X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=1319bfbed3af437d6fe8c87851150eba9325e4a1;hp=3b67186ed35c18ca7ed62c0f2001c5dbb0e649bb;hb=033a15b372734fcfb390c3b747f67bfa4643dabd;hpb=0e8af63ddb8a58ff2cda9d8595478a673f563d06

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3b67186..1319bfb 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -214,7 +214,10 @@ my $pve_fw_macros = {
     ],
     'Ceph' => [
         "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
+	# Legacy port for protocol v1
         { action => 'PARAM', proto => 'tcp', dport => '6789' },
+	# New port for protocol v2
+        { action => 'PARAM', proto => 'tcp', dport => '3300' },
         { action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
     ],
     'CVS' => [
@@ -1748,25 +1751,25 @@ sub enable_bridge_firewall {
 sub iptables_restore_cmdlist {
     my ($cmdlist) = @_;
 
-    run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+    run_command(['iptables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 
 sub ip6tables_restore_cmdlist {
     my ($cmdlist) = @_;
 
-    run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+    run_command(['ip6tables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 
 sub ipset_restore_cmdlist {
     my ($cmdlist) = @_;
 
-    run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
+    run_command(['ipset', 'restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist");
 }
 
 sub ebtables_restore_cmdlist {
     my ($cmdlist) = @_;
 
-    run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
+    run_command(['ebtables-restore'], input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
 }
 
 sub iptables_get_chains {
@@ -1825,7 +1828,7 @@ sub iptables_get_chains {
 	}
     };
 
-    run_command("/sbin/$iptablescmd-save", outfunc => $parser);
+    run_command(["$iptablescmd-save"], outfunc => $parser);
 
     return wantarray ? ($res, $hooks) : $res;
 }
@@ -1869,7 +1872,7 @@ sub ipset_get_chains {
 	}
     };
 
-    run_command("/sbin/ipset save", outfunc => $parser);
+    run_command(['ipset', 'save'], outfunc => $parser);
 
     # compute digest for each chain
     foreach my $chain (keys %$chains) {
@@ -1900,7 +1903,7 @@ sub ebtables_get_chains {
 	}
     };
 
-    run_command("/sbin/ebtables-save", outfunc => $parser);
+    run_command(['ebtables-save'], outfunc => $parser);
     # compute digest for each chain and store rules as well
     foreach my $chain (keys %$chains) {
 	$res->{$chain}->{rules} = $chains->{$chain};
@@ -2360,10 +2363,10 @@ sub generate_tap_rules_direction {
     my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
 	if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
 
-    # create chain with mac and ip filter
-    ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
-
     if ($options->{enable}) {
+	# create chain with mac and ip filter
+	ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
+
 	ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion, $vmid);
 
 	ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
@@ -3589,19 +3592,19 @@ sub compile_iptables_filter {
 	eval {
 	    my $conf = $vmdata->{qemu}->{$vmid};
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
-	    return if !$vmfw_conf;
+	    return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 
 	    foreach my $netid (sort keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
 		my $net = PVE::QemuServer::parse_net($conf->{$netid});
 		next if !$net->{firewall};
-		my $iface = "tap${vmid}i$1";
 
+		my $iface = "tap${vmid}i$1";
 		my $macaddr = $net->{macaddr};
 		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-					     $vmfw_conf, $vmid, 'IN', $ipversion);
+		                             $vmfw_conf, $vmid, 'IN', $ipversion);
 		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-					     $vmfw_conf, $vmid, 'OUT', $ipversion);
+		                             $vmfw_conf, $vmid, 'OUT', $ipversion);
 	    }
 	};
 	warn $@ if $@; # just to be sure - should not happen
@@ -3609,29 +3612,28 @@ sub compile_iptables_filter {
 
     # generate firewall rules for LXC containers
     foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
-        eval {
-            my $conf = $vmdata->{lxc}->{$vmid};
-            my $vmfw_conf = $vmfw_configs->{$vmid};
-            return if !$vmfw_conf;
-
-            if ($vmfw_conf->{options}->{enable}) {
-		foreach my $netid (sort keys %$conf) {
-                    next if $netid !~ m/^net(\d+)$/;
-                    my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
-                    next if !$net->{firewall};
-                    my $iface = "veth${vmid}i$1";
-		    my $macaddr = $net->{hwaddr};
-                    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-                                                 $vmfw_conf, $vmid, 'IN', $ipversion);
-                    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
-                                                 $vmfw_conf, $vmid, 'OUT', $ipversion);
-		}
-            }
-        };
-        warn $@ if $@; # just to be sure - should not happen
+	eval {
+	    my $conf = $vmdata->{lxc}->{$vmid};
+	    my $vmfw_conf = $vmfw_configs->{$vmid};
+	    return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
+
+	    foreach my $netid (sort keys %$conf) {
+		next if $netid !~ m/^net(\d+)$/;
+		my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
+		next if !$net->{firewall};
+
+		my $iface = "veth${vmid}i$1";
+		my $macaddr = $net->{hwaddr};
+		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+		                             $vmfw_conf, $vmid, 'IN', $ipversion);
+		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+		                             $vmfw_conf, $vmid, 'OUT', $ipversion);
+	    }
+	};
+	warn $@ if $@; # just to be sure - should not happen
     }
 
-    if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
+    if (ruleset_chain_exist($ruleset, "PVEFW-IPS")){
 	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS");
     }
 
@@ -4033,8 +4035,8 @@ sub get_ebtables_cmdlist {
 
     foreach my $chain (sort keys %$statushash) {
 	my $stat = $statushash->{$chain};
-	next if ($stat->{action} eq 'delete');
 	$changes = 1 if ($stat->{action} !~ 'ignore|exists');
+	next if ($stat->{action} eq 'delete');
 
 	foreach my $cmd (@{$statushash->{$chain}->{'rules'}}) {
 	    if ($chain eq 'FORWARD' && $cmd eq $append_pve_to_forward) {
@@ -4259,7 +4261,7 @@ sub update_nf_conntrack_logging {
 	my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack";
 	PVE::Tools::file_set_contents($tmpfile, $value);
 
-	PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
+	run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
 	$log_nf_conntrack_enabled = $value;
     }
 }