use extra zone for physical devices

[pve-firewall.git] / pvefw

diff --git a/pvefw b/pvefw
index fdf72468e109e072d1837fa84907bcba4ec48ba8..978ffb15cdac07e95364d9c52bd137da2cd682f8 100755 (executable)
--- a/pvefw
+++ b/pvefw
@@ -33,6 +33,7 @@ $rpcenv->init_request();
 $rpcenv->set_language($ENV{LANG});
 $rpcenv->set_user('root@pam');
 
+
 sub parse_fw_rules {
     my ($filename, $fh) = @_;
 
@@ -40,6 +41,8 @@ sub parse_fw_rules {
 
     my $res = { in => [], out => [] };
 
+    my $macros = PVE::Firewall::get_shorewall_macros();
+
     while (defined(my $line = <$fh>)) {
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
@@ -58,33 +61,51 @@ sub parse_fw_rules {
            next;
        }
 
-       if ($action !~ m/^(ACCEPT|DROP)$/) {
+       my $service;
+       if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
+           # OK
+       } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+           ($service, $action) = ($1, $2);
+           if (!$macros->{$service}) {
+               warn "unknown service '$service'\n";
+               next;
+           }
+       } else {
            warn "unknown action '$action'\n";
-#          next;
+           next;
        }
 
-       if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
+       $iface = undef if $iface eq '-';
+       if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
            warn "unknown interface '$iface'\n";
            next;
        }
 
+       $proto = undef if $proto eq '-';
        if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
            warn "unknown protokol '$proto'\n";
            next;
        }
 
-       if ($source !~ m/^(any)$/) {
-           warn "unknown source '$source'\n";
-           next;
-       }
+       $source = undef if $source eq '-';
 
-       if ($dest !~ m/^(any)$/) {
-           warn "unknown destination '$dest'\n";
-           next;
-       }
+#      if ($source !~ m/^(XYZ)$/) {
+#          warn "unknown source '$source'\n";
+#          next;
+#      }
+
+       $dest = undef if $dest eq '-';
+#      if ($dest !~ m/^XYZ)$/) {
+#          warn "unknown destination '$dest'\n";
+#          next;
+#      }
+
+       $dport = undef if $dport && $dport eq '-';
+       $sport = undef if $sport && $sport eq '-';
 
        my $rule = {
            action => $action,
+           service => $service,
            iface => $iface,
            source => $source,
            dest => $dest,
@@ -108,6 +129,7 @@ sub read_local_vm_config {
     my $list = PVE::QemuServer::config_list();
 
     foreach my $vmid (keys %$list) {
+       # next if $vmid ne '100';
        my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
        if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
            $qemu->{$vmid} = $conf;
@@ -121,10 +143,9 @@ sub read_local_vm_config {
 
 sub read_vm_firewall_rules {
     my ($vmdata) = @_;
-
     my $rules = {};
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
-       my $filename = "/etc/pve/$vmid.fw";
+       my $filename = "/etc/pve/firewall/$vmid.fw";
        my $fh = IO::File->new($filename, O_RDONLY);
        next if !$fh;
 
@@ -149,7 +170,7 @@ __PACKAGE__->register_method ({
        my ($param) = @_;
 
        my $vmdata = read_local_vm_config();
-       my $rules = read_vm_firewall_rules();
+       my $rules = read_vm_firewall_rules($vmdata);
 
        # print Dumper($vmdata);