if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
$services->{byid}->{$2}->{name} = $1;
+ $services->{byid}->{$2}->{port} = $2;
$services->{byid}->{$2}->{$3} = 1;
$services->{byname}->{$1} = $services->{byid}->{$2};
}
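Review bot: The new `port` field at L3 is filled from `$2`, but the pattern at L1 only requires `\S+` before the `/tcp|udp` suffix, so a malformed services line stores a non-numeric port that the later `^\d+$` test treats as a service name again. Tightening the capture to `m!^(\S+)\s+(\d+)/(tcp|udp)!` keeps only numeric ports in `byid`/`byname` and makes the `byid` key meaningful. The enclosing read loop starts outside the hunk, so I cannot see whether comment lines (`#...`) are skipped before this match.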
my $nbports = 0;
foreach my $item (split(/,/, $str)) {
my $portlist = "";
+ my $oldpon = undef;
foreach my $pon (split(':', $item, 2)) {
+ $pon = $services->{byname}->{$pon}->{port} if $services->{byname}->{$pon}->{port};
if ($pon =~ m/^\d+$/){
die "invalid port '$pon'\n" if $pon < 0 && $pon > 65535;
+ die "port '$pon' must be bigger than port '$oldpon' \n" if $oldpon && ($pon < $oldpon);
+ $oldpon = $pon;
}else{
die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
}
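Review bot: The lookup at L12 autovivifies `$services->{byname}->{$pon}` for every unknown name, so the `die "invalid port ..."` check in the else branch at L18 can no longer fire — after L12 that slot is always a (possibly empty) hash ref, and an unknown service name silently passes. Fetch the entry once without dereferencing through it: `my $svc = $services->{byname}->{$pon};` / `$pon = $svc->{port} if $svc && $svc->{port};`. Note also that the range check on L14 is unsatisfiable as written (`$pon < 0 && $pon > 65535`), so the only bound the new ordering check at L15 can rely on is its own comparison; it should read `$pon < 0 || $pon > 65535`, and L15 should test `defined $oldpon` so a leading port 0 is not skipped. The enclosing sub begins before and continues after the hunk.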
return 1 if $name =~ m/^PVEFW-\S+$/;
return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
- return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/;
return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
return undef;
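Review bot: The group in the new pattern at L23, `(:?FW|IN|OUT)`, is an optional literal colon followed by an alternation, not a non-capturing group, so `vmbr0-:FW` is accepted as a valid chain name; the same typo is present on the context lines L21 and L24. The intended form is `return 1 if $name =~ m/^vmbr\d+-(?:FW|IN|OUT)$/;`. The enclosing sub starts outside the hunk.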
sub generate_bridge_chains {
my ($ruleset, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
- }
-
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
- }
-
if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
}
- if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
- ruleset_create_chain($ruleset, "$bridge-IN");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
- ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
+ if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
+ ruleset_create_chain($ruleset, "$bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ }
+
+ if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
+ ruleset_create_chain($ruleset, "$bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
}
}
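Review bot: The two DROP rules at L52–L53 are also the default-deny for bridged traffic, not only the inter-bridge routing block their comments describe: a packet dispatched to `$bridge-FW` that is not accepted in `$bridge-OUT` or `$bridge-IN` returns to PVEFW-FORWARD and hits them, and the previous unconditional `-j ACCEPT` in `$bridge-IN` (removed at L47) is gone — assuming ruleset_addrule appends in call order and no other code accepts in those chains. The function has no header comment, so I would add one above L26 describing the topology: `# PVEFW-FORWARD -> $bridge-FW (bridged traffic on $bridge only) -> $bridge-OUT (physdev-is-in) and $bridge-IN (physdev-is-out); anything not accepted there, and all routed traffic on $bridge, is dropped by the -i/-o DROP rules below.` The trailing comments on L52–L53 would then read `# drop routed traffic and anything the -FW chain did not accept` rather than the current wording.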
sub generate_tap_rules_direction {
- my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
+ my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
+
+ my $rules = $vmfw_conf->{lc($direction)};
+ my $options = $vmfw_conf->{options};
my $tapchain = "$iface-$direction";
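Review bot: `$rules` at L71 is undef when the VM firewall config has no section for this direction, and nothing in the visible lines guards that before the body (which continues past the hunk) uses it; an explicit early exit such as `return if !$rules;` placed after L71 would make the contract clear, if the remainder of the body has nothing to emit without rules. `$options` is assigned at L72 but not used within the hunk. A one-line comment on the key mapping would help the next reader: `# $direction is 'IN' or 'OUT' (see callers); the rule list lives under the lower-cased key of the VM firewall config.`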
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
my $conf = $vmdata->{qemu}->{$vmid};
-
- next if !$rules->{$vmid};
- my $options = $rules->{$vmid}->{options};
- next if defined($options->{enable}) && ($options->{enable} == 0);
+ my $vmfw_conf = $rules->{$vmid};
+ next if !$vmfw_conf;
+ next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
generate_bridge_chains($ruleset, $bridge);
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
}
}
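Review bot: The enable check at L83 repeats the same deep lookup twice now that the `$options` local was removed at L79; naming it once reads better and avoids re-walking the hash: `my $enable = $vmfw_conf->{options}->{enable};` / `next if defined($enable) && ($enable == 0);`. The numeric `== 0` test is inherited from the old code and warns on non-numeric values, so this is a style point only. `$bridge` and `$net` used at L86–L87 are defined outside the hunk.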