X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=bb151faaeb560c780db9f5f283ff6cf5a17c5db2;hp=072e056e0705bf2d15baa81dfe1875939e4e1531;hb=d18c1e2b2cd5c7fc1c20e5835f8881412765c583;hpb=92e976b302212feb038640009f43baaa0dd76650
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 072e056..bb151fa 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4,6 +4,7 @@ use warnings;
 use strict;
 use Data::Dumper;
 use Digest::SHA;
+use PVE::ProcFSTools;
 use PVE::Tools;
 use PVE::QemuServer;
 use File::Basename;
@@ -623,8 +624,11 @@ sub enable_bridge_firewall {
 
     return if $bridge_firewall_enabled; # only once
 
-    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
-    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
+
+    # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
 
     $bridge_firewall_enabled = 1;
 }
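Review bot: The results of the three write_proc_entry calls in enable_bridge_firewall are discarded and `$bridge_firewall_enabled = 1` is then set unconditionally, so a failed write (for example when /proc/sys/net/bridge is absent because the bridge netfilter module has not been loaded) leaves bridged traffic bypassing the rules with no retry and no log line. Whether write_proc_entry dies or returns a status on failure is not visible in this hunk; if it returns a status, set the flag only after every write succeeded, and if it dies, say so in a comment so the next reader knows the calls are fail-loud. Enabling tcp_syncookies is additionally a host-wide sysctl unrelated to bridging, which the function name hides; a header comment such as `# Also turns on TCP syncookies (SYN-flood mitigation); this is host-wide, not bridge-specific` would make the side effect discoverable. The `sub enable_bridge_firewall {` line itself precedes the hunk.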
@@ -721,21 +725,21 @@ sub ruleset_generate_rule {
 
     return if $rule->{disable};
 
-    my $cmd = '';
+    my @cmd = ();
 
-    $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
-    $cmd .= " -s $rule->{source}" if $rule->{source};
-    $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
-    $cmd .= " -d $rule->{dest}" if $rule->{dest};
+    push @cmd, "-m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
+    push @cmd, "-s $rule->{source}" if $rule->{source};
+    push @cmd, "-m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
+    push @cmd, "-d $rule->{dest}" if $rule->{dest};
 
     if ($rule->{proto}) {
-        $cmd .= " -p $rule->{proto}";
+        push @cmd, "-p $rule->{proto}";
 
         my $multiport = 0;
         $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1);
         $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1);
 
-        $cmd .= " --match multiport" if $multiport;
+        push @cmd, "--match multiport" if $multiport;
 
         die "multiport: option '--sports' cannot be used together with '--dports'\n"
             if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
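Review bot: The pushed elements still interpolate `$rule->{source}`, `$rule->{dest}` and `$rule->{proto}` verbatim into what becomes the iptables rule text, and nothing in this hunk constrains their contents; the same holds for the dport/sport/dsttype/action pushes in the following two hunks of this function. If the config parser upstream already validates these fields against an address/port grammar this is fine, but that is not visible here, and because the array is joined back into one string at the end of the function the move from `$cmd` to `@cmd` by itself adds no argument isolation. A header comment above the sub stating the precondition, e.g. `# Precondition: $rule fields were validated by the config parser; they are interpolated verbatim into the iptables rule`, would pin down where that responsibility lives. The sub's signature and the enclosing `if ($rule->{dport})` block lie outside this hunk.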
@@ -744,25 +748,25 @@ sub ruleset_generate_rule {
             if ($rule->{proto} && $rule->{proto} eq 'icmp') {
                 # Note: we use dport to store --icmp-type
                 die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
-                $cmd .= " -m icmp --icmp-type $rule->{dport}";
+                push @cmd, "-m icmp --icmp-type $rule->{dport}";
             } else {
                 if ($rule->{nbdport} && $rule->{nbdport} > 1) {
                     if ($multiport == 2) {
-                        $cmd .= " --ports $rule->{dport}";
+                        push @cmd, "--ports $rule->{dport}";
                     } else {
-                        $cmd .= " --dports $rule->{dport}";
+                        push @cmd, "--dports $rule->{dport}";
                     }
                 } else {
-                    $cmd .= " --dport $rule->{dport}";
+                    push @cmd, "--dport $rule->{dport}";
                 }
             }
         }
 
         if ($rule->{sport}) {
             if ($rule->{nbsport} && $rule->{nbsport} > 1) {
-                $cmd .= " --sports $rule->{sport}" if $multiport != 2;
+                push @cmd, "--sports $rule->{sport}" if $multiport != 2;
             } else {
-                $cmd .= " --sport $rule->{sport}";
+                push @cmd, "--sport $rule->{sport}";
             }
         }
     } elsif ($rule->{dport} || $rule->{sport}) {
@@ -770,15 +774,18 @@ sub ruleset_generate_rule {
         warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport};
     }
 
-    $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
+    push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
 
     if (my $action = $rule->{action}) {
         $action = $actions->{$action} if defined($actions->{$action});
         $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
-        $cmd .= $goto ? " -g $action" : " -j $action";
+        push @cmd, $goto ? "-g $action" : "-j $action";
     }
 
-    ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
+    if (scalar(@cmd)) {
+        my $cmdstr = join(' ', @cmd);
+        ruleset_addrule($ruleset, $chain, $cmdstr);
+    }
 }
 
 sub ruleset_create_chain {
@@ -946,7 +953,7 @@ sub generate_tap_rules_direction {
     }
 }
 
-sub enablehostfw {
+sub enable_host_firewall {
     my ($ruleset, $hostfw_conf, $groups_conf) = @_;
 
     # fixme: allow security groups
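Review bot: `if (scalar(@cmd))` at the end of ruleset_generate_rule is a roundabout spelling of array truthiness, and the `$cmdstr` temporary is used exactly once; `ruleset_addrule($ruleset, $chain, join(' ', @cmd)) if @cmd;` expresses the same in one line and keeps the postfix form the removed line used. The guard is behaviourally equivalent to the old `if $cmd`: a rule with neither a match nor an action previously yielded an empty string and was skipped, and now yields an empty array and is skipped. Since the function has no header comment, a one-liner above the sub saying that `$actions` maps a rule's action name to a chain target and that `$goto` selects `-g` over `-j` would help readers of the later hunks; the sub's signature is outside this hunk.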
@@ -1521,7 +1528,7 @@ sub compile {
     my $hostfw_enable = $hostfw_conf &&
         !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
 
-    enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
+    enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {