use Data::Dumper;
use Digest::SHA;
use PVE::INotify;
+use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::ProcFSTools;
use PVE::Tools;
use PVE::Tools qw(run_command lock_file);
use Encode;
+my $clusterfw_conf_filename = "/etc/pve/firewall/cluster.fw";
+
# dynamically include PVE::QemuServer and PVE::OpenVZ
# to avoid dependency problems
my $have_qemu_server;
'address-mask-reply' => 1,
};
-sub get_firewall_macros {
-
- return $pve_fw_parsed_macros if $pve_fw_parsed_macros;
+sub init_firewall_macros {
$pve_fw_parsed_macros = {};
$pve_fw_preferred_macro_names->{$lc_name} = $k;
$pve_fw_parsed_macros->{$k} = $macro;
}
-
- return $pve_fw_parsed_macros;
}
+init_firewall_macros();
+
my $etc_services;
sub get_etc_services {
return ($nbports);
}
+PVE::JSONSchema::register_format('pve-fw-port-spec', \&pve_fw_verify_port_spec);
+sub pve_fw_verify_port_spec {
+ my ($portstr) = @_;
+
+ parse_port_name_number_or_range($portstr);
+
+ return $portstr;
+}
+
+PVE::JSONSchema::register_format('pve-fw-v4addr-spec', \&pve_fw_verify_v4addr_spec);
+sub pve_fw_verify_v4addr_spec {
+ my ($list) = @_;
+
+ parse_address_list($list);
+
+ return $list;
+}
+
+PVE::JSONSchema::register_format('pve-fw-protocol-spec', \&pve_fw_verify_protocol_spec);
+sub pve_fw_verify_protocol_spec {
+ my ($proto) = @_;
+
+ my $protocols = get_etc_protocols();
+
+ die "unknown protocol '$proto'\n" if $proto &&
+ !(defined($protocols->{byname}->{$proto}) ||
+ defined($protocols->{byid}->{$proto}));
+
+ return $proto;
+}
+
+
# helper function for API
my $rule_properties = {
digest => {
type => 'string',
optional => 1,
+ maxLength => 27,
+ minLength => 27,
},
type => {
type => 'string',
action => {
type => 'string',
optional => 1,
+ enum => ['ACCEPT', 'DROP', 'REJECT'],
},
macro => {
type => 'string',
optional => 1,
+ maxLength => 128,
},
+ iface => get_standard_option('pve-iface', { optional => 1 }),
source => {
- type => 'string',
+ type => 'string', format => 'pve-fw-v4addr-spec',
optional => 1,
},
dest => {
- type => 'string',
+ type => 'string', format => 'pve-fw-v4addr-spec',
optional => 1,
},
proto => {
- type => 'string',
+ type => 'string', format => 'pve-fw-protocol-spec',
optional => 1,
},
enable => {
optional => 1,
},
sport => {
- type => 'string',
+ type => 'string', format => 'pve-fw-port-spec',
optional => 1,
},
dport => {
- type => 'string',
+ type => 'string', format => 'pve-fw-port-spec',
optional => 1,
},
comment => {
my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
-sub iptables {
- my ($cmd) = @_;
+sub iptables_restore_cmdlist {
+ my ($cmdlist) = @_;
- run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
+ run_command("/sbin/iptables-restore -n", input => $cmdlist);
}
-sub iptables_restore_cmdlist {
+sub ipset_restore_cmdlist {
my ($cmdlist) = @_;
- run_command("/sbin/iptables-restore -n", input => $cmdlist);
+ run_command("/usr/sbin/ipset restore", input => $cmdlist);
}
sub iptables_get_chains {
my $table = '';
+ my $hooks = {};
+
my $parser = sub {
my $line = shift;
my ($chain, $sig) = ($1, $2);
return if !&$is_pvefw_chain($chain);
$res->{$chain} = $sig;
+ } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) {
+ $hooks->{$1} = 1;
} else {
# simply ignore the rest
return;
run_command("/sbin/iptables-save", outfunc => $parser);
- return $res;
+ return wantarray ? ($res, $hooks) : $res;
}
-sub iptables_chain_exist {
- my ($chain) = @_;
+sub iptables_chain_digest {
+ my ($rules) = @_;
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $rule (@$rules) { # order is important
+ $digest->add($rule);
+ }
+ return $digest->b64digest;
+}
- eval{
- iptables("-n --list $chain");
- };
- return undef if $@;
+sub ipset_chain_digest {
+ my ($rules) = @_;
- return 1;
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $rule (sort @$rules) { # note: sorted
