X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewallSimulator.pm;h=4f46b742b8980ca0f73714856c7643126743f4b5;hp=73f01d3e8860ec46a9d73d4182e73b7a6ac7a10a;hb=75a12a9d84e749011676edc8a52afd6c685bbae2;hpb=814de8329c79035df58f41e80c58dc979619f85a diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm index 73f01d3..4f46b74 100644 --- a/src/PVE/FirewallSimulator.pm +++ b/src/PVE/FirewallSimulator.pm @@ -7,10 +7,26 @@ use PVE::Firewall; use File::Basename; use Net::IP; -my $mark; +# dynamically include PVE::QemuServer and PVE::LXC +# to avoid dependency problems +my $have_qemu_server; +eval { + require PVE::QemuServer; + $have_qemu_server = 1; +}; + +my $have_lxc; +eval { + require PVE::LXC; + $have_lxc = 1; +}; + +my $mark = 0; my $trace; my $debug = 0; +my $NUMBER_RE = qr/0x[0-9a-fA-F]+|\d+/; + sub debug { my $new_value = shift; @@ -18,7 +34,7 @@ sub debug { return $debug; } - + sub reset_trace { $trace = ''; } @@ -37,6 +53,14 @@ sub add_trace { } } +$SIG{'__WARN__'} = sub { + my $err = $@; + my $t = $_[0]; + chomp $t; + add_trace("$t\n"); + $@ = $err; +}; + sub nf_dev_match { my ($devre, $dev) = @_; @@ -45,21 +69,40 @@ sub nf_dev_match { } sub ipset_match { - my ($ipsetname, $ipset, $ipaddr) = @_; + my ($ipset_ruleset, $ipsetname, $ipaddr) = @_; + + my $ipset = $ipset_ruleset->{$ipsetname}; + die "no such ipset '$ipsetname'" if !$ipset; my $ip = Net::IP->new($ipaddr); - foreach my $entry (@$ipset) { - next if $entry =~ m/^create/; # simply ignore - if ($entry =~ m/add \S+ (\S+)$/) { - my $test = Net::IP->new($1); - if ($test->overlaps($ip)) { - add_trace("IPSET $ipsetname match $ipaddr\n"); - return 1; + my $first = $ipset->[0]; + if ($first =~ m/^create\s+\S+\s+list:/) { + foreach my $entry (@$ipset) { + next if $entry =~ m/^create/; # simply ignore + if ($entry =~ m/add \S+ (\S+)$/) { + return 1 if ipset_match($ipset_ruleset, $1, $ipaddr); + } else { + die "implement me"; + } + } + return 0; + } elsif ($first =~ m/^create\s+\S+\s+hash:net/) { + foreach my $entry (@$ipset) { + next if $entry =~ m/^create/; # simply ignore + if ($entry =~ m/add \S+ (\S+)$/) { + my $test = Net::IP->new($1); + if ($test->overlaps($ip)) { + add_trace("IPSET $ipsetname match $ipaddr\n"); + return 1; + } + } else { + die "implement me"; } - } else { - die "implement me"; } + return 0; + } else { + die "unknown ipset type '$first' - not implemented\n"; } return 0; @@ -68,7 +111,7 @@ sub ipset_match { sub rule_match { my ($ipset_ruleset, $chain, $rule, $pkg) = @_; - $rule =~ s/^-A $chain // || die "got strange rule: $rule"; + $rule =~ s/^-A $chain +// || die "got strange rule: $rule"; while (length($rule)) { @@ -77,39 +120,41 @@ sub rule_match { return undef if $cstate eq 'INVALID'; # no match return undef if $cstate eq 'RELATED,ESTABLISHED'; # no match - + next if $cstate =~ m/NEW/; - - die "please implement cstate test '$cstate'"; + + die "cstate test '$cstate' not implemented\n"; } if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) { my $atype = $1; - die "missing srctype" if !$pkg->{srctype}; + die "missing source address type (srctype)\n" + if !$pkg->{srctype}; return undef if $atype ne $pkg->{srctype}; } if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) { my $atype = $1; - die "missing dsttype" if !$pkg->{dsttype}; + die "missing destination address type (dsttype)\n" + if !