],
'Ceph' => [
"Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
+ # Legacy port for protocol v1
{ action => 'PARAM', proto => 'tcp', dport => '6789' },
+ # New port for protocol v2
+ { action => 'PARAM', proto => 'tcp', dport => '3300' },
{ action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
],
'CVS' => [
sub iptables_restore_cmdlist {
my ($cmdlist) = @_;
- run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['iptables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
}
sub ip6tables_restore_cmdlist {
my ($cmdlist) = @_;
- run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['ip6tables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
}
sub ipset_restore_cmdlist {
my ($cmdlist) = @_;
- run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
+ run_command(['ipset', 'restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist");
}
sub ebtables_restore_cmdlist {
my ($cmdlist) = @_;
- run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
+ run_command(['ebtables-restore'], input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
}
sub iptables_get_chains {
}
};
- run_command("/sbin/$iptablescmd-save", outfunc => $parser);
+ run_command(["$iptablescmd-save"], outfunc => $parser);
return wantarray ? ($res, $hooks) : $res;
}
}
};
- run_command("/sbin/ipset save", outfunc => $parser);
+ run_command(['ipset', 'save'], outfunc => $parser);
# compute digest for each chain
foreach my $chain (keys %$chains) {
}
};
- run_command("/sbin/ebtables-save", outfunc => $parser);
+ run_command(['ebtables-save'], outfunc => $parser);
# compute digest for each chain and store rules as well
foreach my $chain (keys %$chains) {
$res->{$chain}->{rules} = $chains->{$chain};
my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
- # create chain with mac and ip filter
- ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
-
if ($options->{enable}) {
+ # create chain with mac and ip filter
+ ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
+
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion, $vmid);
ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
});
# allow multicast only if enabled in config
- $multicast_enabled = $corosync_conf->{main}->{totem}->{transport} // 0;
+ my $corosync_transport = $corosync_conf->{main}->{totem}->{transport};
+ $multicast_enabled = defined($corosync_transport) && $corosync_transport eq 'udp';
}
# host inbound firewall
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $destination = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $destination = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($destination)) {
# accept only traffic on same ring
- if (defined($destination)) {
- ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
}
});
}
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $source = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $source = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($source)) {
# accept only traffic on same ring
- if (defined($source)) {
- ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
}
});
}
$hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
# cfs_update is handled by daemon or API
- $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
+ $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf")
+ if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1);
$vmdata = read_local_vm_config();
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);
eval {
my $conf = $vmdata->{qemu}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
- return if !$vmfw_conf;
+ return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
foreach my $netid (sort keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $net = PVE::QemuServer::parse_net($conf->{$netid});
next if !$net->{firewall};
- my $iface = "tap${vmid}i$1";
+ my $iface = "tap${vmid}i$1";
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN', $ipversion);
+ $vmfw_conf, $vmid, 'IN', $ipversion);
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT', $ipversion);
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
}
};
warn $@ if $@; # just to be sure - should not happen
# generate firewall rules for LXC containers
foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
- eval {
- my $conf = $vmdata->{lxc}->{$vmid};
- my $vmfw_conf = $vmfw_configs->{$vmid};
- return if !$vmfw_conf;
-
- if ($vmfw_conf->{options}->{enable}) {
- foreach my $netid (sort keys %$conf) {
- next if $netid !~ m/^net(\d+)$/;
- my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
- next if !$net->{firewall};
- my $iface = "veth${vmid}i$1";
- my $macaddr = $net->{hwaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN', $ipversion);
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT', $ipversion);
- }
- }
- };
- warn $@ if $@; # just to be sure - should not happen
+ eval {
+ my $conf = $vmdata->{lxc}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
+
+ foreach my $netid (sort keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
+ next if !$net->{firewall};
+
+ my $iface = "veth${vmid}i$1";
+ my $macaddr = $net->{hwaddr};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN', $ipversion);
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
+ }
+ };
+ warn $@ if $@; # just to be sure - should not happen
}
- if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
+ if (ruleset_chain_exist($ruleset, "PVEFW-IPS")){
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS");
}
foreach my $chain (sort keys %$statushash) {
my $stat = $statushash->{$chain};
- next if ($stat->{action} eq 'delete');
$changes = 1 if ($stat->{action} !~ 'ignore|exists');
+ next if ($stat->{action} eq 'delete');
foreach my $cmd (@{$statushash->{$chain}->{'rules'}}) {
if ($chain eq 'FORWARD' && $cmd eq $append_pve_to_forward) {
my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack";
PVE::Tools::file_set_contents($tmpfile, $value);
- PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
+ run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
$log_nf_conntrack_enabled = $value;
}
}
PVE::Firewall::remove_pvefw_chains_iptables("iptables");
PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
PVE::Firewall::remove_pvefw_chains_ipset();
+ PVE::Firewall::remove_pvefw_chains_ebtables();
}
ipset_restore_cmdlist($cmdlist) if $cmdlist;
}
+sub remove_pvefw_chains_ebtables {
+ # apply empty ruleset = remove all our chains
+ ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
+}
+
sub init {
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
projects / pve-firewall.git / blobdiff