X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=6707e669e3065c6539b120f928a170c7603d0c5f;hp=7e3daada50b171af51aa9c0a1f6b5f385459563f;hb=68c90e210e53b10f63b47da62c06507afc68ef6e;hpb=d1c53b3e0daad6891ad6a97b6e79d03d7e781a78 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 7e3daad..6707e66 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -5,6 +5,7 @@ use strict; use Data::Dumper; use Digest::SHA; use PVE::INotify; +use PVE::JSONSchema qw(get_standard_option); use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools; @@ -13,6 +14,10 @@ use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file); +use Encode; + +my $hostfw_conf_filename = "/etc/pve/local/host.fw"; +my $clusterfw_conf_filename = "/etc/pve/firewall/cluster.fw"; # dynamically include PVE::QemuServer and PVE::OpenVZ # to avoid dependency problems @@ -509,23 +514,20 @@ my $icmp_type_names = { 'address-mask-reply' => 1, }; -sub get_firewall_macros { - - return $pve_fw_parsed_macros if $pve_fw_parsed_macros; +sub init_firewall_macros { $pve_fw_parsed_macros = {}; foreach my $k (keys %$pve_fw_macros) { - my $name = lc($k); - - my $macro = $pve_fw_macros->{$k}; - $pve_fw_preferred_macro_names->{$name} = $k; - $pve_fw_parsed_macros->{$name} = $macro; + my $lc_name = lc($k); + my $macro = $pve_fw_macros->{$k}; + $pve_fw_preferred_macro_names->{$lc_name} = $k; + $pve_fw_parsed_macros->{$k} = $macro; } - - return $pve_fw_parsed_macros; } +init_firewall_macros(); + my $etc_services; sub get_etc_services { @@ -635,15 +637,106 @@ sub parse_port_name_number_or_range { return ($nbports); } +PVE::JSONSchema::register_format('pve-fw-port-spec', \&pve_fw_verify_port_spec); +sub pve_fw_verify_port_spec { + my ($portstr) = @_; + + parse_port_name_number_or_range($portstr); + + return $portstr; +} + +PVE::JSONSchema::register_format('pve-fw-v4addr-spec', \&pve_fw_verify_v4addr_spec); +sub pve_fw_verify_v4addr_spec { + my ($list) = @_; + + parse_address_list($list); + + return $list; +} + +PVE::JSONSchema::register_format('pve-fw-protocol-spec', \&pve_fw_verify_protocol_spec); +sub pve_fw_verify_protocol_spec { + my ($proto) = @_; + + my $protocols = get_etc_protocols(); + + die "unknown protocol '$proto'\n" if $proto && + !(defined($protocols->{byname}->{$proto}) || + defined($protocols->{byid}->{$proto})); + + return $proto; +} + + # helper function for API + +my $rule_properties = { + pos => { + description => "Update rule at position .", + type => 'integer', + minimum => 0, + optional => 1, + }, + digest => { + type => 'string', + optional => 1, + maxLength => 27, + minLength => 27, + }, + type => { + type => 'string', + optional => 1, + enum => ['in', 'out', 'group'], + }, + action => { + type => 'string', + optional => 1, + enum => ['ACCEPT', 'DROP', 'REJECT'], + }, + macro => { + type => 'string', + optional => 1, + maxLength => 128, + }, + iface => get_standard_option('pve-iface', { optional => 1 }), + source => { + type => 'string', format => 'pve-fw-v4addr-spec', + optional => 1, + }, + dest => { + type => 'string', format => 'pve-fw-v4addr-spec', + optional => 1, + }, + proto => { + type => 'string', format => 'pve-fw-protocol-spec', + optional => 1, + }, + enable => { + type => 'boolean', + optional => 1, + }, + sport => { + type => 'string', format => 'pve-fw-port-spec', + optional => 1, + }, + dport => { + type => 'string', format => 'pve-fw-port-spec', + optional => 1, + }, + comment => { + type => 'string', + optional => 1, + }, +}; + sub cleanup_fw_rule { my ($rule, $digest, $pos) = @_; my $r = {}; foreach my $k (keys %$rule) { - next if $k eq 'nbdport'; - next if $k eq 'nbsport'; + next if !$rule_properties->{$k}; my $v = $rule->{$k}; next if !defined($v); $r->{$k} = $v; @@ -654,6 +747,34 @@ sub cleanup_fw_rule { return $r; } +sub add_rule_properties { + my ($properties) = @_; + + foreach my $k (keys %$rule_properties) { + $properties->{$k} = $rule_properties->{$k}; + } + + return $properties; +} + +sub copy_rule_data { + my ($rule, $param) = @_; + + foreach my $k (keys %$rule_properties) { + if (defined(my $v = $param->{$k})) { + if ($v eq '' || $v eq '-') { + delete $rule->{$k}; + } else { + $rule->{$k} = $v; + } + } else { + delete $rule->{$k}; + } + } + return $rule; +} + +# core functions my $bridge_firewall_enabled = 0; sub enable_bridge_firewall { @@ -671,16 +792,16 @@ sub enable_bridge_firewall { my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n"; -sub iptables { - my ($cmd) = @_; +sub iptables_restore_cmdlist { + my ($cmdlist) = @_; - run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {}); + run_command("/sbin/iptables-restore -n", input => $cmdlist); } -sub iptables_restore_cmdlist { +sub ipset_restore_cmdlist { my ($cmdlist) = @_; - run_command("/sbin/iptables-restore -n", input => $cmdlist); + run_command("/usr/sbin/ipset restore", input => $cmdlist); } sub iptables_get_chains { @@ -699,7 +820,7 @@ sub iptables_get_chains { return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/; - return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT|IPS)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; return undef; @@ -707,6 +828,8 @@ sub iptables_get_chains { my $table = ''; + my $hooks = {}; + my $parser = sub { my $line = shift; @@ -728,6 +851,8 @@ sub iptables_get_chains { my ($chain, $sig) = ($1, $2); return if !&$is_pvefw_chain($chain); $res->{$chain} = $sig; + } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) { + $hooks->{$1} = 1; } else { # simply ignore the rest return; @@ -736,52 +861,86 @@ sub iptables_get_chains { run_command("/sbin/iptables-save", outfunc => $parser); - return $res; + return wantarray ? ($res, $hooks) : $res; } -sub iptables_chain_exist { - my ($chain) = @_; +sub iptables_chain_digest { + my ($rules) = @_; + my $digest = Digest::SHA->new('sha1'); + foreach my $rule (@$rules) { # order is important + $digest->add($rule); + } + return $digest->b64digest; +} - eval{ - iptables("-n --list $chain"); - }; - return undef if $@; +sub ipset_chain_digest { + my ($rules) = @_; - return 1; + my $digest = Digest::SHA->new('sha1'); + foreach my $rule (sort @$rules) { # note: sorted + $digest->add($rule); + } + return $digest->b64digest; } -sub iptables_rule_exist { - my ($rule) = @_; +sub ipset_get_chains { - eval{ - iptables("-C $rule"); + my $res = {}; + my $chains = {}; + + my $parser = sub { + my $line = shift; + + return if $line =~ m/^#/; + return if $line =~ m/^\s*$/; + if ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) { + my $chain = $1; + $line =~ s/\s+$//; # delete trailing white space + push @{$chains->{$chain}}, $line; + } else { + # simply ignore the rest + return; + } }; - return undef if $@; - return 1; + run_command("/usr/sbin/ipset save", outfunc => $parser); + + # compute digest for each chain + foreach my $chain (keys %$chains) { + $res->{$chain} = ipset_chain_digest($chains->{$chain}); + } + + return $res; } sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto) = @_; - return if $rule->{disable}; + return if defined($rule->{enable}) && !$rule->{enable}; + + die "unable to emit macro - internal error" if $rule->{macro}; # should not happen + + my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}) : 0; + my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}) : 0; + my $nbsource = $rule->{source} ? parse_address_list( $rule->{source}) : 0; + my $nbdest = $rule->{dest} ? parse_address_list($rule->{dest}) : 0; my @cmd = (); push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in}; push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out}; - push @cmd, "-m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; + push @cmd, "-m iprange --src-range" if $nbsource > 1; push @cmd, "-s $rule->{source}" if $rule->{source}; - push @cmd, "-m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; + push @cmd, "-m iprange --dst-range" if $nbdest > 1; push @cmd, "-d $rule->{dest}" if $rule->{dest}; if ($rule->{proto}) { push @cmd, "-p $rule->{proto}"; my $multiport = 0; - $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1); - $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1); + $multiport++ if $nbdport > 1; + $multiport++ if $nbsport > 1; push @cmd, "--match multiport" if $multiport; @@ -794,7 +953,7 @@ sub ruleset_generate_cmdstr { die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}}); push @cmd, "-m icmp --icmp-type $rule->{dport}"; } else { - if ($rule->{nbdport} && $rule->{nbdport} > 1) { + if ($nbdport > 1) { if ($multiport == 2) { push @cmd, "--ports $rule->{dport}"; } else { @@ -807,7 +966,7 @@ sub ruleset_generate_cmdstr { } if ($rule->{sport}) { - if ($rule->{nbsport} && $rule->{nbsport} > 1) { + if ($nbsport > 1) { push @cmd, "--sports $rule->{sport}" if $multiport != 2; } else { push @cmd, "--sport $rule->{sport}"; @@ -829,16 +988,73 @@ sub ruleset_generate_cmdstr { return scalar(@cmd) ? join(' ', @cmd) : undef; } +my $apply_macro = sub { + my ($macro_name, $param) = @_; + + my $macro_rules = $pve_fw_parsed_macros->{$macro_name}; + die "unknown macro '$macro_name'\n" if !