X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=c95beddc9249dffa324e3d95a090751222ed9975;hp=c4bc30879d00addabf05bc47a671561e24078bdf;hb=44cb379d0abf6049cb19ab0e0bbe091a94767791;hpb=88733a748c21283a6f1168f88a679056c68325c9 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index c4bc308..c95bedd 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -814,7 +814,7 @@ sub copy_opject_with_digest { $sha->add($k, ':', $v, "\n"); } - my $digest = $sha->b64digest; + my $digest = $sha->hexdigest; $res->{digest} = $digest; @@ -838,7 +838,7 @@ sub copy_list_with_digest { push @$res, $data; } - my $digest = $sha->b64digest; + my $digest = $sha->hexdigest; foreach my $entry (@$res) { $entry->{digest} = $digest; @@ -1102,7 +1102,7 @@ sub iptables_get_chains { return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/; - return 1 if $name =~ m/^vmbr\d+(v\d+)?-(:?FW|IN|OUT|IPS)$/; + return 1 if $name =~ m/^fwbr\d+(v\d+)?-(:?FW|IN|OUT|IPS)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; return undef; @@ -1401,49 +1401,6 @@ sub ruleset_addlog { ruleset_addrule($ruleset, $chain, $logrule); } -sub generate_bridge_chains { - my ($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config) = @_; - - my $options = $hostfw_conf->{options} || {}; - - die "error: detected direct route to bridge '$bridge'\n" - if !$options->{allow_bridge_route} && $routing_table->{$bridge}; - - if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { - ruleset_create_chain($ruleset, "$bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-in -j $bridge-FW"); - } - - if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { - ruleset_create_chain($ruleset, "$bridge-OUT"); - - if($options->{optimize}){ - foreach my $interface (@{$bridges_config->{$bridge}}) { - ruleset_addrule($ruleset, "$bridge-OUT", "-m physdev --physdev-is-bridged --physdev-in $interface -g PVEFW-SET-ACCEPT-MARK"); - } - } - - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-in -j $bridge-OUT"); - ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT"); - } - - if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { - ruleset_create_chain($ruleset, "$bridge-IN"); - - if($options->{optimize}){ - foreach my $interface (@{$bridges_config->{$bridge}}) { - ruleset_addrule($ruleset, "$bridge-IN", "-m physdev --physdev-is-bridged --physdev-out $interface -j ACCEPT"); - } - } - - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN"); - ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); - # accept traffic to unmanaged bridge ports - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT "); - } -} - sub ruleset_add_chain_policy { my ($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action) = @_; @@ -1571,21 +1528,16 @@ sub generate_nfqueue { } sub ruleset_generate_vm_ipsrules { - my ($ruleset, $options, $direction, $iface, $bridge) = @_; + my ($ruleset, $options, $direction, $iface) = @_; if ($options->{ips} && $direction eq 'IN') { my $nfqueue = generate_nfqueue($options); - if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { + if (!ruleset_chain_exist($ruleset, "PVEFW-IPS")) { ruleset_create_chain($ruleset, "PVEFW-IPS"); } - if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { - ruleset_create_chain($ruleset, "$bridge-IPS"); - ruleset_insertrule($ruleset, "PVEFW-IPS", "-o $bridge -m physdev --physdev-is-out -j $bridge-IPS"); - } - - ruleset_addrule($ruleset, "$bridge-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); + ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); } } @@ -1623,7 +1575,7 @@ sub generate_venet_rules_direction { # plug into FORWARD, INPUT and OUTPUT chain if ($direction eq 'OUT') { - ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", { + ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", { action => $chain, source => $ip, iface_in => 'venet0'}); @@ -1633,7 +1585,7 @@ sub generate_venet_rules_direction { source => $ip, iface_in => 'venet0'}); } else { - ruleset_generate_rule($ruleset, "PVEFW-FORWARD", { + ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", { action => $chain, dest => $ip, iface_out => 'venet0'}); @@ -1646,7 +1598,7 @@ sub generate_venet_rules_direction { } sub generate_tap_rules_direction { - my ($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_; + my ($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_; my $lc_direction = lc($direction); @@ -1662,7 +1614,7 @@ sub generate_tap_rules_direction { ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options); - ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface, $bridge); + ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface); # implement policy my $policy; @@ -1679,11 +1631,11 @@ sub generate_tap_rules_direction { # plug the tap chain to bridge chain if ($direction eq 'IN') { - ruleset_addrule($ruleset, "$bridge-IN", - "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); + ruleset_addrule($ruleset, "PVEFW-FWBR-IN", + "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); } else { - ruleset_addrule($ruleset, "$bridge-OUT", - "-m physdev --physdev-in $iface -j $tapchain"); + ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", + "-m physdev --physdev-is-bridged --physdev-in $iface -j $tapchain"); } } @@ -1913,7 +1865,7 @@ sub parse_hostfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { @@ -2234,22 +2186,6 @@ sub read_local_vm_config { return $vmdata; }; -sub read_bridges_config { - - my $bridgehash = {}; - - dir_glob_foreach('/sys/class/net', 'vmbr(\d+)', sub { - my ($bridge) = @_; - - dir_glob_foreach("/sys/class/net/$bridge/brif", '((eth|bond)(\d+)(\.(\d+))?)', sub { - my ($interface) = @_; - push @{$bridgehash->{$bridge}}, $interface; - }); - }); - - return $bridgehash; -}; - sub load_vmfw_conf { my ($vmid) = @_; @@ -2360,7 +2296,7 @@ sub save_vmfw_conf { my $options = $vmfw_conf->{options}; $raw .= &$format_options($options) if scalar(keys %$options); - my $rules = $vmfw_conf->{rules}; + my $rules = $vmfw_conf->{rules} || []; if (scalar(@$rules)) { $raw .= "[RULES]\n\n"; $raw .= &$format_rules($rules, 1); @@ -2519,34 +2455,6 @@ sub read_pvefw_status { return $status; } -# fixme: move to pve-common PVE::ProcFSTools -sub read_proc_net_route { - my $filename = "/proc/net/route"; - - my $res = {}; - - my $fh = IO::File->new ($filename, "r"); - return $res if !$fh; - - my $int_to_quad = sub { - return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0); - }; - - while (defined(my $line = <$fh>)) { - next if $line =~/^Iface\s+Destination/; # skip head - my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8]; - push @{$res->{$iface}}, { - dest => &$int_to_quad(hex($dest)), - gateway => &$int_to_quad(hex($gateway)), - mask => &$int_to_quad(hex($mask)), - metric => $metric, - mtu => $mtu, - }; - } - - return $res; -} - sub load_clusterfw_conf { my $cluster_conf = {}; @@ -2639,10 +2547,6 @@ sub compile { my $vmdata = read_local_vm_config(); my $vmfw_configs = read_vm_firewall_configs($vmdata); - my $routing_table = read_proc_net_route(); - - my $bridges_config = read_bridges_config(); - my $ipset_ruleset = {}; generate_ipset_chains($ipset_ruleset, $cluster_conf); @@ -2652,6 +2556,18 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); ruleset_create_chain($ruleset, "PVEFW-FORWARD"); + + ruleset_create_chain($ruleset, "PVEFW-VENET-OUT"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT"); + + ruleset_create_chain($ruleset, "PVEFW-FWBR-IN"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN"); + + ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT"); + + ruleset_create_chain($ruleset, "PVEFW-VENET-IN"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN"); my $hostfw_options = $hostfw_conf->{options} || {}; @@ -2689,18 +2605,11 @@ sub compile { next if !$net; my $iface = "tap${vmid}i$1"; - my $bridge = $net->{bridge}; - next if !$bridge; # fixme: ? - - $bridge .= "v$net->{tag}" if $net->{tag}; - - generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config); - my $macaddr = $net->{macaddr}; generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, $bridge, 'IN'); + $vmfw_conf, $vmid, 'IN'); generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, $bridge, 'OUT'); + $vmfw_conf, $vmid, 'OUT'); } } @@ -2722,37 +2631,17 @@ sub compile { my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value}); foreach my $netid (keys %$netif) { my $d = $netif->{$netid}; - my $bridge = $d->{bridge}; - if (!$bridge) { - warn "no bridge device for CT $vmid iface '$netid'\n"; - next; # fixme? - } - - generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config); my $macaddr = $d->{mac}; my $iface = $d->{host_ifname}; generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, $bridge, 'IN'); + $vmfw_conf, $vmid, 'IN'); generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, - $vmfw_conf, $vmid, $bridge, 'OUT'); + $vmfw_conf, $vmid, 'OUT'); } } } - # fixme: should we really block inter-bridge traffic? - - # always allow traffic from containers? - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN"); - - # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop"); - ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-o vmbr+"); - ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-i vmbr+"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP"); - return ($ruleset, $ipset_ruleset); }