X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=be9b847d6e463e4bcc2f35abf025ec6d6163920b;hp=24bc2c756aee9094ff27a5e45797afc5c5a70531;hb=d050c7240e2a3d4c1de906fea7e48f926d876098;hpb=c29f55c97c7eca2e4db559f7e1c4b88c35b8fb10
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 24bc2c7..be9b847 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -3,7 +3,7 @@ package PVE::Firewall;
 use warnings;
 use strict;
 use Data::Dumper;
-use Digest::MD5;
+use Digest::SHA;
 use PVE::Tools;
 use PVE::QemuServer;
 use File::Path;
@@ -137,6 +137,18 @@ sub parse_port_name_number_or_range {
     return ($nbports);
 }
 
+my $bridge_firewall_enabled = 0;
+
+sub enable_bridge_firewall {
+
+    return if $bridge_firewall_enabled; # only once
+
+    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
+    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
+
+    $bridge_firewall_enabled = 1;
+}
+
 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
 
 sub iptables {
@@ -187,7 +199,7 @@ sub iptables_get_chains {
         my $chain = $1;
         return if !&$is_pvefw_chain($chain);
         $res->{$chain} = "unknown";
-    } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
+    } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) {
         my ($chain, $sig) = ($1, $2);
         return if !&$is_pvefw_chain($chain);
         $res->{$chain} = $sig;
@@ -246,6 +258,8 @@ sub ruleset_generate_rule {
 sub ruleset_create_chain {
     my ($ruleset, $chain) = @_;
 
+    die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
+
     die "chain '$chain' already exists\n" if $ruleset->{$chain};
 
     $ruleset->{$chain} = [];
@@ -383,7 +397,7 @@ sub enablehostfw {
     ruleset_addrule($ruleset, $chain, "-j DROP");
 
     # host outbound firewall
-    my $chain = "PVEFW-HOST-OUT";
+    $chain = "PVEFW-HOST-OUT";
     ruleset_create_chain($ruleset, $chain);
     ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP");
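Review bot: Both `system("echo 1 > /proc/sys/net/bridge/...")` calls in enable_bridge_firewall discard their exit status, and `$bridge_firewall_enabled` is set to 1 regardless, so a failed write (for instance when the sysctl path is absent because the bridge netfilter support is not loaded) is neither reported nor retried for the rest of the process lifetime. For a firewall this failure is silent and consequential: with bridge-nf-call-iptables still 0, bridged guest traffic never reaches the iptables rules that apply_ruleset goes on to install. Writing the sysctl from Perl with a checked three-arg open drops the shell round-trip and turns the failure into a `die` that apply_ruleset's caller sees; set the flag only after both writes succeed.
```perl
sub enable_bridge_firewall {

    return if $bridge_firewall_enabled; # only once

    for my $sysctl (qw(bridge-nf-call-iptables bridge-nf-call-ip6tables)) {
        my $path = "/proc/sys/net/bridge/$sysctl";
        open(my $fh, '>', $path) or die "unable to open '$path' - $!\n";
        print $fh "1\n" or die "unable to write '$path' - $!\n";
        close($fh) or die "unable to write '$path' - $!\n";
    }

    # reached only when both writes succeeded; a failure above dies first
    $bridge_firewall_enabled = 1;
}
```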
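Review bot: The new length check in ruleset_create_chain enforces the 28-character iptables limit but still accepts names containing whitespace or quotes, and `$chain` is later interpolated unescaped into iptables-restore input (the `-A $chain -m comment --comment ...` line of print_sig_rule further down, outside this hunk). One anchored test covers both the length and the character set: `die "Invalid chain name '$chain' (28 char max, [A-Za-z0-9_-] only)\n" if $chain !~ m/\A[A-Za-z0-9_\-]{1,28}\z/;`. Widen the class if a caller generates names with other characters — this page does not show every caller.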
@@ -641,7 +655,7 @@ sub get_ruleset_status {
     my $statushash = {};
 
     foreach my $chain (sort keys %$ruleset) {
-        my $digest = Digest::MD5->new();
+        my $digest = Digest::SHA->new('sha1');
         foreach my $cmd (@{$ruleset->{$chain}}) {
             $digest->add("$cmd\n");
         }
@@ -685,15 +699,14 @@ sub print_ruleset {
 sub print_sig_rule {
     my ($chain, $sig) = @_;
 
-    # Note: This rule should never match! We just use this hack to store a SHA1 checksum
-    # used to detect changes
-    return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
+    # We just use this to store a SHA1 checksum used to detect changes
+    return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
 }
 
-sub compile_and_start {
-    my ($verbose) = @_;
+sub apply_ruleset {
+    my ($ruleset, $verbose) = @_;
 
-    my $ruleset = compile();
+    enable_bridge_firewall();
 
     my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
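Review bot: `Digest::SHA->new('sha1')` in get_ruleset_status is the only place the signature algorithm is chosen, yet the PVESIG tag written by print_sig_rule and parsed by iptables_get_chains depends on it, and nothing at this line says what the digest is for. A comment above the `my $digest` line would keep the pieces from drifting: `# Fingerprint of the generated rule text for this chain; emitted as a PVESIG comment rule and compared against the loaded ruleset to detect drift. Change detection only, not an integrity guarantee: anyone able to edit the tables can rewrite the comment rule too.` get_ruleset_status starts before this hunk and continues past it.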