my $nbaor = 0;
foreach my $aor (split(/,/, $str)) {
+ if($nbaor > 0 && $aor =~ m/-/){
+ die "you can use a range in a list";
+ }
if (!Net::IP->new($aor)) {
my $err = Net::IP::Error();
die "invalid IP address: $err\n";
$nbaor++;
}
}
- return $nbaor;
}
sub parse_port_name_number_or_range {
return if $line =~ m/^#/;
return if $line =~ m/^\s*$/;
- if ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) {
+ if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
my $chain = $1;
$line =~ s/\s+$//; # delete trailing white space
push @{$chains->{$chain}}, $line;
}
sub ruleset_generate_cmdstr {
- my ($ruleset, $chain, $rule, $actions, $goto) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
return if defined($rule->{enable}) && !$rule->{enable};
my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}) : 0;
my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}) : 0;
- my $nbsource = $rule->{source} ? parse_address_list( $rule->{source}) : 0;
- my $nbdest = $rule->{dest} ? parse_address_list($rule->{dest}) : 0;
my @cmd = ();
push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
- push @cmd, "-m iprange --src-range" if $nbsource > 1;
- push @cmd, "-s $rule->{source}" if $rule->{source};
- push @cmd, "-m iprange --dst-range" if $nbdest > 1;
- push @cmd, "-d $rule->{dest}" if $rule->{dest};
+ my $source = $rule->{source};
+ my $dest = $rule->{dest};
+
+ if ($source){
+ if($source =~ m/^(\+)(\S+)$/){
+ die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set PVEFW-$2 src";
+
+ }elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ push @cmd, "-m iprange --src-range $source";
+
+ }else{
+ push @cmd, "-s $source";
+ }
+ }
+
+ if ($dest){
+ if($dest =~ m/^(\+)(\S+)$/){
+ die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set PVEFW-$2 dst";
+
+ }elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ push @cmd, "-m iprange --dst-range $dest";
+
+ }else{
+ push @cmd, "-s $dest";
+ }
+ }
if ($rule->{proto}) {
push @cmd, "-p $rule->{proto}";
};
sub ruleset_generate_rule {
- my ($ruleset, $chain, $rule, $actions, $goto) = @_;
+ my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
my $rules;
}
foreach my $tmp (@$rules) {
- if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto)) {
+ if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf)) {
ruleset_addrule($ruleset, $chain, $cmdstr);
}
}
next if $rule->{type} ne $lc_direction;
if ($direction eq 'OUT') {
ruleset_generate_rule($ruleset, $chain, $rule,
- { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
+ { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
} else {
my $accept = generate_nfqueue($options);
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
}
}
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
# implement input policy
foreach my $rule (@$rules) {
next if $rule->{type} ne 'out';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
# implement output policy
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
$chain = "GROUP-${group}-OUT";
# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
# check also other tap rules later
ruleset_generate_rule($ruleset, $chain, $rule,
- { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" });
+ { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
}
parse_port_name_number_or_range($dport) if defined($dport);
parse_port_name_number_or_range($sport) if defined($sport);
-
- parse_address_list($source) if $source;
- parse_address_list($dest) if $dest;
+
+ parse_address_list($source) if $source && $source !~ m/^(\+)(\S+)$/;
+ parse_address_list($dest) if $dest && $dest !~ m/^(\+)(\S+)$/;
return {
type => $type,
next;
}
- if ($line =~ m/^\[netgroup\s+(\S+)\]\s*$/i) {
+ if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) {
$section = 'ipset';
$group = lc($1);
next;
};
my $format_options = sub {
- my ($raw, $options) = @_;
+ my ($options) = @_;
+
+ my $raw = '';
$raw .= "[OPTIONS]\n\n";
foreach my $opt (keys %$options) {
$raw .= "$opt: $options->{$opt}\n";
}
$raw .= "\n";
+
+ return $raw;
};
sub save_vmfw_conf {
my $raw = '';
my $options = $vmfw_conf->{options};
- &$format_options($raw, $options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if scalar(keys %$options);
my $rules = $vmfw_conf->{rules};
if (scalar(@$rules)) {
my ($ipset_ruleset, $fw_conf) = @_;
foreach my $ipset (keys %{$fw_conf->{ipset}}) {
- generate_ipset($ipset_ruleset, $ipset, $fw_conf->{ipset}->{$ipset});
+ generate_ipset($ipset_ruleset, "PVEFW-$ipset", $fw_conf->{ipset}->{$ipset});
}
}
my $raw = '';
my $options = $cluster_conf->{options};
- &$format_options($raw, $options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if scalar(keys %$options);
# fixme: save ipset
my $raw = '';
my $options = $hostfw_conf->{options};
- &$format_options($raw, $options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if scalar(keys %$options);
my $rules = $hostfw_conf->{rules};
if (scalar(@$rules)) {
projects / pve-firewall.git / blobdiff