use POSIX;
use Data::Dumper;
use Digest::SHA;
+use Socket qw(AF_INET6 inet_ntop inet_pton);
use PVE::INotify;
use PVE::Exception qw(raise raise_param_exc);
use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Cluster;
use PVE::ProcFSTools;
-use PVE::Tools qw($IPV4RE);
+use PVE::Tools qw($IPV4RE $IPV6RE);
use File::Basename;
use File::Path;
use IO::File;
my $max_ipset_name_length = 64;
my $max_group_name_length = 20;
-PVE::JSONSchema::register_format('IPv4orCIDR', \&pve_verify_ipv4_or_cidr);
-sub pve_verify_ipv4_or_cidr {
+PVE::JSONSchema::register_format('IPorCIDR', \&pve_verify_ip_or_cidr);
+sub pve_verify_ip_or_cidr {
my ($cidr, $noerr) = @_;
- if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) {
+ if ($cidr =~ m!^(?:$IPV6RE|$IPV4RE)(/(\d+))?$!) {
return $cidr if Net::IP->new($cidr);
return undef if $noerr;
die Net::IP::Error() . "\n";
die "value does not look like a valid IP address or CIDR network\n";
}
-PVE::JSONSchema::register_format('IPv4orCIDRorAlias', \&pve_verify_ipv4_or_cidr_or_alias);
-sub pve_verify_ipv4_or_cidr_or_alias {
+PVE::JSONSchema::register_format('IPorCIDRorAlias', \&pve_verify_ip_or_cidr_or_alias);
+sub pve_verify_ip_or_cidr_or_alias {
my ($cidr, $noerr) = @_;
return if $cidr =~ m/^(?:$ip_alias_pattern)$/;
- if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) {
- return $cidr if Net::IP->new($cidr);
- return undef if $noerr;
- die Net::IP::Error() . "\n";
- }
- return undef if $noerr;
- die "value does not look like a valid IP address or CIDR network\n";
+ return pve_verify_ip_or_cidr($cidr, $noerr);
}
PVE::JSONSchema::register_standard_option('ipset-name', {
my $pve_fw_macro_descr;
my $pve_fw_preferred_macro_names = {};
-my $pve_std_chains = {
+my $pve_std_chains = {};
+$pve_std_chains->{4} = {
'PVEFW-SET-ACCEPT-MARK' => [
"-j MARK --set-mark 1",
],
return $__local_network;
}
-my $max_iptables_ipset_name_length = 27;
+# ipset names are limited to 31 characters,
+# and we use '-v4' or '-v6' to indicate IP versions,
+# and we use '_swap' suffix for atomic update,
+# for example PVEFW-${VMID}-${ipset_name}_swap
+
+my $max_iptables_ipset_name_length = 31 - length("_swap") - length("-v4");
sub compute_ipset_chain_name {
my ($vmid, $ipset_name) = @_;
my $id = "$vmid-${ipset_name}";
-
if ((length($id) + 6) > $max_iptables_ipset_name_length) {
$id = PVE::Tools::fnv31a_hex($id);
}
return "PVEFW-$id";
}
+sub compute_ipfilter_ipset_name {
+ my ($iface) = @_;
+
+ return "ipfilter-$iface";
+}
+
sub parse_address_list {
my ($str) = @_;
my $count = 0;
my $iprange = 0;
+ my $ipversion;
+
foreach my $elem (split(/,/, $str)) {
$count++;
- if (!Net::IP->new($elem)) {
+ my $ip = Net::IP->new($elem);
+ if (!$ip) {
my $err = Net::IP::Error();
die "invalid IP address: $err\n";
}
$iprange = 1 if $elem =~ m/-/;
+
+ my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;
+
+ die "detected mixed ipv4/ipv6 addresses in address list '$str'\n"
+ if $ipversion && ($new_ipversion != $ipversion);
+
+ $ipversion = $new_ipversion;
}
- die "you can use a range in a list\n" if $iprange && $count > 1;
+ die "you can't use a range in a list\n" if $iprange && $count > 1;
+
+ return $ipversion;
}
sub parse_port_name_number_or_range {
return $portstr;
}
-PVE::JSONSchema::register_format('pve-fw-v4addr-spec', \&pve_fw_verify_v4addr_spec);
-sub pve_fw_verify_v4addr_spec {
+PVE::JSONSchema::register_format('pve-fw-addr-spec', \&pve_fw_verify_addr_spec);
+sub pve_fw_verify_addr_spec {
my ($list) = @_;
parse_address_list($list);
},
iface => get_standard_option('pve-iface', { optional => 1 }),
source => {
- type => 'string', format => 'pve-fw-v4addr-spec',
+ type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
},
dest => {
- type => 'string', format => 'pve-fw-v4addr-spec',
+ type => 'string', format => 'pve-fw-addr-spec',
optional => 1,
},
proto => {
};
my $check_ipset_or_alias_property = sub {
- my ($name) = @_;
+ my ($name, $expected_ipversion) = @_;
if (my $value = $rule->{$name}) {
if ($value =~ m/^\+/) {
} elsif ($value =~ m/^${ip_alias_pattern}$/){
