X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=7a68642c42cf2ce66c82f2efec382aae01911a9d;hp=440d12b98252aa6a0580b906627ab95a64545cf5;hb=72f63fde6e68abfa9b1b4e35d63f4788086d2c1c;hpb=2f3d8d7615139301d55ceaacad06a2b18b0420dc diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 440d12b..7a68642 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -823,7 +823,7 @@ sub ruleset_insertrule { sub generate_bridge_chains { my ($ruleset, $hostfw_conf, $bridge) = @_; - my $options = $hostfw_conf->{options}; + my $options = $hostfw_conf->{options} || {}; # fixme: what log level should we use here? my $loglevel = get_option_log_level($options, "log_level_out"); @@ -947,9 +947,9 @@ sub generate_tap_rules_direction { my $policy; if ($direction eq 'OUT') { - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; @@ -991,7 +991,7 @@ sub enable_host_firewall { } # implement input policy - my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); # host outbound firewall @@ -1016,7 +1016,7 @@ sub enable_host_firewall { } # implement output policy - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); @@ -1212,7 +1212,7 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); } else { @@ -1236,9 +1236,12 @@ sub parse_hostfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) { + $opt = lc($1); + $value = int($2); } else { chomp $line; die "can't parse option '$line'\n" @@ -1413,18 +1416,18 @@ sub read_local_vm_config { return $vmdata; }; -sub read_vm_firewall_rules { +sub read_vm_firewall_configs { my ($vmdata) = @_; - my $rules = {}; + my $vmfw_configs = {}; foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { my $filename = "/etc/pve/firewall/$vmid.fw"; my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; - $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); + $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh); } - return $rules; + return $vmfw_configs; } sub get_option_log_level { @@ -1508,7 +1511,7 @@ sub read_pvefw_status { sub compile { my $vmdata = read_local_vm_config(); - my $rules = read_vm_firewall_rules($vmdata); + my $vmfw_configs = read_vm_firewall_configs($vmdata); my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; @@ -1527,7 +1530,7 @@ sub compile { ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); my $hostfw_options = {}; - my $hostfw_conf; + my $hostfw_conf = {}; $filename = "/etc/pve/local/host.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { @@ -1537,15 +1540,14 @@ sub compile { generate_std_chains($ruleset, $hostfw_options); - my $hostfw_enable = $hostfw_conf && - !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); + my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; - my $vmfw_conf = $rules->{$vmid}; + my $vmfw_conf = $vmfw_configs->{$vmid}; next if !$vmfw_conf; next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); @@ -1568,7 +1570,7 @@ sub compile { } } - return $ruleset; + return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; } sub get_ruleset_status { @@ -1719,13 +1721,39 @@ sub apply_ruleset { die "unable to apply firewall changes\n" if $errors; } +sub update_nf_conntrack_max { + my ($hostfw_conf) = @_; + + my $max = 65536; # reasonable default + + my $options = $hostfw_conf->{options} || {}; + + if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) { + $max = $options->{nf_conntrack_max}; + $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192 + } + + my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max"; + my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize"; + + my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max); + + if ($current != $max) { + my $hashsize = int($max/4); + PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize); + PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max); + } +} + sub update { my ($start, $verbose) = @_; my $code = sub { my $status = read_pvefw_status(); - my $ruleset = PVE::Firewall::compile(); + my ($ruleset, $hostfw_conf) = PVE::Firewall::compile(); + + update_nf_conntrack_max($hostfw_conf); if ($start || $status eq 'active') {