};
sub verify_rule {
- my ($rule, $rule_env, $noerr) = @_;
+ my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_;
my $allow_groups = $rule_env eq 'group' ? 0 : 1;
my $allow_iface = $rule_env_iface_lookup->{$rule_env};
die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
- my $errors = {};
+ my $errors = $rule->{errors} || {};
+
my $error_count = 0;
my $add_error = sub {
$errors->{$param} = $msg if !$errors->{$param};
};
+ my $check_ipset_or_alias_property = sub {
+ my ($name) = @_;
+
+ if (my $value = $rule->{$name}) {
+ if ($value =~ m/^\+/) {
+ if ($value =~ m/^\+(${security_group_name_pattern})$/) {
+ &$add_error($name, "no such ipset '$1'")
+ if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+
+ } else {
+ &$add_error($name, "invalid security group name '$value'");
+ }
+ } elsif ($value =~ m/^${ip_alias_pattern}$/){
+ my $alias = lc($value);
+ &$add_error($name, "no such alias '$value'")
+ if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}))
+ }
+ }
+ };
+
my $type = $rule->{type};
my $action = $rule->{action};
if ($rule->{source}) {
eval { parse_address_list($rule->{source}); };
&$add_error('source', $@) if $@;
+ &$check_ipset_or_alias_property('source');
}
if ($rule->{dest}) {
eval { parse_address_list($rule->{dest}); };
&$add_error('dest', $@) if $@;
+ &$check_ipset_or_alias_property('dest');
}
- if ($rule->{macro}) {
+ if ($rule->{macro} && !$error_count) {
eval { &$apply_macro($rule->{macro}, $rule, 1); };
if (my $err = $@) {
if (ref($err) eq "PVE::Exception" && $err->{errors}) {
}
sub ruleset_generate_cmdstr {
- my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
return if defined($rule->{enable}) && !$rule->{enable};
return if $rule->{errors};
if ($source) {
if ($source =~ m/^\+/) {
if ($source =~ m/^\+(${security_group_name_pattern})$/) {
- die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
- push @cmd, "-m set --match-set PVEFW-$1 src";
+ my $name = $1;
+ if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ die "implement me";
+ } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ push @cmd, "-m set --match-set PVEFW-$1 src";
+ } else {
+ die "no such ipset '$name'\n";
+ }
} else {
die "invalid security group name '$source'\n";
}
} elsif ($source =~ m/^${ip_alias_pattern}$/){
my $alias = lc($source);
- my $e = $cluster_conf->{aliases}->{$alias};
- die "no such alias $source\n" if !$e;
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ die "no such alias '$source'\n" if !$e;
push @cmd, "-s $e->{cidr}";
} elsif ($source =~ m/\-/){
push @cmd, "-m iprange --src-range $source";
-
} else {
push @cmd, "-s $source";
}
if ($dest) {
if ($dest =~ m/^\+/) {
if ($dest =~ m/^\+(${security_group_name_pattern})$/) {
- die "no such ipset '$1'\n" if !$cluster_conf->{ipset}->{$1};
- push @cmd, "-m set --match-set PVEFW-$1 dst";
+ my $name = $1;
+ if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ die "implement me";
+ } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ push @cmd, "-m set --match-set PVEFW-$1 dst";
+ } else {
+ die "no such ipset '$name'\n";
+ }
} else {
die "invalid security group name '$dest'\n";
}
} elsif ($dest =~ m/^${ip_alias_pattern}$/){
my $alias = lc($dest);
- my $e = $cluster_conf->{aliases}->{$alias};
- die "no such alias $dest" if !$e;
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ die "no such alias '$dest'\n" if !$e;
push @cmd, "-d $e->{cidr}";
} elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
push @cmd, "-m iprange --dst-range $dest";
}
sub ruleset_generate_rule {
- my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
my $rules;
my @cmds = ();
foreach my $tmp (@$rules) {
- if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf)) {
+ if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf, $fw_conf)) {
push @cmds, $cmdstr;
}
}
my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
if ($cluster_conf->{ipset}->{blacklist}){
- ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
- ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
+ ruleset_create_chain($ruleset, "PVEFW-blacklist");
+ ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
+ ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
+ }
+ ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j PVEFW-blacklist");
}
if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
}
sub ruleset_generate_vm_rules {
- my ($ruleset, $rules, $cluster_conf, $chain, $netid, $direction, $options) = @_;
+ my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options) = @_;
my $lc_direction = lc($direction);
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
- next if !$rule->{enable};
+ next if !$rule->{enable} || $rule->{errors};
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
$direction eq 'OUT' ? 'RETURN' : $in_accept);
