use warnings;
use strict;
-use POSIX;
-use Data::Dumper;
use Digest::SHA;
+use Encode;
+use File::Basename;
+use File::Path;
+use IO::File;
+use Net::IP;
+use POSIX;
use Socket qw(AF_INET6 inet_ntop inet_pton);
-use PVE::INotify;
+use Storable qw(dclone);
+
+use PVE::Cluster;
use PVE::Exception qw(raise raise_param_exc);
+use PVE::INotify;
use PVE::JSONSchema qw(register_standard_option get_standard_option);
-use PVE::Cluster;
-use PVE::ProcFSTools;
-use PVE::Tools qw($IPV4RE $IPV6RE);
use PVE::Network;
+use PVE::ProcFSTools;
use PVE::SafeSyslog;
-use File::Basename;
-use File::Path;
-use IO::File;
-use Net::IP;
+use PVE::Tools qw($IPV4RE $IPV6RE);
use PVE::Tools qw(run_command lock_file dir_glob_foreach);
-use Encode;
-use Storable qw(dclone);
-my $hostfw_conf_filename = "/etc/pve/local/host.fw";
my $pvefw_conf_dir = "/etc/pve/firewall";
my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
};
my $nodename = PVE::INotify::nodename();
+my $hostfw_conf_filename = "/etc/pve/nodes/$nodename/host.fw";
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
#{ action => 'DROP', dest => '224.0.0.0/4' },
],
'PVEFW-reject' => [
- # same as shorewall 'reject'
- #{ action => 'DROP', dsttype => 'BROADCAST' },
- #{ action => 'DROP', source => '224.0.0.0/4' },
{ action => 'DROP', proto => 'icmpv6' },
{ match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
- #"-p udp -j REJECT --reject-with icmp-port-unreachable",
- #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
- #"-j REJECT --reject-with icmp-host-prohibited",
+ { match => '-p udp', target => '-j REJECT --reject-with icmp6-port-unreachable' },
+ { target => '-j REJECT --reject-with icmp6-adm-prohibited' },
],
'PVEFW-Drop' => [
# same as shorewall 'Drop', which is equal to DROP,
# plug the tap chain to bridge chain
if ($direction eq 'IN') {
ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
- "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
} else {
ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
- "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
}
}
sub generic_fw_config_parser {
my ($filename, $cluster_conf, $empty_conf, $rule_env) = @_;
- my $fh = IO::File->new($filename, O_RDONLY);
- return {} if !$fh;
-
my $section;
my $group;
my $res = $empty_conf;
- while (defined(my $line = <$fh>)) {
+ my $raw;
+ if ($filename =~ m!^/etc/pve/(.*)$!) {
+ $raw = PVE::Cluster::get_config($1);
+ } else {
+ $raw = eval { PVE::Tools::file_get_contents($filename) }; # ignore errors
+ }
+ return {} if !$raw;
+
+ my $linenr = 0;
+ while ($raw =~ /^\h*(.*?)\h*$/gm) {
+ my $line = $1;
+ $linenr++;
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
-
chomp $line;
- my $linenr = $fh->input_line_number();
my $prefix = "$filename (line $linenr)";
if ($empty_conf->{options} && ($line =~ m/^\[options\]$/i)) {
push(@$arpfilter, $ip);
}
}
- push(@$arpfilter, $net->{ip}) if $net->{ip} && $vmfw_conf->{options}->{ipfilter};
+ if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
+ # ebtables changes this to a .0/MASK network but we just
+ # want the address here, no network - see #2193
+ $ip =~ s|/(\d+)$||;
+ push @$arpfilter, $ip;
+ }
generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
}
};