X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=e0e7a67da806e9fc88023874882bf3ec03f4bc00;hp=87bd7995f3bc4e53797ae74ab5402f835aa1628f;hb=12cc9946363b9667f6bb2625f88090e205b47de3;hpb=d6796543e56014b810a75041742a874534f7bb47

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 87bd799..e0e7a67 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -839,6 +839,7 @@ sub generate_bridge_chains {
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
 	ruleset_create_chain($ruleset, "$bridge-OUT");
 	ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+	ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
@@ -850,6 +851,35 @@ sub generate_bridge_chains {
     }
 }
 
+sub ruleset_add_chain_policy {
+    my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_;
+
+    if ($policy eq 'ACCEPT') {
+
+	ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' },
+			      { ACCEPT =>  $accept_action});
+
+    } elsif ($policy eq 'DROP') {
+
+	ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop");
+
+	ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel")
+	    if defined($loglevel);
+
+	ruleset_addrule($ruleset, $chain, "-j DROP");
+    } elsif ($policy eq 'REJECT') {
+	ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject");
+
+	ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel")
+	    if defined($loglevel);
+
+	ruleset_addrule($ruleset, $chain, "-g PVEFW-reject");
+    } else {
+	# should not happen
+	die "internal error: unknown policy '$policy'";
+    }
+}
+
 sub generate_tap_rules_direction {
     my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
 
@@ -879,9 +909,11 @@ sub generate_tap_rules_direction {
     ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 
-    if ($direction eq 'OUT' && defined($macaddr) && 
-	!(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
-	ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+    if ($direction eq 'OUT') {
+	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+	    ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+	}
+	ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark
     }
 
     foreach my $rule (@$rules) {
@@ -915,42 +947,13 @@ sub generate_tap_rules_direction {
 	$policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
     }
 
-    if ($policy eq 'ACCEPT') {
-	if ($direction eq 'OUT') {
-	    ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK");
-	} else {
-	    ruleset_addrule($ruleset, $tapchain, "-j ACCEPT");
-	}
-    } elsif ($policy eq 'DROP') {
-
-	ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop");
-
-	ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level $loglevel")
-	    if defined($loglevel);
-
-	ruleset_addrule($ruleset, $tapchain, "-j DROP");
-    } elsif ($policy eq 'REJECT') {
-	ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject");
-
-	ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level $loglevel")
-	    if defined($loglevel);
-
-	ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject");
-    } else {
-	# should not happen
-	die "internal error: unknown policy '$policy'";
-    }
+    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
+    ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action);
 
     # plug the tap chain to bridge chain
     my $physdevdirection = $direction eq 'IN' ? "out" : "in";
     my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
     ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
-
-    if ($direction eq 'OUT'){
-	# add tap->host rules
-	my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
-	ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
-    }
 }
 
 sub enable_host_firewall {
@@ -974,16 +977,17 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT");  #corosync
 
+    # we use RETURN because we need to check also tap rules
+    my $accept_action = 'RETURN';
+
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
-	# we use RETURN because we need to check also tap rules
-	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
     }
 
-    ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level $loglevel")
-	if defined($loglevel);
-
-    ruleset_addrule($ruleset, $chain, "-j DROP");
+    # implement input policy
+    my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+    ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 
     # host outbound firewall
     $chain = "PVEFW-HOST-OUT";
@@ -998,16 +1002,17 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
 
+    # we use RETURN because we may want to check other thigs later
+    $accept_action = 'RETURN';
+
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'out';
-	# we use RETURN because we need to check also tap rules
-	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
     }
 
-    ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level $loglevel")
-	if defined($loglevel);
-
-    ruleset_addrule($ruleset, $chain, "-j DROP");
+    # implement output policy
+    $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+    ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 
     ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
     ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");