X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=336aedbd72cacd417e7533257495eb3f9aa9dba5;hp=a20b995350baa35c0bac4c2d753e36871923acbd;hb=c14dacdfd975121912c387acafefc081d6c6606e;hpb=009ee3ac58d8a0e88f7c5f734ce7267f2e5efea7 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index a20b995..336aedb 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -7,7 +7,7 @@ use Data::Dumper; use Digest::SHA; use PVE::INotify; use PVE::Exception qw(raise raise_param_exc); -use PVE::JSONSchema qw(get_standard_option); +use PVE::JSONSchema qw(register_standard_option get_standard_option); use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools qw($IPV4RE); @@ -39,13 +39,32 @@ PVE::JSONSchema::register_format('IPv4orCIDR', \&pve_verify_ipv4_or_cidr); sub pve_verify_ipv4_or_cidr { my ($cidr, $noerr) = @_; - if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$! && (!$1 || (($2 > 7) && ($2 <= 32)))) { - return $cidr; + if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) { + return $cidr if Net::IP->new($cidr); + return undef if $noerr; + die Net::IP::Error() . "\n"; } return undef if $noerr; die "value does not look like a valid IP address or CIDR network\n"; } +PVE::JSONSchema::register_standard_option('ipset-name', { + description => "IP set name.", + type => 'string', + pattern => '[A-Za-z][A-Za-z0-9\-\_]+', + minLength => 2, + maxLength => 20, +}); + +my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+'; + +PVE::JSONSchema::register_standard_option('pve-security-group-name', { + description => "Security Group name.", + type => 'string', + pattern => $security_group_pattern, + minLength => 2, + maxLength => 20, +}); my $feature_ipset_nomatch = 0; eval { @@ -685,7 +704,7 @@ sub get_etc_protocols { sub parse_address_list { my ($str) = @_; - return if $str !~ m/^(\+)(\S+)$/; # ipset ref + return if $str =~ m/^(\+)(\S+)$/; # ipset ref my $count = 0; my $iprange = 0; @@ -784,9 +803,12 @@ my $rule_properties = { enum => ['in', 'out', 'group'], }, action => { + description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.", type => 'string', optional => 1, - enum => ['ACCEPT', 'DROP', 'REJECT'], + pattern => $security_group_pattern, + maxLength => 20, + minLength => 2, }, macro => { type => 'string', @@ -933,7 +955,7 @@ sub verify_rule { raise_param_exc({ type => "security groups not allowed"}) if !$allow_groups; raise_param_exc({ action => "invalid characters in security group name"}) - if $rule->{action} !~ m/^[A-Za-z0-9_\-]+$/; + if $rule->{action} !~ m/^${security_group_pattern}$/; } else { raise_param_exc({ type => "unknown rule type '$type'"}); } @@ -1731,7 +1753,7 @@ sub parse_fw_rule { die "wrong number of rule elements\n" if scalar(@data) != 3; die "groups disabled\n" if !$allow_groups; - die "invalid characters in group name\n" if $action !~ m/^[A-Za-z0-9_\-]+$/; + die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/; } else { die "unknown rule type '$type'\n"; } @@ -1975,6 +1997,7 @@ sub parse_cluster_fw_rules { if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) { $section = 'groups'; $group = lc($1); + $res->{$section}->{$group} = []; next; } @@ -1986,6 +2009,7 @@ sub parse_cluster_fw_rules { if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) { $section = 'ipset'; $group = lc($1); + $res->{$section}->{$group} = []; next; } @@ -2020,15 +2044,15 @@ sub parse_cluster_fw_rules { # we can add single line comments to the end of the rule my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; - $line =~ m/^(\!)?\s*((?:\d+)\.(?:\d+)\.(?:\d+)\.(?:\d+))(?:\/(\d+))?\s*$/; + $line =~ m/^(\!)?\s*(\S+)\s*$/; my $nomatch = $1; my $cidr = $2; - $cidr .= "/$3" if defined($3) && $3 != 32; - - if (!Net::IP->new($cidr)) { - my $err = Net::IP::Error(); - warn "$prefix: $cidr - $err\n"; + $cidr =~ s|/32$||; + + eval { pve_verify_ipv4_or_cidr($cidr); }; + if (my $err = $@) { + warn "$prefix: $cidr - $err"; next; } @@ -2111,7 +2135,7 @@ my $format_rules = sub { my $raw = ''; foreach my $rule (@$rules) { - if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + if ($rule->{type} eq 'in' || $rule->{type} eq 'out' || $rule->{type} eq 'group') { $raw .= '|' if defined($rule->{enable}) && !$rule->{enable}; $raw .= uc($rule->{type}); if ($rule->{macro}) { @@ -2120,16 +2144,20 @@ my $format_rules = sub { $raw .= " " . $rule->{action}; } $raw .= " " . ($rule->{iface} || '-') if $need_iface; - $raw .= " " . ($rule->{source} || '-'); - $raw .= " " . ($rule->{dest} || '-'); - $raw .= " " . ($rule->{proto} || '-'); - $raw .= " " . ($rule->{dport} || '-'); - $raw .= " " . ($rule->{sport} || '-'); + + if ($rule->{type} ne 'group') { + $raw .= " " . ($rule->{source} || '-'); + $raw .= " " . ($rule->{dest} || '-'); + $raw .= " " . ($rule->{proto} || '-'); + $raw .= " " . ($rule->{dport} || '-'); + $raw .= " " . ($rule->{sport} || '-'); + } + $raw .= " # " . encode('utf8', $rule->{comment}) if $rule->{comment} && $rule->{comment} !~ m/^\s*$/; $raw .= "\n"; } else { - die "implement me '$rule->{type}'"; + die "unknown rule type '$rule->{type}'"; } } @@ -2271,8 +2299,15 @@ sub generate_ipset { push @{$ipset_ruleset->{$name}}, "create $name hash:net family inet hashsize $hashsize maxelem $hashsize"; + # remove duplicates + my $nethash = {}; foreach my $entry (@$options) { - my $cidr = $entry->{cidr}; + $nethash->{$entry->{cidr}} = $entry; + } + + foreach my $cidr (sort keys %$nethash) { + my $entry = $nethash->{$cidr}; + my $cmd = "add $name $cidr"; if ($entry->{nomatch}) { if ($feature_ipset_nomatch) { @@ -2648,6 +2683,13 @@ sub get_ipset_cmdlist { my $active_chains = ipset_get_chains(); my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose); + # remove stale _swap chains + foreach my $chain (keys %$active_chains) { + if ($chain =~ m/^PVEFW-\S+_swap$/) { + $cmdlist .= "destroy $chain\n"; + } + } + foreach my $chain (sort keys %$ruleset) { my $stat = $statushash->{$chain}; die "internal error" if !$stat;