use Digest::SHA;
use PVE::Tools;
use PVE::QemuServer;
+use File::Basename;
use File::Path;
use IO::File;
use Net::IP;
use Data::Dumper;
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
+my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status";
+
+my $default_log_level = 'info';
+
+my $log_level_hash = {
+ debug => 7,
+ info => 6,
+ notice => 5,
+ warning => 4,
+ err => 3,
+ crit => 2,
+ alert => 1,
+ emerg => 0,
+};
-# todo: define more MACROS
# imported/converted from: /usr/share/shorewall/macro.*
my $pve_fw_macros = {
'Amanda' => [
{ action => 'PARAM', proto => 'tcp', dport => '1723' },
],
'Ping' => [
- { action => 'PARAM', proto => 'icmp', dport => '8' },
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
],
'PostgreSQL' => [
{ action => 'PARAM', proto => 'tcp', dport => '5432' },
],
'Trcrt' => [
{ action => 'PARAM', proto => 'udp', dport => '33434:33524' },
- { action => 'PARAM', proto => 'icmp', dport => '8' },
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
],
'VNC' => [
{ action => 'PARAM', proto => 'tcp', dport => '5900:5909' },
my $pve_fw_parsed_macros;
my $pve_fw_preferred_macro_names = {};
+my $pve_std_chains = {
+ 'PVEFW-SET-ACCEPT-MARK' => [
+ "-j MARK --set-mark 1",
+ ],
+ 'PVEFW-DropBroadcast' => [
+ # same as shorewall 'Broadcast'
+ # simply DROP BROADCAST/MULTICAST/ANYCAST
+ # we can use this to reduce logging
+ { action => 'DROP', dsttype => 'BROADCAST' },
+ { action => 'DROP', dsttype => 'MULTICAST' },
+ { action => 'DROP', dsttype => 'ANYCAST' },
+ { action => 'DROP', dest => '224.0.0.0/4' },
+ ],
+ 'PVEFW-reject' => [
+ # same as shorewall 'reject'
+ { action => 'DROP', dsttype => 'BROADCAST' },
+ { action => 'DROP', source => '224.0.0.0/4' },
+ { action => 'DROP', proto => 'icmp' },
+ "-p tcp -j REJECT --reject-with tcp-reset",
+ "-p udp -j REJECT --reject-with icmp-port-unreachable",
+ "-p icmp -j REJECT --reject-with icmp-host-unreachable",
+ "-j REJECT --reject-with icmp-host-prohibited",
+ ],
+ 'PVEFW-Drop' => [
+ # same as shorewall 'Drop', which is equal to DROP,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
+ { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
+ # Drop packets with INVALID state
+ "-m conntrack --ctstate INVALID -j DROP",
+ # Drop Microsoft SMB noise
+ { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'DROP', proto => 'udp', dport => '137:139'},
+ { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP",
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-Reject' => [
+ # same as shorewall 'Reject', which is equal to Reject,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
+ { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
+ # Drop packets with INVALID state
+ "-m conntrack --ctstate INVALID -j DROP",
+ # Drop Microsoft SMB noise
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
+ { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP",
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-tcpflags' => [
+ # same as shorewall tcpflags action.
+ # Packets arriving on this interface are checked for som illegal combinations of TCP flags
+ "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags",
+ "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags",
+ ],
+ 'PVEFW-smurfs' => [
+ # same as shorewall smurfs action
+ # Filter packets for smurfs (packets with a broadcast address as the source).
