use Net::IP;
use PVE::Tools qw(run_command lock_file dir_glob_foreach);
use Encode;
+use Storable qw(dclone);
my $hostfw_conf_filename = "/etc/pve/local/host.fw";
my $pvefw_conf_dir = "/etc/pve/firewall";
my $FWACCEPTMARK_OFF = "0x00000000/0x80000000";
my $pve_std_chains = {};
-$pve_std_chains->{4} = {
+my $pve_std_chains_conf = {};
+$pve_std_chains_conf->{4} = {
'PVEFW-SET-ACCEPT-MARK' => [
{ target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
],
# Drop packets with INVALID state
{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
# Drop Microsoft SMB noise
- { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
- { action => 'DROP', proto => 'udp', dport => '137:139'},
+ { action => 'DROP', proto => 'udp', dport => '135,445' },
+ { action => 'DROP', proto => 'udp', dport => '137:139' },
{ action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
- { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'tcp', dport => '135,139,445' },
{ action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
# Drop new/NotSyn traffic so that it doesn't get logged
{ action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
# Drop packets with INVALID state
{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
# Drop Microsoft SMB noise
- { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
{ action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
{ action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
- { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' },
{ action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
# Drop new/NotSyn traffic so that it doesn't get logged
{ action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
],
};
-$pve_std_chains->{6} = {
+$pve_std_chains_conf->{6} = {
'PVEFW-SET-ACCEPT-MARK' => [
{ target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
],
# Drop packets with INVALID state
{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
# Drop Microsoft SMB noise
- { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'DROP', proto => 'udp', dport => '135,445' },
{ action => 'DROP', proto => 'udp', dport => '137:139'},
{ action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
- { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'tcp', dport => '135,139,445' },
{ action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
# Drop new/NotSyn traffic so that it doesn't get logged
{ action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
# Drop packets with INVALID state
{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
# Drop Microsoft SMB noise
- { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
- { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '137:139' },
{ action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
- { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' },
{ action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
# Drop new/NotSyn traffic so that it doesn't get logged
{ action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
my $vmfw_configs;
+ # fixme: once we read standard chains from config this needs to be put in test/standard cases below
+ $pve_std_chains = dclone($pve_std_chains_conf);
+
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";