$macro_rules; # should not happen + + my $rules = []; + + foreach my $templ (@$macro_rules) { + my $rule = {}; + my $param_used = {}; + foreach my $k (keys %$templ) { + my $v = $templ->{$k}; + if ($v eq 'PARAM') { + $v = $param->{$k}; + $param_used->{$k} = 1; + } elsif ($v eq 'DEST') { + $v = $param->{dest}; + $param_used->{dest} = 1; + } elsif ($v eq 'SOURCE') { + $v = $param->{source}; + $param_used->{source} = 1; + } + + die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); + $rule->{$k} = $v; + } + foreach my $k (keys %$param) { + next if $k eq 'macro'; + next if !defined($param->{$k}); + next if $param_used->{$k}; + if (defined($rule->{$k})) { + die "parameter '$k' already define in macro (value = '$rule->{$k}')\n" + if $rule->{$k} ne $param->{$k}; + } else { + $rule->{$k} = $param->{$k}; + } + } + push @$rules, $rule; + } + + return $rules; +}; + sub ruleset_generate_rule { my ($ruleset, $chain, $rule, $actions, $goto) = @_; - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { - ruleset_addrule($ruleset, $chain, $cmdstr); + my $rules; + + if ($rule->{macro}) { + $rules = &$apply_macro($rule->{macro}, $rule); + } else { + $rules = [ $rule ]; + } + + foreach my $tmp (@$rules) { + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto)) { + ruleset_addrule($ruleset, $chain, $cmdstr); + } } } + sub ruleset_generate_rule_insert { my ($ruleset, $chain, $rule, $actions, $goto) = @_; + die "implement me" if $rule->{macro}; # not implemented, because not needed so far + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { ruleset_insertrule($ruleset, $chain, $cmdstr); } @@ -962,13 +1178,20 @@ sub ruleset_create_vm_chain { my ($ruleset, $chain, $options, $macaddr, $direction) = @_; ruleset_create_chain($ruleset, $chain); + my $accept = generate_nfqueue($options); if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); } if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { - ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK', + proto => 'udp', sport => 68, dport => 67 }); + } else { + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT', + proto => 'udp', sport => 67, dport => 68 }); + } } if ($options->{tcpflags}) { @@ -976,46 +1199,98 @@ sub ruleset_create_vm_chain { } ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + if($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK"); + }else{ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + } if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); } ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark } + + } sub ruleset_generate_vm_rules { - my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_; + my ($ruleset, $rules, $cluster_conf, $chain, $netid, $direction, $options) = @_; my $lc_direction = lc($direction); foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; - next if $rule->{disable}; + next if !$rule->{enable}; if ($rule->{type} eq 'group') { my $group_chain = "GROUP-$rule->{action}-$direction"; if(!ruleset_chain_exist($ruleset, $group_chain)){ - generate_group_rules($ruleset, $groups_conf, $rule->{action}); + generate_group_rules($ruleset, $cluster_conf, $rule->{action}); } ruleset_addrule($ruleset, $chain, "-j $group_chain"); - ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN") - if $direction eq 'OUT'; + if ($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN"); + }else{ + my $accept = generate_nfqueue($options); + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept"); + } + } else { next if $rule->{type} ne $lc_direction; if ($direction eq 'OUT') { ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + my $accept = generate_nfqueue($options); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }); + } + } + } +} + +sub generate_nfqueue { + my ($options) = @_; + + my $action = ""; + if($options->{ips}){ + $action = "NFQUEUE"; + if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) { + if(defined($3) && defined($1)) { + $action .= " --queue-balance $1:$3"; + }elsif (defined($1)) { + $action .= " --queue-num $1"; } } + $action .