X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=56125f120e6fbdb0e159a1aecb7fab130fb47056;hp=c10aab3e7a26d7d51ebd18326275391a5c635b87;hb=026a646624bd6ca3225d3ad74549368041daead6;hpb=35081236f38e2368e898bce151aa0741cb13cda9
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index c10aab3..56125f1 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -6,11 +6,42 @@ use Data::Dumper;
 use PVE::Tools;
 use PVE::QemuServer;
+
+my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
+
+my $generate_input_rule = sub {
+ my ($zoneinfo, $rule, $net, $netid) = @_;
+
+ die "not implemented" if $rule->{source} ne 'any';
+ die "not implemented" if $rule->{dest} ne 'any';
+
+ my $zone = $net->{zone} || die "internal error";
+ my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
+ my $tap = $net->{tap} || die "internal error";
+
+ return sprintf($rule_format, $rule->{action}, $rule->{source}, "$zid:$tap",
+ $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
+};
+
+my $generate_output_rule = sub {
+ my ($zoneinfo, $rule, $net, $netid) = @_;
+
+ die "not implemented" if $rule->{source} ne 'any';
+ die "not implemented" if $rule->{dest} ne 'any';
+
+ my $zone = $net->{zone} || die "internal error";
+ my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
+ my $tap = $net->{tap} || die "internal error";
+
+ return sprintf($rule_format, $rule->{action}, "$zid:$tap", $rule->{dest},
+ $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
+};
+
 # we need complete VM configuration of all VMs (openvz/qemu)
 # in vmdata
 sub compile {
- my ($targetdir, $vmdata) = @_;
+ my ($targetdir, $vmdata, $rules) = @_;
 my $netinfo;
@@ -18,6 +49,8 @@ sub compile {
 fw => { type => 'firewall' },
 };
+ my $maclist = {};
+
 my $register_bridge;
 $register_bridge = sub {
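Review bot: `$generate_input_rule` and `$generate_output_rule` format `$rule->{action}`, `proto`, `dport` and `sport` straight into the whitespace-delimited rules line with no check on their contents, so a value containing a space or newline would shift columns or split into a second rule in the generated file; where `$rules` comes from is not visible here, but as the new `compile` parameter it presumably arrives from configuration, so rejecting such values before formatting seems warranted, e.g. `die "invalid value in rule\n" if grep { defined($_) && /\s/ } @{$rule}{qw(action proto dport sport)};`. The `ne 'any'` tests also warn and then die with an unhelpful "not implemented" when `source` or `dest` is undefined rather than naming the missing field. The two closures differ only in which column receives `"$zid:$tap"` and neither uses its `$netid` parameter; a single helper taking a direction argument would keep them from drifting apart.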
@@ -61,14 +94,16 @@ sub compile {
 my $conf = $vmdata->{qemu}->{$vmid};
 foreach my $opt (keys %$conf) {
 next if $opt !~ m/^net(\d+)$/;
- my $netid = $1;
+ my $netnum = $1;
 my $net = PVE::QemuServer::parse_net($conf->{$opt});
 next if !$net;
 die "implement me" if !$net->{bridge};
 my $vmzone = $conf->{zone} || "vm$vmid";
- $net->{zone} = &$register_bridge_port($net->{bridge}, $net->{tag}, $vmzone, "tap${vmid}i${netid}");
- $netinfo->{$vmid}->{$netid} = $net;
+ $net->{tap} = "tap${vmid}i${netnum}";
+ $maclist->{$net->{tap}} = $net->{macaddr} || die "internal error";
+ $net->{zone} = &$register_bridge_port($net->{bridge}, $net->{tag}, $vmzone, $net->{tap});
+ $netinfo->{$vmid}->{$opt} = $net;
 }
 }
@@ -89,23 +124,27 @@ sub compile {
 return $zonemap->{$zone};
 };
+ foreach my $z (sort keys %$zoneinfo) {
+ $zoneinfo->{$z}->{id} = &$lookup_zonename($z);
+ }
+
 # dump zone file
 my $out;
- my $format = "%-15s %-10s %s\n";
- $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS');
+ my $format = "%-15s %-10s %-15s %s\n";
+ $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS', '');
 foreach my $z (sort keys %$zoneinfo) {
- my $zid = &$lookup_zonename($z);
+ my $zid = $zoneinfo->{$z}->{id};
 if ($zoneinfo->{$z}->{type} eq 'firewall') {
- $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, '');
+ $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, '' , "# $z");
 } elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
- $out .= sprintf($format, &$lookup_zonename($z), 'ipv4', '');
+ $out .= sprintf($format, $zid, 'ipv4', '', "# $z");
 } elsif ($zoneinfo->{$z}->{type} eq 'bport') {
 my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
- my $bzid = &$lookup_zonename($bridge_zone);
- $out .= sprintf($format, "$zid:$bzid", 'bport', '');
+ my $bzid = $zoneinfo->{$bridge_zone}->{id} || die "internal error";
+ $out .= sprintf($format, "$zid:$bzid", 'bport', '', "# $z");
 } else {
 die "internal error";
 }
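Review bot: `$maclist->{$net->{tap}} = $net->{macaddr} || die "internal error";` in the first hunk turns a per-VM configuration problem into an anonymous internal error: a VM whose `netX` entry has no `macaddr` aborts the whole compile without naming the VM or the interface, and the same loop already reports the comparable `bridge` case more directly. Since the MAC stored here is what the later maclist entry accepts for that tap, a clear failure is preferable to a vague one: `die "vm $vmid: $opt has no macaddr\n" if !$net->{macaddr};` before the assignment. In the second hunk the zone name `$z` is now written into the generated file as a trailing `"# $z"` comment; for bport zones that name ultimately derives from `$conf->{zone}`, and whether it is restricted to comment-safe characters (no newline) is not visible in this diff, so that is worth confirming at the point where it is parsed. The loop bodies shown belong to `compile`, which starts and ends outside these hunks.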
@@ -117,16 +156,19 @@ sub compile {
 # dump interfaces
- $format = "%-15s %-20s %-10s %s\n";
- $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
+ $format = "%-15s %-20s %-10s %-15s %s\n";
+ $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS', '');
+
+ my $maclist_format = "%-15s %-15s %-15s\n";
+ my $macs = sprintf($maclist_format, '#DISPOSITION', 'INTERFACE', 'MACZONE');
 foreach my $z (sort keys %$zoneinfo) {
- my $zid = &$lookup_zonename($z);
+ my $zid = $zoneinfo->{$z}->{id};
 if ($zoneinfo->{$z}->{type} eq 'firewall') {
 # do nothing;
 } elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
 my $bridge = $zoneinfo->{$z}->{bridge} || die "internal error";
- $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge');
+ $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge', "# $z");
 } elsif ($zoneinfo->{$z}->{type} eq 'bport') {
 my $ifaces = $zoneinfo->{$z}->{ifaces};
@@ -134,7 +176,8 @@ sub compile {
 my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
 my $bridge = $zoneinfo->{$bridge_zone}->{bridge} || die "internal error";
 my $iftxt = "$bridge:$iface";
- $out .= sprintf($format, $zid, $iftxt, '', '');
+ $out .= sprintf($format, $zid, $iftxt, '-', 'maclist', "# $z");
+ $macs .= sprintf($maclist_format, 'ACCEPT', $iface, $maclist->{$iface});
 }
 } else {
 die "internal error";
@@ -145,6 +188,9 @@ sub compile {
 PVE::Tools::file_set_contents("$targetdir/interfaces", $out);
+ # dump maclist
+ PVE::Tools::file_set_contents("$targetdir/maclist", $macs);
+
 # dump policy
 $format = "%-15s %-15s %-15s %s\n";
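Review bot: In the second hunk, `$macs .= sprintf($maclist_format, 'ACCEPT', $iface, $maclist->{$iface});` assumes every bport interface has an entry in `$maclist`, but `$maclist` is only filled in the qemu loop earlier in `compile`; an interface that reached `$zoneinfo->{$z}->{ifaces}` by any other path (the file comment mentions openvz) would get the `maclist` option on its interfaces line yet an ACCEPT entry with an empty MAC column, which at best fails to load and at worst is not the filter that was intended. A guard such as `my $mac = $maclist->{$iface} || die "no mac address for interface '$iface'\n";` and then passing `$mac` to the sprintf makes the mismatch fail loudly at compile time. The `foreach` over `@$ifaces` that encloses these lines starts before the hunk. Separately, the header label `'MACZONE'` in the first hunk names a column that actually holds the MAC address, which will confuse anyone reading the generated file.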
@@ -153,6 +199,33 @@ sub compile {
 PVE::Tools::file_set_contents("$targetdir/policy", $out);
+ # dump rules
+ $out = '';
+
+ $out = sprintf($rule_format, '#ACTION', 'SOURCE', 'DEST', 'PROTO', 'DPORT', 'SPORT');
+ foreach my $vmid (sort keys %$rules) {
+ if (my $inrules = $rules->{$vmid}->{in}) {
+ foreach my $rule (@$inrules) {
+ foreach my $netid (keys %{$netinfo->{$vmid}}) {
+ my $net = $netinfo->{$vmid}->{$netid};
+ next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+ $out .= &$generate_input_rule($zoneinfo, $rule, $net, $netid);
+ }
+ }
+ }
+
+ if (my $outrules = $rules->{$vmid}->{out}) {
+ foreach my $rule (@$outrules) {
+ foreach my $netid (keys %{$netinfo->{$vmid}}) {
+ my $net = $netinfo->{$vmid}->{$netid};
+ next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+ $out .= &$generate_output_rule($zoneinfo, $rule, $net, $netid);
+ }
+ }
+ }
+ }
+
+ PVE::Tools::file_set_contents("$targetdir/rules", $out);
 }
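Review bot: `keys %{$netinfo->{$vmid}}` is iterated unsorted in both the `in` and `out` loops, so the line order of `$targetdir/rules` can differ between two runs on identical input; `foreach my $netid (sort keys %{$netinfo->{$vmid}})` keeps the generated firewall file reproducible, which matters whenever it is diffed or audited after regeneration. A rule whose `iface` key is undefined only warns on the `eq` comparison and is then skipped with no output, so a mistyped rule silently never reaches the firewall; presumably `$rules` is validated before `compile` is called, but if it is not, such a rule should be rejected here rather than dropped. The `$out = '';` line is dead since `$out` is reassigned on the next statement, and the `in` and `out` blocks are the same loop apart from the generator they call, which a small helper taking the code ref could share. `compile` ends at the closing brace shown; its body starts outside the hunk.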