use warnings;
use strict;
use Data::Dumper;
-use Digest::MD5;
+use Digest::SHA;
use PVE::Tools;
use PVE::QemuServer;
use File::Path;
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
-my $macros;
+# todo: define more MACROS
+# inspired by: /usr/share/shorewall/macro.*
+my $pve_fw_macros = {
+ BitTorrent => [
+ { action => 'PARAM', proto => 'tcp', dport => '6881:6889' },
+ { action => 'PARAM', proto => 'udp', dport => '6881' }
+ ],
+ HTTP => [
+ { action => 'PARAM', proto => 'tcp', dport => '80' },
+ ],
+ HTTPS => [
+ { action => 'PARAM', proto => 'tcp', dport => '443' },
+ ],
+};
+
+my $pve_fw_parsed_macros;
+my $pve_fw_preferred_macro_names = {};
-# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
sub get_firewall_macros {
- return $macros if $macros;
+ return $pve_fw_parsed_macros if $pve_fw_parsed_macros;
+
+ $pve_fw_parsed_macros = {};
- #foreach my $path (</usr/share/shorewall/macro.*>) {
- # if ($path =~ m|/macro\.(\S+)$|) {
- # $macros->{$1} = 1;
- # }
- #}
+ foreach my $k (keys %$pve_fw_macros) {
+ my $name = lc($k);
- $macros = {}; # fixme: implemet me
+ my $macro = $pve_fw_macros->{$k};
+ $pve_fw_preferred_macro_names->{$name} = $k;
+ $pve_fw_parsed_macros->{$name} = $macro;
+ }
- return $macros;
+ return $pve_fw_parsed_macros;
}
my $etc_services;
my $chain = $1;
return if !&$is_pvefw_chain($chain);
$res->{$chain} = "unknown";
- } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
+ } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) {
my ($chain, $sig) = ($1, $2);
return if !&$is_pvefw_chain($chain);
$res->{$chain} = $sig;
}
sub ruleset_generate_rule {
- my ($ruleset, $chain, $rule) = @_;
+ my ($ruleset, $chain, $rule, $goto) = @_;
my $cmd = '';
$cmd .= " --dport $rule->{dport}" if $rule->{dport};
$cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
$cmd .= " --sport $rule->{sport}" if $rule->{sport};
- $cmd .= " -j $rule->{action}" if $rule->{action};
+
+ if (my $action = $rule->{action}) {
+ $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
+ $cmd .= $goto ? " -g $action" : " -j $action";
+ };
ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
}
sub ruleset_create_chain {
my ($ruleset, $chain) = @_;
+ die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
+
die "chain '$chain' already exists\n" if $ruleset->{$chain};
$ruleset->{$chain} = [];
}
sub generate_tap_rules_direction {
- my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
+ my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
my $tapchain = "$iface-$direction";
if ($rules) {
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
+ # we go to $bridge-IN if accept in out rules
if($rule->{action} =~ m/^(GROUP-(\S+))$/){
$rule->{action} .= "-$direction";
# generate empty group rule if don't exist
if(!ruleset_chain_exist($ruleset, $rule->{action})){
- generate_group_rules($ruleset, $2);
+ generate_group_rules($ruleset, $group_rules, $2);
}
+ ruleset_generate_rule($ruleset, $tapchain, $rule);
+ ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
+ if $direction eq 'OUT';
+ } else {
+ $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
+ ruleset_generate_rule($ruleset, $tapchain, $rule);
}
- # we go to vmbr-IN if accept in out rules
- $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
- ruleset_generate_rule($ruleset, $tapchain, $rule);
- }
+ }
}
ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
}
sub enablehostfw {
- my ($ruleset) = @_;
+ my ($ruleset, $rules, $group_rules) = @_;
- my $filename = "/etc/pve/local/host.fw";
- my $fh = IO::File->new($filename, O_RDONLY);
- return if !$fh;
-
- my $rules = parse_fw_rules($filename, $fh);
+ # fixme: allow security groups
# host inbound firewall
my $chain = "PVEFW-HOST-IN";
}
sub generate_group_rules {
- my ($ruleset, $group) = @_;
+ my ($ruleset, $group_rules, $group) = @_;
- my $filename = "/etc/pve/firewall/groups.fw";
- my $fh = IO::File->new($filename, O_RDONLY);
- return if !$fh;
-
- my $rules = parse_fw_rules($filename, $fh, $group);
+ my $rules = $group_rules->{$group};
+ die "no such security group '$group'\n" if !$rules;
+
my $chain = "GROUP-${group}-IN";
ruleset_create_chain($ruleset, $chain);
$chain = "GROUP-${group}-OUT";
ruleset_create_chain($ruleset, $chain);
+ ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
if ($rules->{out}) {
foreach my $rule (@{$rules->{out}}) {
- # we go the PVEFW-BRIDGE-IN because we need to check also other tap rules
- # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
- $rule->{action} = 'PVEFW-BRIDGE-IN' if $rule->{action} eq 'ACCEPT';
- ruleset_generate_rule($rule, $chain, $rule);
+ # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to
