X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=4dd83e90fa76bec7ea80117bfa710606ea8e85b2;hp=324a20dce997681b01744c5062802dd802c8fc02;hb=857f62c833a604eb8399467a94d325c1994367eb;hpb=780bcc0ffe61a9ad2e8237e86917ba7ed1ac225d diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index 324a20d..4dd83e9 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -3,7 +3,7 @@ package PVE::Firewall; use warnings; use strict; use Data::Dumper; -use Digest::MD5; +use Digest::SHA; use PVE::Tools; use PVE::QemuServer; use File::Path; @@ -15,22 +15,355 @@ use Data::Dumper; my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; -my $macros; +# todo: define more MACROS +# imported/converted from: /usr/share/shorewall/macro.* +my $pve_fw_macros = { + 'Amanda' => [ + { action => 'PARAM', proto => 'udp', dport => '10080' }, + { action => 'PARAM', proto => 'tcp', dport => '10080' }, + ], + 'Auth' => [ + { action => 'PARAM', proto => 'tcp', dport => '113' }, + ], + 'BGP' => [ + { action => 'PARAM', proto => 'tcp', dport => '179' }, + ], + 'BitTorrent' => [ + { action => 'PARAM', proto => 'tcp', dport => '6881:6889' }, + { action => 'PARAM', proto => 'udp', dport => '6881' }, + ], + 'BitTorrent32' => [ + { action => 'PARAM', proto => 'tcp', dport => '6881:6999' }, + { action => 'PARAM', proto => 'udp', dport => '6881' }, + ], + 'CVS' => [ + { action => 'PARAM', proto => 'tcp', dport => '2401' }, + ], + 'Citrix' => [ + { action => 'PARAM', proto => 'tcp', dport => '1494' }, + { action => 'PARAM', proto => 'udp', dport => '1604' }, + { action => 'PARAM', proto => 'tcp', dport => '2598' }, + ], + 'DAAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '3689' }, + { action => 'PARAM', proto => 'udp', dport => '3689' }, + ], + 'DCC' => [ + { action => 'PARAM', proto => 'tcp', dport => '6277' }, + ], + 'DHCPfwd' => [ + { action => 'PARAM', proto => 'udp', dport => '67:68', sport => '67:68' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '67:68', sport => '67:68' }, + ], + 'DNS' => [ + { action => 'PARAM', proto => 'udp', dport => '53' }, + { action => 'PARAM', proto => 'tcp', dport => '53' }, + ], + 'Distcc' => [ + { action => 'PARAM', proto => 'tcp', dport => '3632' }, + ], + 'Edonkey' => [ + { action => 'PARAM', proto => 'tcp', dport => '4662' }, + { action => 'PARAM', proto => 'udp', dport => '4665' }, + ], + 'FTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '21' }, + ], + 'Finger' => [ + { action => 'PARAM', proto => 'tcp', dport => '79' }, + ], + 'GNUnet' => [ + { action => 'PARAM', proto => 'tcp', dport => '2086' }, + { action => 'PARAM', proto => 'udp', dport => '2086' }, + { action => 'PARAM', proto => 'tcp', dport => '1080' }, + { action => 'PARAM', proto => 'udp', dport => '1080' }, + ], + 'GRE' => [ + { action => 'PARAM', proto => '47' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' }, + ], + 'Git' => [ + { action => 'PARAM', proto => 'tcp', dport => '9418' }, + ], + 'Gnutella' => [ + { action => 'PARAM', proto => 'tcp', dport => '6346' }, + { action => 'PARAM', proto => 'udp', dport => '6346' }, + ], + 'HKP' => [ + { action => 'PARAM', proto => 'tcp', dport => '11371' }, + ], + 'HTTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '80' }, + ], + 'HTTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '443' }, + ], + 'ICPV2' => [ + { action => 'PARAM', proto => 'udp', dport => '3130' }, + ], + 'ICQ' => [ + { action => 'PARAM', proto => 'tcp', dport => '5190' }, + ], + 'IMAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '143' }, + ], + 'IMAPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '993' }, + ], + 'IPIP' => [ + { action => 'PARAM', proto => '94' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '94' }, + ], + 'IPP' => [ + { action => 'PARAM', proto => 'tcp', dport => '631' }, + ], + 'IPPbrd' => [ + { action => 'PARAM', proto => 'udp', dport => '631' }, + ], + 'IPPserver' => [ + { action => 'PARAM', source => 'SOURCE', dest => 'DEST', proto => 'tcp', dport => '631' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '631' }, + ], + 'IPsec' => [ + { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', proto => '50' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' }, + ], + 'IPsecah' => [ + { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', proto => '51' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '51' }, + ], + 'IPsecnat' => [ + { action => 'PARAM', proto => 'udp', dport => '500' }, + { action => 'PARAM', proto => 'udp', dport => '4500' }, + { action => 'PARAM', proto => '50' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '4500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' }, + ], + 'IRC' => [ + { action => 'PARAM', proto => 'tcp', dport => '6667' }, + ], + 'JabberPlain' => [ + { action => 'PARAM', proto => 'tcp', dport => '5222' }, + ], + 'JabberSecure' => [ + { action => 'PARAM', proto => 'tcp', dport => '5223' }, + ], + 'Jabberd' => [ + { action => 'PARAM', proto => 'tcp', dport => '5269' }, + ], + 'Jetdirect' => [ + { action => 'PARAM', proto => 'tcp', dport => '9100' }, + ], + 'L2TP' => [ + { action => 'PARAM', proto => 'udp', dport => '1701' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1701' }, + ], + 'LDAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '389' }, + ], + 'LDAPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '636' }, + ], + 'MSNP' => [ + { action => 'PARAM', proto => 'tcp', dport => '1863' }, + ], + 'MSSQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '1433' }, + ], + 'Mail' => [ + { action => 'PARAM', proto => 'tcp', dport => '25' }, + { action => 'PARAM', proto => 'tcp', dport => '465' }, + { action => 'PARAM', proto => 'tcp', dport => '587' }, + ], + 'Munin' => [ + { action => 'PARAM', proto => 'tcp', dport => '4949' }, + ], + 'MySQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '3306' }, + ], + 'NNTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '119' }, + ], + 'NNTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '563' }, + ], + 'NTP' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + ], + 'NTPbi' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '123' }, + ], + 'NTPbrd' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '123' }, + ], + 'OSPF' => [ + { action => 'PARAM', proto => '89' }, + ], + 'OpenVPN' => [ + { action => 'PARAM', proto => 'udp', dport => '1194' }, + ], + 'PCA' => [ + { action => 'PARAM', proto => 'udp', dport => '5632' }, + { action => 'PARAM', proto => 'tcp', dport => '5631' }, + ], + 'POP3' => [ + { action => 'PARAM', proto => 'tcp', dport => '110' }, + ], + 'POP3S' => [ + { action => 'PARAM', proto => 'tcp', dport => '995' }, + ], + 'PPtP' => [ + { action => 'PARAM', proto => '47' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' }, + { action => 'PARAM', proto => 'tcp', dport => '1723' }, + ], + 'Ping' => [ + { action => 'PARAM', proto => 'icmp', dport => '8' }, + ], + 'PostgreSQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '5432' }, + ], + 'Printer' => [ + { action => 'PARAM', proto => 'tcp', dport => '515' }, + ], + 'RDP' => [ + { action => 'PARAM', proto => 'tcp', dport => '3389' }, + ], + 'RIPbi' => [ + { action => 'PARAM', proto => 'udp', dport => '520' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '520' }, + ], + 'RNDC' => [ + { action => 'PARAM', proto => 'tcp', dport => '953' }, + ], + 'Razor' => [ + { action => 'ACCEPT', proto => 'tcp', dport => '2703' }, + ], + 'Rdate' => [ + { action => 'PARAM', proto => 'tcp', dport => '37' }, + ], + 'Rsync' => [ + { action => 'PARAM', proto => 'tcp', dport => '873' }, + ], + 'SANE' => [ + { action => 'PARAM', proto => 'tcp', dport => '6566' }, + ], + 'SMB' => [ + { action => 'PARAM', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', proto => 'tcp', dport => '135,139,445' }, + ], + 'SMBBI' => [ + { action => 'PARAM', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', proto => 'tcp', dport => '135,139,445' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'tcp', dport => '135,139,445' }, + ], + 'SMBswat' => [ + { action => 'PARAM', proto => 'tcp', dport => '901' }, + ], + 'SMTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '25' }, + ], + 'SMTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '465' }, + ], + 'SNMP' => [ + { action => 'PARAM', proto => 'udp', dport => '161:162' }, + { action => 'PARAM', proto => 'tcp', dport => '161' }, + ], + 'SPAMD' => [ + { action => 'PARAM', proto => 'tcp', dport => '783' }, + ], + 'SSH' => [ + { action => 'PARAM', proto => 'tcp', dport => '22' }, + ], + 'SVN' => [ + { action => 'PARAM', proto => 'tcp', dport => '3690' }, + ], + 'SixXS' => [ + { action => 'PARAM', proto => 'tcp', dport => '3874' }, + { action => 'PARAM', proto => 'udp', dport => '3740' }, + { action => 'PARAM', proto => '41' }, + { action => 'PARAM', proto => 'udp', dport => '5072,8374' }, + ], + 'Squid' => [ + { action => 'PARAM', proto => 'tcp', dport => '3128' }, + ], + 'Submission' => [ + { action => 'PARAM', proto => 'tcp', dport => '587' }, + ], + 'Syslog' => [ + { action => 'PARAM', proto => 'udp', dport => '514' }, + { action => 'PARAM', proto => 'tcp', dport => '514' }, + ], + 'TFTP' => [ + { action => 'PARAM', proto => 'udp', dport => '69' }, + ], + 'Telnet' => [ + { action => 'PARAM', proto => 'tcp', dport => '23' }, + ], + 'Telnets' => [ + { action => 'PARAM', proto => 'tcp', dport => '992' }, + ], + 'Time' => [ + { action => 'PARAM', proto => 'tcp', dport => '37' }, + ], + 'Trcrt' => [ + { action => 'PARAM', proto => 'udp', dport => '33434:33524' }, + { action => 'PARAM', proto => 'icmp', dport => '8' }, + ], + 'VNC' => [ + { action => 'PARAM', proto => 'tcp', dport => '5900:5909' }, + ], + 'VNCL' => [ + { action => 'PARAM', proto => 'tcp', dport => '5500' }, + ], + 'Web' => [ + { action => 'PARAM', proto => 'tcp', dport => '80' }, + { action => 'PARAM', proto => 'tcp', dport => '443' }, + ], + 'Webcache' => [ + { action => 'PARAM', proto => 'tcp', dport => '8080' }, + ], + 'Webmin' => [ + { action => 'PARAM', proto => 'tcp', dport => '10000' }, + ], + 'Whois' => [ + { action => 'PARAM', proto => 'tcp', dport => '43' }, + ], +}; + +my $pve_fw_parsed_macros; +my $pve_fw_preferred_macro_names = {}; -# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.* sub get_firewall_macros { - return $macros if $macros; + return $pve_fw_parsed_macros if $pve_fw_parsed_macros; + + $pve_fw_parsed_macros = {}; - #foreach my $path () { - # if ($path =~ m|/macro\.(\S+)$|) { - # $macros->{$1} = 1; - # } - #} + foreach my $k (keys %$pve_fw_macros) { + my $name = lc($k); - $macros = {}; # fixme: implemet me + my $macro = $pve_fw_macros->{$k}; + $pve_fw_preferred_macro_names->{$name} = $k; + $pve_fw_parsed_macros->{$name} = $macro; + } - return $macros; + return $pve_fw_parsed_macros; } my $etc_services; @@ -126,7 +459,7 @@ sub parse_port_name_number_or_range { my $portlist = ""; foreach my $pon (split(':', $item, 2)) { if ($pon =~ m/^\d+$/){ - die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536; + die "invalid port '$pon'\n" if $pon < 0 && $pon > 65535; }else{ die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon}; } @@ -199,7 +532,7 @@ sub iptables_get_chains { my $chain = $1; return if !&$is_pvefw_chain($chain); $res->{$chain} = "unknown"; - } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) { + } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) { my ($chain, $sig) = ($1, $2); return if !&$is_pvefw_chain($chain); $res->{$chain} = $sig; @@ -237,20 +570,24 @@ sub iptables_rule_exist { } sub ruleset_generate_rule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $rule, $goto) = @_; my $cmd = ''; $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; $cmd .= " -s $rule->{source}" if $rule->{source}; $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; - $cmd .= " -d $rule->{dest}" if $rule->{destination}; + $cmd .= " -d $rule->{dest}" if $rule->{dest}; $cmd .= " -p $rule->{proto}" if $rule->{proto}; $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1; $cmd .= " --dport $rule->{dport}" if $rule->{dport}; $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1; $cmd .= " --sport $rule->{sport}" if $rule->{sport}; - $cmd .= " -j $rule->{action}" if $rule->{action}; + + if (my $action = $rule->{action}) { + $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; + $cmd .