X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=440d12b98252aa6a0580b906627ab95a64545cf5;hp=d18809a2ef8a417c276b87ccb5d27e60bd2894ef;hb=2f3d8d7615139301d55ceaacad06a2b18b0420dc;hpb=bb272dd311e39cd0d76a01d28c600363e95bc731 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index d18809a..440d12b 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -4,6 +4,7 @@ use warnings; use strict; use Data::Dumper; use Digest::SHA; +use PVE::ProcFSTools; use PVE::Tools; use PVE::QemuServer; use File::Basename; @@ -623,8 +624,11 @@ sub enable_bridge_firewall { return if $bridge_firewall_enabled; # only once - system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"); - system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables"); + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1"); + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1"); + + # make sure syncookies are enabled (which is default on newer 3.X kernels anyways) + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1"); $bridge_firewall_enabled = 1; } @@ -721,21 +725,21 @@ sub ruleset_generate_rule { return if $rule->{disable}; - my $cmd = ''; + my @cmd = (); - $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; - $cmd .= " -s $rule->{source}" if $rule->{source}; - $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; - $cmd .= " -d $rule->{dest}" if $rule->{dest}; + push @cmd, "-m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; + push @cmd, "-s $rule->{source}" if $rule->{source}; + push @cmd, "-m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; + push @cmd, "-d $rule->{dest}" if $rule->{dest}; if ($rule->{proto}) { - $cmd .= " -p $rule->{proto}"; + push @cmd, "-p $rule->{proto}"; my $multiport = 0; $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1); $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1); - $cmd .= " --match multiport" if $multiport; + push @cmd, "--match multiport" if $multiport; die "multiport: option '--sports' cannot be used together with '--dports'\n" if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); @@ -744,25 +748,25 @@ sub ruleset_generate_rule { if ($rule->{proto} && $rule->{proto} eq 'icmp') { # Note: we use dport to store --icmp-type die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}}); - $cmd .= " -m icmp --icmp-type $rule->{dport}"; + push @cmd, "-m icmp --icmp-type $rule->{dport}"; } else { if ($rule->{nbdport} && $rule->{nbdport} > 1) { if ($multiport == 2) { - $cmd .= " --ports $rule->{dport}"; + push @cmd, "--ports $rule->{dport}"; } else { - $cmd .= " --dports $rule->{dport}"; + push @cmd, "--dports $rule->{dport}"; } } else { - $cmd .= " --dport $rule->{dport}"; + push @cmd, "--dport $rule->{dport}"; } } } if ($rule->{sport}) { if ($rule->{nbsport} && $rule->{nbsport} > 1) { - $cmd .= " --sports $rule->{sport}" if $multiport != 2; + push @cmd, "--sports $rule->{sport}" if $multiport != 2; } else { - $cmd .= " --sport $rule->{sport}"; + push @cmd, "--sport $rule->{sport}"; } } } elsif ($rule->{dport} || $rule->{sport}) { @@ -770,15 +774,18 @@ sub ruleset_generate_rule { warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport}; } - $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; + push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; if (my $action = $rule->{action}) { $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; - $cmd .= $goto ? " -g $action" : " -j $action"; + push @cmd, $goto ? "-g $action" : "-j $action"; } - ruleset_addrule($ruleset, $chain, $cmd) if $cmd; + if (scalar(@cmd)) { + my $cmdstr = join(' ', @cmd); + ruleset_addrule($ruleset, $chain, $cmdstr); + } } sub ruleset_create_chain { @@ -814,24 +821,30 @@ sub ruleset_insertrule { } sub generate_bridge_chains { - my ($ruleset, $bridge) = @_; + my ($ruleset, $hostfw_conf, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ - ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - } + my $options = $hostfw_conf->{options}; + + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($options, "log_level_out"); if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing + # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); } if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { @@ -843,11 +856,41 @@ sub generate_bridge_chains { } } +sub ruleset_add_chain_policy { + my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_; + + if ($policy eq 'ACCEPT') { + + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' }, + { ACCEPT => $accept_action}); + + } elsif ($policy eq 'DROP') { + + ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); + + ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel") + if defined($loglevel); + + ruleset_addrule($ruleset, $chain, "-j DROP"); + } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); + + ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel") + if defined($loglevel); + + ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); + } else { + # should not happen + die "internal error: unknown policy '$policy'"; + } +} + sub generate_tap_rules_direction { - my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; + my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; my $lc_direction = lc($direction); - my $rules = $vmfw_conf->{$lc_direction}; + + my $rules = $vmfw_conf->{rules}; my $options = $vmfw_conf->{options}; my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); @@ -871,31 +914,31 @@ sub generate_tap_rules_direction { ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr) && - !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + if ($direction eq 'OUT') { + if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + } + ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark } - if ($rules) { - foreach my $rule (@$rules) { - next if $rule->{iface} && $rule->{iface} ne $netid; - # we go to $bridge-IN if accept in out rules - if($rule->{action} =~ m/^(GROUP-(\S+))$/){ - $rule->{action} .