X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=57c22fb439439bc3f85c2bbd74af9ec1f87df218;hp=51eaac6e01cab03a64fe1aac1afd2b0898d68d6c;hb=490cdeadaa8c64ed04d06846ba9c782d08a5c4e7;hpb=5b1df9a0feb51097265cdd2baf5dffbd890d2a81

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 51eaac6..57c22fb 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -821,14 +821,24 @@ sub ruleset_insertrule {
 }
 
 sub generate_bridge_chains {
-    my ($ruleset, $bridge) = @_;
+    my ($ruleset, $hostfw_conf, $bridge) = @_;
+
+    my $options = $hostfw_conf->{options} || {};
+    
+    # fixme: what log level should we use here?
+    my $loglevel = get_option_log_level($options, "log_level_out");
 
     if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
 	ruleset_create_chain($ruleset, "$bridge-FW");
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP");  # disable interbridge routing
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
+	# disable interbridge routing
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop"); 
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop");
+ 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");  
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");  
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP");  
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP");
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
@@ -1229,6 +1239,9 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 	$opt = lc($1);
 	$value = uc($3);
+    } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+	$opt = lc($1);
+	$value = int($2);
     } else {
 	chomp $line;
 	die "can't parse option '$line'\n"
@@ -1403,18 +1416,18 @@ sub read_local_vm_config {
     return $vmdata;
 };
 
-sub read_vm_firewall_rules {
+sub read_vm_firewall_configs {
     my ($vmdata) = @_;
-    my $rules = {};
+    my $vmfw_configs = {};
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
 	my $filename = "/etc/pve/firewall/$vmid.fw";
 	my $fh = IO::File->new($filename, O_RDONLY);
 	next if !$fh;
 
-	$rules->{$vmid} = parse_vm_fw_rules($filename, $fh);
+	$vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh);
     }
 
-    return $rules;
+    return $vmfw_configs;
 }
 
 sub get_option_log_level {
@@ -1442,7 +1455,7 @@ sub generate_std_chains {
     # same as shorewall smurflog.
     if (defined($loglevel)) {
 	$pve_std_chains-> {'PVEFW-smurflog'} = [
-	    "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel",
+	    "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel",
 	    "-j DROP",
 	    ];
     } else {
@@ -1453,7 +1466,7 @@ sub generate_std_chains {
     $loglevel = get_option_log_level($options, 'tcp_flags_log_level');
     if (defined($loglevel)) {
 	$pve_std_chains-> {'PVEFW-logflags'} = [
-	    "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options",
+	    "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options",
 	    "-j DROP",
 	    ];
     } else {
@@ -1498,7 +1511,7 @@ sub read_pvefw_status {
 
 sub compile {
     my $vmdata = read_local_vm_config();
-    my $rules = read_vm_firewall_rules($vmdata);
+    my $vmfw_configs = read_vm_firewall_configs($vmdata);
 
     my $groups_conf = {};
     my $filename = "/etc/pve/firewall/groups.fw";
@@ -1517,7 +1530,7 @@ sub compile {
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 
     my $hostfw_options = {};
-    my $hostfw_conf;
+    my $hostfw_conf = {};
 
     $filename = "/etc/pve/local/host.fw";
     if (my $fh = IO::File->new($filename, O_RDONLY)) {
@@ -1527,15 +1540,14 @@ sub compile {
 
     generate_std_chains($ruleset, $hostfw_options);
 
-    my $hostfw_enable = $hostfw_conf && 
-	!(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
+    my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
 
     enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
 	my $conf = $vmdata->{qemu}->{$vmid};
-	my $vmfw_conf = $rules->{$vmid};
+	my $vmfw_conf = $vmfw_configs->{$vmid};
 	next if !$vmfw_conf;
 	next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
 
@@ -1550,7 +1562,7 @@ sub compile {
 
 	    $bridge .= "v$net->{tag}" if $net->{tag};
 
-	    generate_bridge_chains($ruleset, $bridge);
+	    generate_bridge_chains($ruleset, $hostfw_conf, $bridge);
 
 	    my $macaddr = $net->{macaddr};
 	    generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
@@ -1558,7 +1570,7 @@ sub compile {
 	}
     }
 
-    return $ruleset;
+    return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
 }
 
 sub get_ruleset_status {
@@ -1709,13 +1721,39 @@ sub apply_ruleset {
     die "unable to apply firewall changes\n" if $errors;
 }
 
+sub update_nf_conntrack_max {
+    my ($hostfw_conf) = @_;
+
+    my $max = 65536; # reasonable default
+
+    my $options = $hostfw_conf->{options} || {};
+
+    if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
+	$max = $options->{nf_conntrack_max};
+	$max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192
+    }
+
+    my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
+    my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";
+
+    my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);
+
+    if ($current != $max) {
+	my $hashsize = int($max/4);
+	PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
+	PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
+    }
+}
+
 sub update {
     my ($start, $verbose) = @_;
 
     my $code = sub {
 	my $status = read_pvefw_status();
 
-	my $ruleset = PVE::Firewall::compile();
+	my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
+
+	update_nf_conntrack_max($hostfw_conf);
 
 	if ($start || $status eq 'active') {