= $goto ? " -g $action" : " -j $action"; + }; ruleset_addrule($ruleset, $chain, $cmd) if $cmd; } @@ -258,6 +595,8 @@ sub ruleset_generate_rule { sub ruleset_create_chain { my ($ruleset, $chain) = @_; + die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28; + die "chain '$chain' already exists\n" if $ruleset->{$chain}; $ruleset->{$chain} = []; @@ -319,7 +658,7 @@ sub generate_bridge_chains { } sub generate_tap_rules_direction { - my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; + my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; my $tapchain = "$iface-$direction"; @@ -335,17 +674,21 @@ sub generate_tap_rules_direction { if ($rules) { foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; + # we go to $bridge-IN if accept in out rules if($rule->{action} =~ m/^(GROUP-(\S+))$/){ $rule->{action} .= "-$direction"; # generate empty group rule if don't exist if(!ruleset_chain_exist($ruleset, $rule->{action})){ - generate_group_rules($ruleset, $2); + generate_group_rules($ruleset, $group_rules, $2); } + ruleset_generate_rule($ruleset, $tapchain, $rule); + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN") + if $direction eq 'OUT'; + } else { + $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; + ruleset_generate_rule($ruleset, $tapchain, $rule); } - # we go to vmbr-IN if accept in out rules - $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; - ruleset_generate_rule($ruleset, $tapchain, $rule); - } + } } ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); @@ -364,13 +707,9 @@ sub generate_tap_rules_direction { } sub enablehostfw { - my ($ruleset) = @_; + my ($ruleset, $rules, $group_rules) = @_; - my $filename = "/etc/pve/local/host.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; - - my $rules = parse_fw_rules($filename, $fh); + # fixme: allow security groups # host inbound firewall my $chain = "PVEFW-HOST-IN"; @@ -395,7 +734,7 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-j DROP"); # host outbound firewall - my $chain = "PVEFW-HOST-OUT"; + $chain = "PVEFW-HOST-OUT"; ruleset_create_chain($ruleset, $chain); ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP"); @@ -421,14 +760,12 @@ sub enablehostfw { } sub generate_group_rules { - my ($ruleset, $group) = @_; - - my $filename = "/etc/pve/firewall/groups.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; + my ($ruleset, $group_rules, $group) = @_; - my $rules = parse_fw_rules($filename, $fh, $group); + my $rules = $group_rules->{$group}; + die "no such security group '$group'\n" if !$rules; + my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); @@ -442,120 +779,242 @@ sub generate_group_rules { $chain = "GROUP-${group}-OUT"; ruleset_create_chain($ruleset, $chain); + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { - # we go the PVEFW-BRIDGE-IN because we need to check also other tap rules - # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN) - $rule->{action} = 'PVEFW-BRIDGE-IN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($rule, $chain, $rule); + # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to + # check also other tap rules (and group rules can be set on any bridge, + # so we can't go to VMBRXX-IN) + $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT'; + ruleset_generate_rule($ruleset, $chain, $rule); } } } -sub parse_fw_rules { - my ($filename, $fh, $group) = @_; - - my $section; - my $securitygroup; - my $securitygroupexist; +my $MAX_NETS = 32; +my $valid_netdev_names = {}; +for (my $i = 0; $i < $MAX_NETS; $i++) { + $valid_netdev_names->{"net$i"} = 1; +} - my $res = { in => [], out => [] }; +sub parse_fw_rule { + my ($line, $need_iface, $allow_groups) = @_; my $macros = get_firewall_macros(); my $protocols = get_etc_protocols(); - + + my ($action, $iface, $source, $dest, $proto, $dport, $sport); + + $line =~ s/#.*$//; + + my @data = split(/\s+/, $line); + my $expected_elements = $need_iface ? 7 : 6; + + die "wrong number of rule elements\n" if scalar(@data) > $expected_elements; + + if ($need_iface) { + ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data + } else { + ($action, $source, $dest, $proto, $dport, $sport) = @data; + } + + die "incomplete rule\n" if !