+ "-s 0.0.0.0/32 -j RETURN",
+ "-m addrtype --src-type BROADCAST -g PVEFW-smurflog",
+ "-s 224.0.0.0/4 -g PVEFW-smurflog",
+ ],
+};
+
+# iptables -p icmp -h
+my $icmp_type_names = {
+ any => 1,
+ 'echo-reply' => 1,
+ 'destination-unreachable' => 1,
+ 'network-unreachable' => 1,
+ 'host-unreachable' => 1,
+ 'protocol-unreachable' => 1,
+ 'port-unreachable' => 1,
+ 'fragmentation-needed' => 1,
+ 'source-route-failed' => 1,
+ 'network-unknown' => 1,
+ 'host-unknown' => 1,
+ 'network-prohibited' => 1,
+ 'host-prohibited' => 1,
+ 'TOS-network-unreachable' => 1,
+ 'TOS-host-unreachable' => 1,
+ 'communication-prohibited' => 1,
+ 'host-precedence-violation' => 1,
+ 'precedence-cutoff' => 1,
+ 'source-quench' => 1,
+ 'redirect' => 1,
+ 'network-redirect' => 1,
+ 'host-redirect' => 1,
+ 'TOS-network-redirect' => 1,
+ 'TOS-host-redirect' => 1,
+ 'echo-request' => 1,
+ 'router-advertisement' => 1,
+ 'router-solicitation' => 1,
+ 'time-exceeded' => 1,
+ 'ttl-zero-during-transit' => 1,
+ 'ttl-zero-during-reassembly' => 1,
+ 'parameter-problem' => 1,
+ 'ip-header-bad' => 1,
+ 'required-option-missing' => 1,
+ 'timestamp-request' => 1,
+ 'timestamp-reply' => 1,
+ 'address-mask-request' => 1,
+ 'address-mask-reply' => 1,
+};
+
sub get_firewall_macros {
return $pve_fw_parsed_macros if $pve_fw_parsed_macros;
-
+
$pve_fw_parsed_macros = {};
foreach my $k (keys %$pve_fw_macros) {
close($fh);
- $etc_services = $services;
-
+ $etc_services = $services;
+
return $etc_services;
}
foreach my $item (split(/,/, $str)) {
my $portlist = "";
my $oldpon = undef;
+ $nbports++;
foreach my $pon (split(':', $item, 2)) {
$pon = $services->{byname}->{$pon}->{port} if $services->{byname}->{$pon}->{port};
if ($pon =~ m/^\d+$/){
}else{
die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
}
- $nbports++;
}
}
return 1 if $name =~ m/^PVEFW-\S+$/;
return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
- return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/;
return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
return undef;
}
sub ruleset_generate_rule {
- my ($ruleset, $chain, $rule, $goto) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto) = @_;
+
+ return if $rule->{disable};
my $cmd = '';
$cmd .= " -s $rule->{source}" if $rule->{source};
$cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
$cmd .= " -d $rule->{dest}" if $rule->{dest};
- $cmd .= " -p $rule->{proto}" if $rule->{proto};
- $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
- $cmd .= " --dport $rule->{dport}" if $rule->{dport};
- $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
- $cmd .= " --sport $rule->{sport}" if $rule->{sport};
+
+ if ($rule->{proto}) {
+ $cmd .= " -p $rule->{proto}";
+
+ my $multiport = 0;
+ $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1);
+ $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1);
+
+ $cmd .= " --match multiport" if $multiport;
+
+ die "multiport: option '--sports' cannot be used together with '--dports'\n"
+ if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
+
+ if ($rule->{dport}) {
+ if ($rule->{proto} && $rule->{proto} eq 'icmp') {
+ # Note: we use dport to store --icmp-type
+ die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
+ $cmd .= " -m icmp --icmp-type $rule->{dport}";
+ } else {
+ if ($rule->{nbdport} && $rule->{nbdport} > 1) {
+ if ($multiport == 2) {
+ $cmd .= " --ports $rule->{dport}";
+ } else {
+ $cmd .= " --dports $rule->{dport}";
+ }
+ } else {
+ $cmd .= " --dport $rule->{dport}";
+ }
+ }
+ }
+
+ if ($rule->{sport}) {
+ if ($rule->{nbsport} && $rule->{nbsport} > 1) {
+ $cmd .= " --sports $rule->{sport}" if $multiport != 2;
+ } else {
+ $cmd .= " --sport $rule->{sport}";
+ }
+ }
+ } elsif ($rule->{dport} || $rule->{sport}) {
+ warn "ignoring destination port '$rule->{dport}' - no protocol specified\n" if $rule->{dport};
+ warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport};
+ }
+
+ $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
if (my $action = $rule->{action}) {
+ $action = $actions->{$action} if defined($actions->{$action});
$goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
$cmd .= $goto ? " -g $action" : " -j $action";
- };
+ }
ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
}
sub generate_bridge_chains {
my ($ruleset, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
- }
-
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
- }
-
if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
}
- if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
- ruleset_create_chain($ruleset, "$bridge-IN");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
- ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