= "-$direction"; - # generate empty group rule if don't exist - if(!ruleset_chain_exist($ruleset, $rule->{action})){ - generate_group_rules($ruleset, $group_rules, $2); - } - ruleset_generate_rule($ruleset, $tapchain, $rule); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") - if $direction eq 'OUT'; + foreach my $rule (@$rules) { + next if $rule->{iface} && $rule->{iface} ne $netid; + next if $rule->{disable}; + if ($rule->{type} eq 'group') { + my $group_chain = "GROUP-$rule->{action}-$direction"; + if(!ruleset_chain_exist($ruleset, $group_chain)){ + generate_group_rules($ruleset, $groups_conf, $rule->{action}); + } + ruleset_addrule($ruleset, $tapchain, "-j $group_chain"); + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") + if $direction eq 'OUT'; + } else { + next if $rule->{type} ne $lc_direction; + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $tapchain, $rule, + { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - if ($direction eq 'OUT') { - ruleset_generate_rule($ruleset, $tapchain, $rule, - { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); - } else { - ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); - } + ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); } } } @@ -906,53 +949,25 @@ sub generate_tap_rules_direction { if ($direction eq 'OUT') { $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default + $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default } - if ($policy eq 'ACCEPT') { - if ($direction eq 'OUT') { - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); - } else { - ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); - } - } elsif ($policy eq 'DROP') { - - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); - - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $tapchain, "-j DROP"); - } elsif ($policy eq 'REJECT') { - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); - - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); - } else { - # should not happen - die "internal error: unknown policy '$policy'"; - } + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain my $physdevdirection = $direction eq 'IN' ? "out" : "in"; my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain"; ruleset_insertrule($ruleset, "$bridge-$direction", $rule); - - if ($direction eq 'OUT'){ - # add tap->host rules - my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain"; - ruleset_addrule($ruleset, "PVEFW-INPUT", $rule); - } } -sub enablehostfw { - my ($ruleset, $rules, $group_rules) = @_; +sub enable_host_firewall { + my ($ruleset, $hostfw_conf, $groups_conf) = @_; # fixme: allow security groups - my $options = $rules->{options}; + my $options = $hostfw_conf->{options}; + my $rules = $hostfw_conf->{rules}; # host inbound firewall my $chain = "PVEFW-HOST-IN"; @@ -967,17 +982,17 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync - if ($rules->{in}) { - foreach my $rule (@{$rules->{in}}) { - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); - } - } + # we use RETURN because we need to check also tap rules + my $accept_action = 'RETURN'; - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level $loglevel") - if defined($loglevel); + foreach my $rule (@$rules) { + next if $rule->{type} ne 'in'; + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); + } - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement input policy + my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); # host outbound firewall $chain = "PVEFW-HOST-OUT"; @@ -992,37 +1007,36 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync - if ($rules->{out}) { - foreach my $rule (@{$rules->{out}}) { - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); - } - } + # we use RETURN because we may want to check other thigs later + $accept_action = 'RETURN'; - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level $loglevel") - if defined($loglevel); + foreach my $rule (@$rules) { + next if $rule->{type} ne 'out'; + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); + } - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement output policy + $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); } sub generate_group_rules { - my ($ruleset, $group_rules, $group) = @_; + my ($ruleset, $groups_conf, $group) = @_; - my $rules = $group_rules->{$group}; + die "no such security group '$group'\n" if !$groups_conf->{$group}; - die "no such security group '$group'\n" if !$rules; + my $rules = $groups_conf->{$group}->{rules}; my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); - if ($rules->{in}) { - foreach my $rule (@{$rules->{in}}) { - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); - } + foreach my $rule (@$rules) { + next if $rule->{type} ne 'in'; + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } $chain = "GROUP-${group}-OUT"; @@ -1030,13 +1044,12 @@ sub generate_group_rules { ruleset_create_chain($ruleset, $chain); ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark - if ($rules->{out}) { - foreach my $rule (@{$rules->{out}}) { - # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to - # check also other tap rules later - ruleset_generate_rule($ruleset, $chain, $rule, - { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }); - } + foreach my $rule (@$rules) { + next if $rule->{type} ne 'out'; + # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to + # check also other tap rules later + ruleset_generate_rule($ruleset, $chain, $rule, + { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }); } } @@ -1052,7 +1065,7 @@ sub parse_fw_rule { my $macros = get_firewall_macros(); my $protocols = get_etc_protocols(); - my ($action, $iface, $source, $dest, $proto, $dport, $sport); + my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport); # we can add single line comments to the end of the rule my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; @@ -1061,34 +1074,43 @@ sub parse_fw_rule { my $disable = 1 if $line =~ s/^\|//; my @data = split(/\s+/, $line); - my $expected_elements = $need_iface ? 