$action; + + my $macro; + my $macro_name; + + if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { + # OK + } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) { + # OK + } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + ($macro_name, $action) = ($1, $2); + my $lc_macro_name = lc($macro_name); + my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; + $macro_name = $preferred_name if $preferred_name; + $macro = $macros->{$lc_macro_name}; + die "unknown macro '$macro_name'\n" if !$macro; + } else { + die "unknown action '$action'\n"; + } + + if ($need_iface) { + $iface = undef if $iface && $iface eq '-'; + die "unknown interface '$iface'\n" + if defined($iface) && !$valid_netdev_names->{$iface}; + } + + $proto = undef if $proto && $proto eq '-'; + die "unknown protokol '$proto'\n" if $proto && + !(defined($protocols->{byname}->{$proto}) || + defined($protocols->{byid}->{$proto})); + + $source = undef if $source && $source eq '-'; + $dest = undef if $dest && $dest eq '-'; + + $dport = undef if $dport && $dport eq '-'; + $sport = undef if $sport && $sport eq '-'; + + my $nbsource = undef; + my $nbdest = undef; + + $nbsource = parse_address_list($source) if $source; + $nbdest = parse_address_list($dest) if $dest; + + my $rules = []; + + my $param = { + action => $action, + iface => $iface, + source => $source, + dest => $dest, + nbsource => $nbsource, + nbdest => $nbdest, + proto => $proto, + dport => $dport, + sport => $sport, + }; + + if ($macro) { + foreach my $templ (@$macro) { + my $rule = {}; + foreach my $k (keys %$templ) { + my $v = $templ->{$k}; + if ($v eq 'PARAM') { + $v = $param->{$k}; + } elsif ($v eq 'DEST') { + $v = $param->{dest}; + } elsif ($v eq 'SOURCE') { + $v = $param->{source}; + } + + die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); + $rule->{$k} = $v; + } + push @$rules, $rule; + } + } else { + push @$rules, $param; + } + + foreach my $rule (@$rules) { + $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) + if defined($rule->{dport}); + $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) + if defined($rule->{sport}); + } + + return $rules; +} + +sub parse_vm_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [] }; + + my $section; + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; - if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) { + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out)\]\s*$/i) { $section = lc($1); - $securitygroup = lc($3) if $3; - $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group; next; } - next if !$section; - next if $group && $securitygroup ne $group; - - my ($action, $iface, $source, $dest, $proto, $dport, $sport) = - split(/\s+/, $line); - - if (!$action) { - warn "skip incomplete line\n"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - my $service; - if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) { - # OK - } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - ($service, $action) = ($1, $2); - if (!$macros->{$service}) { - warn "unknown service '$service'\n"; - next; - } - } else { - warn "unknown action '$action'\n"; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; + if (my $err = $@) { + warn "$prefix: $err"; next; } - $iface = undef if $iface && $iface eq '-'; - if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) { - warn "unknown interface '$iface'\n"; + push @{$res->{$section}}, @$rules; + } + + return $res; +} + +sub parse_host_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [] }; + + my $section; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; + + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out)\]\s*$/i) { + $section = lc($1); next; } - - $proto = undef if $proto && $proto eq '-'; - if ($proto && !