;
229 print "no changes \n " ;
231 if (! $cluster_conf ->{ options
}->{ enable
}) {
232 print "firewall disabled \n " ;
237 PVE
:: Firewall
:: run_locked
( $code );
242 __PACKAGE__-
> register_method ({
246 description
=> "Print information about local network." ,
248 additionalProperties
=> 0 ,
251 returns
=> { type
=> 'null' },
255 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
257 my $nodename = PVE
:: INotify
:: nodename
();
258 print "local hostname: $nodename\n " ;
260 my $ip = PVE
:: Cluster
:: remote_node_ip
( $nodename );
261 print "local IP address: $ip\n " ;
263 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
();
265 my $localnet = PVE
:: Firewall
:: local_network
() || '127.0.0.0/8' ;
266 print "network auto detect: $localnet\n " ;
267 if ( $cluster_conf ->{ aliases
}->{ local_network
}) {
268 print "using user defined local_network: $cluster_conf ->{aliases}->{local_network}->{cidr} \n " ;
270 print "using detected local_network: $localnet\n " ;
276 __PACKAGE__-
> register_method ({
280 description
=> "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible." ,
282 additionalProperties
=> 0 ,
285 description
=> "Verbose output." ,
291 description
=> "Source zone." ,
293 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)' ,
295 default => 'outside' ,
298 description
=> "Destination zone." ,
300 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)' ,
305 description
=> "Protocol." ,
307 pattern
=> '(tcp|udp)' ,
312 description
=> "Destination port." ,
319 description
=> "Source port." ,
326 description
=> "Source IP address." ,
327 type
=> 'string' , format
=> 'ipv4' ,
331 description
=> "Destination IP address." ,
332 type
=> 'string' , format
=> 'ipv4' ,
337 returns
=> { type
=> 'null' },
341 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
343 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( undef , undef , undef , $param ->{ verbose
});
345 PVE
:: FirewallSimulator
:: debug
( $param ->{ verbose
} || 0 );
347 my $host_ip = PVE
:: Cluster
:: remote_node_ip
( $nodename );
349 PVE
:: FirewallSimulator
:: reset_trace
();
350 print Dumper
( $ruleset ) if $param ->{ verbose
};
353 from
=> $param ->{ from
},
355 proto
=> $param ->{ protocol
} || 'tcp' ,
356 source
=> $param ->{ source
},
357 dest
=> $param ->{ dest
},
358 dport
=> $param ->{ dport
},
359 sport
=> $param ->{ sport
},
362 if (! defined ( $test ->{ to
})) {
363 $test ->{ to
} = 'host' ;
364 PVE
:: FirewallSimulator
:: add_trace
( "Set Zone: to => ' $test ->{to}' \n " );
366 if (! defined ( $test ->{ from
})) {
367 $test ->{ from
} = 'outside' ,
368 PVE
:: FirewallSimulator
:: add_trace
( "Set Zone: from => ' $test ->{from}' \n " );
371 my $vmdata = PVE
:: Firewall
:: read_local_vm_config
();
373 print "Test packet: \n " ;
375 foreach my $k ( qw(from to proto source dest dport sport) ) {
376 printf ( " %-8s: %s\n " , $k, $test ->{ $k }) if defined ( $test ->{ $k });
379 $test ->{ action
} = 'QUERY' ;
381 my $res = PVE
:: FirewallSimulator
:: simulate_firewall
( $ruleset, $ipset_ruleset,
382 $host_ip, $vmdata, $test );
384 print "ACTION: $res\n " ;
390 start
=> [ __PACKAGE__
, 'start' , []],
391 restart
=> [ __PACKAGE__
, 'restart' , []],
392 stop
=> [ __PACKAGE__
, 'stop' , []],
393 compile
=> [ __PACKAGE__
, 'compile' , []],
394 simulate
=> [ __PACKAGE__
, 'simulate' , []],
395 localnet
=> [ __PACKAGE__
, 'localnet' , []],
396 status
=> [ __PACKAGE__
, 'status' , [], undef , sub {
398 my $status = ( $res ->{ enable
} ?
"enabled" : "disabled" ) . '/' . $res ->{ status
};
400 if ( $res ->{ changes
}) {
401 print "Status: $status (pending changes) \n " ;
403 print "Status: $status\n " ;
410 PVE
:: CLIHandler
:: handle_cmd
( $cmddef, $0, $cmd, \
@ARGV, undef , $0 );
418 pve-firewall - PVE Firewall Daemon
426 This service updates iptables rules periodically.
428 =include pve_copyright