= " --queue-bypass"; + }else{ + $action = "ACCEPT"; + } + + return $action; +} + +sub ruleset_generate_vm_ipsrules { + my ($ruleset, $options, $direction, $iface, $bridge) = @_; + + if ($options->{ips} && $direction eq 'IN') { + my $nfqueue = generate_nfqueue($options); + + if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { + ruleset_create_chain($ruleset, "PVEFW-IPS"); + } + + if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { + ruleset_create_chain($ruleset, "$bridge-IPS"); + ruleset_insertrule($ruleset, "PVEFW-IPS", "-o $bridge -m physdev --physdev-is-out -j $bridge-IPS"); + } + + ruleset_addrule($ruleset, "$bridge-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); } } sub generate_venet_rules_direction { - my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; + my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; parse_address_list($ip); # make sure we have a valid $ip list @@ -1030,7 +1305,7 @@ sub generate_venet_rules_direction { ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction); - ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $chain, 'venet', $direction); + ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction); # implement policy my $policy; @@ -1041,7 +1316,8 @@ sub generate_venet_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action); # plug into FORWARD, INPUT and OUTPUT chain @@ -1069,7 +1345,7 @@ sub generate_venet_rules_direction { } sub generate_tap_rules_direction { - my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_; + my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_; my $lc_direction = lc($direction); @@ -1082,7 +1358,9 @@ sub generate_tap_rules_direction { ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction); - ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction); + ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options); + + ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface, $bridge); # implement policy my $policy; @@ -1093,7 +1371,8 @@ sub generate_tap_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain @@ -1107,7 +1386,7 @@ sub generate_tap_rules_direction { } sub enable_host_firewall { - my ($ruleset, $hostfw_conf, $groups_conf) = @_; + my ($ruleset, $hostfw_conf, $cluster_conf) = @_; # fixme: allow security groups @@ -1120,6 +1399,14 @@ sub enable_host_firewall { my $loglevel = get_option_log_level($options, "log_level_in"); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); + } + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); @@ -1169,19 +1456,19 @@ sub enable_host_firewall { } sub generate_group_rules { - my ($ruleset, $groups_conf, $group) = @_; + my ($ruleset, $cluster_conf, $group) = @_; + die "no such security group '$group'\n" if !$cluster_conf->{groups}->{$group}; - die "no such security group '$group'\n" if !$groups_conf->{$group}; - - my $rules = $groups_conf->{rules}->{$group}; + my $rules = $cluster_conf->{groups}->{$group}; my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } $chain = "GROUP-${group}-OUT"; @@ -1207,16 +1494,15 @@ for (my $i = 0; $i < $MAX_NETS; $i++) { sub parse_fw_rule { my ($line, $need_iface, $allow_groups) = @_; - my $macros = get_firewall_macros(); - my $protocols = get_etc_protocols(); - my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport); # we can add single line comments to the end of the rule - my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; # we can disable a rule when prefixed with '|' - my $disable = 1 if $line =~ s/^\|//; + my $enable = 1; + + $enable = 0 if $line =~ s/^\|//; my @data = split(/\s+/, $line); my $expected_elements = $need_iface ? 8 : 7; @@ -1232,7 +1518,6 @@ sub parse_fw_rule { die "incomplete rule\n" if ! ($type && $action); my $macro; - my $macro_name; $type = lc($type); @@ -1240,12 +1525,10 @@ sub parse_fw_rule { if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { # OK } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - ($macro_name, $action) = ($1, $2); - my $lc_macro_name = lc($macro_name); - my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; - $macro_name = $preferred_name if $preferred_name; - $macro = $macros->{$lc_macro_name}; - die "unknown macro '$macro_name'\n" if !$macro; + $action = $2; + my $preferred_name = $pve_fw_preferred_macro_names->{lc($1)}; + die "unknown macro '$1'\n" if !$preferred_name; + $macro = $preferred_name; } else { die "unknown action '$action'\n"; } @@ -1263,9 +1546,7 @@ sub parse_fw_rule { } $proto = undef if $proto && $proto eq '-'; - die "unknown protokol '$proto'\n" if $proto && - !