my $alias = lc($value);
&$add_error($name, "no such alias '$value'")
- if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}))
+ if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}));
+
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+
+ die "detected mixed ipv4/ipv6 adresses in rule\n"
+ if $expected_ipversion && ($expected_ipversion != $e->{ipversion});
}
}
};
if !$rule->{proto};
}
+ my $ipversion;
+
if ($rule->{source}) {
- eval { parse_address_list($rule->{source}); };
+ eval { $ipversion = parse_address_list($rule->{source}); };
&$add_error('source', $@) if $@;
- &$check_ipset_or_alias_property('source');
+ &$check_ipset_or_alias_property('source', $ipversion);
}
if ($rule->{dest}) {
- eval { parse_address_list($rule->{dest}); };
+ eval {
+ my $dest_ipversion = parse_address_list($rule->{dest});
+ die "detected mixed ipv4/ipv6 adresses in rule\n"
+ if $ipversion && $dest_ipversion && ($dest_ipversion != $ipversion);
+ $ipversion = $dest_ipversion if $dest_ipversion;
+ };
&$add_error('dest', $@) if $@;
- &$check_ipset_or_alias_property('dest');
+ &$check_ipset_or_alias_property('dest', $ipversion);
}
if ($rule->{macro} && !$error_count) {
}
$rule->{errors} = $errors if $error_count;
+ $rule->{ipversion} = $ipversion if $ipversion;
return $rule;
}
return $rule;
}
+sub rules_modify_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+ }
+ }
+
+ return undef;
+}
+
+sub rules_audit_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ }
+ }
+
+ return undef;
+}
+
# core functions
my $bridge_firewall_enabled = 0;
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
+ if ($ipfilter_ipset) {
+ ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ }
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
sub ruleset_add_group_rule {
- my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action) = @_;
+ my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action, $ipversion) = @_;
my $group = $rule->{action};
my $group_chain = "GROUP-$group-$direction";
if(!ruleset_chain_exist($ruleset, $group_chain)){
- generate_group_rules($ruleset, $cluster_conf, $group);
+ generate_group_rules($ruleset, $cluster_conf, $group, $ipversion);
}
if ($direction eq 'OUT' && $rule->{iface_out}) {
}
sub ruleset_generate_vm_rules {
- my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options) = @_;
+ my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options, $ipversion) = @_;
my $lc_direction = lc($direction);
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
next if !$rule->{enable} || $rule->{errors};
+ next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
+
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
- $direction eq 'OUT' ? 'RETURN' : $in_accept);
+ $direction eq 'OUT' ? 'RETURN' : $in_accept, $ipversion);
} else {
next if $rule->{type} ne $lc_direction;
eval {
}
sub generate_venet_rules_direction {
- my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
+ my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction, $ipversion) = @_;
my $lc_direction = lc($direction);
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, undef, $direction);
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction, undef, $ipversion);
# implement policy
my $policy;
}
sub generate_tap_rules_direction {
- my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
+ my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction, $ipversion) = @_;
my $lc_direction = lc($direction);
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+ my $ipfilter_name = compute_ipfilter_ipset_name($netid);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name)
+ if $vmfw_conf->{ipset}->{$ipfilter_name};
- ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
+ # create chain with mac and ip filter
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction);
- ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
+ if ($options->{enable}) {
+ ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion);
- # implement policy
- my $policy;
+ ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
- if ($direction eq 'OUT') {
- $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
- } else {
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ } else {
$policy = $options->{policy_in} || 'DROP'; # allow nothing by default
- }
+ }
- my $accept = generate_nfqueue($options);
- my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
- ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
+ my $accept = generate_nfqueue($options);
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+ ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
+ } else {
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : 'ACCEPT';
+ ruleset_add_chain_policy($ruleset, $tapchain, $vmid, 'ACCEPT', $loglevel, $accept_action);
+ }
# plug the tap chain to bridge chain
if ($direction eq 'IN') {
}
sub enable_host_firewall {
- my ($ruleset, $hostfw_conf, $cluster_conf) = @_;
+ my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion) = @_;
my $options = $hostfw_conf->{options};
my $cluster_options = $cluster_conf->{options};
eval {
if ($rule->{type} eq 'group') {
- ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
+ ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action, $ipversion);
} elsif ($rule->{type} eq 'in') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
undef, $cluster_conf, $hostfw_conf);
$rule->{iface_out} = $rule->{iface} if $rule->{iface};
eval {
if ($rule->{type} eq 'group') {
- ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
+ ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action, $ipversion);
} elsif ($rule->{type} eq 'out') {
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
undef, $cluster_conf, $hostfw_conf);
}
sub generate_group_rules {
- my ($ruleset, $cluster_conf, $group) = @_;
+ my ($ruleset, $cluster_conf, $group, $ipversion) = @_;
my $rules = $cluster_conf->{groups}->{$group};
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
+ next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
foreach my $rule (@$rules) {
next if $rule->{type} ne 'out';
+ next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
# check also other tap rules later
ruleset_generate_rule($ruleset, $chain, $rule,
sub resolve_alias {
my ($clusterfw_conf, $fw_conf, $cidr) = @_;
- if ($cidr !~ m/^\d/) {
- my $alias = lc($cidr);
- my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
- $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
- return $e->{cidr} if $e;
-
- die "no such alias '$cidr'\n";
+ my $alias = lc($cidr);
+ my $e = $fw_conf->{aliases}->{$alias} if $fw_conf;
+ $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
+
+ die "no such alias '$cidr'\n" if !$e;;
+
+ return wantarray ? ($e->{cidr}, $e->{ipversion}) : $e->{cidr};
+}
+
+sub parse_ip_or_cidr {
+ my ($cidr) = @_;
+
+ my $ipversion;
+
+ if ($cidr =~ m!^(?:$IPV6RE)(/(\d+))?$!) {
+ $cidr =~ s|/128$||;
+ $ipversion = 6;
+ } elsif ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) {
+ $cidr =~ s|/32$||;
+ $ipversion = 4;
+ } else {
+ die "value does not look like a valid IP address or CIDR network\n";
}
- return $cidr;
+ return wantarray ? ($cidr, $ipversion) : $cidr;
}
sub parse_alias {
if ($line =~ m/^(\S+)\s(\S+)$/) {
my ($name, $cidr) = ($1, $2);
- $cidr =~ s|/32$||;
- pve_verify_ipv4_or_cidr($cidr);
+ my $ipversion;
+
+ ($cidr, $ipversion) = parse_ip_or_cidr($cidr);
+
my $data = {
name => $name,
cidr => $cidr,
+ ipversion => $ipversion,
};
$data->{comment} = $comment if $comment;
return $data;
if ($cidr =~ m/^${ip_alias_pattern}$/) {
resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
} else {
- $cidr =~ s|/32$||;
- pve_verify_ipv4_or_cidr_or_alias($cidr);
+ $cidr = parse_ip_or_cidr($cidr);
}
};
if (my $err = $@) {
}
sub generate_std_chains {
- my ($ruleset, $options) = @_;
+ my ($ruleset, $options, $ipversion) = @_;
+
+ my $std_chains = $pve_std_chains->{$ipversion} || die "internal error";
my $loglevel = get_option_log_level($options, 'smurf_log_level');
- # same as shorewall smurflog.
