X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=c9f502a25598daaee50978a8a0a80526881d5fd8;hp=56125f120e6fbdb0e159a1aecb7fab130fb47056;hb=9aab3127bdc04bc3e17bcfb0b8461e32694dc098;hpb=026a646624bd6ca3225d3ad74549368041daead6
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 56125f1..c9f502a 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -6,6 +6,19 @@ use Data::Dumper;
 use PVE::Tools;
 use PVE::QemuServer;
+my $macros;
+sub get_shorewall_macros {
+
+ return $macros if $macros;
+
+ foreach my $path () {
+ if ($path =~ m|/macro\.(\S+)$|) {
+ $macros->{$1} = 1;
+ }
+ }
+ return $macros;
+}
+
 my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
@@ -18,8 +31,11 @@ my $generate_input_rule = sub {
 my $zone = $net->{zone} || die "internal error";
 my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
 my $tap = $net->{tap} || die "internal error";
-
- return sprintf($rule_format, $rule->{action}, $rule->{source}, "$zid:$tap",
+
+ my $action = $rule->{service} ?
+ "$rule->{service}($rule->{action})" : $rule->{action};
+
+ return sprintf($rule_format, $action, $rule->{source}, "$zid:$tap",
 $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
@@ -32,8 +48,11 @@ my $generate_output_rule = sub {
 my $zone = $net->{zone} || die "internal error";
 my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
 my $tap = $net->{tap} || die "internal error";
+
+ my $action = $rule->{service} ?
+ "$rule->{service}($rule->{action})" : $rule->{action};
- return sprintf($rule_format, $rule->{action}, "$zid:$tap", $rule->{dest},
+ return sprintf($rule_format, $action, "$zid:$tap", $rule->{dest},
 $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
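Review bot: `get_shorewall_macros` leaves `$macros` undefined when no file matches, so it returns `undef` rather than an empty hashref; a caller that copies or iterates the result as a hash (`%{ get_shorewall_macros() }`) dies under `use strict`, and because `return $macros if $macros` is then false on every later call the directory is rescanned each time instead of being cached. Set `$macros = {};` before the `foreach` so an empty result is a true, cached value. The loop list in `foreach my $path () {` is empty as rendered here, which may be an artifact of the original `<...>` glob being stripped, but as shown the body never runs, so that is worth confirming against the committed file. `m|/macro\.(\S+)$|` also accepts a trailing newline via `$`; `\z` is the stricter anchor, and a comment such as `# macro names come from the shorewall macro file names; built once and cached` would record the contract.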
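Review bot: The new `$action` in `$generate_input_rule` interpolates `$rule->{service}` straight into the generated rules line without checking it against the macro list this same commit introduces, so a mistyped or unexpected `service` value becomes a bogus `name(ACTION)` token in the shorewall configuration instead of a compile-time error (the identical block in the `$generate_output_rule` hunk has the same gap). Unless the service name is already validated when rules are parsed, which this diff does not show, guard it here: `die "unknown service '$rule->{service}'\n" if $rule->{service} && !get_shorewall_macros()->{$rule->{service}};`. The ternary is duplicated verbatim in both generators; a small shared helper would keep them from drifting apart. Both closures begin outside their hunks.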
@@ -43,6 +62,11 @@ my $generate_output_rule = sub {
 sub compile {
 my ($targetdir, $vmdata, $rules) = @_;
+ # remove existing data ?
+ foreach my $file (qw(zones rules interfaces maclist policy)) {
+ unlink "$targetdir/$file";
+ }
+
 my $netinfo;
 my $zoneinfo = {
@@ -168,7 +192,7 @@ sub compile {
 # do nothing;
 } elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
 my $bridge = $zoneinfo->{$z}->{bridge} || die "internal error";
- $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge', "# $z");
+ $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge,optional', "# $z");
 } elsif ($zoneinfo->{$z}->{type} eq 'bport') {
 my $ifaces = $zoneinfo->{$z}->{ifaces};
@@ -195,6 +219,7 @@ sub compile {
 $format = "%-15s %-15s %-15s %s\n";
 $out = sprintf($format, '#SOURCE', 'DEST', 'POLICY', 'LOG');
+ #$out .= sprintf($format, 'fw', 'all', 'ACCEPT', '');
 $out .= sprintf($format, 'all', 'all', 'REJECT', 'info');
 PVE::Tools::file_set_contents("$targetdir/policy", $out);
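Review bot: The `unlink` at the top of `compile` ignores its return value, so a stale file that cannot be removed (wrong owner or permissions on `$targetdir`) survives silently, and the comment `# remove existing data ?` leaves the intent open; whether a survivor matters depends on every listed name being rewritten further down, which this hunk does not show. Treat only "does not exist" as acceptable: `unlink "$targetdir/$file" or $!{ENOENT} or die "unlink $targetdir/$file: $!\n";`, and replace the comment with `# start from a clean target directory so files left by an earlier run cannot leak into the new configuration`. The list of names is maintained by hand here and must be kept in step with the files written later in the same sub. `sub compile` continues past the end of this hunk.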
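Review bot: Nothing in the bridge branch records why the interface options become `'bridge,optional'`; as far as I know shorewall's `optional` lets the ruleset load even when the bridge is absent, which changes failure behaviour, and a later reader cannot tell whether a missing bridge is expected or a misconfiguration that should abort. Add a one-line comment above the `sprintf`, e.g. `# optional: the bridge may not exist yet when the ruleset is loaded, so do not fail the whole firewall on it -- TODO confirm this is the intended semantics`. `sub compile` starts and ends outside this hunk, and the hunk's line count suggests one context line was lost in this rendering.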
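Review bot: The added `#$out .= sprintf($format, 'fw', 'all', 'ACCEPT', '');` is commented-out code committed without explanation, so it reads as either a forgotten experiment or a deliberate choice and nobody can tell which. Either drop it or turn it into a statement of intent, e.g. `# no fw->all ACCEPT policy: traffic from the firewall host itself presumably falls under the all->all REJECT below unless a rule allows it`, which also documents the security-relevant default. The enclosing `sub compile` starts before this hunk.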