(defined($protocols->{byname}->{$proto}) || - defined($protocols->{byid}->{$proto})); + pve_fw_verify_protocol_spec($proto) if $proto; $source = undef if $source && $source eq '-'; $dest = undef if $dest && $dest eq '-'; @@ -1273,73 +1554,25 @@ sub parse_fw_rule { $dport = undef if $dport && $dport eq '-'; $sport = undef if $sport && $sport eq '-'; - my $nbsource = undef; - my $nbdest = undef; - - $nbsource = parse_address_list($source) if $source; - $nbdest = parse_address_list($dest) if $dest; + parse_port_name_number_or_range($dport) if defined($dport); + parse_port_name_number_or_range($sport) if defined($sport); + + parse_address_list($source) if $source; + parse_address_list($dest) if $dest; - my $rules = []; - - my $param = { + return { type => $type, - disable => $disable, + enable => $enable, comment => $comment, action => $action, + macro => $macro, iface => $iface, source => $source, dest => $dest, - nbsource => $nbsource, - nbdest => $nbdest, proto => $proto, dport => $dport, sport => $sport, }; - - if ($macro) { - foreach my $templ (@$macro) { - my $rule = {}; - my $param_used = {}; - foreach my $k (keys %$templ) { - my $v = $templ->{$k}; - if ($v eq 'PARAM') { - $v = $param->{$k}; - $param_used->{$k} = 1; - } elsif ($v eq 'DEST') { - $v = $param->{dest}; - $param_used->{dest} = 1; - } elsif ($v eq 'SOURCE') { - $v = $param->{source}; - $param_used->{source} = 1; - } - - die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); - $rule->{$k} = $v; - } - foreach my $k (keys %$param) { - next if !defined($param->{$k}); - next if $param_used->{$k}; - if (defined($rule->{$k})) { - die "parameter '$k' already define in macro (value = '$rule->{$k}')\n" - if $rule->{$k} ne $param->{$k}; - } else { - $rule->{$k} = $param->{$k}; - } - } - push @$rules, $rule; - } - } else { - push @$rules, $param; - } - - foreach my $rule (@$rules) { - $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) - if defined($rule->{dport}); - $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) - if defined($rule->{sport}); - } - - return $rules; } sub parse_vmfw_option { @@ -1349,7 +1582,7 @@ sub parse_vmfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags|ips):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { @@ -1358,6 +1591,9 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) { + $opt = lc($1); + $value = $2; } else { chomp $line; die "can't parse option '$line'\n" @@ -1373,7 +1609,7 @@ sub parse_hostfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { @@ -1393,6 +1629,22 @@ sub parse_hostfw_option { return ($opt, $value); } +sub parse_clusterfw_option { + my ($line) = @_; + + my ($opt, $value); + + if ($line =~ m/^(enable):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); + } else { + chomp $line; + die "can't parse option '$line'\n" + } + + return ($opt, $value); +} + sub parse_vm_fw_rules { my ($filename, $fh) = @_; @@ -1400,7 +1652,11 @@ sub parse_vm_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1428,16 +1684,18 @@ sub parse_vm_fw_rules { next; } - my $rules; - eval { $rules = parse_fw_rule($line, 1, 1); }; + my $rule; + eval { $rule = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { warn "$prefix: $err"; next; } - push @{$res->{$section}}, @$rules; + push @{$res->{$section}}, $rule; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1448,7 +1706,11 @@ sub parse_host_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1476,26 +1738,28 @@ sub parse_host_fw_rules { next; } - my $rules; - eval { $rules = parse_fw_rule($line, 1, 1); }; + my $rule; + eval { $rule = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { warn "$prefix: $err"; next; } - - push @{$res->{$section}}, @$rules; + + push @{$res->{$section}}, $rule; } + $res->{digest} = $digest->b64digest; + return $res; } -sub parse_group_fw_rules { +sub parse_cluster_fw_rules { my ($filename, $fh) = @_; my $section; my $group; - my $res = { rules => {} }; + my $res = { rules => [], options => {}, groups => {}, ipset => {} }; my $digest = Digest::SHA->new('sha1'); @@ -1508,28 +1772,76 @@ sub parse_group_fw_rules { my $linenr = $fh->input_line_number(); my $prefix = "$filename (line $linenr)"; + if ($line =~ m/^\[options\]$/i) { + $section = 'options'; + next; + } + if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) { - $section = 'rules'; + $section = 'groups'; $group = lc($1); next; } - if (!$section || !