- my $chain = 'PVEFW-smurflog';
- $pve_std_chains->{$chain} = [];
+ my $chain;
- push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
- push @{$pve_std_chains->{$chain}}, "-j DROP";
+ if ($ipversion == 4) {
+ # same as shorewall smurflog.
+ $chain = 'PVEFW-smurflog';
+ $std_chains->{$chain} = [];
+
+ push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
+ push @{$std_chains->{$chain}}, "-j DROP";
+ }
# same as shorewall logflags action.
$loglevel = get_option_log_level($options, 'tcp_flags_log_level');
$chain = 'PVEFW-logflags';
- $pve_std_chains->{$chain} = [];
+ $std_chains->{$chain} = [];
# fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG)
- push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
- push @{$pve_std_chains->{$chain}}, "-j DROP";
+ push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel;
+ push @{$std_chains->{$chain}}, "-j DROP";
- foreach my $chain (keys %$pve_std_chains) {
+ foreach my $chain (keys %$std_chains) {
ruleset_create_chain($ruleset, $chain);
- foreach my $rule (@{$pve_std_chains->{$chain}}) {
+ foreach my $rule (@{$std_chains->{$chain}}) {
if (ref($rule)) {
ruleset_generate_rule($ruleset, $chain, $rule);
} else {
die "duplicate ipset chain '$name'\n" if defined($ipset_ruleset->{$name});
- my $hashsize = scalar(@$options);
- if ($hashsize <= 64) {
- $hashsize = 64;
- } else {
- $hashsize = round_powerof2($hashsize);
- }
-
- $ipset_ruleset->{$name} = ["create $name hash:net family inet hashsize $hashsize maxelem $hashsize"];
+ $ipset_ruleset->{$name} = ["create $name list:set size 4"];
# remove duplicates
my $nethash = {};
foreach my $entry (@$options) {
next if $entry->{errors}; # skip entries with errors
eval {
- my $cidr = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
- $nethash->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
+ my ($cidr, $ipversion);
+ if ($entry->{cidr} =~ m/^${ip_alias_pattern}$/) {
+ ($cidr, $ipversion) = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
+ } else {
+ ($cidr, $ipversion) = parse_ip_or_cidr($entry->{cidr});
+ }
+ #http://backreference.org/2013/03/01/ipv6-address-normalization/
+ if ($ipversion == 6) {
+ my $ipv6 = inet_pton(AF_INET6, lc($cidr));
+ $cidr = inet_ntop(AF_INET6, $ipv6);
+ $cidr =~ s|/128$||;
+ } else {
+ $cidr =~ s|/32$||;
+ }
+
+ $nethash->{$ipversion}->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
};
warn $@ if $@;
}
- foreach my $cidr (sort keys %$nethash) {
- my $entry = $nethash->{$cidr};
+ foreach my $ipversion (sort keys %$nethash) {
+ my $data = $nethash->{$ipversion};
+ my $subname = "$name-v$ipversion";
+
+ my $hashsize = scalar(@$options);
+ if ($hashsize <= 64) {
+ $hashsize = 64;
+ } else {
+ $hashsize = round_powerof2($hashsize);
+ }
+
+ my $family = $ipversion == "6" ? "inet6" : "inet";
+
+ $ipset_ruleset->{$subname} = ["create $subname hash:net family $family hashsize $hashsize maxelem $hashsize"];
- my $cmd = "add $name $cidr";
- if ($entry->{nomatch}) {
- if ($feature_ipset_nomatch) {
- push @{$ipset_ruleset->{$name}}, "$cmd nomatch";
+ foreach my $cidr (sort keys %$data) {
+ my $entry = $data->{$cidr};
+
+ my $cmd = "add $subname $cidr";
+ if ($entry->{nomatch}) {
+ if ($feature_ipset_nomatch) {
+ push @{$ipset_ruleset->{$subname}}, "$cmd nomatch";
+ } else {
+ warn "ignore !$cidr - nomatch not supported by kernel\n";
+ }
} else {
- warn "ignore !$cidr - nomatch not supported by kernel\n";
+ push @{$ipset_ruleset->{$subname}}, $cmd;
}
- } else {
- push @{$ipset_ruleset->{$name}}, $cmd;
}
+
+ push @{$ipset_ruleset->{$name}}, "add $name $subname";
}
}