+ # check also other tap rules (and group rules can be set on any bridge,
+ # so we can't go to VMBRXX-IN)
+ $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT';
+ ruleset_generate_rule($ruleset, $chain, $rule);
}
}
}
-sub parse_fw_rules {
- my ($filename, $fh, $group) = @_;
+my $MAX_NETS = 32;
+my $valid_netdev_names = {};
+for (my $i = 0; $i < $MAX_NETS; $i++) {
+ $valid_netdev_names->{"net$i"} = 1;
+}
- my $section;
- my $securitygroup;
- my $securitygroupexist;
-
- my $res = { in => [], out => [] };
+sub parse_fw_rule {
+ my ($line, $need_iface, $allow_groups) = @_;
my $macros = get_firewall_macros();
my $protocols = get_etc_protocols();
-
+
+ my ($action, $iface, $source, $dest, $proto, $dport, $sport);
+
+ $line =~ s/#.*$//;
+
+ my @data = split(/\s+/, $line);
+ my $expected_elements = $need_iface ? 7 : 6;
+
+ die "wrong number of rule elements\n" if scalar(@data) > $expected_elements;
+
+ if ($need_iface) {
+ ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data
+ } else {
+ ($action, $source, $dest, $proto, $dport, $sport) = @data;
+ }
+
+ die "incomplete rule\n" if !$action;
+
+ my $macro;
+ my $macro_name;
+
+ if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
+ # OK
+ } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) {
+ # OK
+ } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+ ($macro_name, $action) = ($1, $2);
+ my $lc_macro_name = lc($macro_name);
+ my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name};
+ $macro_name = $preferred_name if $preferred_name;
+ $macro = $macros->{$lc_macro_name};
+ die "unknown macro '$macro_name'\n" if !$macro;
+ } else {
+ die "unknown action '$action'\n";
+ }
+
+ if ($need_iface) {
+ $iface = undef if $iface && $iface eq '-';
+ die "unknown interface '$iface'\n"
+ if defined($iface) && !$valid_netdev_names->{$iface};
+ }
+
+ $proto = undef if $proto && $proto eq '-';
+ die "unknown protokol '$proto'\n" if $proto &&
+ !(defined($protocols->{byname}->{$proto}) ||
+ defined($protocols->{byid}->{$proto}));
+
+ $source = undef if $source && $source eq '-';
+ $dest = undef if $dest && $dest eq '-';
+
+ $dport = undef if $dport && $dport eq '-';
+ $sport = undef if $sport && $sport eq '-';
+
+ my $nbsource = undef;
+ my $nbdest = undef;
+
+ $nbsource = parse_address_list($source) if $source;
+ $nbdest = parse_address_list($dest) if $dest;
+
+ my $rules = [];
+
+ my $param = {
+ action => $action,
+ iface => $iface,
+ source => $source,
+ dest => $dest,
+ nbsource => $nbsource,
+ nbdest => $nbdest,
+ proto => $proto,
+ dport => $dport,
+ sport => $sport,
+ };
+
+ if ($macro) {
+ foreach my $templ (@$macro) {
+ my $rule = {};
+ foreach my $k (keys %$templ) {
+ my $v = $templ->{$k};
+ $v = $param->{$k} if $v eq 'PARAM';
+ die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v);
+ $rule->{$k} = $v;
+ }
+ push @$rules, $rule;
+ }
+ } else {
+ push @$rules, $param;
+ }
+
+ foreach my $rule (@$rules) {
+ $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport})
+ if defined($rule->{dport});
+ $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport})
+ if defined($rule->{sport});
+ }
+
+ return $rules;
+}
+
+sub parse_vm_fw_rules {
+ my ($filename, $fh) = @_;
+
+ my $res = { in => [], out => [] };
+
+ my $section;
+
while (defined(my $line = <$fh>)) {
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
- if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) {
+ my $linenr = $fh->input_line_number();
+ my $prefix = "$filename (line $linenr)";
+
+ if ($line =~ m/^\[(in|out)\]\s*$/i) {
$section = lc($1);
- $securitygroup = lc($3) if $3;
- $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group;
next;
}
- next if !$section;
- next if $group && $securitygroup ne $group;
-
- my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
- split(/\s+/, $line);
-
- if (!$action) {
- warn "skip incomplete line\n";
+ if (!$section) {
+ warn "$prefix: skip line - no section";
next;
}
- my $service;
- if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) {
- # OK
- } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
- ($service, $action) = ($1, $2);
- if (!$macros->{$service}) {
- warn "unknown service '$service'\n";
- next;
- }
- } else {
- warn "unknown action '$action'\n";
+ my $rules;
+ eval { $rules = parse_fw_rule($line, 1, 1); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
next;
}
- $iface = undef if $iface && $iface eq '-';
- if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
- warn "unknown interface '$iface'\n";
+ push @{$res->{$section}}, @$rules;
+ }
+
+ return $res;
+}
+
+sub parse_host_fw_rules {
+ my ($filename, $fh) = @_;
