X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=d62fb113a329d809ccc39bb377a2d03f7bb11114;hp=7e3daada50b171af51aa9c0a1f6b5f385459563f;hb=b47ecc889a8db369a6324feebffabbe49d5516e6;hpb=d1c53b3e0daad6891ad6a97b6e79d03d7e781a78

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e3daad..d62fb11 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -13,6 +13,7 @@ use File::Path;
 use IO::File;
 use Net::IP;
 use PVE::Tools qw(run_command lock_file);
+use Encode;
 
 # dynamically include PVE::QemuServer and PVE::OpenVZ 
 # to avoid dependency problems
@@ -764,7 +765,7 @@ sub iptables_rule_exist {
 sub ruleset_generate_cmdstr {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
-    return if $rule->{disable};
+    return if defined($rule->{enable}) && !$rule->{enable};
 
     my @cmd = ();
 
@@ -836,6 +837,7 @@ sub ruleset_generate_rule {
 	ruleset_addrule($ruleset, $chain, $cmdstr);
     }
 }
+
 sub ruleset_generate_rule_insert {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
@@ -962,13 +964,20 @@ sub ruleset_create_vm_chain {
     my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
 
     ruleset_create_chain($ruleset, $chain);
+    my $accept = generate_nfqueue($options);
 
     if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
 	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
     }
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
-	ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT");
+	if ($direction eq 'OUT') {
+	    ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK', 
+						      proto => 'udp', sport => 68, dport => 67 });
+	} else {
+	    ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT', 
+						      proto => 'udp', sport => 67, dport => 68 });
+	}
     }
 
     if ($options->{tcpflags}) {
@@ -976,42 +985,75 @@ sub ruleset_create_vm_chain {
     }
 
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+    if($direction eq 'OUT'){
+	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK");
 
+    }else{
+	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
+    }
     if ($direction eq 'OUT') {
 	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
 	    ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
 	}
 	ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
     }
+
+
 }
 
 sub ruleset_generate_vm_rules {
-    my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_;
+    my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction, $options) = @_;
 
     my $lc_direction = lc($direction);
 
     foreach my $rule (@$rules) {
 	next if $rule->{iface} && $rule->{iface} ne $netid;
-	next if $rule->{disable};
+	next if !$rule->{enable};
 	if ($rule->{type} eq 'group') {
 	    my $group_chain = "GROUP-$rule->{action}-$direction"; 
 	    if(!ruleset_chain_exist($ruleset, $group_chain)){
 		generate_group_rules($ruleset, $groups_conf, $rule->{action});
 	    }
 	    ruleset_addrule($ruleset, $chain, "-j $group_chain");
-	    ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN")
-		if $direction eq 'OUT';
+	    if ($direction eq 'OUT'){
+		ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN");
+	    }else{
+		my $accept = generate_nfqueue($options);
+		ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept");
+	    }
+
 	} else {
 	    next if $rule->{type} ne $lc_direction;
 	    if ($direction eq 'OUT') {
 		ruleset_generate_rule($ruleset, $chain, $rule, 
 				      { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
 	    } else {
-		ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
+		my $accept = generate_nfqueue($options);
+		ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" });
+	    }
+	}
+    }
+}
+
+sub generate_nfqueue {
+    my ($options) = @_;
+
+    my $action = "";
+    if($options->{ips}){
+	$action = "NFQUEUE";
+	if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) {
+	    if(defined($3) && defined($1)) {
+		$action .= " --queue-balance $1:$3";
+	    }elsif (defined($1)) {
+		$action .= " --queue-num $1";
 	    }
 	}
+	$action .= " --queue-bypass";
+    }else{
+	$action = "ACCEPT";
     }
+
+    return $action;
 }
 
 sub generate_venet_rules_direction {
@@ -1041,7 +1083,8 @@ sub generate_venet_rules_direction {
 	$policy = $options->{policy_in} || 'DROP'; # allow nothing by default
     }
 
-    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
+    my $accept = generate_nfqueue($options);
+    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
     ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action);
 
     # plug into FORWARD, INPUT and OUTPUT chain
@@ -1082,7 +1125,7 @@ sub generate_tap_rules_direction {
 
     ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
 
-    ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction);
+    ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction, $options);
 
     # implement policy
     my $policy;
@@ -1093,7 +1136,8 @@ sub generate_tap_rules_direction {
 	$policy = $options->{policy_in} || 'DROP'; # allow nothing by default
     }
 
-    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
+    my $accept = generate_nfqueue($options);
+    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
     ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
 