+ $digest->add($rule);
+ }
+ return $digest->b64digest;
}
-sub iptables_rule_exist {
- my ($rule) = @_;
+sub ipset_get_chains {
- eval{
- iptables("-C $rule");
+ my $res = {};
+ my $chains = {};
+
+ my $parser = sub {
+ my $line = shift;
+
+ return if $line =~ m/^#/;
+ return if $line =~ m/^\s*$/;
+ if ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) {
+ my $chain = $1;
+ $line =~ s/\s+$//; # delete trailing white space
+ push @{$chains->{$chain}}, $line;
+ } else {
+ # simply ignore the rest
+ return;
+ }
};
- return undef if $@;
- return 1;
+ run_command("/usr/sbin/ipset save", outfunc => $parser);
+
+ # compute digest for each chain
+ foreach my $chain (keys %$chains) {
+ $res->{$chain} = ipset_chain_digest($chains->{$chain});
+ }
+
+ return $res;
}
sub ruleset_generate_cmdstr {
}
sub ruleset_generate_vm_rules {
- my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction, $options) = @_;
+ my ($ruleset, $rules, $cluster_conf, $chain, $netid, $direction, $options) = @_;
my $lc_direction = lc($direction);
if ($rule->{type} eq 'group') {
my $group_chain = "GROUP-$rule->{action}-$direction";
if(!ruleset_chain_exist($ruleset, $group_chain)){
- generate_group_rules($ruleset, $groups_conf, $rule->{action});
+ generate_group_rules($ruleset, $cluster_conf, $rule->{action});
}
ruleset_addrule($ruleset, $chain, "-j $group_chain");
if ($direction eq 'OUT'){
}
sub generate_venet_rules_direction {
- my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
+ my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
parse_address_list($ip); # make sure we have a valid $ip list
ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $chain, 'venet', $direction);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
# implement policy
my $policy;
}
sub generate_tap_rules_direction {
- my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_;
+ my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_;
my $lc_direction = lc($direction);
ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction, $options);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface, $bridge);
}
sub enable_host_firewall {
- my ($ruleset, $hostfw_conf, $groups_conf) = @_;
+ my ($ruleset, $hostfw_conf, $cluster_conf) = @_;
# fixme: allow security groups
}
sub generate_group_rules {
- my ($ruleset, $groups_conf, $group) = @_;
- die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group};
+ my ($ruleset, $cluster_conf, $group) = @_;
+ die "no such security group '$group'\n" if !$cluster_conf->{groups}->{$group};
- my $rules = $groups_conf->{rules}->{$group};
+ my $rules = $cluster_conf->{groups}->{$group};
my $chain = "GROUP-${group}-IN";
sub parse_fw_rule {
my ($line, $need_iface, $allow_groups) = @_;
- my $macros = get_firewall_macros();
- my $protocols = get_etc_protocols();
-
my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport);
# we can add single line comments to the end of the rule
}
$proto = undef if $proto && $proto eq '-';
- die "unknown protokol '$proto'\n" if $proto &&
- !(defined($protocols->{byname}->{$proto}) ||
- defined($protocols->{byid}->{$proto}));
+ pve_fw_verify_protocol_spec($proto) if $proto;
$source = undef if $source && $source eq '-';
$dest = undef if $dest && $dest eq '-';
return ($opt, $value);
}
+sub parse_clusterfw_option {
+ my ($line) = @_;
+
+ my ($opt, $value);
+
+ if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
+ } else {
+ chomp $line;
+ die "can't parse option '$line'\n"
+ }
+
+ return ($opt, $value);
+}
+
sub parse_vm_fw_rules {
my ($filename, $fh) = @_;
return $res;
}
-sub parse_group_fw_rules {
+sub parse_cluster_fw_rules {
my ($filename, $fh) = @_;
my $section;
my $group;
- my $res = { rules => {} };
+ my $res = { rules => [], options => {}, groups => {}, ipset => {} };
my $digest = Digest::SHA->new('sha1');
