my $pve_fw_macro_descr;
my $pve_fw_preferred_macro_names = {};
-my $pve_std_chains = {
+my $pve_std_chains = {};
+$pve_std_chains->{4} = {
'PVEFW-SET-ACCEPT-MARK' => [
"-j MARK --set-mark 1",
],
return $__local_network;
}
-my $max_iptables_ipset_name_length = 27;
+# ipset names are limited to 31 characters, and we use '_swap'
+# suffix for atomic update, for example PVEFW-${VMID}-${ipset_name}_swap
+
+my $max_iptables_ipset_name_length = 31 - length("_swap");
sub compute_ipset_chain_name {
my ($vmid, $ipset_name) = @_;
my $count = 0;
my $iprange = 0;
+ my $ipversion;
+
foreach my $elem (split(/,/, $str)) {
$count++;
- if (!Net::IP->new($elem)) {
+ my $ip = Net::IP->new($elem);
+ if (!$ip) {
my $err = Net::IP::Error();
die "invalid IP address: $err\n";
}
$iprange = 1 if $elem =~ m/-/;
+
+ my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;
+
+ die "detected mixed ipv4/ipv6 addresses in address list '$str'\n"
+ if defined($ipversion) && ($new_ipversion != $ipversion);
+
+ $ipversion = $new_ipversion;
}
- die "you can use a range in a list\n" if $iprange && $count > 1;
+ die "you can't use a range in a list\n" if $iprange && $count > 1;
+
+ return $ipversion;
}
sub parse_port_name_number_or_range {
return $portstr;
}
-PVE::JSONSchema::register_format('pve-fw-v4addr-spec', \&pve_fw_verify_v4addr_spec);
-sub pve_fw_verify_v4addr_spec {
+PVE::JSONSchema::register_format('pve-fw-addr-spec', \&pve_fw_verify_addr_spec);
+sub pve_fw_verify_addr_spec {
my ($list) = @_;
parse_address_list($list);
},
iface => get_standard_option('pve-iface', { optional => 1 }),
source => {
- type => 'string', format => 'pve-fw-v4addr-spec',
+ type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
},
dest => {
- type => 'string', format => 'pve-fw-v4addr-spec',
+ type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
},
proto => {
if !$rule->{proto};
}
+ my $ipversion;
+
if ($rule->{source}) {
- eval { parse_address_list($rule->{source}); };
+ eval { $ipversion = parse_address_list($rule->{source}); };
&$add_error('source', $@) if $@;
&$check_ipset_or_alias_property('source');
}
if ($rule->{dest}) {
- eval { parse_address_list($rule->{dest}); };
+ eval {
+ my $dest_ipversion = parse_address_list($rule->{dest});
+ die "detected mixed ipv4/ipv6 adresses in rule\n"
+ if defined($ipversion) && ($dest_ipversion != $ipversion);
+ $ipversion = $dest_ipversion;
+ };
&$add_error('dest', $@) if $@;
&$check_ipset_or_alias_property('dest');
}
}
$rule->{errors} = $errors if $error_count;
+ $rule->{ipversion} = $ipversion if $ipversion;
return $rule;
}
}
sub generate_std_chains {
- my ($ruleset, $options) = @_;
+ my ($ruleset, $options, $ipversion) = @_;
+
+ my $std_chains = $pve_std_chains->{$ipversion} || die "internal error";
my $loglevel = get_option_log_level($options, 'smurf_log_level');
- # same as shorewall smurflog.
- my $chain = 'PVEFW-smurflog';
- $pve_std_chains->{$chain} = [];
+ my $chain;
- push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
- push @{$pve_std_chains->{$chain}}, "-j DROP";
+ if ($ipversion == 4) {
+ # same as shorewall smurflog.
+ $chain = 'PVEFW-smurflog';
+ $std_chains->{$chain} = [];
+
+ push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
+ push @{$std_chains->{$chain}}, "-j DROP";
+ }
# same as shorewall logflags action.
$loglevel = get_option_log_level($options, 'tcp_flags_log_level');
$chain = 'PVEFW-logflags';
- $pve_std_chains->{$chain} = [];
+ $std_chains->{$chain} = [];
# fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG)
- push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
- push @{$pve_std_chains->{$chain}}, "-j DROP";
+ push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
+ push @{$std_chains->{$chain}}, "-j DROP";
- foreach my $chain (keys %$pve_std_chains) {
+ foreach my $chain (keys %$std_chains) {
ruleset_create_chain($ruleset, $chain);
- foreach my $rule (@{$pve_std_chains->{$chain}}) {
+ foreach my $rule (@{$std_chains->{$chain}}) {
if (ref($rule)) {
ruleset_generate_rule($ruleset, $chain, $rule);
} else {
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
+ my ($ruleset, $ipset_ruleset) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
+ return ($ruleset, $ipset_ruleset);
+}
+
+sub compile_iptables_filter {
+ my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion, $verbose) = @_;
+
$cluster_conf->{ipset}->{venet0} = [];
my $venet0_ipset_chain = compute_ipset_chain_name(0, 'venet0');
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -m set --match-set ${venet0_ipset_chain} dst -j PVEFW-VENET-IN");
- generate_std_chains($ruleset, $hostfw_options);
+ generate_std_chains($ruleset, $hostfw_options, $ipversion);
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
projects / pve-firewall.git / blobdiff