X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=c9f502a25598daaee50978a8a0a80526881d5fd8;hp=6565212d1f3bcb0d470f866b25b38d9079f4ef97;hb=9aab3127bdc04bc3e17bcfb0b8461e32694dc098;hpb=886aba9c18188f736c28483eeec52add4790f5ee

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 6565212..c9f502a 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -3,88 +3,254 @@ package PVE::Firewall;
 use warnings;
 use strict;
 use Data::Dumper;
-
+use PVE::Tools;
 use PVE::QemuServer;
 
+my $macros;
+sub get_shorewall_macros {
+
+    return $macros if $macros;
+
+    foreach my $path (</usr/share/shorewall/macro.*>) {
+	if ($path =~ m|/macro\.(\S+)$|) {
+	    $macros->{$1} = 1;
+	}
+    }
+    return $macros;
+}
+
+
+my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
+
+my $generate_input_rule = sub {
+    my ($zoneinfo, $rule, $net, $netid) = @_;
+
+    die "not implemented" if $rule->{source} ne 'any';
+    die "not implemented" if $rule->{dest} ne 'any';
+
+    my $zone = $net->{zone} || die "internal error";
+    my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
+    my $tap = $net->{tap} || die "internal error";
+
+    my $action = $rule->{service} ? 
+	"$rule->{service}($rule->{action})" : $rule->{action};
+
+    return sprintf($rule_format, $action, $rule->{source}, "$zid:$tap", 
+		   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
+};
+
+my $generate_output_rule = sub {
+    my ($zoneinfo, $rule, $net, $netid) = @_;
+
+    die "not implemented" if $rule->{source} ne 'any';
+    die "not implemented" if $rule->{dest} ne 'any';
+
+    my $zone = $net->{zone} || die "internal error";
+    my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
+    my $tap = $net->{tap} || die "internal error";
+
+    my $action = $rule->{service} ? 
+	"$rule->{service}($rule->{action})" : $rule->{action};
+    
+    return sprintf($rule_format, $action, "$zid:$tap", $rule->{dest}, 
+		   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
+};
+
 # we need complete VM configuration of all VMs (openvz/qemu)
 # in vmdata
 
 sub compile {
-    my ($vmdata) = @_;
+    my ($targetdir, $vmdata, $rules) = @_;
+
+    # remove existing data ?
+    foreach my $file (qw(zones rules interfaces  maclist  policy)) {
+	unlink "$targetdir/$file";
+    }
 
     my $netinfo;
 
-    my $bridges = {};
     my $zoneinfo = {
 	fw => { type => 'firewall' },
     };
 
+    my $maclist = {};
+
+    my $register_bridge;
+
+    $register_bridge = sub {
+	my ($bridge, $vlan) = @_;
+
+	my $zone =  'z' . $bridge;
+
+	return $zone if $zoneinfo->{$zone};
+
+	$zoneinfo->{$zone} = {
+	    type => 'bridge',
+	    bridge => $bridge,
+	};
+
+	return &$register_bridge("${bridge}v${vlan}") if defined($vlan);
+	
+	return $zone;
+    };
+
+    my $register_bridge_port = sub {
+	my ($bridge, $vlan, $vmzone, $tap) = @_;
+
+	my $bridge_zone = &$register_bridge($bridge, $vlan);
+	my $zone = $bridge_zone . $vmzone;
+
+	if (!$zoneinfo->{$zone}) {
+	    $zoneinfo->{$zone} = {
+		type => 'bport',
+		bridge_zone => $bridge_zone,
+		ifaces => {},
+	    };
+	}
+
+	$zoneinfo->{$zone}->{ifaces}->{$tap} = 1;
+	
+	return $zone;
+    };
+
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
 	$netinfo->{$vmid} = {};
 	my $conf = $vmdata->{qemu}->{$vmid};
 	foreach my $opt (keys %$conf) {
 	    next if $opt !~ m/^net(\d+)$/;
-	    my $netid = $1;
+	    my $netnum = $1;
 	    my $net = PVE::QemuServer::parse_net($conf->{$opt});
 	    next if !$net;
 	    die "implement me" if !$net->{bridge};
-	    my $bridge = $net->{bridge};
-	    $bridges->{$bridge} = 1;
-	    $zoneinfo->{$bridge}->{type} = 'ipv4';
-	    $zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
-	    if (defined($net->{tag})) {
-		$bridge = $bridge .= "v$net->{tag}";
-		$bridges->{$bridge} = 1;
-		$zoneinfo->{$bridge}->{type} = 'ipv4';
-		$zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
-	    }
 
-	    my $zone = $bridge . ($conf->{zone} || "vm$vmid");
-	    $net->{zone} = $zone;
-	    $zoneinfo->{$zone}->{type} = 'bport';
-	    $zoneinfo->{$zone}->{bridge} = $bridge;
-	    $zoneinfo->{$zone}->{ifaces}->{"tap${vmid}i${netid}"} = 1;
-	    $netinfo->{$vmid}->{$netid} = $net;
+	    my $vmzone = $conf->{zone} || "vm$vmid";
+	    $net->{tap} = "tap${vmid}i${netnum}";
+	    $maclist->{$net->{tap}} = $net->{macaddr} || die "internal error";
+	    $net->{zone} = &$register_bridge_port($net->{bridge}, $net->{tag}, $vmzone, $net->{tap});
+	    $netinfo->{$vmid}->{$opt} = $net;
 	}
     }
 
     #print Dumper($netinfo);
 
-    # TODO: zone names have length limit, so we need to
+    # NOTE: zone names have length limit, so we need to
     # translate them into shorter names 
 