+
+ my $res = { in => [], out => [] };
+
+ my $section;
+
+ while (defined(my $line = <$fh>)) {
+ next if $line =~ m/^#/;
+ next if $line =~ m/^\s*$/;
+
+ my $linenr = $fh->input_line_number();
+ my $prefix = "$filename (line $linenr)";
+
+ if ($line =~ m/^\[(in|out)\]\s*$/i) {
+ $section = lc($1);
next;
}
-
- $proto = undef if $proto && $proto eq '-';
- if ($proto && !(defined($protocols->{byname}->{$proto}) ||
- defined($protocols->{byid}->{$proto}))) {
- warn "unknown protokol '$proto'\n";
+ if (!$section) {
+ warn "$prefix: skip line - no section";
next;
}
- $source = undef if $source && $source eq '-';
- $dest = undef if $dest && $dest eq '-';
-
- $dport = undef if $dport && $dport eq '-';
- $sport = undef if $sport && $sport eq '-';
- my $nbdport = undef;
- my $nbsport = undef;
- my $nbsource = undef;
- my $nbdest = undef;
-
- eval {
- $nbsource = parse_address_list($source) if $source;
- $nbdest = parse_address_list($dest) if $dest;
- $nbdport = parse_port_name_number_or_range($dport) if $dport;
- $nbsport = parse_port_name_number_or_range($sport) if $sport;
- };
+ my $rules;
+ eval { $rules = parse_fw_rule($line, 1, 1); };
if (my $err = $@) {
- warn $err;
+ warn "$prefix: $err";
next;
-
}
+ push @{$res->{$section}}, @$rules;
+ }
- my $rule = {
- action => $action,
- service => $service,
- iface => $iface,
- source => $source,
- dest => $dest,
- nbsource => $nbsource,
- nbdest => $nbdest,
- proto => $proto,
- dport => $dport,
- sport => $sport,
- nbdport => $nbdport,
- nbsport => $nbsport,
+ return $res;
+}
- };
+sub parse_group_fw_rules {
+ my ($filename, $fh) = @_;
- push @{$res->{$section}}, $rule;
+ my $section;
+ my $group;
+
+ my $res = { in => [], out => [] };
+
+ while (defined(my $line = <$fh>)) {
+ next if $line =~ m/^#/;
+ next if $line =~ m/^\s*$/;
+
+ my $linenr = $fh->input_line_number();
+ my $prefix = "$filename (line $linenr)";
+
+ if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) {
+ $section = lc($1);
+ $group = lc($2);
+ next;
+ }
+ if (!$section || !$group) {
+ warn "$prefix: skip line - no section";
+ next;
+ }
+
+ my $rules;
+ eval { $rules = parse_fw_rule($line, 0, 0); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+
+ push @{$res->{$group}->{$section}}, @$rules;
}
- die "security group $group don't exist" if $group && !$securitygroupexist;
return $res;
}
my $fh = IO::File->new($filename, O_RDONLY);
next if !$fh;
- $rules->{$vmid} = parse_fw_rules($filename, $fh);
+ $rules->{$vmid} = parse_vm_fw_rules($filename, $fh);
}
return $rules;
sub compile {
my $vmdata = read_local_vm_config();
my $rules = read_vm_firewall_rules($vmdata);
+
+ my $group_rules = {};
+ my $filename = "/etc/pve/firewall/groups.fw";
+ if (my $fh = IO::File->new($filename, O_RDONLY)) {
+ $group_rules = parse_group_fw_rules($filename, $fh);
+ }
#print Dumper($rules);
ruleset_create_chain($ruleset, "PVEFW-INPUT");
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
- enablehostfw($ruleset);
+ ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
+ ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
+
+ $filename = "/etc/pve/local/host.fw";
+ if (my $fh = IO::File->new($filename, O_RDONLY)) {
+ my $host_rules = parse_host_fw_rules($filename, $fh);
+ enablehostfw($ruleset, $host_rules, $group_rules);
+ }
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
generate_bridge_chains($ruleset, $bridge);
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
}
}
return $ruleset;
my $statushash = {};
foreach my $chain (sort keys %$ruleset) {
- my $digest = Digest::MD5->new();
+ my $digest = Digest::SHA->new('sha1');
foreach my $cmd (@{$ruleset->{$chain}}) {
$digest->add("$cmd\n");
}
sub print_sig_rule {
my ($chain, $sig) = @_;
- # Note: This rule should never match! We just use this hack to store a SHA1 checksum
- # used to detect changes
- return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
+ # We just use this to store a SHA1 checksum used to detect changes
+ return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
}
sub apply_ruleset {
}
$cmdlist .= print_sig_rule($chain, $stat->{sig});
} elsif ($stat->{action} eq 'delete') {
- $cmdlist .= "-F $chain\n";
- $cmdlist .= "-X $chain\n";
+ die "internal error"; # this should not happen
} elsif ($stat->{action} eq 'exists') {
# do nothing
} else {
}
}
+ foreach my $chain (keys %$statushash) {
+ next if $statushash->{$chain}->{action} ne 'delete';
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$statushash) {
+ next if $statushash->{$chain}->{action} ne 'delete';
+ $cmdlist .= "-X $chain\n";
+ }
+
$cmdlist .= "COMMIT\n";
print $cmdlist if $verbose;