use Digest::SHA;
use PVE::Tools;
use PVE::QemuServer;
+use File::Basename;
use File::Path;
use IO::File;
use Net::IP;
use Data::Dumper;
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
+my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status";
+
+my $default_log_level = 'info';
+
+my $log_level_hash = {
+ debug => 7,
+ info => 6,
+ notice => 5,
+ warning => 4,
+ err => 3,
+ crit => 2,
+ alert => 1,
+ emerg => 0,
+};
# imported/converted from: /usr/share/shorewall/macro.*
my $pve_fw_macros = {
# Drop DNS replies
{ action => 'DROP', proto => 'udp', sport => 53 },
],
- 'PVEFW-logflags' => [
- # same as shorewall logflags action. (fixme: enable/disable logging)
- "-j LOG --log-prefix \"logflags-dropped:\" --log-level 4 --log-ip-options",
- "-j DROP",
- ],
'PVEFW-tcpflags' => [
# same as shorewall tcpflags action.
# Packets arriving on this interface are checked for som illegal combinations of TCP flags
"-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags",
"-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags",
],
- 'PVEFW-smurflog' => [
- # same as shorewall smurflog. (fixme: enable/disable logging)
- "-j LOG --log-prefix \"smurfs-dropped\" --log-level 4",
- "-j DROP",
- ],
'PVEFW-smurfs' => [
# same as shorewall smurfs action
# Filter packets for smurfs (packets with a broadcast address as the source).
return $rules;
}
-sub parse_fw_option {
+sub parse_vmfw_option {
my ($line) = @_;
my ($opt, $value);
return ($opt, $value);
}
+sub parse_hostfw_option {
+ my ($line) = @_;
+
+ my ($opt, $value);
+
+ my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
+
+ if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
+ } elsif ($line =~ m/^(tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
+ $opt = lc($1);
+ $value = $2 ? lc($3) : '';
+ } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ $opt = lc($1);
+ $value = uc($3);
+ } else {
+ chomp $line;
+ die "can't parse option '$line'\n"
+ }
+
+ return ($opt, $value);
+}
+
sub parse_vm_fw_rules {
my ($filename, $fh) = @_;
if ($section eq 'options') {
eval {
- my ($opt, $value) = parse_fw_option($line);
+ my ($opt, $value) = parse_vmfw_option($line);
$res->{options}->{$opt} = $value;
};
warn "$prefix: $@" if $@;
sub parse_host_fw_rules {
my ($filename, $fh) = @_;
- my $res = { in => [], out => [] };
+ my $res = { in => [], out => [], options => {}};
my $section;
my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
- if ($line =~ m/^\[(in|out)\]\s*$/i) {
+ if ($line =~ m/^\[(\S+)\]\s*$/i) {
$section = lc($1);
+ warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section};
next;
}
if (!$section) {
next;
}
+ next if !$res->{$section}; # skip undefined section
+
+ if ($section eq 'options') {
+ eval {
+ print "PARSE:$line\n";
+ my ($opt, $value) = parse_hostfw_option($line);
+ $res->{options}->{$opt} = $value;
+ };
+ warn "$prefix: $@" if $@;
+ next;
+ }
+
my $rules;
eval { $rules = parse_fw_rule($line, 1, 1); };
if (my $err = $@) {
return $rules;
}
+sub get_option_log_level {
+ my ($options, $k) = @_;
+
+ my $v = $options->{$k};
+ return $v = $default_log_level if !defined($v);
+
+ return undef if $v eq '' || $v eq 'nolog';
+
+ $v = $log_level_hash->{$v} if defined($log_level_hash->{$v});
+
+ return $v if ($v >= 0) && ($v <= 7);
+
+ warn "unknown log level ($k = '$v')\n";
+
+ return undef;
+}
+
sub generate_std_chains {
- my ($ruleset) = @_;
+ my ($ruleset, $options) = @_;
+
+ my $loglevel = get_option_log_level($options, 'smurf_log_level');
+
+ # same as shorewall smurflog.
+ if (defined($loglevel)) {
+ $pve_std_chains-> {'PVEFW-smurflog'} = [
+ "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+ "-j DROP",
+ ];
+ } else {
+ $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ];
+ }
+
+ # same as shorewall logflags action.
+ $loglevel = get_option_log_level($options, 'tcp_flags_log_level');
+ if (defined($loglevel)) {
+ $pve_std_chains-> {'PVEFW-logflags'} = [
+ "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+ "-j DROP",
+ ];
+ } else {
+ $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ];
+ }
foreach my $chain (keys %$pve_std_chains) {
ruleset_create_chain($ruleset, $chain);
}
}
+sub save_pvefw_status {
+ my ($status) = @_;
+
+ die "unknown status '$status' - internal error"
+ if $status !~ m/^(stopped|active)$/;
+
+ mkdir dirname($pve_fw_status_filename);
+ PVE::Tools::file_set_contents($pve_fw_status_filename, $status);
+}
+
+sub read_pvefw_status {
+
+ my $status = 'unknown';
+
+ return 'stopped' if ! -f $pve_fw_status_filename;
+
+ eval {
+ $status = PVE::Tools::file_get_contents($pve_fw_status_filename);
+ };
+ warn $@ if $@;
+
+ return $status;
+}
+
sub compile {
my $vmdata = read_local_vm_config();
my $rules = read_vm_firewall_rules($vmdata);
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- generate_std_chains($ruleset);
+ my $host_options = {};
+ my $host_rules;
- my $enable_hostfw = 0;
$filename = "/etc/pve/local/host.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- my $host_rules = parse_host_fw_rules($filename, $fh);
+ $host_rules = parse_host_fw_rules($filename, $fh);
+ $host_options = $host_rules->{options};
+ }
- $enable_hostfw = 1;
+ generate_std_chains($ruleset, $host_options);
- enablehostfw($ruleset, $host_rules, $group_rules);
- }
+ my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0));
+
+ enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable;
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
}
}
- if ($enable_hostfw) {
+ if ($hotsfw_enable) {
# allow traffic from lo (ourself)
ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
}
return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
}
-sub apply_ruleset {
+sub get_rulset_cmdlist {
my ($ruleset, $verbose) = @_;
- enable_bridge_firewall();
-
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
my $statushash = get_ruleset_status($ruleset, $verbose);
$cmdlist .= "COMMIT\n";
+ return $cmdlist;
+}
+
+sub apply_ruleset {
+ my ($ruleset, $verbose) = @_;
+
+ enable_bridge_firewall();
+
+ my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+
print $cmdlist if $verbose;
iptables_restore_cmdlist($cmdlist);
# test: re-read status and check if everything is up to date
- $statushash = get_ruleset_status($ruleset);
+ my $statushash = get_ruleset_status($ruleset);
my $errors;
foreach my $chain (sort keys %$ruleset) {
die "unable to apply firewall changes\n" if $errors;
}
+sub update {
+ my ($start, $verbose) = @_;
+
+ my $code = sub {
+ my $status = read_pvefw_status();
+
+ my $ruleset = PVE::Firewall::compile();
+
+ if ($start || $status eq 'active') {
+
+ save_pvefw_status('active') if ($status ne 'active');
+
+ PVE::Firewall::apply_ruleset($ruleset, $verbose);
+ } else {
+ print "Firewall not active (status = $status)\n" if $verbose;
+ }
+ };
+
+ run_locked($code);
+}
+
+
1;
projects / pve-firewall.git / blobdiff