my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
+ if ($line =~ m/^\[options\]$/i) {
+ $section = 'options';
+ next;
+ }
+
if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) {
+ $section = 'groups';
+ $group = lc($1);
+ next;
+ }
+
+ if ($line =~ m/^\[rules\]$/i) {
$section = 'rules';
+ next;
+ }
+
+ if ($line =~ m/^\[netgroup\s+(\S+)\]\s*$/i) {
+ $section = 'ipset';
$group = lc($1);
next;
}
- if (!$section || !$group) {
+
+ if (!$section) {
warn "$prefix: skip line - no section";
next;
}
- my $rule;
- eval { $rule = parse_fw_rule($line, 0, 0); };
- if (my $err = $@) {
- warn "$prefix: $err";
- next;
+ if ($section eq 'options') {
+ eval {
+ my ($opt, $value) = parse_clusterfw_option($line);
+ $res->{options}->{$opt} = $value;
+ };
+ warn "$prefix: $@" if $@;
+ } elsif ($section eq 'rules') {
+ my $rule;
+ eval { $rule = parse_fw_rule($line, 1, 1); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+ push @{$res->{$section}}, $rule;
+ } elsif ($section eq 'groups') {
+ my $rule;
+ eval { $rule = parse_fw_rule($line, 0, 0); };
+ if (my $err = $@) {
+ warn "$prefix: $err";
+ next;
+ }
+ push @{$res->{$section}->{$group}}, $rule;
+ } elsif ($section eq 'ipset') {
+ chomp $line;
+ $line =~ m/^(\!)?(\s)?((\d+)\.(\d+)\.(\d+)\.(\d+)(\/(\d+))?)/;
+ my $nomatch = $1;
+ my $ip = $3;
+
+ if(!$ip){
+ warn "$prefix: $line is not an valid ip address";
+ next;
+ }
+ if (!Net::IP->new($ip)) {
+ warn "$prefix: $line is not an valid ip address";
+ next;
+ }
+ $ip .= " nomatch" if $nomatch;
+
+ push @{$res->{$section}->{$group}}, $ip;
}
-
- push @{$res->{$section}->{$group}}, $rule;
}
$res->{digest} = $digest->b64digest;
-
return $res;
}
}
}
+sub generate_ipset_chains {
+ my ($ipset_ruleset, $fw_conf) = @_;
+
+ foreach my $ipset (keys %{$fw_conf->{ipset}}) {
+ generate_ipset($ipset_ruleset, $ipset, $fw_conf->{ipset}->{$ipset});
+ }
+}
+
+sub generate_ipset {
+ my ($ipset_ruleset, $name, $options) = @_;
+
+ my $hashsize = scalar(@$options);
+ if ($hashsize <= 64) {
+ $hashsize = 64;
+ } else {
+ $hashsize = round_powerof2($hashsize);
+ }
+
+ push @{$ipset_ruleset->{$name}}, "create $name hash:net family inet hashsize $hashsize maxelem $hashsize";
+
+ foreach my $ip (@$options) {
+ push @{$ipset_ruleset->{$name}}, "add $name $ip";
+ }
+}
+
+sub round_powerof2 {
+ my ($int) = @_;
+
+ $int--;
+ $int |= $int >> $_ foreach (1,2,4,8,16);
+ return ++$int;
+}
+
sub save_pvefw_status {
my ($status) = @_;
return $res;
}
-sub load_security_groups {
+sub load_clusterfw_conf {
- my $groups_conf = {};
- my $filename = "/etc/pve/firewall/groups.fw";
- if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $groups_conf = parse_group_fw_rules($filename, $fh);
+ my $cluster_conf = {};
+ if (my $fh = IO::File->new($clusterfw_conf_filename, O_RDONLY)) {
+ $cluster_conf = parse_cluster_fw_rules($clusterfw_conf_filename, $fh);
}
- return $groups_conf;
+ return $cluster_conf;
}
-sub save_security_groups {
- my ($groups_conf) = @_;
+my $rules_to_conf = sub {
+ my ($rules, $need_iface) = @_;
my $raw = '';
- my $filename = "/etc/pve/firewall/groups.fw";
- foreach my $group (sort keys %{$groups_conf->{rules}}) {
- my $rules = $groups_conf->{rules}->{$group};
- $raw .= "[group $group]\n\n";
+ foreach my $rule (@$rules) {
+ if ($rule->{type} eq 'in' || $rule->{type} eq 'out') {
+ $raw .= '|' if defined($rule->{enable}) && !$rule->{enable};
+ $raw .= uc($rule->{type});
+ $raw .= " " . $rule->{action};
+ $raw .= " " . ($rule->{iface} || '-') if $need_iface;
+ $raw .= " " . ($rule->{source} || '-');
+ $raw .= " " . ($rule->{dest} || '-');
+ $raw .= " " . ($rule->{proto} || '-');
+ $raw .= " " . ($rule->{dport} || '-');
+ $raw .= " " . ($rule->{sport} || '-');
+ $raw .= " # " . encode('utf8', $rule->{comment})
+ if $rule->{comment} && $rule->{comment} !~ m/^\s*$/;
+ $raw .= "\n";
+ } else {