(defined($protocols->{byname}->{$proto}) || - defined($protocols->{byid}->{$proto}))) { - warn "unknown protokol '$proto'\n"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - $source = undef if $source && $source eq '-'; - $dest = undef if $dest && $dest eq '-'; - - $dport = undef if $dport && $dport eq '-'; - $sport = undef if $sport && $sport eq '-'; - my $nbdport = undef; - my $nbsport = undef; - my $nbsource = undef; - my $nbdest = undef; - - eval { - $nbsource = parse_address_list($source) if $source; - $nbdest = parse_address_list($dest) if $dest; - $nbdport = parse_port_name_number_or_range($dport) if $dport; - $nbsport = parse_port_name_number_or_range($sport) if $sport; - }; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { - warn $err; + warn "$prefix: $err"; next; - } + push @{$res->{$section}}, @$rules; + } + + return $res; +} + +sub parse_group_fw_rules { + my ($filename, $fh) = @_; + + my $section; + my $group; + + my $res = { in => [], out => [] }; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; - my $rule = { - action => $action, - service => $service, - iface => $iface, - source => $source, - dest => $dest, - nbsource => $nbsource, - nbdest => $nbdest, - proto => $proto, - dport => $dport, - sport => $sport, - nbdport => $nbdport, - nbsport => $nbsport, + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; - }; + if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) { + $section = lc($1); + $group = lc($2); + next; + } + if (!$section || !$group) { + warn "$prefix: skip line - no section"; + next; + } - push @{$res->{$section}}, $rule; + my $rules; + eval { $rules = parse_fw_rule($line, 0, 0); }; + if (my $err = $@) { + warn "$prefix: $err"; + next; + } + + push @{$res->{$group}->{$section}}, @$rules; } - die "security group $group don't exist" if $group && !$securitygroupexist; return $res; } @@ -599,7 +1058,7 @@ sub read_vm_firewall_rules { my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; - $rules->{$vmid} = parse_fw_rules($filename, $fh); + $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); } return $rules; @@ -608,6 +1067,12 @@ sub read_vm_firewall_rules { sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); + + my $group_rules = {}; + my $filename = "/etc/pve/firewall/groups.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $group_rules = parse_group_fw_rules($filename, $fh); + } #print Dumper($rules); @@ -617,7 +1082,14 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); - enablehostfw($ruleset); + ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK"); + ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1"); + + $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + my $host_rules = parse_host_fw_rules($filename, $fh); + enablehostfw($ruleset, $host_rules, $group_rules); + } # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { @@ -638,8 +1110,8 @@ sub compile { generate_bridge_chains($ruleset, $bridge); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); } } return $ruleset; @@ -653,7 +1125,7 @@ sub get_ruleset_status { my $statushash = {}; foreach my $chain (sort keys %$ruleset) { - my $digest = Digest::MD5->new(); + my $digest = Digest::SHA->new('sha1'); foreach my $cmd (@{$ruleset->{$chain}}) { $digest->add("$cmd\n"); } @@ -697,15 +1169,14 @@ sub print_ruleset { sub print_sig_rule { my ($chain, $sig) = @_; - # Note: This rule should never match! We just use this hack to store a SHA1 checksum - # used to detect changes - return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n"; + # We just use this to store a SHA1 checksum used to detect changes + return "-A $chain -m comment --comment \"PVESIG:$sig\"\n"; } -sub compile_and_start { - my ($verbose) = @_; +sub apply_ruleset { + my ($ruleset, $verbose) = @_; - my $ruleset = compile(); + enable_bridge_firewall(); my $cmdlist = "*filter\n"; # we pass this to iptables-restore; @@ -745,8 +1216,7 @@ sub compile_and_start { } $cmdlist .= print_sig_rule($chain, $stat->{sig}); } elsif ($stat->{action} eq 'delete') { - $cmdlist .= "-F $chain\n"; - $cmdlist .= "-X $chain\n"; + die "internal error"; # this should not happen } elsif ($stat->{action} eq 'exists') { # do nothing } else { @@ -754,6 +1224,15 @@ sub compile_and_start { } } + foreach my $chain (keys %$statushash) { + next if $statushash->{$chain}->{action} ne 'delete'; + $cmdlist .= "-F $chain\n"; + } + foreach my $chain (keys %$statushash) { + next if $statushash->{$chain}->{action} ne 'delete'; + $cmdlist .= "-X $chain\n"; + } + $cmdlist .= "COMMIT\n"; print $cmdlist if $verbose;