$pkg->{dsttype}; return undef if $atype ne $pkg->{dsttype}; } if ($rule =~ s/^-i (\S+)\s*//) { my $devre = $1; - die "missing iface_in" if !$pkg->{iface_in}; + die "missing interface (iface_in)\n" if !$pkg->{iface_in}; return undef if !nf_dev_match($devre, $pkg->{iface_in}); next; } if ($rule =~ s/^-o (\S+)\s*//) { my $devre = $1; - die "missing iface_out" if !$pkg->{iface_out}; + die "missing interface (iface_out)\n" if !$pkg->{iface_out}; return undef if !nf_dev_match($devre, $pkg->{iface_out}); next; } - if ($rule =~ s/^-p (tcp|udp)\s*//) { + if ($rule =~ s/^-p (tcp|udp|igmp|icmp)\s*//) { die "missing proto" if !$pkg->{proto}; return undef if $pkg->{proto} ne $1; # no match next; @@ -133,7 +178,7 @@ sub rule_match { return undef if !$ip->overlaps(Net::IP->new($pkg->{source})); # no match next; } - + if ($rule =~ s/^-d (\S+)\s*//) { die "missing destination" if !$pkg->{dest}; my $ip = Net::IP->new($1); @@ -141,19 +186,22 @@ sub rule_match { next; } - if ($rule =~ s/^-m set --match-set (\S+) src\s*//) { + if ($rule =~ s/^-m set (!\s+)?--match-set (\S+) src\s*//) { die "missing source" if !$pkg->{source}; - my $ipset = $ipset_ruleset->{$1}; - die "no such ip set '$1'" if !$ipset; - return undef if !ipset_match($1, $ipset, $pkg->{source}); + my $neg = $1; + my $ipset_name = $2; + if ($neg) { + return undef if ipset_match($ipset_ruleset, $ipset_name, $pkg->{source}); + } else { + return undef if !ipset_match($ipset_ruleset, $ipset_name, $pkg->{source}); + } next; } if ($rule =~ s/^-m set --match-set (\S+) dst\s*//) { die "missing destination" if !$pkg->{dest}; - my $ipset = $ipset_ruleset->{$1}; - die "no such ip set '$1'" if !$ipset; - return undef if !ipset_match($1, $ipset, $pkg->{dest}); + my $ipset_name = $1; + return undef if !ipset_match($ipset_ruleset, $ipset_name, $pkg->{dest}); next; } @@ -177,15 +225,17 @@ sub rule_match { next; } - if ($rule =~ s/^-m mark --mark (\d+)\s*//) { - return undef if !defined($mark) || $mark != $1; + if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) { + my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2); + return undef if ($mark & $mask) != $value; next; } # final actions - if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) { - $mark = $1; + if ($rule =~ s@^-j MARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) { + my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2); + $mark = ($mark & ~$mask) | $value; return undef; } @@ -198,7 +248,7 @@ sub rule_match { } if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) { - return undef; + return undef; } last; @@ -211,7 +261,7 @@ sub ruleset_simulate_chain { my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_; add_trace("ENTER chain $chain\n"); - + my $counter = 0; if ($chain eq 'PVEFW-Drop') { @@ -239,7 +289,7 @@ sub ruleset_simulate_chain { next; } add_trace("MATCH: $rule\n"); - + if ($action eq 'ACCEPT' || $action eq 'DROP' || $action eq 'REJECT') { add_trace("TERMINATE chain $chain: $action\n"); return ($action, $counter); @@ -286,6 +336,8 @@ sub copy_packet { sub route_packet { my ($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state) = @_; + $pkg->{ipversion} = 4; # fixme: allow ipv6 + my $route_state = $start_state; my $physdev_in; @@ -312,12 +364,7 @@ sub route_packet { $pkg->{iface_out} = $target->{bridge} || die 'internal error'; $chain = 'PVEFW-OUTPUT'; $next_route_state = $target->{iface} || die 