use PVE::Firewall;
use Getopt::Long;
use File::Basename;
+use Net::IP;
my $mark;
my $trace;
return ($dev =~ m/^${devre}$/) ? 1 : 0;
}
+sub ipset_match {
+ my ($ipsetname, $ipset, $ipaddr) = @_;
+
+ my $ip = Net::IP->new($ipaddr);
+
+ foreach my $entry (@$ipset) {
+ next if $entry =~ m/^create/; # simply ignore
+ if ($entry =~ m/add \S+ (\S+)$/) {
+ my $test = Net::IP->new($1);
+ if ($test->overlaps($ip)) {
+ add_trace("IPSET $ipsetname match $ipaddr\n");
+ return 1;
+ }
+ } else {
+ die "implement me";
+ }
+ }
+
+ return 0;
+}
+
sub rule_match {
- my ($chain, $rule, $pkg) = @_;
+ my ($ipset_ruleset, $chain, $rule, $pkg) = @_;
$rule =~ s/^-A $chain // || die "got strange rule: $rule";
- if ($rule =~ s/^-m conntrack\s*//) {
- return undef; # simply ignore
- }
+ while (length($rule)) {
- if ($rule =~ s/^-m addrtype\s*//) {
- return undef; # simply ignore
- }
+ if ($rule =~ s/^-m conntrack\s*//) {
+ return undef; # simply ignore
+ }
- if ($rule =~ s/^-i (\S+)\s*//) {
- my $devre = $1;
- die "missing iface_in" if !$pkg->{iface_in};
- return undef if !nf_dev_match($devre, $pkg->{iface_in});
- }
- if ($rule =~ s/^-o (\S+)\s*//) {
- my $devre = $1;
- die "missing iface_out" if !$pkg->{iface_out};
- return undef if !nf_dev_match($devre, $pkg->{iface_out});
- }
+ if ($rule =~ s/^-m addrtype\s*//) {
+ return undef; # simply ignore
+ }
- if ($rule =~ s/^-p (tcp|udp)\s*//) {
- die "missing proto" if !$pkg->{proto};
- return undef if $pkg->{proto} ne $1; # no match
- }
+ if ($rule =~ s/^-i (\S+)\s*//) {
+ my $devre = $1;
+ die "missing iface_in" if !$pkg->{iface_in};
+ return undef if !nf_dev_match($devre, $pkg->{iface_in});
+ next;
+ }
- if ($rule =~ s/^--dport (\d+):(\d+)\s*//) {
- die "missing dport" if !$pkg->{dport};
- return undef if ($pkg->{dport} < $1) || ($pkg->{dport} > $2); # no match
- }
+ if ($rule =~ s/^-o (\S+)\s*//) {
+ my $devre = $1;
+ die "missing iface_out" if !$pkg->{iface_out};
+ return undef if !nf_dev_match($devre, $pkg->{iface_out});
+ next;
+ }
- if ($rule =~ s/^--dport (\d+)\s*//) {
- die "missing dport" if !$pkg->{dport};
- return undef if $pkg->{dport} != $1; # no match
- }
+ if ($rule =~ s/^-p (tcp|udp)\s*//) {
+ die "missing proto" if !$pkg->{proto};
+ return undef if $pkg->{proto} ne $1; # no match
+ next;
+ }
- if ($rule =~ s/^-s (\S+)\s*//) {
- die "missing source" if !$pkg->{source};
- return undef if $pkg->{source} ne $1; # no match
- }
+ if ($rule =~ s/^--dport (\d+):(\d+)\s*//) {
+ die "missing dport" if !$pkg->{dport};
+ return undef if ($pkg->{dport} < $1) || ($pkg->{dport} > $2); # no match
+ next;
+ }
+
+ if ($rule =~ s/^--dport (\d+)\s*//) {
+ die "missing dport" if !$pkg->{dport};
+ return undef if $pkg->{dport} != $1; # no match
+ next;
+ }
+
+ if ($rule =~ s/^-s (\S+)\s*//) {
+ die "missing source" if !$pkg->{source};
+ my $ip = Net::IP->new($1);
+ return undef if !$ip->overlaps(Net::IP->new($pkg->{source})); # no match
+ next;
+ }
- if ($rule =~ s/^-d (\S+)\s*//) {
- die "missing destination" if !$pkg->{dest};
- return undef if $pkg->{dest} ne $1; # no match
- }
+ if ($rule =~ s/^-d (\S+)\s*//) {
+ die "missing destination" if !$pkg->{dest};
+ my $ip = Net::IP->new($1);
+ return undef if !$ip->overlaps(Net::IP->new($pkg->{dest})); # no match
+ next;
+ }
- if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
- die "missing source mac" if !$pkg->{mac_source};
- return undef if $pkg->{mac_source} eq $1; # no match
- }
+ if ($rule =~ s/^-m set --match-set (\S+) src\s*//) {
+ die "missing source" if !$pkg->{source};
+ my $ipset = $ipset_ruleset->{$1};
+ die "no such ip set '$1'" if !$ipset;
+ return undef if !ipset_match($1, $ipset, $pkg->{source});
+ next;
+ }
- if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
- my $devre = $1;
- return undef if !$pkg->{physdev_in};
- return undef if !nf_dev_match($devre, $pkg->{physdev_in});
- }
+ if ($rule =~ s/^-m set --match-set (\S+) dst\s*//) {
+ die "missing destination" if !$pkg->{dest};
+ my $ipset = $ipset_ruleset->{$1};
+ die "no such ip set '$1'" if !$ipset;
+ return undef if !ipset_match($1, $ipset, $pkg->{dest});
+ next;
+ }
- if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
- my $devre = $1;
- return undef if !$pkg->{physdev_out};
- return undef if !nf_dev_match($devre, $pkg->{physdev_out});
- }
+ if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
+ die "missing source mac" if !$pkg->{mac_source};
+ return undef if $pkg->{mac_source} eq $1; # no match
+ next;