+ if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
+ ruleset_create_chain($ruleset, "$bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ }
+
+ if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
+ ruleset_create_chain($ruleset, "$bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT");
+ # accept traffic to unmanaged bridge ports
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT ");
}
}
sub generate_tap_rules_direction {
- my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
+ my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
+
+ my $rules = $vmfw_conf->{lc($direction)};
+ my $options = $vmfw_conf->{options};
my $tapchain = "$iface-$direction";
ruleset_create_chain($ruleset, $tapchain);
+ if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+ }
+
+ if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT");
+ }
+
+ if ($options->{tcpflags}) {
+ ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags");
+ }
+
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- if ($direction eq 'OUT' && defined($macaddr)) {
+ if ($direction eq 'OUT' && defined($macaddr) &&
+ !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
}
generate_group_rules($ruleset, $group_rules, $2);
}
ruleset_generate_rule($ruleset, $tapchain, $rule);
- ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
+ ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN")
if $direction eq 'OUT';
} else {
- $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
- ruleset_generate_rule($ruleset, $tapchain, $rule);
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule($ruleset, $tapchain, $rule,
+ { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
+ } else {
+ ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" });
+ }
}
}
}
- ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
- ruleset_addrule($ruleset, $tapchain, "-j DROP");
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ } else {
+ $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default
+ }
+
+ if ($policy eq 'ACCEPT') {
+ if ($direction eq 'OUT') {
+ ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK");
+ } else {
+ ruleset_addrule($ruleset, $tapchain, "-j ACCEPT");
+ }
+ } elsif ($policy eq 'DROP') {
+ ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop");
+ ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
+ ruleset_addrule($ruleset, $tapchain, "-j DROP");
+ } elsif ($policy eq 'REJECT') {
+ ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject");
+ ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4");
+ ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject");
+ } else {
+ # should not happen
+ die "internal error: unknown policy '$policy'";
+ }
# plug the tap chain to bridge chain
my $physdevdirection = $direction eq 'IN' ? "out" : "in";
if ($rules->{in}) {
foreach my $rule (@{$rules->{in}}) {
# we use RETURN because we need to check also tap rules
- $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
- ruleset_generate_rule($ruleset, $chain, $rule);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
}
}
if ($rules->{out}) {
foreach my $rule (@{$rules->{out}}) {
# we use RETURN because we need to check also tap rules
- $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
- ruleset_generate_rule($ruleset, $chain, $rule);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
}
}
ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
ruleset_addrule($ruleset, $chain, "-j DROP");
-
+
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
}
my $rules = $group_rules->{$group};
die "no such security group '$group'\n" if !$rules;
-
+
my $chain = "GROUP-${group}-IN";
ruleset_create_chain($ruleset, $chain);
if ($rules->{in}) {
foreach my $rule (@{$rules->{in}}) {
- ruleset_generate_rule($ruleset, $chain, $rule);
+ ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
}
}
if ($rules->{out}) {
foreach my $rule (@{$rules->{out}}) {
- # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to
- # check also other tap rules (and group rules can be set on any bridge,
- # so we can't go to VMBRXX-IN)
- $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT';
- ruleset_generate_rule($ruleset, $chain, $rule);
+ # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
+ # check also other tap rules later
+ ruleset_generate_rule($ruleset, $chain, $rule,
+ { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" });
}
}
}
my ($action, $iface, $source, $dest, $proto, $dport, $sport);
- $line =~ s/#.*$//;
+ # we can add single line comments to the end of the rule
+ my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//;
+
+ # we can disable a rule when prefixed with '|'