if ($direction eq 'OUT') {
ruleset_generate_rule($ruleset, $chain, $rule,
{ ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $vmfw_conf);
} else {
ruleset_generate_rule($ruleset, $chain, $rule,
{ ACCEPT => $in_accept , REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $vmfw_conf);
}
};
warn $@ if $@;
ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
# implement policy
my $policy;
ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_in} = $rule->{iface} if $rule->{iface};
+
eval {
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
} elsif ($rule->{type} eq 'in') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $hostfw_conf);
}
};
warn $@ if $@;
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_out} = $rule->{iface} if $rule->{iface};
eval {
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
} elsif ($rule->{type} eq 'out') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
+ undef, $cluster_conf, $hostfw_conf);
}
};
warn $@ if $@;
}
sub parse_fw_rule {
- my ($prefix, $line, $rule_env, $verbose) = @_;
+ my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
chomp $line;
die "unable to parse rule parameters: $line\n" if length($line);
- $rule = verify_rule($rule, $rule_env, 1);
+ $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1);
if ($verbose && $rule->{errors}) {
warn "$prefix - errors in rule parameters: $orig_line\n";
foreach my $p (keys %{$rule->{errors}}) {
}
sub parse_vm_fw_rules {
- my ($filename, $fh, $rule_env, $verbose) = @_;
+ my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
my $res = {
rules => [],
}
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, $rule_env, $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_host_fw_rules {
- my ($filename, $fh, $verbose) = @_;
+ my ($filename, $fh, $cluster_conf, $verbose) = @_;
my $res = { rules => [], options => {}};
}
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 'host', $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 'host', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
warn "$prefix: $@" if $@;
} elsif ($section eq 'rules') {
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 'cluster', $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'cluster', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
push @{$res->{$section}}, $rule;
} elsif ($section eq 'groups') {
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 'group', $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'group', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
};
sub load_vmfw_conf {
- my ($rule_env, $vmid, $dir, $verbose) = @_;
+ my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
my $vmfw_conf = {};
my $filename = "$dir/$vmid.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $vmfw_conf = parse_vm_fw_rules($filename, $fh, $rule_env, $verbose);
+ $vmfw_conf = parse_vm_fw_rules($filename, $fh, $cluster_conf, $rule_env, $verbose);
}
return $vmfw_conf;
}
sub read_vm_firewall_configs {
- my ($vmdata, $dir, $verbose) = @_;
+ my ($cluster_conf, $vmdata, $dir, $verbose) = @_;
my $vmfw_configs = {};
foreach my $vmid (keys %{$vmdata->{qemu}}) {
- my $vmfw_conf = load_vmfw_conf('vm', $vmid, $dir, $verbose);
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose);
next if !$vmfw_conf->{options}; # skip if file does not exists
$vmfw_configs->{$vmid} = $vmfw_conf;
}
foreach my $vmid (keys %{$vmdata->{openvz}}) {
- my $vmfw_conf = load_vmfw_conf('ct', $vmid, $dir, $verbose);
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose);
next if !$vmfw_conf->{options}; # skip if file does not exists
$vmfw_configs->{$vmid} = $vmfw_conf;
}
}
sub load_hostfw_conf {
- my ($filename, $verbose) = @_;
+ my ($cluster_conf, $filename, $verbose) = @_;
$filename = $hostfw_conf_filename if !defined($filename);
my $hostfw_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $hostfw_conf = parse_host_fw_rules($filename, $fh, $verbose);
+ $hostfw_conf = parse_host_fw_rules($filename, $fh, $cluster_conf, $verbose);
}
return $hostfw_conf;
}
$cluster_conf = load_clusterfw_conf($filename, $verbose);
$filename = "$testdir/host.fw";
- $hostfw_conf = load_hostfw_conf($filename, $verbose);
+ $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose);
- $vmfw_configs = read_vm_firewall_configs($vmdata, $testdir, $verbose);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose);
} else { # normal operation
$cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf;
- $hostfw_conf = load_hostfw_conf(undef, $verbose) if !$hostfw_conf;
+ $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf;
$vmdata = read_local_vm_config();
- $vmfw_configs = read_vm_firewall_configs($vmdata, undef, $verbose);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
-
$cluster_conf->{ipset}->{venet0} = [];
my $localnet;