     # plug the tap chain to bridge chain
@@ -1120,6 +1164,14 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+    }
+
+    if ($options->{tcpflags}) {
+	ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
@@ -1170,18 +1222,18 @@ sub enable_host_firewall {
 
 sub generate_group_rules {
     my ($ruleset, $groups_conf, $group) = @_;
-
-    die "no such security group '$group'\n" if !$groups_conf->{$group};
+    die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group};
 
     my $rules = $groups_conf->{rules}->{$group};
 
     my $chain = "GROUP-${group}-IN";
 
     ruleset_create_chain($ruleset, $chain);
+    ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
-	ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
     }
 
     $chain = "GROUP-${group}-OUT";
@@ -1213,10 +1265,12 @@ sub parse_fw_rule {
     my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport);
 
     # we can add single line comments to the end of the rule
-    my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//;
+    my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
 
     # we can disable a rule when prefixed with '|'
-    my $disable = 1 if  $line =~ s/^\|//;
+    my $enable = 1;
+
+    $enable = 0 if $line =~ s/^\|//;
 
     my @data = split(/\s+/, $line);
     my $expected_elements = $need_iface ? 8 : 7;
@@ -1283,7 +1337,7 @@ sub parse_fw_rule {
 
     my $param = {
 	type => $type,
-	disable => $disable,
+	enable => $enable,
 	comment => $comment,
 	action => $action,
 	iface => $iface,
@@ -1349,7 +1403,7 @@ sub parse_vmfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags|ips):\s*(0|1)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
     } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
@@ -1358,6 +1412,9 @@ sub parse_vmfw_option {
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 	$opt = lc($1);
 	$value = uc($3);
+    } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) {
+	$opt = lc($1);
+	$value = $2;
     } else {
 	chomp $line;
 	die "can't parse option '$line'\n"
@@ -1400,7 +1457,11 @@ sub parse_vm_fw_rules {
 
     my $section;
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+	$digest->add($line);
+
 	next if $line =~ m/^#/;
 	next if $line =~ m/^\s*$/;
 
@@ -1438,6 +1499,8 @@ sub parse_vm_fw_rules {
 	push @{$res->{$section}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 
@@ -1448,7 +1511,11 @@ sub parse_host_fw_rules {
 
     my $section;
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+	$digest->add($line);
+
 	next if $line =~ m/^#/;
 	next if $line =~ m/^\s*$/;
 
@@ -1486,6 +1553,8 @@ sub parse_host_fw_rules {
 	push @{$res->{$section}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 
@@ -1581,16 +1650,27 @@ sub read_local_vm_config {
     return $vmdata;
 };
 
+sub load_vmfw_conf {
+    my ($vmid) = @_;
+
+    my $vmfw_conf = {};
+
+    my $filename = "/etc/pve/firewall/$vmid.fw";
+    if (my $fh = IO::File->new($filename, O_RDONLY)) {
+	$vmfw_conf = parse_vm_fw_rules($filename, $fh);
+    }
+
+    return $vmfw_conf;
+}
+
 sub read_vm_firewall_configs {
     my ($vmdata) = @_;
     my $vmfw_configs = {};
 
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
-	my $filename = "/etc/pve/firewall/$vmid.fw";
-	my $fh = IO::File->new($filename, O_RDONLY);
-	next if !$fh;
-
-	$vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh);
+	my $vmfw_conf = load_vmfw_conf($vmid);
+	next if !$vmfw_conf->{options}; # skip if file does not exists
+	$vmfw_configs->{$vmid} = $vmfw_conf;
     }
 
     return $vmfw_configs;
@@ -1706,6 +1786,16 @@ sub load_security_groups {
     return $groups_conf;
 }
 
+sub load_hostfw_conf {
+
+    my $hostfw_conf = {};
+    my $filename = "/etc/pve/local/host.fw";
+    if (my $fh = IO::File->new($filename, O_RDONLY)) {
+	$hostfw_conf = parse_host_fw_rules($filename, $fh);
+    }
+    return $hostfw_conf;
+}
+
 sub compile {
     my $vmdata = read_local_vm_config();
     my $vmfw_configs = read_vm_firewall_configs($vmdata);
@@ -1721,14 +1811,8 @@ sub compile {
 
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
-    my $hostfw_options = {};
-    my $hostfw_conf = {};
-
-    my $filename = "/etc/pve/local/host.fw";
-    if (my $fh = IO::File->new($filename, O_RDONLY)) {
-	$hostfw_conf = parse_host_fw_rules($filename, $fh);
-	$hostfw_options = $hostfw_conf->{options};
-    }
+    my $hostfw_conf = load_hostfw_conf();
+    my $hostfw_options = $hostfw_conf->{options} || {};
 
     generate_std_chains($ruleset, $hostfw_options);
 
@@ -1800,9 +1884,6 @@ sub compile {
 	}
     }
 
-    # fixme: this is an optimization? if so, we should also drop INVALID packages?
-    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
-
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");