use warnings;
use strict;
-use POSIX;
-use Data::Dumper;
use Digest::SHA;
+use Encode;
+use File::Basename;
+use File::Path;
+use IO::File;
+use Net::IP;
+use POSIX;
use Socket qw(AF_INET6 inet_ntop inet_pton);
-use PVE::INotify;
+use Storable qw(dclone);
+
+use PVE::Cluster;
use PVE::Exception qw(raise raise_param_exc);
+use PVE::INotify;
use PVE::JSONSchema qw(register_standard_option get_standard_option);
-use PVE::Cluster;
-use PVE::ProcFSTools;
-use PVE::Tools qw($IPV4RE $IPV6RE);
use PVE::Network;
+use PVE::ProcFSTools;
use PVE::SafeSyslog;
-use File::Basename;
-use File::Path;
-use IO::File;
-use Net::IP;
+use PVE::Tools qw($IPV4RE $IPV6RE);
use PVE::Tools qw(run_command lock_file dir_glob_foreach);
-use Encode;
-use Storable qw(dclone);
-my $hostfw_conf_filename = "/etc/pve/local/host.fw";
my $pvefw_conf_dir = "/etc/pve/firewall";
my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
};
my $nodename = PVE::INotify::nodename();
+my $hostfw_conf_filename = "/etc/pve/nodes/$nodename/host.fw";
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
#{ action => 'DROP', dest => '224.0.0.0/4' },
],
'PVEFW-reject' => [
- # same as shorewall 'reject'
- #{ action => 'DROP', dsttype => 'BROADCAST' },
- #{ action => 'DROP', source => '224.0.0.0/4' },
{ action => 'DROP', proto => 'icmpv6' },
{ match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
- #"-p udp -j REJECT --reject-with icmp-port-unreachable",
- #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
- #"-j REJECT --reject-with icmp-host-prohibited",
+ { match => '-p udp', target => '-j REJECT --reject-with icmp6-port-unreachable' },
+ { target => '-j REJECT --reject-with icmp6-adm-prohibited' },
],
'PVEFW-Drop' => [
# same as shorewall 'Drop', which is equal to DROP,
# plug the tap chain to bridge chain
if ($direction eq 'IN') {
ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
- "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
} else {
ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
- "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
}
}
push(@$arpfilter, $ip);
}
}
- push(@$arpfilter, $net->{ip}) if $net->{ip} && $vmfw_conf->{options}->{ipfilter};
+ if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+ # ebtables changes this to a .0/MASK network but we just
+ # want the address here, no network - see #2193
+ $ip =~ s|/(\d+)$||;
+ push @$arpfilter, $ip;
+ }
generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
}
};