$group) { - warn "$prefix: skip line - no section"; + + if ($line =~ m/^\[rules\]$/i) { + $section = 'rules'; + next; + } + + if ($line =~ m/^\[netgroup\s+(\S+)\]\s*$/i) { + $section = 'ipset'; + $group = lc($1); next; } - my $rules; - eval { $rules = parse_fw_rule($line, 0, 0); }; - if (my $err = $@) { - warn "$prefix: $err"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - push @{$res->{$section}->{$group}}, @$rules; + if ($section eq 'options') { + eval { + my ($opt, $value) = parse_clusterfw_option($line); + $res->{options}->{$opt} = $value; + }; + warn "$prefix: $@" if $@; + } elsif ($section eq 'rules') { + my $rule; + eval { $rule = parse_fw_rule($line, 1, 1); }; + if (my $err = $@) { + warn "$prefix: $err"; + next; + } + push @{$res->{$section}}, $rule; + } elsif ($section eq 'groups') { + my $rule; + eval { $rule = parse_fw_rule($line, 0, 0); }; + if (my $err = $@) { + warn "$prefix: $err"; + next; + } + push @{$res->{$section}->{$group}}, $rule; + } elsif ($section eq 'ipset') { + chomp $line; + $line =~ m/^(\!)?(\s)?((\d+)\.(\d+)\.(\d+)\.(\d+)(\/(\d+))?)/; + my $nomatch = $1; + my $ip = $3; + + if(!$ip){ + warn "$prefix: $line is not an valid ip address"; + next; + } + if (!Net::IP->new($ip)) { + warn "$prefix: $line is not an valid ip address"; + next; + } + $ip .= " nomatch" if $nomatch; + + push @{$res->{$section}->{$group}}, $ip; + } } $res->{digest} = $digest->b64digest; - return $res; } @@ -1581,16 +1893,87 @@ sub read_local_vm_config { return $vmdata; }; +sub load_vmfw_conf { + my ($vmid) = @_; + + my $vmfw_conf = {}; + + my $filename = "/etc/pve/firewall/$vmid.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $vmfw_conf = parse_vm_fw_rules($filename, $fh); + } + + return $vmfw_conf; +} + +my $format_rules = sub { + my ($rules, $need_iface) = @_; + + my $raw = ''; + + foreach my $rule (@$rules) { + if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + $raw .= '|' if defined($rule->{enable}) && !$rule->{enable}; + $raw .= uc($rule->{type}); + $raw .= " " . $rule->{action}; + $raw .= " " . ($rule->{iface} || '-') if $need_iface; + $raw .= " " . ($rule->{source} || '-'); + $raw .= " " . ($rule->{dest} || '-'); + $raw .= " " . ($rule->{proto} || '-'); + $raw .= " " . ($rule->{dport} || '-'); + $raw .= " " . ($rule->{sport} || '-'); + $raw .= " # " . encode('utf8', $rule->{comment}) + if $rule->{comment} && $rule->{comment} !~ m/^\s*$/; + $raw .= "\n"; + } else { + die "implement me '$rule->{type}'"; + } + } + + return $raw; +}; + +my $format_options = sub { + my ($options) = @_; + + my $raw = ''; + + $raw .= "[OPTIONS]\n\n"; + foreach my $opt (keys %$options) { + $raw .= "$opt: $options->{$opt}\n"; + } + $raw .= "\n"; + + return $raw; +}; + +sub save_vmfw_conf { + my ($vmid, $vmfw_conf) = @_; + + my $raw = ''; + + my $options = $vmfw_conf->{options}; + $raw .= &$format_options($options) if scalar(keys %$options); + + my $rules = $vmfw_conf->{rules}; + if (scalar(@$rules)) { + $raw .= "[RULES]\n\n"; + $raw .= &$format_rules($rules, 1); + $raw .= "\n"; + } + + my $filename = "/etc/pve/firewall/$vmid.fw"; + PVE::Tools::file_set_contents($filename, $raw); +} + sub read_vm_firewall_configs { my ($vmdata) = @_; my $vmfw_configs = {}; foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/firewall/$vmid.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - next if !$fh; - - $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh); + my $vmfw_conf = load_vmfw_conf($vmid); + next if !$vmfw_conf->{options}; # skip if file does not exists + $vmfw_configs->{$vmid} = $vmfw_conf; } return $vmfw_configs; @@ -1643,6 +2026,39 @@ sub generate_std_chains { } } +sub generate_ipset_chains { + my ($ipset_ruleset, $fw_conf) = @_; + + foreach my $ipset (keys %{$fw_conf->{ipset}}) { + generate_ipset($ipset_ruleset, $ipset, $fw_conf->{ipset}->{$ipset}); + } +} + +sub generate_ipset { + my ($ipset_ruleset, $name, $options) = @_; + + my $hashsize = scalar(@$options); + if ($hashsize <= 64) { + $hashsize = 64; + } else { + $hashsize = round_powerof2($hashsize); + } + + push @{$ipset_ruleset->{$name}}, "create $name hash:net family inet hashsize $hashsize maxelem $hashsize"; + + foreach my $ip (@$options) { + push @{$ipset_ruleset->{$name}}, "add $name $ip"; + } +} + +sub round_powerof2 { + my ($int) = @_; + + $int--; + $int |= $int >> $_ foreach (1,2,4,8,16); + return ++$int; +} + sub save_pvefw_status { my ($status) = @_; @@ -1695,15 +2111,68 @@ sub read_proc_net_route { return $res; } -sub load_security_groups { +sub load_clusterfw_conf { - my $groups_conf = {}; - my $filename = "/etc/pve/firewall/groups.fw"; - if (my $fh = IO::File->new($filename, O_RDONLY)) { - $groups_conf = parse_group_fw_rules($filename, $fh); + my $cluster_conf = {}; + if (my $fh = IO::File->new($clusterfw_conf_filename, O_RDONLY)) { + $cluster_conf = parse_cluster_fw_rules($clusterfw_conf_filename, $fh); } - return $groups_conf; + return $cluster_conf; +} + +sub save_clusterfw_conf { + my ($cluster_conf) = @_; + + my $raw = ''; + + my $options = $cluster_conf->{options}; + $raw .