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
+ my ($ruleset, $ipset_ruleset) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
+ return ($ruleset, $ipset_ruleset);
+}
+
+sub compile_iptables_filter {
+ my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion, $verbose) = @_;
+
$cluster_conf->{ipset}->{venet0} = [];
my $venet0_ipset_chain = compute_ipset_chain_name(0, 'venet0');
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -m set --match-set ${venet0_ipset_chain} dst -j PVEFW-VENET-IN");
- generate_std_chains($ruleset, $hostfw_options);
+ generate_std_chains($ruleset, $hostfw_options, $ipversion);
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
my $ipset_ruleset = {};
- if ($hostfw_enable) {
- eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
+ # currently pveproxy don't works with ipv6, so let's generate host fw ipv4 only for the moment
+ if ($hostfw_enable && ($ipversion == 4)) {
+ eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
warn $@ if $@; # just to be sure - should not happen
}
my $conf = $vmdata->{qemu}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
- return if !$vmfw_conf->{options}->{enable};
generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN');
+ $vmfw_conf, $vmid, 'IN', $ipversion);
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT');
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
}
};
warn $@ if $@; # just to be sure - should not happen
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
- return if !$vmfw_conf->{options}->{enable};
generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
- if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
- my $ip = $conf->{ip_address}->{value};
- $ip =~ s/\s+/,/g;
- parse_address_list($ip); # make sure we have a valid $ip list
+ if ($vmfw_conf->{options}->{enable}) {
+ if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
+ my $ip = $conf->{ip_address}->{value};
+ $ip =~ s/\s+/,/g;
- my @ips = split(',', $ip);
+ my @ips = ();
- foreach my $singleip (@ips) {
- my $venet0ipset = {};
- $venet0ipset->{cidr} = $singleip;
- push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
- }
+ foreach my $singleip (split(',', $ip)) {
+ my $singleip_ver = parse_address_list($singleip); # make sure we have a valid $ip list
+ push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $singleip };
+ push @ips, $singleip if $singleip_ver == $ipversion;
+ }
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ if (scalar(@ips)) {
+ my $ip_list = join(',', @ips);
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'IN', $ipversion);
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip_list, 'OUT', $ipversion);
+ }
+ }
}
if ($conf->{netif} && $conf->{netif}->{value}) {
my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
foreach my $netid (keys %$netif) {
my $d = $netif->{$netid};
-
+ my $bridge = $d->{bridge};
+ next if !$bridge || $bridge !~ m/^vmbr\d+(v(\d+))?f$/; # firewall enabled ?
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN');
+ $vmfw_conf, $vmid, 'IN', $ipversion);
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT');
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
}
}
};
$cmdlist .= "$cmd\n";
}
}
+ }
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
if ($stat->{action} eq 'update') {
my $chain_swap = $chain."_swap";
$cmdlist .= "flush $chain_swap\n";
$cmdlist .= "destroy $chain_swap\n";
}
-
}
- foreach my $chain (keys %$statushash) {
+ foreach my $chain (sort keys %$statushash) {
next if $statushash->{$chain}->{action} ne 'delete';
$delete_cmdlist .= "flush $chain\n";
projects / pve-firewall.git / blobdiff