X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=ef54621a5d3a9455bb0bc60a3001b36dc46a9837;hp=88191996ea7f9819f6a8ba84fb0e90cc4e43396f;hb=0362a1adeee64bc70719b4f3d99805b09e8cd63d;hpb=e34d0e5833a1a49833c0f13a88aad7d26d4f4bae

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8819199..ef54621 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1436,7 +1436,12 @@ sub ruleset_chain_add_conn_filters {
 }
 
 sub ruleset_chain_add_input_filters {
-    my ($ruleset, $chain, $options) = @_;
+    my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
+
+    if ($cluster_conf->{ipset}->{blacklist}){
+	ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
+	ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+    }
 
     if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
 	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
@@ -1649,7 +1654,7 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
 
     ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
-    ruleset_chain_add_input_filters($ruleset, $chain, $options);
+    ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
 
     ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
@@ -1661,6 +1666,7 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'in';
+	$rule->{iface_in} = $rule->{iface} if $rule->{iface};
 	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1688,6 +1694,7 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'out';
+	$rule->{iface_out} = $rule->{iface} if $rule->{iface};
 	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1777,7 +1784,7 @@ sub parse_fw_rule {
 	    die "unknown action '$action'\n";
 	}
     } elsif ($type eq 'group') {
-	die "wrong number of rule elements\n" if scalar(@data) != 3;
+	die "wrong number of rule elements\n" if scalar(@data) > 3;
 	die "groups disabled\n" if !$allow_groups;
 
 	die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/;
@@ -1853,7 +1860,7 @@ sub parse_hostfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
     } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
@@ -2578,17 +2585,12 @@ sub compile {
 
     ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
 
-    if ($cluster_conf->{ipset}->{blacklist}){
-	ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP");
-    }
-
     ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
     ruleset_addrule($ruleset, "PVEFW-INPUT", "-i venet0 -j PVEFW-VENET-OUT");
 
     ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
-    ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $hostfw_options);
+    ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $hostfw_options, $cluster_conf, $loglevel);
 
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN");
 
@@ -2596,7 +2598,7 @@ sub compile {
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT");
 
     ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
-    ruleset_chain_add_input_filters($ruleset, "PVEFW-VENET-IN", $hostfw_options);
+    ruleset_chain_add_input_filters($ruleset, "PVEFW-VENET-IN", $hostfw_options, $cluster_conf, $loglevel);
 
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
 
@@ -2618,7 +2620,7 @@ sub compile {
 	foreach my $netid (keys %$conf) {
 	    next if $netid !~ m/^net(\d+)$/;
 	    my $net = PVE::QemuServer::parse_net($conf->{$netid});
-	    next if !$net;
+	    next if !$net->{firewall};
 	    my $iface = "tap${vmid}i$1";
 
 	    my $macaddr = $net->{macaddr};