X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=dd149ccb391415bea225fe1f460a7090a8bffb34;hp=6309b81e0223aa3ad674d20ce926ad813e59ff94;hb=2d404ffc7fe2b2134dff553079c412a7a4096491;hpb=181390b09fe8efba63aff2b03959535d4641b8c9

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 6309b81..dd149cc 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -6,6 +6,7 @@ use Data::Dumper;
 use Digest::SHA;
 use PVE::Tools;
 use PVE::QemuServer;
+use File::Basename;
 use File::Path;
 use IO::File;
 use Net::IP;
@@ -14,6 +15,20 @@ use PVE::Tools qw(run_command lock_file);
 use Data::Dumper;
 
 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
+my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status";
+
+my $default_log_level = 'info';
+
+my $log_level_hash = {
+    debug => 7,
+    info => 6,
+    notice => 5,
+    warning => 4,
+    err => 3,
+    crit => 2,
+    alert => 1,
+    emerg => 0,
+};
 
 # imported/converted from: /usr/share/shorewall/macro.*
 my $pve_fw_macros = {
@@ -417,11 +432,6 @@ my $pve_std_chains = {
 	# Drop DNS replies
 	{ action => 'DROP', proto => 'udp', sport => 53 },
     ],
-    'PVEFW-logflags' => [
-	# same as shorewall logflags action. (fixme: enable/disable logging)
-	"-j LOG --log-prefix \"logflags-dropped:\" --log-level 4 --log-ip-options",
-	"-j DROP",
-    ],
     'PVEFW-tcpflags' => [
 	# same as shorewall tcpflags action.
 	# Packets arriving on this interface are checked for som illegal combinations of TCP flags
@@ -431,11 +441,6 @@ my $pve_std_chains = {
 	"-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags",
 	"-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags",
     ],
-    'PVEFW-smurflog' => [
-	# same as shorewall smurflog. (fixme: enable/disable logging)
-	"-j LOG --log-prefix \"smurfs-dropped\" --log-level 4",
-	"-j DROP",
-    ],
     'PVEFW-smurfs' => [
 	# same as shorewall smurfs action
 	# Filter packets for smurfs (packets with a broadcast address as the source).
@@ -1151,7 +1156,7 @@ sub parse_fw_rule {
     return $rules;
 }
 
-sub parse_fw_option {
+sub parse_vmfw_option {
     my ($line) = @_;
 
     my ($opt, $value);
@@ -1170,6 +1175,30 @@ sub parse_fw_option {
     return ($opt, $value);
 }
 
+sub parse_hostfw_option {
+    my ($line) = @_;
+
+    my ($opt, $value);
+
+    my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
+
+    if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+	$opt = lc($1);
+	$value = int($2);
+    } elsif ($line =~ m/^(tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
+	$opt = lc($1);
+	$value = $2 ? lc($3) : '';
+    } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+	$opt = lc($1);
+	$value = uc($3);
+    } else {
+	chomp $line;
+	die "can't parse option '$line'\n"
+    }
+
+    return ($opt, $value);
+}
+
 sub parse_vm_fw_rules {
     my ($filename, $fh) = @_;
 
@@ -1198,7 +1227,7 @@ sub parse_vm_fw_rules {
 
 	if ($section eq 'options') {
 	    eval {
-		my ($opt, $value) = parse_fw_option($line);
+		my ($opt, $value) = parse_vmfw_option($line);
 		$res->{options}->{$opt} = $value;
 	    };
 	    warn "$prefix: $@" if $@;
@@ -1221,7 +1250,7 @@ sub parse_vm_fw_rules {
 sub parse_host_fw_rules {
     my ($filename, $fh) = @_;
 
-    my $res = { in => [], out => [] };
+    my $res = { in => [], out => [], options => {}};
 
     my $section;
 
@@ -1232,8 +1261,9 @@ sub parse_host_fw_rules {
 	my $linenr = $fh->input_line_number();
 	my $prefix = "$filename (line $linenr)";
 
-	if ($line =~ m/^\[(in|out)\]\s*$/i) {
+	if ($line =~ m/^\[(\S+)\]\s*$/i) {
 	    $section = lc($1);
+	    warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section};
 	    next;
 	}
 	if (!$section) {
@@ -1241,6 +1271,18 @@ sub parse_host_fw_rules {
 	    next;
 	}
 
+	next if !$res->{$section}; # skip undefined section
+
+	if ($section eq 'options') {
+	    eval {
+		print "PARSE:$line\n";
+		my ($opt, $value) = parse_hostfw_option($line);
+		$res->{options}->{$opt} = $value;
+	    };
+	    warn "$prefix: $@" if $@;
+	    next;
+	}
+
 	my $rules;
 	eval { $rules = parse_fw_rule($line, 1, 1); };
 	if (my $err = $@) {
@@ -1338,8 +1380,48 @@ sub read_vm_firewall_rules {
     return $rules;
 }
 
