use PVE::Tools;
use PVE::QemuServer;
+my $macros;
+sub get_shorewall_macros {
+
+ return $macros if $macros;
+
+ foreach my $path (</usr/share/shorewall/macro.*>) {
+ if ($path =~ m|/macro\.(\S+)$|) {
+ $macros->{$1} = 1;
+ }
+ }
+ return $macros;
+}
+
my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
my $zone = $net->{zone} || die "internal error";
my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
my $tap = $net->{tap} || die "internal error";
-
- return sprintf($rule_format, $rule->{action}, $rule->{source}, "$zid:$tap",
+
+ my $action = $rule->{service} ?
+ "$rule->{service}($rule->{action})" : $rule->{action};
+
+ return sprintf($rule_format, $action, $rule->{source}, "$zid:$tap",
$rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
};
my $zone = $net->{zone} || die "internal error";
my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
my $tap = $net->{tap} || die "internal error";
+
+ my $action = $rule->{service} ?
+ "$rule->{service}($rule->{action})" : $rule->{action};
- return sprintf($rule_format, $rule->{action}, "$zid:$tap", $rule->{dest},
+ return sprintf($rule_format, $action, "$zid:$tap", $rule->{dest},
$rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
};
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
+
sub parse_fw_rules {
my ($filename, $fh) = @_;
my $res = { in => [], out => [] };
+ my $macros = PVE::Firewall::get_shorewall_macros();
+
while (defined(my $line = <$fh>)) {
next if $line =~ m/^#/;
next if $line =~ m/^\s*$/;
next;
}
- if ($action !~ m/^(ACCEPT|DROP)$/) {
+ my $service;
+ if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
+ # OK
+ } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+ ($service, $action) = ($1, $2);
+ if (!$macros->{$service}) {
+ warn "unknown service '$service'\n";
+ next;
+ }
+ } else {
warn "unknown action '$action'\n";
-# next;
+ next;
}
if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
my $rule = {
action => $action,
+ service => $service,
iface => $iface,
source => $source,
dest => $dest,
sub read_vm_firewall_rules {
my ($vmdata) = @_;
-
my $rules = {};
foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
- my $filename = "/etc/pve/$vmid.fw";
+ my $filename = "/etc/pve/firewall/$vmid.fw";
my $fh = IO::File->new($filename, O_RDONLY);
next if !$fh;
my ($param) = @_;
my $vmdata = read_local_vm_config();
- my $rules = read_vm_firewall_rules();
+ my $rules = read_vm_firewall_rules($vmdata);
# print Dumper($vmdata);