X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=c858b853bff4dca88e15f2ee7d3dff3e042c53e7;hp=95e00bddc55f9f972c49511f6631f64ad8169312;hb=bf2fa11471823124b257321617924aa6811aecdf;hpb=180da76c1e2cabea4e737fe2320f877c38c6d268
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 95e00bd..c858b85 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1952,105 +1952,8 @@ sub ipt_rule_to_cmds {
 return @iptcmds;
 }
-sub ruleset_generate_match {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return if defined($rule->{enable}) && !$rule->{enable};
- return if $rule->{errors};
-
- return $rule->{match} if defined $rule->{match};
-
- die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
-
- my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
- my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
-
- my @cmd = ();
-
- push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
- push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
-
- my $source = $rule->{source};
- my $dest = $rule->{dest};
-
- push @cmd, ipt_gen_src_or_dst_match($source, 's', $ipversion, $cluster_conf, $fw_conf) if $source;
- push @cmd, ipt_gen_src_or_dst_match($dest, 'd', $ipversion, $cluster_conf, $fw_conf) if $dest;
-
- if (my $proto = $rule->{proto}) {
- push @cmd, "-p $proto";
-
- my $multiport = 0;
- $multiport++ if $nbdport > 1;
- $multiport++ if $nbsport > 1;
-
- push @cmd, "--match multiport" if $multiport;
-
- die "multiport: option '--sports' cannot be used together with '--dports'\n"
- if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
-
- if ($rule->{dport}) {
- if ($proto eq 'icmp') {
- # Note: we use dport to store --icmp-type
- die "unknown icmp-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
- push @cmd, "-m icmp --icmp-type $rule->{dport}";
- } elsif ($proto eq 'icmpv6') {
- # Note: we use dport to store --icmpv6-type
- die "unknown icmpv6-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
- push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
- } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
- die "protocol $proto does not have ports\n";
- } else {
if ($nbdport > 1) {
- if ($multiport == 2) {
- push @cmd, "--ports $rule->{dport}";
- } else {
- push @cmd, "--dports $rule->{dport}";
- }
- } else {
- push @cmd, "--dport $rule->{dport}";
- }
- }
- }
-
- if ($rule->{sport}) {
- die "protocol $proto does not have ports\n"
- if !$PROTOCOLS_WITH_PORTS->{$proto};
- if ($nbsport > 1) {
- push @cmd, "--sports $rule->{sport}" if $multiport != 2;
- } else {
- push @cmd, "--sport $rule->{sport}";
- }
- }
- } elsif ($rule->{dport} || $rule->{sport}) {
- die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
- die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
- }
-
- push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
-sub ruleset_generate_action {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return $rule->{target} if defined $rule->{target};
-
- my @cmd = ();
-
- if (my $action = $rule->{action}) {
- $action = $actions->{$action} if defined($actions->{$action});
- $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
- push @cmd, $goto ? "-g $action" : "-j $action";
- }
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
 sub ruleset_generate_rule {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
+ my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;
 my $rules;
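Review bot: The new six-argument unpack on the `+ my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;` line gives no protection against a caller that still uses the old eight-argument form, because Perl binds positional arguments silently: a stale `(..., $rule, undef, undef, $cluster_conf, $fw_conf)` call would now hand `undef` to `$cluster_conf` and `$fw_conf`. Every call site visible in this diff is updated, but any caller outside this file is not checked here, and the visible call sites wrap rule generation in `eval { ... }; warn $@ if $@;`, so a rule that fails to build is dropped from the generated ruleset with only a warning instead of aborting ruleset generation. A cheap guard placed above the unpack, `die "ruleset_generate_rule: too many arguments - stale caller?\n" if scalar(@_) > 6;`, turns that into a loud failure at the point of the mistake. The body of ruleset_generate_rule continues outside the hunk.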
@@ -2070,18 +1973,6 @@ sub ruleset_generate_rule {
 }
 }
-sub ruleset_generate_rule_insert {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto) = @_;
-
- die "implement me" if $rule->{macro}; # not implemented, because not needed so far
-
- my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto);
- my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto);
- if (defined $match && defined $action) {
- ruleset_insertrule($ruleset, $chain, $match, $action);
- }
-}
-
 sub ruleset_create_chain {
 my ($ruleset, $chain) = @_;
@@ -2294,12 +2185,10 @@ sub ruleset_generate_vm_rules {
 eval {
 if ($direction eq 'OUT') {
 rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef,
- undef, $cluster_conf, $vmfw_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf);
 } else {
 rule_substitude_action($rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef,
- undef, $cluster_conf, $vmfw_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf);
 }
 };
 warn $@ if $@;
@@ -2428,8 +2317,7 @@ sub enable_host_firewall {
 ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action, $ipversion);
 } elsif ($rule->{type} eq 'in') {
 rule_substitude_action($rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef,
- undef, $cluster_conf, $hostfw_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $hostfw_conf);
 }
 };
 warn $@ if $@;
@@ -2485,8 +2373,7 @@ sub enable_host_firewall {
 ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action, $ipversion);
 } elsif ($rule->{type} eq 'out') {
 rule_substitude_action($rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef,
- undef, $cluster_conf, $hostfw_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $hostfw_conf);
 }
 };
 warn $@ if $@;
@@ -2532,7 +2419,7 @@ sub generate_group_rules {
 next if $rule->{type} ne 'in';
 next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef, undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);
 }
 $chain = "GROUP-${group}-OUT";
@@ -2546,8 +2433,7 @@ sub generate_group_rules {
 # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
 # check also other tap rules later
 rule_substitude_action($rule, { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" });
- ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, undef,
- undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);
 }
 }
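Review bot: In the generate_group_rules hunk the updated call `ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);` passes five arguments, so `$fw_conf` is undef for group rules while the VM and host call sites in this diff pass a second config; nothing in the hunk says whether that asymmetry is intended. A short comment above the call would keep a later reader from "completing" the argument list, e.g. `# group rules carry no per-host/VM config: only $cluster_conf is passed`. Presumably `$fw_conf` feeds the source/destination match lookup (the removed code handed it to ipt_gen_src_or_dst_match), so confirm that an undef there is harmless for aliases and ipsets before settling the wording. The enclosing loop starts outside the hunk.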