+ my $options = $vmfw_conf->{options};
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
+
+ my $chain = "venet0-$vmid-$direction";
+
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
+
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ } else {
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ }
+
+ my $accept = generate_nfqueue($options);
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+ ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action);
+
+ # plug into FORWARD, INPUT and OUTPUT chain
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+ action => $chain,
+ source => $ip,
+ iface_in => 'venet0'});
+
+ ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", {
+ action => $chain,
+ source => $ip,
+ iface_in => 'venet0'});
+ } else {
+ ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+ action => $chain,
+ dest => $ip,
+ iface_out => 'venet0'});
+
+ ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", {
+ action => $chain,
+ dest => $ip,
+ iface_out => 'venet0'});
+ }
+}
+
+sub generate_tap_rules_direction {
+ my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_;
+
+ my $lc_direction = lc($direction);
+
+ my $rules = $vmfw_conf->{rules};
+
+ my $options = $vmfw_conf->{options};
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
+
+ my $tapchain = "$iface-$direction";
+
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
+
+ ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface, $bridge);
+
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ } else {
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ }
+
+ my $accept = generate_nfqueue($options);
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+ ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
+
+ # plug the tap chain to bridge chain
+ if ($direction eq 'IN') {
+ ruleset_insertrule($ruleset, "$bridge-IN",
+ "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain");
+ } else {
+ ruleset_insertrule($ruleset, "$bridge-OUT",
+ "-m physdev --physdev-in $iface -j $tapchain");
+ }
+}
+
+sub enable_host_firewall {
+ my ($ruleset, $hostfw_conf, $cluster_conf) = @_;
+
+ # fixme: allow security groups
+
+ my $options = $hostfw_conf->{options};
+ my $rules = $hostfw_conf->{rules};
+
+ # host inbound firewall
+ my $chain = "PVEFW-HOST-IN";
+ ruleset_create_chain($ruleset, $chain);
+
+ my $loglevel = get_option_log_level($options, "log_level_in");
+
+ if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+ }
+
+ if ($options->{tcpflags}) {
+ ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+ }
+
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
+
+ # we use RETURN because we need to check also tap rules
+ my $accept_action = 'RETURN';
+
+ foreach my $rule (@$rules) {
+ next if $rule->{type} ne 'in';
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ }
+
+ # implement input policy
+ my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
+
+ # host outbound firewall
+ $chain = "PVEFW-HOST-OUT";
+ ruleset_create_chain($ruleset, $chain);