+ my $disable = 1 if $line =~ s/^\|//;
my @data = split(/\s+/, $line);
my $expected_elements = $need_iface ? 7 : 6;
if ($need_iface) {
$iface = undef if $iface && $iface eq '-';
- die "unknown interface '$iface'\n"
+ die "unknown interface '$iface'\n"
if defined($iface) && !$valid_netdev_names->{$iface};
}
$proto = undef if $proto && $proto eq '-';
- die "unknown protokol '$proto'\n" if $proto &&
+ die "unknown protokol '$proto'\n" if $proto &&
!(defined($protocols->{byname}->{$proto}) ||
defined($protocols->{byid}->{$proto}));
$nbsource = parse_address_list($source) if $source;
$nbdest = parse_address_list($dest) if $dest;
-
+
my $rules = [];
my $param = {
+ disable => $disable,
+ comment => $comment,
action => $action,
iface => $iface,
source => $source,
if ($macro) {
foreach my $templ (@$macro) {
my $rule = {};
+ my $param_used = {};
foreach my $k (keys %$templ) {
my $v = $templ->{$k};
if ($v eq 'PARAM') {
$v = $param->{$k};
+ $param_used->{$k} = 1;
} elsif ($v eq 'DEST') {
$v = $param->{dest};
+ $param_used->{dest} = 1;
} elsif ($v eq 'SOURCE') {
$v = $param->{source};
+ $param_used->{source} = 1;
}
die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v);
$rule->{$k} = $v;
}
+ foreach my $k (keys %$param) {
+ next if !defined($param->{$k});
+ next if $param_used->{$k};
+ if (defined($rule->{$k})) {
+ die "parameter '$k' already define in macro (value = '$rule->{$k}')\n"
+ if $rule->{$k} ne $param->{$k};
+ } else {
+ $rule->{$k} = $param->{$k};
+ }
+ }
push @$rules, $rule;
}
} else {
}
foreach my $rule (@$rules) {
- $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport})
+ $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport})
if defined($rule->{dport});
- $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport})
+ $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport})
if defined($rule->{sport});
}
return $rules;
}
-sub parse_fw_option {
+sub parse_vmfw_option {
+ my ($line) = @_;
+
+ my ($opt, $value);
+
+ if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
+ } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ $opt = lc($1);
+ $value = uc($3);
+ } else {
+ chomp $line;
+ die "can't parse option '$line'\n"
+ }
+
+ return ($opt, $value);
+}
+
+sub parse_hostfw_option {
my ($line) = @_;
my ($opt, $value);
- if ($line =~ m/^enable:\s*(0|1)\s*$/i) {
- $opt = 'enable';
- $value = int($1);
+ my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
+
+ if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
+ } elsif ($line =~ m/^(tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
+ $opt = lc($1);
+ $value = $2 ? lc($3) : '';
} elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
- } else {
+ } else {
chomp $line;
die "can't parse option '$line'\n"
}
next if !$res->{$section}; # skip undefined section
if ($section eq 'options') {
- eval {
- my ($opt, $value) = parse_fw_option($line);
+ eval {
+ my ($opt, $value) = parse_vmfw_option($line);
$res->{options}->{$opt} = $value;
};
warn "$prefix: $@" if $@;
sub parse_host_fw_rules {
my ($filename, $fh) = @_;
- my $res = { in => [], out => [] };
+ my $res = { in => [], out => [], options => {}};
my $section;
my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
- if ($line =~ m/^\[(in|out)\]\s*$/i) {
+ if ($line =~ m/^\[(\S+)\]\s*$/i) {
$section = lc($1);
+ warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section};
next;
}
if (!$section) {
next;
}
+ next if !$res->{$section}; # skip undefined section
+
+ if ($section eq 'options') {
+ eval {
+ print "PARSE:$line\n";
+ my ($opt, $value) = parse_hostfw_option($line);
+ $res->{options}->{$opt} = $value;
+ };
+ warn "$prefix: $@" if $@;
+ next;
+ }
+
my $rules;
eval { $rules = parse_fw_rule($line, 1, 1); };
if (my $err = $@) {
my $group;
my $res = { in => [], out => [] };
-
+
while (defined(my $line = <$fh>)) {
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
return $rules;
}
+sub get_option_log_level {
+ my ($options, $k) = @_;
+
+ my $v = $options->{$k};
+ return $v = $default_log_level if !defined($v);
+
+ return undef if $v eq '' || $v eq 'nolog';
+
+ $v = $log_level_hash->{$v} if defined($log_level_hash->{$v});
+
+ return $v if ($v >= 0) && ($v <= 7);
+
+ warn "unknown log level ($k = '$v')\n";
+
+ return undef;
+}
+
+sub generate_std_chains {
+ my ($ruleset, $options) = @_;
+
+ my $loglevel = get_option_log_level($options, 'smurf_log_level');
+
+ # same as shorewall smurflog.
+ if (defined($loglevel)) {
+ $pve_std_chains-> {'PVEFW-smurflog'} = [
+ "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+ "-j DROP",
+ ];
+ } else {
+ $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ];
+ }
+
+ # same as shorewall logflags action.