'internal error'; - } elsif ($target->{type} eq 'ct') { - $pkg->{iface_in} = 'lo'; - $pkg->{iface_out} = 'venet0'; - $chain = 'PVEFW-OUTPUT'; - $next_route_state = 'venet-in'; - } elsif ($target->{type} eq 'vm') { + } elsif ($target->{type} eq 'vm' || $target->{type} eq 'ct') { $pkg->{iface_in} = 'lo'; $pkg->{iface_out} = $target->{bridge} || die 'internal error'; $chain = 'PVEFW-OUTPUT'; @@ -326,40 +373,6 @@ sub route_packet { die "implement me"; } - } elsif ($route_state eq 'venet-out') { - - if ($target->{type} eq 'host') { - - $chain = 'PVEFW-INPUT'; - $pkg->{iface_in} = 'venet0'; - $pkg->{iface_out} = 'lo'; - $next_route_state = 'host'; - - } elsif ($target->{type} eq 'bport') { - - $chain = 'PVEFW-FORWARD'; - $pkg->{iface_in} = 'venet0'; - $pkg->{iface_out} = $target->{bridge} || die 'internal error'; - $next_route_state = $target->{iface} || die 'internal error'; - - } elsif ($target->{type} eq 'vm') { - - $chain = 'PVEFW-FORWARD'; - $pkg->{iface_in} = 'venet0'; - $pkg->{iface_out} = $target->{bridge} || die 'internal error'; - $next_route_state = 'fwbr-in'; - - } elsif ($target->{type} eq 'ct') { - - $chain = 'PVEFW-FORWARD'; - $pkg->{iface_in} = 'venet0'; - $pkg->{iface_out} = 'venet0'; - $next_route_state = 'venet-in'; - - } else { - die "implement me"; - } - } elsif ($route_state eq 'fwbr-out') { $chain = 'PVEFW-FORWARD'; @@ -369,7 +382,7 @@ sub route_packet { $pkg->{iface_out} = $from_info->{fwbr} || die 'internal error'; $pkg->{physdev_in} = $from_info->{tapdev} || die 'internal error'; $pkg->{physdev_out} = $from_info->{fwln} || die 'internal error'; - + } elsif ($route_state eq 'fwbr-in') { $chain = 'PVEFW-FORWARD'; @@ -380,7 +393,7 @@ sub route_packet { $pkg->{physdev_out} = $target->{tapdev} || die 'internal error'; } elsif ($route_state =~ m/^vmbr\d+$/) { - + die "missing physdev_in - internal error?" if !$physdev_in; $pkg->{physdev_in} = $physdev_in; @@ -402,14 +415,7 @@ sub route_packet { } $next_route_state = $target->{iface}; - } elsif ($target->{type} eq 'ct') { - - $chain = 'PVEFW-FORWARD'; - $pkg->{iface_in} = $route_state; - $pkg->{iface_out} = 'venet0'; - $next_route_state = 'venet-in'; - - } elsif ($target->{type} eq 'vm') { + } elsif ($target->{type} eq 'vm' || $target->{type} eq 'ct') { $chain = 'PVEFW-FORWARD'; $pkg->{iface_in} = $route_state; @@ -437,7 +443,7 @@ sub route_packet { my ($res, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $chain, $pkg); $rule_check_counter += $ctr; return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT'; - } + } $route_state = $next_route_state; @@ -448,32 +454,36 @@ sub route_packet { } sub extract_ct_info { - my ($vmdata, $vmid) = @_; + my ($vmdata, $vmid, $netnum) = @_; my $info = { type => 'ct', vmid => $vmid }; - my $conf = $vmdata->{openvz}->{$vmid} || die "no such CT '$vmid'"; - if ($conf->{ip_address}) { - $info->{ip_address} = $conf->{ip_address}->{value}; - } else { - die "implement me"; - } + my $conf = $vmdata->{lxc}->{$vmid} || die "no such CT '$vmid'"; + my $net = PVE::LXC::Config->parse_lxc_network($conf->{"net$netnum"}); + $info->{macaddr} = $net->{hwaddr} || die "unable to get mac address"; + $info->{bridge} = $net->{bridge} || die "unable to get bridge"; + $info->{fwbr} = "fwbr${vmid}i$netnum"; + $info->{tapdev} = "veth${vmid}i$netnum"; + $info->{fwln} = "fwln${vmid}i$netnum"; + $info->{fwpr} = "fwpr${vmid}p$netnum"; + $info->{ip_address} = $net->{ip} || die "unable to get ip address"; + return $info; } sub extract_vm_info { - my ($vmdata, $vmid) = @_; + my ($vmdata, $vmid, $netnum) = @_; my $info = { type => 'vm', vmid => $vmid }; my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'"; - my $net = PVE::QemuServer::parse_net($conf->{net0}); + my $net = PVE::QemuServer::parse_net($conf->{"net$netnum"}); $info->{macaddr} = $net->{macaddr} || die "unable to get mac address"; $info->{bridge} = $net->{bridge} || die "unable to get bridge"; - $info->{fwbr} = "fwbr${vmid}i0"; - $info->{tapdev} = "tap${vmid}i0"; - $info->{fwln} = "fwln${vmid}i0"; - $info->{fwpr} = "fwpr${vmid}p0"; + $info->{fwbr} = "fwbr${vmid}i$netnum"; + $info->{tapdev} = "tap${vmid}i$netnum"; + $info->{fwln} = "fwln${vmid}i$netnum"; + $info->{fwpr} = "fwpr${vmid}p$netnum"; return $info; } @@ -484,9 +494,9 @@ sub simulate_firewall { my $from = $test->{from} || die "missing 'from' field"; my $to = $test->{to} || die "missing 'to' field"; my $action = $test->{action} || die "missing 'action'"; - + my $testid = $test->{id}; - + die "from/to needs to be different" if $from eq $to; my $pkg = { @@ -532,18 +542,17 @@ sub simulate_firewall { $from_info->{iface} = 'tapXYZ'; $start_state = 'from-bport'; } elsif ($from =~ m/^ct(\d+)$/) { + return 'SKIPPED' if !$have_lxc; my $vmid = $1; - $from_info = extract_ct_info($vmdata, $vmid); - if ($from_info->{ip_address}) { - $pkg->{source} = $from_info->{ip_address} if !defined($pkg->{source}); - $start_state = 'venet-out'; - } else { - die "implement me"; - } - } elsif ($from =~ m/^vm(\d+)$/) { + $from_info = extract_ct_info($vmdata, $vmid, 0); + $start_state = 'fwbr-out'; + $pkg->{mac_source} = $from_info->{macaddr}; + } elsif ($from =~ m/^vm(\d+)(i(\d))?$/) { + return 'SKIPPED' if !$have_qemu_server; my $vmid = $1; - $from_info = extract_vm_info($vmdata, $vmid); - $start_state = 'fwbr-out'; + my $netnum = $3 || 0; + $from_info = extract_vm_info($vmdata, $vmid, $netnum); + $start_state = 'fwbr-out'; $pkg->{mac_source} = $from_info->{macaddr}; } else { die "unable to parse \"from => '$from'\"\n"; @@ -568,18 +577,14 @@ sub simulate_firewall { $target->{bridge} = 'vmbr0'; $target->{iface} = 'tapXYZ'; } elsif ($to =~ m/^ct(\d+)$/) { + return 'SKIPPED' if !$have_lxc; my $vmid = $1; - $target = extract_ct_info($vmdata, $vmid); - $target->{iface} = 'venet-in'; - - if ($target->{ip_address}) { - $pkg->{dest} = $target->{ip_address}; - } else { - die "implement me"; - } + $target = extract_ct_info($vmdata, $vmid, 0); + $target->{iface} = $target->{tapdev}; } elsif ($to =~ m/^vm(\d+)$/) { + return 'SKIPPED' if !$have_qemu_server; my $vmid = $1; - $target = extract_vm_info($vmdata, $vmid); + $target = extract_vm_info($vmdata, $vmid, 0); $target->{iface} = $target->{tapdev}; } else { die "unable to parse \"to => '$to'\"\n"; @@ -588,16 +593,16 @@ sub simulate_firewall { $pkg->{source} = '100.100.1.2' if !defined($pkg->{source}); $pkg->{dest} = '100.200.3.4' if !defined($pkg->{dest}); - my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg, + my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state); add_trace("IPT statistics: invocation = $ic, checks = $rc\n"); - + return $res if $action eq 'QUERY'; die "test failed ($res != $action)\n" if $action ne $res; - return undef; + return undef; } 1;