7 : 6; + my $expected_elements = $need_iface ? 8 : 7; die "wrong number of rule elements\n" if scalar(@data) > $expected_elements; if ($need_iface) { - ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data + ($type, $action, $iface, $source, $dest, $proto, $dport, $sport) = @data } else { - ($action, $source, $dest, $proto, $dport, $sport) = @data; + ($type, $action, $source, $dest, $proto, $dport, $sport) = @data; } - die "incomplete rule\n" if !$action; + die "incomplete rule\n" if ! ($type && $action); my $macro; my $macro_name; - if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { - # OK - } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) { - # OK - } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - ($macro_name, $action) = ($1, $2); - my $lc_macro_name = lc($macro_name); - my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; - $macro_name = $preferred_name if $preferred_name; - $macro = $macros->{$lc_macro_name}; - die "unknown macro '$macro_name'\n" if !$macro; + $type = lc($type); + + if ($type eq 'in' || $type eq 'out') { + if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { + # OK + } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + ($macro_name, $action) = ($1, $2); + my $lc_macro_name = lc($macro_name); + my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; + $macro_name = $preferred_name if $preferred_name; + $macro = $macros->{$lc_macro_name}; + die "unknown macro '$macro_name'\n" if !$macro; + } else { + die "unknown action '$action'\n"; + } + } elsif ($type eq 'group') { + die "wrong number of rule elements\n" if scalar(@data) != 3; + die "groups disabled\n" if !$allow_groups; + + die "invalid characters in group name\n" if $action !~ m/^[A-Za-z0-9_\-]+$/; } else { - die "unknown action '$action'\n"; + die "unknown rule type '$type'\n"; } if ($need_iface) { @@ -1117,6 +1139,7 @@ sub parse_fw_rule { my $rules = []; my $param = { + type => $type, disable => $disable, comment => $comment, action => $action, @@ -1227,7 +1250,7 @@ sub parse_hostfw_option { sub parse_vm_fw_rules { my ($filename, $fh) = @_; - my $res = { in => [], out => [], options => {}}; + my $res = { rules => [], options => {}}; my $section; @@ -1275,7 +1298,7 @@ sub parse_vm_fw_rules { sub parse_host_fw_rules { my ($filename, $fh) = @_; - my $res = { in => [], out => [], options => {}}; + my $res = { rules => [], options => {}}; my $section; @@ -1300,7 +1323,6 @@ sub parse_host_fw_rules { if ($section eq 'options') { eval { - print "PARSE:$line\n"; my ($opt, $value) = parse_hostfw_option($line); $res->{options}->{$opt} = $value; }; @@ -1327,7 +1349,7 @@ sub parse_group_fw_rules { my $section; my $group; - my $res = { in => [], out => [] }; + my $res = { rules => [] }; while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; @@ -1336,9 +1358,9 @@ sub parse_group_fw_rules { my $linenr = $fh->input_line_number(); my $prefix = "$filename (line $linenr)"; - if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) { - $section = lc($1); - $group = lc($2); + if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) { + $section = 'rules'; + $group = lc($1); next; } if (!$section || !$group) { @@ -1430,7 +1452,7 @@ sub generate_std_chains { # same as shorewall smurflog. if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-smurflog'} = [ - "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", + "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel", "-j DROP", ]; } else { @@ -1441,7 +1463,7 @@ sub generate_std_chains { $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-logflags'} = [ - "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", + "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options", "-j DROP", ]; } else { @@ -1488,10 +1510,10 @@ sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); - my $group_rules = {}; + my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { - $group_rules = parse_group_fw_rules($filename, $fh); + $groups_conf = parse_group_fw_rules($filename, $fh); } #print Dumper($rules); @@ -1500,22 +1522,25 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - my $host_options = {}; - my $host_rules; + my $hostfw_options = {}; + my $hostfw_conf; $filename = "/etc/pve/local/host.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { - $host_rules = parse_host_fw_rules($filename, $fh); - $host_options = $host_rules->{options}; + $hostfw_conf = parse_host_fw_rules($filename, $fh); + $hostfw_options = $hostfw_conf->{options}; } - generate_std_chains($ruleset, $host_options); + generate_std_chains($ruleset, $hostfw_options); - my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0)); + my $hostfw_enable = $hostfw_conf && + !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); - enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable; + enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { @@ -1535,20 +1560,14 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; - - generate_bridge_chains($ruleset, $bridge); + generate_bridge_chains($ruleset, $hostfw_conf, $bridge); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); } } - if ($hotsfw_enable) { - # allow traffic from lo (ourself) - ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); - } - return $ruleset; }