X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=a0374ff7eada0714cef0626570fac0e824142562;hp=7a68642c42cf2ce66c82f2efec382aae01911a9d;hb=954f24b10939dd0812bc6741c083ba4f586f934a;hpb=72f63fde6e68abfa9b1b4e35d63f4788086d2c1c

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7a68642..a0374ff 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4,9 +4,12 @@ use warnings;
 use strict;
 use Data::Dumper;
 use Digest::SHA;
+use PVE::INotify;
+use PVE::Cluster;
 use PVE::ProcFSTools;
 use PVE::Tools;
 use PVE::QemuServer;
+use PVE::OpenVZ; # dependeny problem?!
 use File::Basename;
 use File::Path;
 use IO::File;
@@ -15,6 +18,8 @@ use PVE::Tools qw(run_command lock_file);
 
 use Data::Dumper;
 
+my $nodename = PVE::INotify::nodename();
+
 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
 my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status";
 
@@ -658,6 +663,9 @@ sub iptables_get_chains {
         return 1 if $name =~ m/^PVEFW-\S+$/;
         return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
+
+        return 1 if $name =~ m/^veth\d+.\d+-(:?IN|OUT)$/; # fixme: dev name is configurable
+        return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/;
         return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
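Review bot: The new `use PVE::OpenVZ; # dependeny problem?!` records an unresolved concern without saying what it is, and because `use` is a compile-time hard requirement, a host without that module can no longer load PVE::Firewall at all rather than merely losing container support. If the dependency is meant to stay optional, load it guarded and keep a flag, e.g. `my $have_openvz = eval { require PVE::OpenVZ; 1 };`, and test the flag where the later hunks call `PVE::OpenVZ::cfs_config_path` and `PVE::OpenVZ::parse_netif`; otherwise replace the comment with one stating that the module is now a required dependency (and fix the spelling, "dependency").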
@@ -1399,26 +1407,39 @@ sub run_locked {
 sub read_local_vm_config {
 
     my $openvz = {};
-
     my $qemu = {};
-    my $list = PVE::QemuServer::config_list();
+    my $vmdata = { openvz => $openvz, qemu => $qemu };
 
-    foreach my $vmid (keys %$list) {
-        my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
-        if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
-            $qemu->{$vmid} = $conf;
+    my $vmlist = PVE::Cluster::get_vmlist();
+    return $vmdata if !$vmlist || !$vmlist->{ids};
+    my $ids = $vmlist->{ids};
+
+    foreach my $vmid (keys %$ids) {
+        next if !$vmid; # skip VE0
+        my $d = $ids->{$vmid};
+        next if !$d->{node} || $d->{node} ne $nodename;
+        next if !$d->{type};
+        if ($d->{type} eq 'openvz') {
+            my $cfspath = PVE::OpenVZ::cfs_config_path($vmid);
+            if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
+                $openvz->{$vmid} = $conf;
+            }
+        } elsif ($d->{type} eq 'qemu') {
+            my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
+            if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
+                $qemu->{$vmid} = $conf;
+            }
         }
     }
-
-    my $vmdata = { openvz => $openvz, qemu => $qemu };
-
+
     return $vmdata;
 };
 
 sub read_vm_firewall_configs {
     my ($vmdata) = @_;
 
     my $vmfw_configs = {};
+
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
         my $filename = "/etc/pve/firewall/$vmid.fw";
         my $fh = IO::File->new($filename, O_RDONLY);
@@ -1519,8 +1540,6 @@ sub compile {
         $groups_conf = parse_group_fw_rules($filename, $fh);
     }
 
-    #print Dumper($rules);
-
     my $ruleset = {};
 
     ruleset_create_chain($ruleset, "PVEFW-INPUT");
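Review bot: The early `return $vmdata if !$vmlist || !$vmlist->{ids};` in read_local_vm_config makes an unreadable cluster vmlist indistinguishable from a node that simply has no guests, so the caller presumably compiles a ruleset without any per-guest chains and nothing is logged about why. Because an empty `ids` hash does not trip this guard, the branch only fires when the data is genuinely missing, which deserves at least a warning: `if (!$vmlist || !$vmlist->{ids}) { warn "cluster vmlist not available\n"; return $vmdata; }`. The openvz and qemu branches of the loop are identical apart from the config-path helper; a small hash mapping the type to that helper would collapse them into one block and make adding a third type a one-line change. A header comment would also help, e.g. `# collect the configs of every qemu VM and openvz CT the cluster vmlist assigns to this node, keyed by vmid`.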
@@ -1570,6 +1589,37 @@ sub compile {
         }
     }
 
+    # generate firewall rules for OpenVZ containers
+    foreach my $vmid (keys %{$vmdata->{openvz}}) {
+        my $conf = $vmdata->{openvz}->{$vmid};
+
+        my $vmfw_conf = $vmfw_configs->{$vmid};
+        next if !$vmfw_conf;
+        next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+
+        if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
+            my $ip = $conf->{ip_address}->{value};
+            die "implement me";
+        }
+
+        if ($conf->{netif} && $conf->{netif}->{value}) {
+            my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
+            print Dumper($netif);
+            foreach my $netid (keys %$netif) {
+                my $d = $netif->{$netid};
+                my $bridge = $d->{bridge};
+                if (!$bridge) {
+                    warn "no bridge device for CT $vmid iface '$netid'\n";
+                    next; # fixme?
+                }
+                my $macaddr = $d->{host_mac};
+                my $iface = $d->{host_ifname};
+                generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
+                generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
+            }
+        }
+    }
+
     return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
 }
 
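Review bot: `die "implement me";` in the `ip_address` branch aborts compile() for the entire node as soon as one container has an `ip_address` configured, so every other guest's rules go ungenerated, and the `$ip` assigned just before it is never used. Better to degrade per container and keep going: `warn "CT $vmid: firewall rules for ip_address '$ip' not implemented yet\n";` in place of the die, and drop the leftover `print Dumper($netif);` debug output before this is merged. The `next; # fixme?` after the missing-bridge warning means that interface gets no IN/OUT chain at all while the rest of the container is still processed; if that is the intended behaviour the comment should state it rather than leave an open question, since an interface with no rules is the permissive outcome. compile() begins outside this hunk, and whether a container with both `ip_address` and `netif` should still have its `netif` entries handled after the warning cannot be judged from here.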