return $rules;
};
+my $rule_env_iface_lookup = {
+ 'ct' => 1,
+ 'vm' => 1,
+ 'group' => 0,
+ 'cluster' => 1,
+ 'host' => 1,
+};
+
sub verify_rule {
- my ($rule, $allow_groups, $noerr) = @_;
+ my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_;
+
+ my $allow_groups = $rule_env eq 'group' ? 0 : 1;
+
+ my $allow_iface = $rule_env_iface_lookup->{$rule_env};
+ die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
+
+ my $errors = $rule->{errors} || {};
- my $errors = {};
my $error_count = 0;
my $add_error = sub {
$errors->{$param} = $msg if !$errors->{$param};
};
+ my $check_ipset_or_alias_property = sub {
+ my ($name) = @_;
+
+ if (my $value = $rule->{$name}) {
+ if ($value =~ m/^\+/) {
+ if ($value =~ m/^\+(${security_group_name_pattern})$/) {
+ &$add_error($name, "no such ipset '$1'")
+ if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+
+ } else {
+ &$add_error($name, "invalid security group name '$value'");
+ }
+ } elsif ($value =~ m/^${ip_alias_pattern}$/){
+ my $alias = lc($value);
+ &$add_error($name, "no such alias '$value'")
+ if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}))
+ }
+ }
+ };
+
my $type = $rule->{type};
my $action = $rule->{action};
}
if ($rule->{iface}) {
+ &$add_error('type', "parameter -i not allowed for this rule type")
+ if !$allow_iface;
eval { PVE::JSONSchema::pve_verify_iface($rule->{iface}); };
&$add_error('iface', $@) if $@;
- }
+ if ($rule_env eq 'vm') {
+ &$add_error('iface', "value does not match the regex pattern 'net\\d+'")
+ if $rule->{iface} !~ m/^net(\d+)$/;
+ } elsif ($rule_env eq 'ct') {
+ &$add_error('iface', "value does not match the regex pattern '(venet|eth\\d+)'")
+ if $rule->{iface} !~ m/^(venet|eth(\d+))$/;
+ }
+ }
if ($rule->{macro}) {
if (my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}) {
if ($rule->{source}) {
eval { parse_address_list($rule->{source}); };
&$add_error('source', $@) if $@;
+ &$check_ipset_or_alias_property('source');
}
if ($rule->{dest}) {
eval { parse_address_list($rule->{dest}); };
&$add_error('dest', $@) if $@;
+ &$check_ipset_or_alias_property('dest');
}
- if ($rule->{macro}) {
+ if ($rule->{macro} && !$error_count) {
eval { &$apply_macro($rule->{macro}, $rule, 1); };
if (my $err = $@) {
if (ref($err) eq "PVE::Exception" && $err->{errors}) {
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
- next if !$rule->{enable};
+ next if !$rule->{enable} || $rule->{errors};
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
$direction eq 'OUT' ? 'RETURN' : $in_accept);
}
sub parse_fw_rule {
- my ($prefix, $line, $allow_iface, $allow_groups, $verbose) = @_;
+ my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
chomp $line;
while (length($line)) {
if ($line =~ s/^-i (\S+)\s*//) {
- die "parameter -i not allowed\n" if !$allow_iface;
$rule->{iface} = $1;
next;
}
die "unable to parse rule parameters: $line\n" if length($line);
- $rule = verify_rule($rule, $allow_groups, 1);
+ $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1);
if ($verbose && $rule->{errors}) {
warn "$prefix - errors in rule parameters: $orig_line\n";
foreach my $p (keys %{$rule->{errors}}) {
}
sub parse_vm_fw_rules {
- my ($filename, $fh, $verbose) = @_;
+ my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
my $res = {
rules => [],
}
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 1, 1, $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_host_fw_rules {
- my ($filename, $fh, $verbose) = @_;
+ my ($filename, $fh, $cluster_conf, $verbose) = @_;
my $res = { rules => [], options => {}};
}
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 1, 1, $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 'host', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
warn "$prefix: $@" if $@;
} elsif ($section eq 'rules') {
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 1, 1, $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'cluster', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
push @{$res->{$section}}, $rule;
} elsif ($section eq 'groups') {
my $rule;
- eval { $rule = parse_fw_rule($prefix, $line, 0, 0, $verbose); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'group', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
};
sub load_vmfw_conf {
- my ($vmid, $dir, $verbose) = @_;
+ my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
my $vmfw_conf = {};
my $filename = "$dir/$vmid.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $vmfw_conf = parse_vm_fw_rules($filename, $fh, $verbose);
+ $vmfw_conf = parse_vm_fw_rules($filename, $fh, $cluster_conf, $rule_env, $verbose);
}
return $vmfw_conf;
}
sub read_vm_firewall_configs {
- my ($vmdata, $dir, $verbose) = @_;
+ my ($cluster_conf, $vmdata, $dir, $verbose) = @_;
my $vmfw_configs = {};
- foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
- my $vmfw_conf = load_vmfw_conf($vmid, $dir, $verbose);
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose);
+ next if !$vmfw_conf->{options}; # skip if file does not exists
+ $vmfw_configs->{$vmid} = $vmfw_conf;
+ }
+ foreach my $vmid (keys %{$vmdata->{openvz}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose);
next if !$vmfw_conf->{options}; # skip if file does not exists
$vmfw_configs->{$vmid} = $vmfw_conf;
}
}
sub load_hostfw_conf {
- my ($filename, $verbose) = @_;
+ my ($cluster_conf, $filename, $verbose) = @_;
$filename = $hostfw_conf_filename if !defined($filename);
my $hostfw_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $hostfw_conf = parse_host_fw_rules($filename, $fh, $verbose);
+ $hostfw_conf = parse_host_fw_rules($filename, $fh, $cluster_conf, $verbose);
}
return $hostfw_conf;
}
$cluster_conf = load_clusterfw_conf($filename, $verbose);
$filename = "$testdir/host.fw";
- $hostfw_conf = load_hostfw_conf($filename, $verbose);
+ $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose);
- $vmfw_configs = read_vm_firewall_configs($vmdata, $testdir, $verbose);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose);
} else { # normal operation
$cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf;
- $hostfw_conf = load_hostfw_conf(undef, $verbose) if !$hostfw_conf;
+ $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf;
$vmdata = read_local_vm_config();
- $vmfw_configs = read_vm_firewall_configs($vmdata, undef, $verbose);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
-
$cluster_conf->{ipset}->{venet0} = [];
my $localnet;
projects / pve-firewall.git / blobdiff