+    my $zoneid = 0;
+    my $zonemap = { fw => 'fw' };
+
+    my $lookup_zonename = sub {
+	my ($zone) = @_;
+
+	return $zonemap->{$zone} if defined($zonemap->{$zone});
+	$zonemap->{$zone} = 'z' . $zoneid++;
+
+	return $zonemap->{$zone};
+    };
+
+    foreach my $z (sort keys %$zoneinfo) {
+	$zoneinfo->{$z}->{id} = &$lookup_zonename($z);
+    }
+
     # dump zone file
 
-    print "DUMP: zones\n";
-    my $format = "%-15s %-10s %s\n";
-    printf($format, '#ZONE', 'TYPE', 'OPTIONS');
+    my $out;
 
+    my $format = "%-15s %-10s %-15s %s\n";
+    $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS', '');
+    
     foreach my $z (sort keys %$zoneinfo) {
-	printf($format, $z, $zoneinfo->{$z}->{type}, '');
+	my $zid = $zoneinfo->{$z}->{id};
+	if ($zoneinfo->{$z}->{type} eq 'firewall') {
+	    $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, '' , "# $z");
+	} elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
+	    $out .= sprintf($format, $zid, 'ipv4', '', "# $z");
+	} elsif ($zoneinfo->{$z}->{type} eq 'bport') {
+	    my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
+	    my $bzid = $zoneinfo->{$bridge_zone}->{id} || die "internal error";
+	    $out .= sprintf($format, "$zid:$bzid", 'bport', '', "# $z");
+	} else {
+	    die "internal error";
+	}
     }
 
-    print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";
+    $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n");
+
+    PVE::Tools::file_set_contents("$targetdir/zones", $out);
+
+    # dump interfaces
 
-    print "\n";
-    print "DUMP: interfaces\n";
+    $format = "%-15s %-20s %-10s %-15s %s\n";
+    $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS', '');
+
+    my $maclist_format = "%-15s %-15s %-15s\n";
+    my $macs = sprintf($maclist_format, '#DISPOSITION', 'INTERFACE', 'MACZONE');
 
-    $format = "%-15s %-20s %-10s %s\n";
-    printf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
     foreach my $z (sort keys %$zoneinfo) {
-	my $ifaces = $zoneinfo->{$z}->{ifaces};
-	foreach my $iface (sort keys %$ifaces) {
-	    my $broadcast =  $zoneinfo->{$z}->{type} eq 'ipv4' ? 'detect' : '';
-	    my $options =  $bridges->{$iface} ? 'bridge' : '';
-	    my $bridge = $zoneinfo->{$z}->{bridge} || '';
-	    my $iftxt = $zoneinfo->{$z}->{bridge} ? "$zoneinfo->{$z}->{bridge}:$iface" : $iface;
-	    printf($format, $z, $iftxt, $broadcast, $options);
+	my $zid = $zoneinfo->{$z}->{id};
+	if ($zoneinfo->{$z}->{type} eq 'firewall') {
+	    # do nothing;
+	} elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
+	    my $bridge = $zoneinfo->{$z}->{bridge} || die "internal error";
+	    $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge,optional', "# $z");
+
+	} elsif ($zoneinfo->{$z}->{type} eq 'bport') {
+	    my $ifaces = $zoneinfo->{$z}->{ifaces};
+	    foreach my $iface (sort keys %$ifaces) {
+		my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
+		my $bridge = $zoneinfo->{$bridge_zone}->{bridge} || die "internal error";
+		my $iftxt = "$bridge:$iface";
+		$out .= sprintf($format, $zid, $iftxt, '-', 'maclist', "# $z");
+		$macs .= sprintf($maclist_format, 'ACCEPT', $iface, $maclist->{$iface});
+	    }
+	} else {
+	    die "internal error";
 	}
     }
 
-    print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";
+    $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n");
+
+    PVE::Tools::file_set_contents("$targetdir/interfaces", $out);
+
+    # dump maclist
+    PVE::Tools::file_set_contents("$targetdir/maclist", $macs);
+
+    # dump policy
+
+    $format = "%-15s %-15s %-15s %s\n";
+    $out = sprintf($format, '#SOURCE', 'DEST', 'POLICY', 'LOG');
+    #$out .= sprintf($format, 'fw', 'all', 'ACCEPT', '');
+    $out .= sprintf($format, 'all', 'all', 'REJECT', 'info');
+
+    PVE::Tools::file_set_contents("$targetdir/policy", $out);
 
-    print "\n";
+    # dump rules
+    $out = '';
+
+    $out = sprintf($rule_format, '#ACTION', 'SOURCE', 'DEST', 'PROTO', 'DPORT', 'SPORT');
+    foreach my $vmid (sort keys %$rules) {
+	if (my $inrules = $rules->{$vmid}->{in}) {
+	    foreach my $rule (@$inrules) {
+		foreach my $netid (keys %{$netinfo->{$vmid}}) {
+		    my $net = $netinfo->{$vmid}->{$netid};
+		    next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+		    $out .= &$generate_input_rule($zoneinfo, $rule, $net, $netid);
+		}
+	    }
+	}
+
+	if (my $outrules = $rules->{$vmid}->{out}) {
+	    foreach my $rule (@$outrules) {
+		foreach my $netid (keys %{$netinfo->{$vmid}}) {
+		    my $net = $netinfo->{$vmid}->{$netid};
+		    next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+		    $out .= &$generate_output_rule($zoneinfo, $rule, $net, $netid);
+		}
+	    }
+	}
+    }
 
+    PVE::Tools::file_set_contents("$targetdir/rules", $out);
 
 }