+sub get_option_log_level {
+    my ($options, $k) = @_;
+
+    my $v = $options->{$k};
+    return $v = $default_log_level if !defined($v);
+
+    return undef if $v eq '' || $v eq 'nolog';
+
+    $v = $log_level_hash->{$v} if defined($log_level_hash->{$v});
+
+    return $v if ($v >= 0) && ($v <= 7);
+
+    warn "unknown log level ($k = '$v')\n";
+
+    return undef;
+}
+
 sub generate_std_chains {
-    my ($ruleset) = @_;
+    my ($ruleset, $options) = @_;
+    
+    my $loglevel = get_option_log_level($options, 'smurf_log_level');
+
+    # same as shorewall smurflog.
+    if (defined($loglevel)) {
+	$pve_std_chains-> {'PVEFW-smurflog'} = [
+	    "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+	    "-j DROP",
+	    ];
+    } else {
+	$pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ];
+    }
+
+    # same as shorewall logflags action.
+    $loglevel = get_option_log_level($options, 'tcp_flags_log_level');
+    if (defined($loglevel)) {
+	$pve_std_chains-> {'PVEFW-logflags'} = [
+	    "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+	    "-j DROP",
+	    ];
+    } else {
+	$pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ];
+    }
 
     foreach my $chain (keys %$pve_std_chains) {
 	ruleset_create_chain($ruleset, $chain);
@@ -1353,6 +1435,30 @@ sub generate_std_chains {
     }
 }
 
+sub save_pvefw_status {
+    my ($status) = @_;
+
+    die "unknown status '$status' - internal error"
+	if $status !~ m/^(stopped|active)$/;
+
+    mkdir dirname($pve_fw_status_filename);
+    PVE::Tools::file_set_contents($pve_fw_status_filename, $status);
+}
+
+sub read_pvefw_status {
+
+    my $status = 'unknown';
+
+    return 'stopped' if ! -f $pve_fw_status_filename;
+
+    eval {
+	$status = PVE::Tools::file_get_contents($pve_fw_status_filename);
+    };
+    warn $@ if $@;
+
+    return $status;
+}
+
 sub compile {
     my $vmdata = read_local_vm_config();
     my $rules = read_vm_firewall_rules($vmdata);
@@ -1371,17 +1477,20 @@ sub compile {
     ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
-    generate_std_chains($ruleset);
+    my $host_options = {};
+    my $host_rules;
 
-    my $enable_hostfw = 0;
     $filename = "/etc/pve/local/host.fw";
     if (my $fh = IO::File->new($filename, O_RDONLY)) {
-	my $host_rules = parse_host_fw_rules($filename, $fh);
+	$host_rules = parse_host_fw_rules($filename, $fh);
+	$host_options = $host_rules->{options};
+    }
 
-	$enable_hostfw = 1;
+    generate_std_chains($ruleset, $host_options);
 
-	enablehostfw($ruleset, $host_rules, $group_rules);
-    }
+    my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0));
+
+    enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable;
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
@@ -1410,7 +1519,7 @@ sub compile {
 	}
     }
 
-    if ($enable_hostfw) {
+    if ($hotsfw_enable) {
 	# allow traffic from lo (ourself)
 	ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
     }
@@ -1474,11 +1583,9 @@ sub print_sig_rule {
     return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
 }
 
-sub apply_ruleset {
+sub get_rulset_cmdlist {
     my ($ruleset, $verbose) = @_;
 
-    enable_bridge_firewall();
-
     my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
 
     my $statushash = get_ruleset_status($ruleset, $verbose);
@@ -1539,12 +1646,22 @@ sub apply_ruleset {
 
     $cmdlist .= "COMMIT\n";
 
+    return $cmdlist;
+}
+
+sub apply_ruleset {
+    my ($ruleset, $verbose) = @_;
+
+    enable_bridge_firewall();
+
+    my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+
     print $cmdlist if $verbose;
 
     iptables_restore_cmdlist($cmdlist);
 
     # test: re-read status and check if everything is up to date
-    $statushash = get_ruleset_status($ruleset);
+    my $statushash = get_ruleset_status($ruleset);
 
     my $errors;
     foreach my $chain (sort keys %$ruleset) {
@@ -1558,4 +1675,26 @@ sub apply_ruleset {
     die "unable to apply firewall changes\n" if $errors;
 }
 
+sub update {
+    my ($start, $verbose) = @_;
+
+    my $code = sub {
+	my $status = read_pvefw_status();
+
+	my $ruleset = PVE::Firewall::compile();
+
+	if ($start || $status eq 'active') {
+
+	    save_pvefw_status('active')	if ($status ne 'active');
+
+	    PVE::Firewall::apply_ruleset($ruleset, $verbose);
+	} else {
+	    print "Firewall not active (status = $status)\n" if $verbose;
+	}
+    };
+
+    run_locked($code);
+}
+
+
 1;