}
sub generate_bridge_chains {
- my ($ruleset, $bridge) = @_;
+ my ($ruleset, $hostfw_conf, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
- ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- }
+ my $options = $hostfw_conf->{options} || {};
+
+ # fixme: what log level should we use here?
+ my $loglevel = get_option_log_level($options, "log_level_out");
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
+ # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP");
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
} elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
+ } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
} else {
chomp $line;
die "can't parse option '$line'\n"
return $vmdata;
};
-sub read_vm_firewall_rules {
+sub read_vm_firewall_configs {
my ($vmdata) = @_;
- my $rules = {};
+ my $vmfw_configs = {};
foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
my $filename = "/etc/pve/firewall/$vmid.fw";
my $fh = IO::File->new($filename, O_RDONLY);
next if !$fh;
- $rules->{$vmid} = parse_vm_fw_rules($filename, $fh);
+ $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh);
}
- return $rules;
+ return $vmfw_configs;
}
sub get_option_log_level {
# same as shorewall smurflog.
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-smurflog'} = [
- "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+ "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel",
"-j DROP",
];
} else {
$loglevel = get_option_log_level($options, 'tcp_flags_log_level');
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-logflags'} = [
- "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+ "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options",
"-j DROP",
];
} else {
sub compile {
my $vmdata = read_local_vm_config();
- my $rules = read_vm_firewall_rules($vmdata);
+ my $vmfw_configs = read_vm_firewall_configs($vmdata);
my $groups_conf = {};
my $filename = "/etc/pve/firewall/groups.fw";
ruleset_create_chain($ruleset, "PVEFW-INPUT");
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
my $hostfw_options = {};
- my $hostfw_conf;
+ my $hostfw_conf = {};
$filename = "/etc/pve/local/host.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
generate_std_chains($ruleset, $hostfw_options);
- my $hostfw_enable = $hostfw_conf &&
- !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
+ my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
my $conf = $vmdata->{qemu}->{$vmid};
- my $vmfw_conf = $rules->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
next if !$vmfw_conf;
next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
$bridge .= "v$net->{tag}" if $net->{tag};
- generate_bridge_chains($ruleset, $bridge);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge);
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
}
}
- return $ruleset;
+ return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
}
sub get_ruleset_status {
die "unable to apply firewall changes\n" if $errors;
}
+sub update_nf_conntrack_max {
+ my ($hostfw_conf) = @_;
+
+ my $max = 65536; # reasonable default
+
+ my $options = $hostfw_conf->{options} || {};
+
+ if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
+ $max = $options->{nf_conntrack_max};
+ $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192
+ }
+
+ my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
+ my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";
+
+ my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);
+
+ if ($current != $max) {
+ my $hashsize = int($max/4);
+ PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
+ PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
+ }
+}
+
sub update {
my ($start, $verbose) = @_;
my $code = sub {
my $status = read_pvefw_status();
- my $ruleset = PVE::Firewall::compile();
+ my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
+
+ update_nf_conntrack_max($hostfw_conf);
if ($start || $status eq 'active') {
projects / pve-firewall.git / blobdiff