+ my $rules;
+ eval { $rules = parse_fw_rule($line, 1, 1); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+
+ push @{$res->{$section}}, @$rules;
+ }
+
+ return $res;
+}
+
+sub parse_host_fw_rules {
+ my ($filename, $fh) = @_;
+
+ my $res = { in => [], out => [] };
+
+ my $section;
+
+ while (defined(my $line = <$fh>)) {
+ next if $line =~ m/^#/;
+ next if $line =~ m/^\s*$/;
+
+ my $linenr = $fh->input_line_number();
+ my $prefix = "$filename (line $linenr)";
+
+ if ($line =~ m/^\[(in|out)\]\s*$/i) {
+ $section = lc($1);
+ next;
+ }
+ if (!$section) {
+ warn "$prefix: skip line - no section";
+ next;
+ }
+
+ my $rules;
+ eval { $rules = parse_fw_rule($line, 1, 1); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+
+ push @{$res->{$section}}, @$rules;
+ }
+
+ return $res;
+}
+
+sub parse_group_fw_rules {
+ my ($filename, $fh) = @_;
+
+ my $section;
+ my $group;
+
+ my $res = { in => [], out => [] };
+
+ while (defined(my $line = <$fh>)) {
+ next if $line =~ m/^#/;
+ next if $line =~ m/^\s*$/;
+
+ my $linenr = $fh->input_line_number();
+ my $prefix = "$filename (line $linenr)";
+
+ if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) {
+ $section = lc($1);
+ $group = lc($2);
+ next;
+ }
+ if (!$section || !$group) {
+ warn "$prefix: skip line - no section";
+ next;
+ }
+
+ my $rules;
+ eval { $rules = parse_fw_rule($line, 0, 0); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+
+ push @{$res->{$group}->{$section}}, @$rules;
+ }
+
+ return $res;
+}
+
+sub run_locked {
+ my ($code, @param) = @_;
+
+ my $timeout = 10;
+
+ my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
+
+ die $@ if $@;
+
+ return $res;
+}
+
+sub read_local_vm_config {
+
+ my $openvz = {};
+
+ my $qemu = {};
+
+ my $list = PVE::QemuServer::config_list();
+
+ foreach my $vmid (keys %$list) {
+ my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
+ if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
+ $qemu->{$vmid} = $conf;
+ }
+ }
+
+ my $vmdata = { openvz => $openvz, qemu => $qemu };
+
+ return $vmdata;
+};
+
+sub read_vm_firewall_rules {
+ my ($vmdata) = @_;
+ my $rules = {};
+ foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
+ my $filename = "/etc/pve/firewall/$vmid.fw";
+ my $fh = IO::File->new($filename, O_RDONLY);
+ next if !$fh;
+
+ $rules->{$vmid} = parse_vm_fw_rules($filename, $fh);
+ }
+
+ return $rules;
+}
+
+sub compile {
+ my $vmdata = read_local_vm_config();
+ my $rules = read_vm_firewall_rules($vmdata);
+
+ my $group_rules = {};
+ my $filename = "/etc/pve/firewall/groups.fw";
+ if (my $fh = IO::File->new($filename, O_RDONLY)) {
+ $group_rules = parse_group_fw_rules($filename, $fh);
+ }
+
+ #print Dumper($rules);
+
+ my $ruleset = {};
+
+ # setup host firewall rules
+ ruleset_create_chain($ruleset, "PVEFW-INPUT");
+ ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+
+ ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
+ ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
+
+ $filename = "/etc/pve/local/host.fw";
+ if (my $fh = IO::File->new($filename, O_RDONLY)) {
+ my $host_rules = parse_host_fw_rules($filename, $fh);
+ enablehostfw($ruleset, $host_rules, $group_rules);
+ }
+
+ # generate firewall rules for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ next if !$rules->{$vmid};
+
+ foreach my $netid (keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net;
+ my $iface = "tap${vmid}i$1";
+
+ my $bridge = $net->{bridge};
+ next if !$bridge; # fixme: ?
+
+ $bridge .= "v$net->{tag}" if $net->{tag};
+
+ generate_bridge_chains($ruleset, $bridge);
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ }
+ }
+ return $ruleset;
+}
+
+sub get_ruleset_status {
+ my ($ruleset, $verbose) = @_;
+
+ my $active_chains = iptables_get_chains();
+
+ my $statushash = {};
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $digest->add("$cmd\n");
+ }
+ my $sig = $digest->b64digest;
+ $statushash->{$chain}->{sig} = $sig;
+
+ my $oldsig = $active_chains->{$chain};
+ if (!defined($oldsig)) {
+ $statushash->{$chain}->{action} = 'create';
+ } else {
+ if ($oldsig eq $sig) {
+ $statushash->{$chain}->{action} = 'exists';
+ } else {
+ $statushash->{$chain}->{action} = 'update';