run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
}
+sub ebtables_restore_cmdlist {
+ my ($cmdlist) = @_;
+
+ run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
+}
+
sub iptables_get_chains {
my ($iptablescmd) = @_;
return $res;
}
+sub ebtables_get_chains {
+
+ my $res = {};
+ my $chains = {};
+
+ my $parser = sub {
+ my $line = shift;
+ return if $line =~ m/^#/;
+ return if $line =~ m/^\s*$/;
+ if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
+ my $chain = $1;
+ $line =~ s/\s+$//;
+ push @{$chains->{$chain}}, $line;
+ } elsif ($line =~ m/^(?:\S+)\s(tap\d+i\d+-(:?IN|OUT))\s(?:\S+).*/) {
+ my $chain = $1;
+ $line =~ s/\s+$//;
+ push @{$chains->{$chain}}, $line;
+ } elsif ($line =~ m/^(?:\S+)\s(veth\d+i\d+-(:?IN|OUT))\s(?:\S+).*/) {
+ my $chain = $1;
+ $line =~ s/\s+$//;
+ push @{$chains->{$chain}}, $line;
+ } else {
+ # simply ignore the rest
+ return;
+ }
+ };
+
+ run_command("/sbin/ebtables-save", outfunc => $parser);
+
+ # compute digest for each chain
+ foreach my $chain (keys %$chains) {
+ $res->{$chain} = iptables_chain_digest($chains->{$chain});
+ }
+ return $res;
+}
+
# substitude action of rule according to action hash
sub rule_substitude_action {
my ($rule, $actions) = @_;
return wantarray ? ($cmdlist, $changes) : $cmdlist;
}
+sub get_ebtables_cmdlist {
+ my ($ruleset, $verbose) = @_;
+
+ my $changes = 0;
+ my $cmdlist = "*filter\n";
+
+ my ($active_chains, $hooks) = ebtables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
+
+ # create chains first
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
+ $cmdlist .= ":$chain ACCEPT\n";
+ }
+
+ if ($ruleset->{FORWARD}) {
+ $cmdlist .= "-A FORWARD -j PVEFW-FORWARD\n";
+ }
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
+ $changes = 1 if ($stat->{action} ne 'exists');
+
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $cmdlist .= "$cmd\n";
+ }
+ }
+
+ return wantarray ? ($cmdlist, $changes) : $cmdlist;
+}
+
sub get_ipset_cmdlist {
my ($ruleset, $verbose) = @_;
}
sub apply_ruleset {
- my ($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $verbose) = @_;
+ my ($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $ebtables_ruleset, $verbose) = @_;
enable_bridge_firewall();
my ($cmdlist, $changes) = get_ruleset_cmdlist($ruleset, $verbose);
my ($cmdlistv6, $changesv6) = get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
+ my ($ebtables_cmdlist, $ebtables_changes) = get_ebtables_cmdlist($ebtables_ruleset, $verbose);
if ($verbose) {
if ($ipset_changes) {
print "ip6tables changes:\n";
print $cmdlistv6;
}
+
+ if ($ebtables_changes) {
+ print "ebtables changes:\n";
+ print $ebtables_cmdlist;
+ }
}
my $tmpfile = "$pve_fw_status_dir/ipsetcmdlist1";
ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
+ ebtables_restore_cmdlist($ebtables_cmdlist);
+
+ $tmpfile = "$pve_fw_status_dir/ebtablescmdlist";
+ PVE::Tools::file_set_contents($tmpfile, $ebtables_cmdlist || '');
+
# test: re-read status and check if everything is up to date
my $active_chains = iptables_get_chains();
my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, 0);
}
}
+ my $active_ebtables_chains = ebtables_get_chains();
+ my $ebtables_statushash = get_ruleset_status($ebtables_ruleset, $active_ebtables_chains, \&iptables_chain_digest, 0);
+
+ foreach my $chain (sort keys %$ebtables_ruleset) {
+ my $stat = $ebtables_statushash->{$chain};
+ if ($stat->{action} ne 'exists') {
+ warn "ebtables : unable to update chain '$chain'\n";
+ $errors = 1;
+ }
+ }
+
die "unable to apply firewall changes\n" if $errors;
update_nf_conntrack_max($hostfw_conf);
my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);
- apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6);
+ apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
};
run_locked($code);
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
++ my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset, $verbose);
- $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6) ? 1 : 0;
+ $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) ? 1 : 0;
}
return $res;
print "\nip6tables cmdlist:\n";
my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
- if ($ipset_changes || $ruleset_changes || $ruleset_changesv6) {
+ print "\nebtables cmdlist:\n";
+ my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset, $verbose);
+
+ if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) {
print "detected changes\n";
} else {
print "no changes\n";
projects / pve-firewall.git / commitdiff