Because we also have cluster wide rules
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
[RULES]
IN SSH(ACCEPT) vmbr0
[RULES]
IN SSH(ACCEPT) vmbr0
log_level_in: info
log_level_out: info
log_level_in: info
log_level_out: info
-# default policy
-policy_in: DROP
-policy_out: ACCEPT
-
# allow more connections (default is 65536)
nf_conntrack_max: 196608
# allow more connections (default is 65536)
nf_conntrack_max: 196608
# fixme: allow security groups
my $options = $hostfw_conf->{options};
# fixme: allow security groups
my $options = $hostfw_conf->{options};
+ my $cluster_options = $cluster_conf->{options};
my $rules = $hostfw_conf->{rules};
# host inbound firewall
my $rules = $hostfw_conf->{rules};
# host inbound firewall
}
# implement input policy
}
# implement input policy
- my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
# host outbound firewall
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
# host outbound firewall
}
# implement output policy
}
# implement output policy
- $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = $2 ? lc($3) : '';
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
- $opt = lc($1);
- $value = uc($3);
} elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
$opt = lc($1);
$value = int($2);
if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ $opt = lc($1);
+ $value = uc($3);
} else {
chomp $line;
die "can't parse option '$line'\n"
} else {
chomp $line;
die "can't parse option '$line'\n"
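Review bot: Removing the `policy_(in|out)` branch from the host-options parser means an existing host.fw that still carries the previously documented `policy_in: DROP` line now falls through to `die "can't parse option '$line'\n"`, so a host that was configured the old way fails to load its firewall config after this change; whether that fails open or closed depends on the caller, which is outside the hunk. A migration-friendly parser would keep accepting the option in host.fw and ignore it with a warning, e.g. `} elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { warn "option '$1' in host.fw is ignored, set it in cluster.fw\n"; }` (with whatever skip the surrounding loop uses), rather than treating it as a syntax error. On the ruleset side, `$cluster_options->{policy_in} || 'DROP'` still fails closed when cluster.fw is absent or lacks the option, which is the right default, but it should be documented that a per-host override is no longer possible. Both the option parser and the ruleset builder start and end outside the hunk, so the caller's handling of the die could not be checked here.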