+ die "implement me '$rule->{type}'";
+ }
+ }
- foreach my $rule (@$rules) {
- if ($rule->{type} eq 'in' || $rule->{type} eq 'out') {
- $raw .= '|' if defined($rule->{enable}) && !$rule->{enable};
- $raw .= uc($rule->{type});
- $raw .= " " . $rule->{action};
- $raw .= " " . ($rule->{source} || '-');
- $raw .= " " . ($rule->{dest} || '-');
- $raw .= " " . ($rule->{proto} || '-');
- $raw .= " " . ($rule->{dport} || '-');
- $raw .= " " . ($rule->{sport} || '-');
- $raw .= " # " . encode('utf8', $rule->{comment})
- if $rule->{comment} && $rule->{comment} !~ m/^\s*$/;
- $raw .= "\n";
- } else {
- die "implement me '$rule->{type}'";
- }
+ return $raw;
+};
+
+sub save_clusterfw_conf {
+ my ($cluster_conf) = @_;
+
+ my $raw = '';
+
+ my $options = $cluster_conf->{options};
+ if (scalar(keys %$options)) {
+ $raw .= "[OPTIONS]\n\n";
+ foreach my $opt (keys %$options) {
+ $raw .= "$opt: $options->{$opt}\n";
}
+ $raw .= "\n";
+ }
+
+ # fixme: save ipset
+ my $rules = $cluster_conf->{rules};
+ if (scalar(@$rules)) {
+ $raw .= "[RULES]\n\n";
+ $raw .= &$rules_to_conf($rules, 1);
$raw .= "\n";
}
- PVE::Tools::file_set_contents($filename, $raw);
+ foreach my $group (sort keys %{$cluster_conf->{groups}}) {
+ my $rules = $cluster_conf->{groups}->{$group};
+ $raw .= "[group $group]\n\n";
+ $raw .= &$rules_to_conf($rules, 0);
+ $raw .= "\n";
+ }
+
+ PVE::Tools::file_set_contents($clusterfw_conf_filename, $raw);
}
sub load_hostfw_conf {
my $routing_table = read_proc_net_route();
- my $groups_conf = load_security_groups();
+ my $cluster_conf = load_clusterfw_conf();
+
+ my $ipset_ruleset = {};
+ generate_ipset_chains($ipset_ruleset, $cluster_conf);
my $ruleset = {};
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
- enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
-
- my $ips_enable = undef;
+ enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf) if $hostfw_enable;
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
next if !$vmfw_conf;
next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
- $ips_enable = 1 if $vmfw_conf->{options}->{ips};
-
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $net = PVE::QemuServer::parse_net($conf->{$netid});
generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table);
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, $bridge, 'OUT');
}
}
next if !$vmfw_conf;
next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
- $ips_enable = 1 if $vmfw_conf->{options}->{ips};
-
if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
my $ip = $conf->{ip_address}->{value};
- generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN');
- generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
}
if ($conf->{netif} && $conf->{netif}->{value}) {
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
- generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, $bridge, 'OUT');
}
}
if($hostfw_options->{optimize}){
- my $accept = $ips_enable ? "PVEFW-IPS" : "ACCEPT";
+ my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
}
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
- return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
+ return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset;
}
sub get_ruleset_status {
- my ($ruleset, $verbose) = @_;
-
- my $active_chains = iptables_get_chains();
+ my ($ruleset, $active_chains, $digest_fn, $verbose) = @_;
my $statushash = {};
foreach my $chain (sort keys %$ruleset) {
- my $digest = Digest::SHA->new('sha1');
- foreach my $cmd (@{$ruleset->{$chain}}) {
- $digest->add("$cmd\n");
- }
- my $sig = $digest->b64digest;
+ my $sig = &$digest_fn($ruleset->{$chain});
+
$statushash->{$chain}->{sig} = $sig;
my $oldsig = $active_chains->{$chain};
return $statushash;
}
-sub print_ruleset {
- my ($ruleset) = @_;
-
- get_ruleset_status($ruleset, 1);
-}
-
sub print_sig_rule {
