return $rules;
};
+my $rule_env_iface_lookup = {
+ 'ct' => 1,
+ 'vm' => 1,
+ 'group' => 0,
+ 'cluster' => 1,
+ 'host' => 1,
+};
+
sub verify_rule {
- my ($rule, $allow_groups, $noerr) = @_;
+ my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_;
+
+ my $allow_groups = $rule_env eq 'group' ? 0 : 1;
+
+ my $allow_iface = $rule_env_iface_lookup->{$rule_env};
+ die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
+
+ my $errors = $rule->{errors} || {};
- my $errors = {};
my $error_count = 0;
my $add_error = sub {
my ($param, $msg) = @_;
+ chomp $msg;
raise_param_exc({ $param => $msg }) if !$noerr;
$error_count++;
$errors->{$param} = $msg if !$errors->{$param};
};
+ my $check_ipset_or_alias_property = sub {
+ my ($name) = @_;
+
+ if (my $value = $rule->{$name}) {
+ if ($value =~ m/^\+/) {
+ if ($value =~ m/^\+(${security_group_name_pattern})$/) {
+ &$add_error($name, "no such ipset '$1'")
+ if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+
+ } else {
+ &$add_error($name, "invalid security group name '$value'");
+ }
+ } elsif ($value =~ m/^${ip_alias_pattern}$/){
+ my $alias = lc($value);
+ &$add_error($name, "no such alias '$value'")
+ if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}))
+ }
+ }
+ };
+
my $type = $rule->{type};
my $action = $rule->{action};
}
if ($rule->{iface}) {
+ &$add_error('type', "parameter -i not allowed for this rule type")
+ if !$allow_iface;
eval { PVE::JSONSchema::pve_verify_iface($rule->{iface}); };
&$add_error('iface', $@) if $@;
- }
+ if ($rule_env eq 'vm') {
+ &$add_error('iface', "value does not match the regex pattern 'net\\d+'")
+ if $rule->{iface} !~ m/^net(\d+)$/;
+ } elsif ($rule_env eq 'ct') {
+ &$add_error('iface', "value does not match the regex pattern '(venet|eth\\d+)'")
+ if $rule->{iface} !~ m/^(venet|eth(\d+))$/;
+ }
+ }
if ($rule->{macro}) {
if (my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}) {
if ($rule->{source}) {
eval { parse_address_list($rule->{source}); };
&$add_error('source', $@) if $@;
+ &$check_ipset_or_alias_property('source');
}
if ($rule->{dest}) {
eval { parse_address_list($rule->{dest}); };
&$add_error('dest', $@) if $@;
+ &$check_ipset_or_alias_property('dest');
}
- if ($rule->{macro}) {
+ if ($rule->{macro} && !$error_count) {
eval { &$apply_macro($rule->{macro}, $rule, 1); };
if (my $err = $@) {
if (ref($err) eq "PVE::Exception" && $err->{errors}) {
}
sub ruleset_generate_cmdstr {
- my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
return if defined($rule->{enable}) && !$rule->{enable};
return if $rule->{errors};
if ($source) {
if ($source =~ m/^\+/) {
if ($source =~ m/^\+(${security_group_name_pattern})$/) {
- die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
- push @cmd, "-m set --match-set PVEFW-$1 src";
+ my $name = $1;
+ if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ die "implement me";
+ } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ push @cmd, "-m set --match-set PVEFW-$1 src";
+ } else {
+ die "no such ipset '$name'\n";
+ }
} else {
die "invalid security group name '$source'\n";
}
} elsif ($source =~ m/^${ip_alias_pattern}$/){
my $alias = lc($source);
- my $e = $cluster_conf->{aliases}->{$alias};
- die "no such alias $source\n" if !$e;
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ die "no such alias '$source'\n" if !$e;
push @cmd, "-s $e->{cidr}";
} elsif ($source =~ m/\-/){
push @cmd, "-m iprange --src-range $source";
-
} else {
push @cmd, "-s $source";
}
if ($dest) {
if ($dest =~ m/^\+/) {
if ($dest =~ m/^\+(${security_group_name_pattern})$/) {
- die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
- push @cmd, "-m set --match-set PVEFW-$1 dst";
+ my $name = $1;
+ if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ die "implement me";
+ } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ push @cmd, "-m set --match-set PVEFW-$1 dst";
+ } else {
+ die "no such ipset '$name'\n";
+ }
} else {
die "invalid security group name '$dest'\n";
}
} elsif ($dest =~ m/^${ip_alias_pattern}$/){
my $alias = lc($dest);
- my $e = $cluster_conf->{aliases}->{$alias};
- die "no such alias $dest" if !$e;
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ die "no such alias '$dest'\n" if !$e;
push @cmd, "-d $e->{cidr}";
} elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
push @cmd, "-m iprange --dst-range $dest";
}
sub ruleset_generate_rule {
- my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
my $rules;
my @cmds = ();
foreach my $tmp (@$rules) {
- if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf)) {
+ if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf, $fw_conf)) {
push @cmds, $cmdstr;
}
}
my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
if ($cluster_conf->{ipset}->{blacklist}){
- ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
- ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
+ ruleset_create_chain($ruleset, "PVEFW-blacklist");
+ ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
+ ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
+ }
+ ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j PVEFW-blacklist");
}
if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
}
sub ruleset_generate_vm_rules {
- my ($ruleset, $rules, $cluster_conf, $chain, $netid, $direction, $options) = @_;
+ my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options) = @_;
my $lc_direction = lc($direction);
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
- next if !$rule->{enable};
+ next if !$rule->{enable} || $rule->{errors};
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
$direction eq 'OUT' ? 'RETURN' : $in_accept);
if ($direction eq 'OUT') {
ruleset_generate_rule($ruleset, $chain, $rule,
{ ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $vmfw_conf);
} else {
ruleset_generate_rule($ruleset, $chain, $rule,
{ ACCEPT => $in_accept , REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $vmfw_conf);
}
};
warn $@ if $@;
ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
# implement policy
my $policy;
ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_in} = $rule->{iface} if $rule->{iface};
+
eval {
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
} elsif ($rule->{type} eq 'in') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $hostfw_conf);
}
};
warn $@ if $@;
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_out} = $rule->{iface} if $rule->{iface};
eval {
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
} elsif ($rule->{type} eq 'out') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $hostfw_conf);
}
};
warn $@ if $@;
}
sub parse_fw_rule {
- my ($line, $allow_iface, $allow_groups) = @_;
+ my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
chomp $line;
+ my $orig_line = $line;
+
my $rule = {};
# we can add single line comments to the end of the rule
while (length($line)) {
if ($line =~ s/^-i (\S+)\s*//) {
- die "parameter -i not allowed\n" if !$allow_iface;
$rule->{iface} = $1;
next;
}
die "unable to parse rule parameters: $line\n" if length($line);
- $rule = verify_rule($rule, $allow_groups, 1);
+ $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1);
+ if ($verbose && $rule->{errors}) {
+ warn "$prefix - errors in rule parameters: $orig_line\n";
+ foreach my $p (keys %{$rule->{errors}}) {
+ warn " $p: $rule->{errors}->{$p}\n";
+ }
+ }
return $rule;
}
}
sub parse_vm_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
my $res = {
rules => [],
}
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_host_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $cluster_conf, $verbose) = @_;
my $res = { rules => [], options => {}};
}
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 'host', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_cluster_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $verbose) = @_;
my $section;
my $group;
warn "$prefix: $@" if $@;
} elsif ($section eq 'rules') {
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'cluster', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
push @{$res->{$section}}, $rule;
} elsif ($section eq 'groups') {
my $rule;
- eval { $rule = parse_fw_rule($line, 0, 0); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'group', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
};
sub load_vmfw_conf {
- my ($vmid, $dir) = @_;
+ my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
my $vmfw_conf = {};
my $filename = "$dir/$vmid.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $vmfw_conf = parse_vm_fw_rules($filename, $fh);
+ $vmfw_conf = parse_vm_fw_rules($filename, $fh, $cluster_conf, $rule_env, $verbose);
}
return $vmfw_conf;
}
sub read_vm_firewall_configs {
- my ($vmdata, $dir) = @_;
+ my ($cluster_conf, $vmdata, $dir, $verbose) = @_;
my $vmfw_configs = {};
- foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
- my $vmfw_conf = load_vmfw_conf($vmid, $dir);
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose);
+ next if !$vmfw_conf->{options}; # skip if file does not exists
+ $vmfw_configs->{$vmid} = $vmfw_conf;
+ }
+ foreach my $vmid (keys %{$vmdata->{openvz}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose);
next if !$vmfw_conf->{options}; # skip if file does not exists
$vmfw_configs->{$vmid} = $vmfw_conf;
}
}
sub load_clusterfw_conf {
- my ($filename) = @_;
+ my ($filename, $verbose) = @_;
$filename = $clusterfw_conf_filename if !defined($filename);
my $cluster_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $cluster_conf = parse_cluster_fw_rules($filename, $fh);
+ $cluster_conf = parse_cluster_fw_rules($filename, $fh, $verbose);
}
return $cluster_conf;
}
sub load_hostfw_conf {
- my ($filename) = @_;
+ my ($cluster_conf, $filename, $verbose) = @_;
$filename = $hostfw_conf_filename if !defined($filename);
my $hostfw_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $hostfw_conf = parse_host_fw_rules($filename, $fh);
+ $hostfw_conf = parse_host_fw_rules($filename, $fh, $cluster_conf, $verbose);
}
return $hostfw_conf;
}
}
sub compile {
- my ($cluster_conf, $hostfw_conf, $vmdata) = @_;
+ my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
my $vmfw_configs;
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";
- $cluster_conf = load_clusterfw_conf($filename);
+ $cluster_conf = load_clusterfw_conf($filename, $verbose);
$filename = "$testdir/host.fw";
- $hostfw_conf = load_hostfw_conf($filename);
+ $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose);
- $vmfw_configs = read_vm_firewall_configs($vmdata, $testdir);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose);
} else { # normal operation
- $cluster_conf = load_clusterfw_conf() if !$cluster_conf;
+ $cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf;
- $hostfw_conf = load_hostfw_conf() if !$hostfw_conf;
+ $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf;
$vmdata = read_local_vm_config();
- $vmfw_configs = read_vm_firewall_configs($vmdata);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
-
$cluster_conf->{ipset}->{venet0} = [];
my $localnet;
}
sub update {
- my ($verbose) = @_;
-
my $code = sub {
my $cluster_conf = load_clusterfw_conf();
if (!$enable) {
PVE::Firewall::remove_pvefw_chains();
- print "Firewall disabled\n" if $verbose;
return;
}
my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf);
- apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $verbose);
+ apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset);
};
run_locked($code);