X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=db1eae36655f8522dd8c8d9d3b7f043d0fd30e52;hp=7e2287e5908732c2b7844f9857c3b9fde4a64460;hb=12be0dfe9fc44906a8650a355baa1b601e6a3c0d;hpb=84025e9943d236414fbd869b89cb2e8e17af3208
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e2287e..db1eae3 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1049,12 +1049,13 @@ sub parse_port_name_number_or_range {
 my @elements = split(/,/, $str);
 die "extraneous commas in list\n" if $str ne join(',', @elements);
 foreach my $item (@elements) {
- if ($item =~ m/^(\d+):(\d+)$/) {
+ if ($item =~ m/^([0-9]+):([0-9]+)$/) {
 $count += 2;
 my ($port1, $port2) = ($1, $2);
 die "invalid port '$port1'\n" if $port1 > 65535;
 die "invalid port '$port2'\n" if $port2 > 65535;
- } elsif ($item =~ m/^(\d+)$/) {
+ die "backwards range '$port1:$port2' not allowed, did you mean '$port2:$port1'?\n" if $port1 > $port2;
+ } elsif ($item =~ m/^([0-9]+)$/) {
 $count += 1;
 my $port = $1;
 die "invalid port '$port'\n" if $port > 65535;
@@ -1180,6 +1181,12 @@ our $cluster_option_properties = {
 minimum => 0,
 optional => 1,
 },
+ ebtables => {
+ description => "Enable ebtables rules cluster wide.",
+ type => 'boolean',
+ default => 1,
+ optional => 1,
+ },
 policy_in => {
 description => "Input policy.",
 type => 'string',
@@ -2312,7 +2319,7 @@ sub generate_tap_rules_direction {
 if ($direction eq 'OUT') {
 $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
 } else {
- $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
 }
 
 my $accept = generate_nfqueue($options);
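Review bot: The new port patterns still end in `$`, which also matches just before a trailing newline, so an item such as "80\n" passes the `[0-9]+` check and is then compared numerically; the strict end-of-string anchor is `\z`, i.e. `m/^([0-9]+):([0-9]+)\z/` and `m/^([0-9]+)\z/`. Whether a trailing newline can actually reach this point depends on the caller chomping, which is not visible here. The move from `\d` to `[0-9]` is the right call, since `\d` also accepts non-ASCII digits that the numeric comparison against 65535 would not treat as the intended values. The enclosing `parse_port_name_number_or_range` starts before this hunk and continues after it.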
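Review bot: The schema introduces the option as `ebtables`, and together with the `parse_clusterfw_option` hunk and the `// 1` lookup in `compile_ebtables_filter` the previous `ebtables_enable` spelling is dropped without a compatibility alias. If any deployed cluster.fw already contains `ebtables_enable: 0`, that line presumably no longer matches a parser branch and ebtables silently falls back to the enabled default, which widens the active rule set rather than narrowing it. If the old name was never shipped this is fine; otherwise the parser could accept both spellings while keeping the new key, e.g. `} elsif ($line =~ m/^(ebtables)(?:_enable)?:\s*(0|1)\s*$/i) {`, or the rename should at least be called out in the commit message.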
@@ -2658,7 +2665,7 @@ sub parse_clusterfw_option {
 if (($value > 1) && ((time() - $value) > 60)) {
 $value = 0
 }
- } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) {
+ } elsif ($line =~ m/^(ebtables):\s*(0|1)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
 } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
@@ -3651,7 +3658,7 @@ sub compile_ipsets {
 sub compile_ebtables_filter {
 my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_;
 
- if (!($cluster_conf->{options}->{ebtables_enable} // 1)) {
+ if (!($cluster_conf->{options}->{ebtables} // 1)) {
 return {};
 }
 
@@ -3666,13 +3673,13 @@ sub compile_ebtables_filter {
 ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-o fwln+', '-j PVEFW-FWBR-OUT');
 
 # generate firewall rules for QEMU VMs
- foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ foreach my $vmid (sort keys %{$vmdata->{qemu}}) {
 eval {
 my $conf = $vmdata->{qemu}->{$vmid};
 my $vmfw_conf = $vmfw_configs->{$vmid};
 return if !$vmfw_conf;
 
- foreach my $netid (keys %$conf) {
+ foreach my $netid (sort keys %$conf) {
 next if $netid !~ m/^net(\d+)$/;
 my $net = PVE::QemuServer::parse_net($conf->{$netid});
 next if !$net->{firewall};
@@ -3687,14 +3694,14 @@ sub compile_ebtables_filter {
 }
 
 # generate firewall rules for LXC containers
- foreach my $vmid (keys %{$vmdata->{lxc}}) {
+ foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
 eval {
 my $conf = $vmdata->{lxc}->{$vmid};
 my $vmfw_conf = $vmfw_configs->{$vmid};
 return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 
- foreach my $netid (keys %$conf) {
+ foreach my $netid (sort keys %$conf) {
 next if $netid !~ m/^net(\d+)$/;
 my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
 next if !$net->{firewall};
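Review bot: The `sort` added to both `keys` loops in the QEMU section (and the same two in the LXC section that follows) changes the order in which per-VM and per-NIC rules are emitted, and that is worth a why-comment so nobody removes it as redundant, e.g. `# sort for a deterministic rule order across runs`. Presumably the deterministic order is what keeps the generated ruleset stable between compiles, but the code that consumes the order is outside the hunk. The `next if $netid !~ m/^net(\d+)$/;` line directly under each new loop still uses `\d` and `$`, whereas the port parser in this same commit moved to `[0-9]`; aligning it (`m/^net([0-9]+)$/`) would keep the file consistent. `compile_ebtables_filter` continues beyond the end of these hunks.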
@@ -3778,11 +3785,12 @@ sub get_ruleset_status {
 foreach my $chain (sort keys %$active_chains) {
 next if defined($ruleset->{$chain});
 my $action = 'delete';
+ my $sig = $active_chains->{$chain};
 if (defined($change_only_regex)) {
 $action = 'ignore' if ($chain !~ m/$change_only_regex/);
 $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
+ $sig = $sig->{sig};
 }
- my $sig = $active_chains->{$chain}->{sig};
 $statushash->{$chain}->{action} = $action;
 $statushash->{$chain}->{sig} = $sig;
 print "$action $chain ($sig)\n" if $verbose;
@@ -3860,7 +3868,7 @@ sub get_ruleset_cmdlist {
 return wantarray ? ($cmdlist, $changes) : $cmdlist;
 }
 
-my $pve_ebtables_chainname_regex = qr/PVEFW-\S+|(?:tab|veth)\d+i\d+-(?:IN|OUT)/;
+my $pve_ebtables_chainname_regex = qr/PVEFW-\S+|(?:tap|veth)\d+i\d+-(?:IN|OUT)/;
 
 sub get_ebtables_cmdlist {
 my ($ruleset, $verbose) = @_;
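Review bot: The shape of `$active_chains->{$chain}` is now decided by whether `$change_only_regex` was passed, an unrelated parameter: `$sig` is only dereferenced as `$sig->{sig}` inside the `if (defined($change_only_regex))` branch and is otherwise stored and printed as-is. If I read this right, callers without a regex supply plain signature strings and callers with one supply `{sig, rules}` hashes, but nothing in the function states that, so a caller mixing the two will silently record a hashref as the signature (and `print` would show `HASH(0x...)`). A comment on the new `my $sig` line such as `# without a change-only regex the active-chain value is the bare signature; with one it is a {sig, rules} hash` would pin the contract, and a `ref($sig)` check or a `die` on mismatch would make the assumption fail loudly. `get_ruleset_status` begins before this hunk.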
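Review bot: `$pve_ebtables_chainname_regex` is unanchored and `PVEFW-\S+` is open-ended, so if, as its name suggests, it is what `get_ruleset_status` receives as `$change_only_regex`, any chain whose name merely contains `PVEFW-` or a `tapNiN-IN` substring is treated as PVE-managed and is then eligible for the `delete` action, while everything else is marked `ignore`. If it is matched against bare chain names, an anchored form restricts it to whole names: `qr/^(?:PVEFW-\S+|(?:tap|veth)[0-9]+i[0-9]+-(?:IN|OUT))$/`; if it is embedded into a larger pattern instead, the anchoring belongs there. Its use in `get_ebtables_cmdlist` is outside this hunk, so this is inferred. Using `[0-9]` would also keep it consistent with the port parser change earlier in this commit.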