use strict;
use warnings;
-use PVE::SafeSyslog;
-use PVE::Daemon;
-use Time::HiRes qw (gettimeofday);
-use PVE::Tools qw(dir_glob_foreach file_read_firstline);
-use PVE::ProcFSTools;
-use PVE::INotify;
+use Data::Dumper;
+use Time::HiRes qw (gettimeofday usleep);
+
+use PVE::CLIHandler;
use PVE::Cluster qw(cfs_read_file);
use PVE::Corosync;
+use PVE::Daemon;
+use PVE::INotify;
+use PVE::ProcFSTools;
use PVE::RPCEnvironment;
-use PVE::CLIHandler;
+use PVE::SafeSyslog;
+use PVE::Tools qw(dir_glob_foreach file_read_firstline);
+
use PVE::Firewall;
use PVE::FirewallSimulator;
-use Data::Dumper;
use base qw(PVE::Daemon);
my $nodename = PVE::INotify::nodename();
sub init {
-
PVE::Cluster::cfs_update();
PVE::Firewall::init();
}
-my $restart_request = 0;
-my $next_update = 0;
-
-my $cycle = 0;
+my ($next_update, $cycle, $restart_request) = (0, 0, 0);
my $updatetime = 10;
my $initial_memory_usage;
sub shutdown {
my ($self) = @_;
- syslog('info' , "server closing");
+ syslog('info' , "server shutting down");
# wait for children
1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
- syslog('info' , "clear firewall rules");
+ syslog('info' , "clear PVE-generated firewall rules");
eval { PVE::Firewall::remove_pvefw_chains(); };
warn $@ if $@;
local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
for (;;) { # forever
-
$next_update = time() + $updatetime;
my ($ccsec, $cusec) = gettimeofday ();
PVE::Cluster::cfs_update();
PVE::Firewall::update();
};
- my $err = $@;
-
- if ($err) {
+ if (my $err = $@) {
syslog('err', "status update error: $err");
}
- my ($ccsec_end, $cusec_end) = gettimeofday ();
+ my ($ccsec_end, $cusec_end) = gettimeofday();
my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
$initial_memory_usage = $mem->{resident};
} else {
my $diff = $mem->{resident} - $initial_memory_usage;
- if ($diff > 5*1024*1024) {
+ if ($diff > 5 * 1024 * 1024) {
syslog ('info', "restarting server after $cycle cycles to " .
"reduce memory usage (free $mem->{resident} ($diff) bytes)");
$self->restart_daemon();
$daemon->register_start_command("Start the Proxmox VE firewall service.");
$daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
-$daemon->register_stop_command("Stop firewall. This removes all Proxmox VE " .
- "related iptable rules. " .
- "The host is unprotected afterwards.");
+$daemon->register_stop_command(
+ "Stop the Proxmox VE firewall service. Note, stopping actively removes all Proxmox VE related"
+ ." iptable rules rendering the host potentially unprotected."
+);
__PACKAGE__->register_method ({
name => 'status',
PVE::Firewall::set_verbose(0); # do not show iptables details
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
- my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
- my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
+ my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{filter});
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6->{filter}, "ip6tables");
+ my (undef, $ruleset_changes_raw) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{raw}, undef, 'raw');
+ my (undef, $ruleset_changesv6_raw) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6->{raw}, "ip6tables", 'raw');
my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
- $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) ? 1 : 0;
+ $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes || $ruleset_changes_raw || $ruleset_changesv6_raw) ? 1 : 0;
}
return $res;
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
print "\niptables cmdlist:\n";
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{filter});
print "\nip6tables cmdlist:\n";
- my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6->{filter}, "ip6tables");
print "\nebtables cmdlist:\n";
my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
- if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) {
+ print "\niptables table raw cmdlist:\n";
+ my (undef, $ruleset_changes_raw) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{raw}, undef, 'raw');
+
+ print "\nip6tables table raw cmdlist:\n";
+ my (undef, $ruleset_changesv6_raw) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6->{raw}, "ip6tables", 'raw');
+
+
+ if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes || $ruleset_changes_raw || $ruleset_changesv6_raw) {
print "detected changes\n";
} else {
print "no changes\n";
if (!$cluster_conf->{options}->{enable}) {
print "firewall disabled\n";
}
-
};
PVE::Firewall::run_locked($code);
my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
print "network auto detect: $localnet\n";
- if ($cluster_conf->{aliases}->{local_network}) {
- print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
+ if (my $local_network = $cluster_conf->{aliases}->{local_network}) {
+ print "using user defined local_network: $local_network->{cidr}\n";
} else {
print "using detected local_network: $localnet\n";
}
PVE::Corosync::for_all_corosync_addresses($corosync_conf, undef, sub {
my ($curr_node_name, $curr_node_ip, undef, $key) = @_;
- if (!$corosync_node_found) {
- $corosync_node_found = 1;
- }
+ return if $curr_node_name eq $nodename;
+
+ $corosync_node_found = 1;
$key =~ m/(?:ring|link)(\d+)_addr/;
print " - $curr_node_name: $curr_node_ip (link: $1)\n";
name => 'simulate',
path => 'simulate',
method => 'GET',
- description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
+ description => "Simulate firewall rules. This does not simulates the kernel 'routing' table,"
+ ." but simply assumes that routing from source zone to destination zone is possible.",
parameters => {
additionalProperties => 0,
properties => {
my $host_ip = PVE::Cluster::remote_node_ip($nodename);
PVE::FirewallSimulator::reset_trace();
- print Dumper($ruleset) if $param->{verbose};
+ print Dumper($ruleset->{filter}) if $param->{verbose};
+ print Dumper($ruleset->{raw}) if $param->{verbose};
my $test = {
from => $param->{from},
$test->{action} = 'QUERY';
- my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
- $host_ip, $vmdata, $test);
+ my $res = PVE::FirewallSimulator::simulate_firewall(
+ $ruleset->{filter}, $ipset_ruleset, $host_ip, $vmdata, $test);
print "ACTION: $res\n";