= &$format_options($options) if scalar(keys %$options); + + # fixme: save ipset + + my $rules = $cluster_conf->{rules}; + if (scalar(@$rules)) { + $raw .= "[RULES]\n\n"; + $raw .= &$format_rules($rules, 1); + $raw .= "\n"; + } + + foreach my $group (sort keys %{$cluster_conf->{groups}}) { + my $rules = $cluster_conf->{groups}->{$group}; + $raw .= "[group $group]\n\n"; + $raw .= &$format_rules($rules, 0); + $raw .= "\n"; + } + + PVE::Tools::file_set_contents($clusterfw_conf_filename, $raw); +} + +sub load_hostfw_conf { + + my $hostfw_conf = {}; + if (my $fh = IO::File->new($hostfw_conf_filename, O_RDONLY)) { + $hostfw_conf = parse_host_fw_rules($hostfw_conf_filename, $fh); + } + return $hostfw_conf; +} + +sub save_hostfw_conf { + my ($hostfw_conf) = @_; + + my $raw = ''; + + my $options = $hostfw_conf->{options}; + $raw .= &$format_options($options) if scalar(keys %$options); + + my $rules = $hostfw_conf->{rules}; + if (scalar(@$rules)) { + $raw .= "[RULES]\n\n"; + $raw .= &$format_rules($rules, 1); + $raw .= "\n"; + } + + PVE::Tools::file_set_contents($hostfw_conf_filename, $raw); } sub compile { @@ -1712,7 +2181,10 @@ sub compile { my $routing_table = read_proc_net_route(); - my $groups_conf = load_security_groups(); + my $cluster_conf = load_clusterfw_conf(); + + my $ipset_ruleset = {}; + generate_ipset_chains($ipset_ruleset, $cluster_conf); my $ruleset = {}; @@ -1721,20 +2193,14 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - my $hostfw_options = {}; - my $hostfw_conf = {}; - - my $filename = "/etc/pve/local/host.fw"; - if (my $fh = IO::File->new($filename, O_RDONLY)) { - $hostfw_conf = parse_host_fw_rules($filename, $fh); - $hostfw_options = $hostfw_conf->{options}; - } + my $hostfw_conf = load_hostfw_conf(); + my $hostfw_options = $hostfw_conf->{options} || {}; generate_std_chains($ruleset, $hostfw_options); my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); - enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; + enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { @@ -1757,9 +2223,9 @@ sub compile { generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, 'OUT'); } } @@ -1774,8 +2240,8 @@ sub compile { if ($conf->{ip_address} && $conf->{ip_address}->{value}) { my $ip = $conf->{ip_address}->{value}; - generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN'); - generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'OUT'); + generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN'); + generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT'); } if ($conf->{netif} && $conf->{netif}->{value}) { @@ -1792,16 +2258,20 @@ sub compile { my $macaddr = $d->{mac}; my $iface = $d->{host_ifname}; - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, 'OUT'); } } } - # fixme: this is an optimization? if so, we should also drop INVALID packages? - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + if($hostfw_options->{optimize}){ + + my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT"; + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP"); + } # fixme: what log level should we use here? my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); @@ -1819,22 +2289,17 @@ sub compile { ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP"); - return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; + return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset; } sub get_ruleset_status { - my ($ruleset, $verbose) = @_; - - my $active_chains = iptables_get_chains(); + my ($ruleset, $active_chains, $digest_fn, $verbose) = @_; my $statushash = {}; foreach my $chain (sort keys %$ruleset) { - my $digest = Digest::SHA->new('sha1'); - foreach my $cmd (@{$ruleset->{$chain}}) { - $digest->add("$cmd\n"); - } - my $sig = $digest->b64digest; + my $sig = &$digest_fn($ruleset->{$chain}); + $statushash->{$chain}->{sig} = $sig; my $oldsig = $active_chains->{$chain}; @@ -1865,12 +2330,6 @@ sub get_ruleset_status { return $statushash; } -sub print_ruleset { - my ($ruleset) = @_; - - get_ruleset_status($ruleset, 1); -} - sub print_sig_rule { my ($chain, $sig) = @_; @@ -1878,12 +2337,13 @@ sub print_sig_rule { return "-A $chain -m comment --comment \"PVESIG:$sig\"\n"; } -sub get_rulset_cmdlist { +sub get_ruleset_cmdlist { my ($ruleset, $verbose) = @_; my $cmdlist = "*filter\n"; # we pass this to iptables-restore; - - my $statushash = get_ruleset_status($ruleset, $verbose); + + my ($active_chains, $hooks) = iptables_get_chains(); + my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose); # create missing chains first foreach my $chain (sort keys %$ruleset) { @@ -1894,18 +2354,10 @@ sub get_rulset_cmdlist { $cmdlist .