+ }
- if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
- $mark = $1;
- return undef;
- }
+ if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
+ my $devre = $1;
+ return undef if !$pkg->{physdev_in};
+ return undef if !nf_dev_match($devre, $pkg->{physdev_in});
+ next;
+ }
- if ($rule =~ s/^-j (\S+)\s*$//) {
- return (0, $1);
- }
+ if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
+ my $devre = $1;
+ return undef if !$pkg->{physdev_out};
+ return undef if !nf_dev_match($devre, $pkg->{physdev_out});
+ next;
+ }
+
+ if ($rule =~ s/^-m mark --mark (\d+)\s*//) {
+ return undef if !defined($mark) || $mark != $1;
+ next;
+ }
+
+ # final actions
+
+ if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
+ $mark = $1;
+ return undef;
+ }
- if ($rule =~ s/^-g (\S+)\s*$//) {
- return (1, $1);
+ if ($rule =~ s/^-j (\S+)\s*$//) {
+ return (0, $1);
+ }
+
+ if ($rule =~ s/^-g (\S+)\s*$//) {
+ return (1, $1);
+ }
+
+ if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) {
+ return undef;
+ }
+
+ last;
}
die "unable to parse rule: $rule";
}
sub ruleset_simulate_chain {
- my ($ruleset, $chain, $pkg) = @_;
+ my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_;
add_trace("ENTER chain $chain\n");
foreach my $rule (@$rules) {
$counter++;
- my ($goto, $action) = rule_match($chain, $rule, $pkg);
+ my ($goto, $action) = rule_match($ipset_ruleset, $chain, $rule, $pkg);
if (!defined($action)) {
add_trace("SKIP: $rule\n");
next;
} else {
if ($goto) {
add_trace("LEAVE chain $chain - goto $action\n");
- return ruleset_simulate_chain($ruleset, $action, $pkg)
+ return ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg)
#$chain = $action;
#$rules = $ruleset->{$chain} || die "no such chain '$chain'";
} else {
- my ($act, $ctr) = ruleset_simulate_chain($ruleset, $action, $pkg);
+ my ($act, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg);
$counter += $ctr;
return ($act, $counter) if $act;
add_trace("CONTINUE chain $chain\n");
add_trace("IPT check at $route_state (chain $chain)\n");
add_trace(Dumper($pkg));
$ipt_invocation_counter++;
- my ($res, $ctr) = ruleset_simulate_chain($ruleset, $chain, $pkg);
+ my ($res, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $chain, $pkg);
$rule_check_counter += $ctr;
return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
}
sub simulate_firewall {
my ($ruleset, $ipset_ruleset, $vmdata, $test) = @_;
- my $from = delete $test->{from} || die "missing 'from' field";
- my $to = delete $test->{to} || die "missing 'to' field";
- my $action = delete $test->{action} || die "missing 'action'";
+ my $from = $test->{from} || die "missing 'from' field";
+ my $to = $test->{to} || die "missing 'to' field";
+ my $action = $test->{action} || die "missing 'action'";
- my $testid = delete $test->{id};
+ my $testid = $test->{id};
die "from/to needs to be different" if $from eq $to;
};
while (my ($k,$v) = each %$test) {
+ next if $k eq 'from';
+ next if $k eq 'to';
+ next if $k eq 'action';
+ next if $k eq 'id';
die "unknown attribute '$k'\n" if !exists($pkg->{$k});
$pkg->{$k} = $v;
}
my $vmid = $1;
$from_info = extract_ct_info($vmdata, $vmid);
if ($from_info->{ip_address}) {
- $pkg->{source} = $from_info->{ip_address};
+ $pkg->{source} = $from_info->{ip_address} if !defined($pkg->{source});
$start_state = 'venet-out';
} else {
die "implement me";
die "unable to parse \"from => '$from'\"\n";
}
+ $pkg->{source} = '100.200.3.4' if !defined($pkg->{source});
+
my $target;
if ($to eq 'host') {
$trace = '';
print Dumper($ruleset) if $debug;
$testcount++;
- eval { simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); };
+ eval {
+ my @test_zones = qw(host outside nfvm vm100 ct200);
+ if (!defined($test->{from}) && !defined($test->{to})) {
+ die "missing zone speification (from, to)\n";
+ } elsif (!defined($test->{to})) {
+ foreach my $zone (@test_zones) {
+ next if $zone eq $test->{from};
+ $test->{to} = $zone;
+ add_trace("Set Zone: to => '$zone'\n");
+ simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test);
+ }
+ } elsif (!defined($test->{from})) {
+ foreach my $zone (@test_zones) {
+ next if $zone eq $test->{to};
+ $test->{from} = $zone;
+ add_trace("Set Zone: from => '$zone'\n");
+ simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test);
+ }
+ } else {
+ simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test);
+ }
+ };
if (my $err = $@) {
print Dumper($ruleset) if !$debug;
projects / pve-firewall.git / blobdiff