my ($chain, $sig) = @_;
return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
}
-sub get_rulset_cmdlist {
+sub get_ruleset_cmdlist {
my ($ruleset, $verbose) = @_;
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
-
- my $statushash = get_ruleset_status($ruleset, $verbose);
+
+ my ($active_chains, $hooks) = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
# create missing chains first
foreach my $chain (sort keys %$ruleset) {
$cmdlist .= ":$chain - [0:0]\n";
}
- my $rule = "INPUT -j PVEFW-INPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if (!$hooks->{$h}) {
+ $cmdlist .= "-A $h -j PVEFW-$h\n";
+ }
}
foreach my $chain (sort keys %$ruleset) {
$cmdlist .= "-X $chain\n";
}
+ my $changes = $cmdlist ne "*filter\n" ? 1 : 0;
+
$cmdlist .= "COMMIT\n";
- return $cmdlist;
+ return wantarray ? ($cmdlist, $changes) : $cmdlist;
+}
+
+sub get_ipset_cmdlist {
+ my ($ruleset, $verbose) = @_;
+
+ my $cmdlist = "";
+
+ my $delete_cmdlist = "";
+
+ my $active_chains = ipset_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose);
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
+
+ if ($stat->{action} eq 'create') {
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $cmdlist .= "$cmd\n";
+ }
+ }
+
+ if ($stat->{action} eq 'update') {
+ my $chain_swap = $chain."_swap";
+
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $cmd =~ s/$chain/$chain_swap/;
+ $cmdlist .= "$cmd\n";
+ }
+ $cmdlist .= "swap $chain_swap $chain\n";
+ $cmdlist .= "flush $chain_swap\n";
+ $cmdlist .= "destroy $chain_swap\n";
+ }
+
+ }
+
+ foreach my $chain (keys %$statushash) {
+ next if $statushash->{$chain}->{action} ne 'delete';
+
+ $delete_cmdlist .= "flush $chain\n";
+ $delete_cmdlist .= "destroy $chain\n";
+ }
+
+ my $changes = ($cmdlist || $delete_cmdlist) ? 1 : 0;
+
+ return ($cmdlist, $delete_cmdlist, $changes);
}
sub apply_ruleset {
- my ($ruleset, $hostfw_conf, $verbose) = @_;
+ my ($ruleset, $hostfw_conf, $ipset_ruleset, $verbose) = @_;
enable_bridge_firewall();
update_nf_conntrack_max($hostfw_conf);
- my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+ my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
+ get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
- print $cmdlist if $verbose;
+ my ($cmdlist, $changes) = get_ruleset_cmdlist($ruleset, $verbose);
+
+ if ($verbose) {
+ if ($ipset_changes) {
+ print "ipset changes:\n";
+ print $ipset_create_cmdlist if $ipset_create_cmdlist;
+ print $ipset_delete_cmdlist if $ipset_delete_cmdlist;
+ }
+
+ if ($changes) {
+ print "iptables changes:\n";
+ print $cmdlist;
+ }
+ }
+
+ ipset_restore_cmdlist($ipset_create_cmdlist);
iptables_restore_cmdlist($cmdlist);
+ ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
+
# test: re-read status and check if everything is up to date
- my $statushash = get_ruleset_status($ruleset);
+ my $active_chains = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, 0);
my $errors;
foreach my $chain (sort keys %$ruleset) {
}
}
+sub remove_pvefw_chains {
+
+ my ($chash, $hooks) = iptables_get_chains();
+ my $cmdlist = "*filter\n";
+
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if ($hooks->{$h}) {
+ $cmdlist .= "-D $h -j PVEFW-$h\n";
+ }
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ iptables_restore_cmdlist($cmdlist);
+}
+
sub update {
my ($start, $verbose) = @_;
my $code = sub {
my $status = read_pvefw_status();
- my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
+ my ($ruleset, $hostfw_conf, $ipset_ruleset) = compile();
if ($start || $status eq 'active') {
save_pvefw_status('active') if ($status ne 'active');
- apply_ruleset($ruleset, $hostfw_conf, $verbose);
+ apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $verbose);
} else {
print "Firewall not active (status = $status)\n" if $verbose;
}
projects / pve-firewall.git / blobdiff