= ":$chain - [0:0]\n"; } - my $rule = "INPUT -j PVEFW-INPUT"; - if (!PVE::Firewall::iptables_rule_exist($rule)) { - $cmdlist .= "-A $rule\n"; - } - $rule = "OUTPUT -j PVEFW-OUTPUT"; - if (!PVE::Firewall::iptables_rule_exist($rule)) { - $cmdlist .= "-A $rule\n"; - } - - $rule = "FORWARD -j PVEFW-FORWARD"; - if (!PVE::Firewall::iptables_rule_exist($rule)) { - $cmdlist .= "-A $rule\n"; + foreach my $h (qw(INPUT OUTPUT FORWARD)) { + if (!$hooks->{$h}) { + $cmdlist .= "-A $h -j PVEFW-$h\n"; + } } foreach my $chain (sort keys %$ruleset) { @@ -1939,26 +2391,93 @@ sub get_rulset_cmdlist { $cmdlist .= "-X $chain\n"; } + my $changes = $cmdlist ne "*filter\n" ? 1 : 0; + $cmdlist .= "COMMIT\n"; - return $cmdlist; + return wantarray ? ($cmdlist, $changes) : $cmdlist; +} + +sub get_ipset_cmdlist { + my ($ruleset, $verbose) = @_; + + my $cmdlist = ""; + + my $delete_cmdlist = ""; + + my $active_chains = ipset_get_chains(); + my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose); + + foreach my $chain (sort keys %$ruleset) { + my $stat = $statushash->{$chain}; + die "internal error" if !$stat; + + if ($stat->{action} eq 'create') { + foreach my $cmd (@{$ruleset->{$chain}}) { + $cmdlist .= "$cmd\n"; + } + } + + if ($stat->{action} eq 'update') { + my $chain_swap = $chain."_swap"; + + foreach my $cmd (@{$ruleset->{$chain}}) { + $cmd =~ s/$chain/$chain_swap/; + $cmdlist .= "$cmd\n"; + } + $cmdlist .= "swap $chain_swap $chain\n"; + $cmdlist .= "flush $chain_swap\n"; + $cmdlist .= "destroy $chain_swap\n"; + } + + } + + foreach my $chain (keys %$statushash) { + next if $statushash->{$chain}->{action} ne 'delete'; + + $delete_cmdlist .= "flush $chain\n"; + $delete_cmdlist .= "destroy $chain\n"; + } + + my $changes = ($cmdlist || $delete_cmdlist) ? 1 : 0; + + return ($cmdlist, $delete_cmdlist, $changes); } sub apply_ruleset { - my ($ruleset, $hostfw_conf, $verbose) = @_; + my ($ruleset, $hostfw_conf, $ipset_ruleset, $verbose) = @_; enable_bridge_firewall(); update_nf_conntrack_max($hostfw_conf); - my $cmdlist = get_rulset_cmdlist($ruleset, $verbose); + my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) = + get_ipset_cmdlist($ipset_ruleset, undef, $verbose); - print $cmdlist if $verbose; + my ($cmdlist, $changes) = get_ruleset_cmdlist($ruleset, $verbose); + + if ($verbose) { + if ($ipset_changes) { + print "ipset changes:\n"; + print $ipset_create_cmdlist if $ipset_create_cmdlist; + print $ipset_delete_cmdlist if $ipset_delete_cmdlist; + } + + if ($changes) { + print "iptables changes:\n"; + print $cmdlist; + } + } + + ipset_restore_cmdlist($ipset_create_cmdlist); iptables_restore_cmdlist($cmdlist); + ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist; + # test: re-read status and check if everything is up to date - my $statushash = get_ruleset_status($ruleset); + my $active_chains = iptables_get_chains(); + my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, 0); my $errors; foreach my $chain (sort keys %$ruleset) { @@ -1996,19 +2515,42 @@ sub update_nf_conntrack_max { } } +sub remove_pvefw_chains { + + my ($chash, $hooks) = iptables_get_chains(); + my $cmdlist = "*filter\n"; + + foreach my $h (qw(INPUT OUTPUT FORWARD)) { + if ($hooks->{$h}) { + $cmdlist .= "-D $h -j PVEFW-$h\n"; + } + } + + foreach my $chain (keys %$chash) { + $cmdlist .= "-F $chain\n"; + } + + foreach my $chain (keys %$chash) { + $cmdlist .= "-X $chain\n"; + } + $cmdlist .= "COMMIT\n"; + + iptables_restore_cmdlist($cmdlist); +} + sub update { my ($start, $verbose) = @_; my $code = sub { my $status = read_pvefw_status(); - my ($ruleset, $hostfw_conf) = PVE::Firewall::compile(); + my ($ruleset, $hostfw_conf, $ipset_ruleset) = compile(); if ($start || $status eq 'active') { save_pvefw_status('active') if ($status ne 'active'); - apply_ruleset($ruleset, $hostfw_conf, $verbose); + apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $verbose); } else { print "Firewall not active (status = $status)\n" if $verbose; }