$have_lxc = 1;
};
-my $mark;
+my $mark = 0;
my $trace;
my $debug = 0;
sub debug {
my $new_value = shift;
-
$debug = $new_value if defined($new_value);
-
return $debug;
}
-
+
sub reset_trace {
$trace = '';
}
return undef if $cstate eq 'INVALID'; # no match
return undef if $cstate eq 'RELATED,ESTABLISHED'; # no match
-
+
next if $cstate =~ m/NEW/;
-
+
die "cstate test '$cstate' not implemented\n";
}
if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) {
my $atype = $1;
- die "missing source address type (srctype)\n"
+ die "missing source address type (srctype)\n"
if !$pkg->{srctype};
return undef if $atype ne $pkg->{srctype};
}
if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) {
my $atype = $1;
- die "missing destination address type (dsttype)\n"
+ die "missing destination address type (dsttype)\n"
if !$pkg->{dsttype};
return undef if $atype ne $pkg->{dsttype};
}
+ if ($rule =~ s/^-m icmp(v6)? --icmp-type (\S+)\s*//) {
+ my $icmpv6 = !!$1;
+ my $icmptype = $2;
+ die "missing destination address type (dsttype)\n" if !defined($pkg->{dport});
+ return undef if $icmptype ne $pkg->{dport};
+ }
+
if ($rule =~ s/^-i (\S+)\s*//) {
my $devre = $1;
die "missing interface (iface_in)\n" if !$pkg->{iface_in};
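Review bot: The die message in the new `-m icmp` block is copied from the dsttype check above it and names the wrong field: it says "missing destination address type (dsttype)" while the condition tests `$pkg->{dport}`, so a test author who forgets the port sees a misleading error; suggest `die "missing icmp type (dport)\n" if !defined($pkg->{dport});`. `my $icmpv6 = !!$1;` is assigned but never read, so the v4/v6 distinction is silently discarded — either drop the variable or use it to check the rule's family against the packet (I can't see from this hunk whether `$pkg` carries a protocol/family field, so that part would need confirming). The comparison `$icmptype ne $pkg->{dport}` is a plain string compare, which presumably means a rule written as a numeric type and a packet written as a symbolic name would not match; worth a comment stating that the test must use the same spelling as the rule. The enclosing function starts and ends outside this hunk.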
return undef if !$ip->overlaps(Net::IP->new($pkg->{source})); # no match
next;
}
-
+
if ($rule =~ s/^-d (\S+)\s*//) {
die "missing destination" if !$pkg->{dest};
my $ip = Net::IP->new($1);
if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) {
my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
- return undef if !defined($mark) || ($mark & $mask) != $value;
+ return undef if ($mark & $mask) != $value;
next;
}
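Review bot: Removing the `!defined($mark)` guard here depends on the new `my $mark = 0;` initialization at the top of the file being the only way `$mark` is ever reset; if any code outside this view (for example a per-test reset) assigns undef instead of 0, `$mark & $mask` would warn under `use warnings` and then match as mark 0. A one-line comment would make that contract explicit: `# $mark is always defined (initialised to 0); an unmarked packet legitimately matches --mark 0`. This also changes behaviour for rules testing mark 0, which now match an unmarked packet — that looks like the intended iptables semantics, but it is worth calling out in the commit description. The enclosing function starts and ends outside this hunk.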
}
if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) {
- return undef;
+ return undef;
}
last;
my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_;
add_trace("ENTER chain $chain\n");
-
+
my $counter = 0;
if ($chain eq 'PVEFW-Drop') {
next;
}
add_trace("MATCH: $rule\n");
-
+
if ($action eq 'ACCEPT' || $action eq 'DROP' || $action eq 'REJECT') {
add_trace("TERMINATE chain $chain: $action\n");
return ($action, $counter);
$pkg->{iface_out} = $from_info->{fwbr} || die 'internal error';
$pkg->{physdev_in} = $from_info->{tapdev} || die 'internal error';
$pkg->{physdev_out} = $from_info->{fwln} || die 'internal error';
-
+
} elsif ($route_state eq 'fwbr-in') {
$chain = 'PVEFW-FORWARD';
$pkg->{physdev_out} = $target->{tapdev} || die 'internal error';
} elsif ($route_state =~ m/^vmbr\d+$/) {
-
+
die "missing physdev_in - internal error?" if !$physdev_in;
$pkg->{physdev_in} = $physdev_in;
my ($res, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $chain, $pkg);
$rule_check_counter += $ctr;
return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
- }
+ }
$route_state = $next_route_state;
my $from = $test->{from} || die "missing 'from' field";
my $to = $test->{to} || die "missing 'to' field";
my $action = $test->{action} || die "missing 'action'";
-
+
my $testid = $test->{id};
-
+
die "from/to needs to be different" if $from eq $to;
my $pkg = {
return 'SKIPPED' if !$have_lxc;
my $vmid = $1;
$from_info = extract_ct_info($vmdata, $vmid, 0);
- $start_state = 'fwbr-out';
+ $start_state = 'fwbr-out';
$pkg->{mac_source} = $from_info->{macaddr};
} elsif ($from =~ m/^vm(\d+)(i(\d))?$/) {
return 'SKIPPED' if !$have_qemu_server;
my $vmid = $1;
my $netnum = $3 || 0;
$from_info = extract_vm_info($vmdata, $vmid, $netnum);
- $start_state = 'fwbr-out';
+ $start_state = 'fwbr-out';
$pkg->{mac_source} = $from_info->{macaddr};
} else {
die "unable to parse \"from => '$from'\"\n";
$pkg->{source} = '100.100.1.2' if !defined($pkg->{source});
$pkg->{dest} = '100.200.3.4' if !defined($pkg->{dest});
- my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg,
+ my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg,
$from_info, $target, $start_state);
add_trace("IPT statistics: invocation = $ic, checks = $rc\n");
-
+
return $res if $action eq 'QUERY';
die "test failed ($res != $action)\n" if $action ne $res;
- return undef;
+ return undef;
}
1;