+ $loglevel = get_option_log_level($options, 'tcp_flags_log_level');
+ if (defined($loglevel)) {
+ $pve_std_chains-> {'PVEFW-logflags'} = [
+ "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+ "-j DROP",
+ ];
+ } else {
+ $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ];
+ }
+
+ foreach my $chain (keys %$pve_std_chains) {
+ ruleset_create_chain($ruleset, $chain);
+ foreach my $rule (@{$pve_std_chains->{$chain}}) {
+ if (ref($rule)) {
+ ruleset_generate_rule($ruleset, $chain, $rule);
+ } else {
+ ruleset_addrule($ruleset, $chain, $rule);
+ }
+ }
+ }
+}
+
+sub save_pvefw_status {
+ my ($status) = @_;
+
+ die "unknown status '$status' - internal error"
+ if $status !~ m/^(stopped|active)$/;
+
+ mkdir dirname($pve_fw_status_filename);
+ PVE::Tools::file_set_contents($pve_fw_status_filename, $status);
+}
+
+sub read_pvefw_status {
+
+ my $status = 'unknown';
+
+ return 'stopped' if ! -f $pve_fw_status_filename;
+
+ eval {
+ $status = PVE::Tools::file_get_contents($pve_fw_status_filename);
+ };
+ warn $@ if $@;
+
+ return $status;
+}
+
sub compile {
my $vmdata = read_local_vm_config();
my $rules = read_vm_firewall_rules($vmdata);
-
+
my $group_rules = {};
my $filename = "/etc/pve/firewall/groups.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
- ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
+ my $host_options = {};
+ my $host_rules;
- my $enable_hostfw = 0;
$filename = "/etc/pve/local/host.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- my $host_rules = parse_host_fw_rules($filename, $fh);
+ $host_rules = parse_host_fw_rules($filename, $fh);
+ $host_options = $host_rules->{options};
+ }
- $enable_hostfw = 1;
+ generate_std_chains($ruleset, $host_options);
- enablehostfw($ruleset, $host_rules, $group_rules);
- }
+ my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0));
+
+ enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable;
- # generate firewall rules for QEMU VMs
+ # generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
my $conf = $vmdata->{qemu}->{$vmid};
-
- next if !$rules->{$vmid};
- my $options = $rules->{$vmid}->{options};
- next if defined($options->{enable}) && ($options->{enable} == 0);
+ my $vmfw_conf = $rules->{$vmid};
+ next if !$vmfw_conf;
+ next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
generate_bridge_chains($ruleset, $bridge);
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
}
}
- if ($enable_hostfw) {
+ if ($hotsfw_enable) {
# allow traffic from lo (ourself)
ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
}
$statushash->{$chain}->{sig} = $sig;
print "delete $chain ($sig)\n" if $verbose;
}
- }
+ }
return $statushash;
}
return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
}
-sub apply_ruleset {
+sub get_rulset_cmdlist {
my ($ruleset, $verbose) = @_;
- enable_bridge_firewall();
-
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
my $statushash = get_ruleset_status($ruleset, $verbose);
$cmdlist .= "COMMIT\n";
+ return $cmdlist;
+}
+
+sub apply_ruleset {
+ my ($ruleset, $verbose) = @_;
+
+ enable_bridge_firewall();
+
+ my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+
print $cmdlist if $verbose;
iptables_restore_cmdlist($cmdlist);
- # test: re-read status and check if everything is up to date
- $statushash = get_ruleset_status($ruleset);
+ # test: re-read status and check if everything is up to date
+ my $statushash = get_ruleset_status($ruleset);
my $errors;
foreach my $chain (sort keys %$ruleset) {
die "unable to apply firewall changes\n" if $errors;
}
+sub update {
+ my ($start, $verbose) = @_;
+
+ my $code = sub {
+ my $status = read_pvefw_status();
+
+ my $ruleset = PVE::Firewall::compile();
+
+ if ($start || $status eq 'active') {
+
+ save_pvefw_status('active') if ($status ne 'active');
+
+ PVE::Firewall::apply_ruleset($ruleset, $verbose);
+ } else {
+ print "Firewall not active (status = $status)\n" if $verbose;
+ }
+ };
+
+ run_locked($code);
+}
+
+
1;
projects / pve-firewall.git / blobdiff