}
sub generate_bridge_chains {
- my ($ruleset, $bridge) = @_;
+ my ($ruleset, $hostfw_conf, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
- ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- }
+ my $options = $hostfw_conf->{options};
+
+ # fixme: what log level should we use here?
+ my $loglevel = get_option_log_level($options, "log_level_out");
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
+ # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP");
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
}
if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- if ($direction eq 'OUT' && defined($macaddr) &&
- !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
- ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ if ($direction eq 'OUT') {
+ if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ }
+ ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark
}
foreach my $rule (@$rules) {
my $physdevdirection = $direction eq 'IN' ? "out" : "in";
my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
-
- if ($direction eq 'OUT'){
- # add tap->host rules
- my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
- ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
- }
}
sub enable_host_firewall {
# same as shorewall smurflog.
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-smurflog'} = [
- "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+ "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel",
"-j DROP",
];
} else {
$loglevel = get_option_log_level($options, 'tcp_flags_log_level');
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-logflags'} = [
- "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+ "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options",
"-j DROP",
];
} else {
ruleset_create_chain($ruleset, "PVEFW-INPUT");
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
my $hostfw_options = {};
my $hostfw_conf;
$bridge .= "v$net->{tag}" if $net->{tag};
- generate_bridge_chains($ruleset, $bridge);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge);
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
projects / pve-firewall.git / blobdiff