read in shorewall macros

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 2e1f1e214283ef39b4dfbe494f096f9c77a21d63..c9f502a25598daaee50978a8a0a80526881d5fd8 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -6,6 +6,19 @@ use Data::Dumper;
 use PVE::Tools;
 use PVE::QemuServer;
 
 use PVE::Tools;
 use PVE::QemuServer;
 

+my $macros;
+sub get_shorewall_macros {
+
+    return $macros if $macros;
+
+    foreach my $path (</usr/share/shorewall/macro.*>) {
+       if ($path =~ m|/macro\.(\S+)$|) {
+           $macros->{$1} = 1;
+       }
+    }
+    return $macros;
+}
+

 
 my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
 
 
 my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n";
 


@@ -18,8 +31,11 @@ my $generate_input_rule = sub {
     my $zone = $net->{zone} || die "internal error";
     my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
     my $tap = $net->{tap} || die "internal error";
     my $zone = $net->{zone} || die "internal error";
     my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
     my $tap = $net->{tap} || die "internal error";

-    
-    return sprintf($rule_format, $rule->{action}, $rule->{source}, "$zid:$tap", 
+
+    my $action = $rule->{service} ? 
+       "$rule->{service}($rule->{action})" : $rule->{action};
+
+    return sprintf($rule_format, $action, $rule->{source}, "$zid:$tap", 

                   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
 
                   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
 


@@ -32,8 +48,11 @@ my $generate_output_rule = sub {
     my $zone = $net->{zone} || die "internal error";
     my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
     my $tap = $net->{tap} || die "internal error";
     my $zone = $net->{zone} || die "internal error";
     my $zid = $zoneinfo->{$zone}->{id} || die "internal error";
     my $tap = $net->{tap} || die "internal error";

+
+    my $action = $rule->{service} ? 
+       "$rule->{service}($rule->{action})" : $rule->{action};

     
     

-    return sprintf($rule_format, $rule->{action}, "$zid:$tap", $rule->{dest}, 
+    return sprintf($rule_format, $action, "$zid:$tap", $rule->{dest}, 

                   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
 
                   $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-');
 };
 

diff --git a/pvefw b/pvefw
index fdf72468e109e072d1837fa84907bcba4ec48ba8..1a0631b4bf9870b42d6e96de6a11bbd7d6d7b4a0 100755 (executable)
--- a/pvefw
+++ b/pvefw
@@ -33,6 +33,7 @@ $rpcenv->init_request();
 $rpcenv->set_language($ENV{LANG});
 $rpcenv->set_user('root@pam');
 
 $rpcenv->set_language($ENV{LANG});
 $rpcenv->set_user('root@pam');
 

+

 sub parse_fw_rules {
     my ($filename, $fh) = @_;
 
 sub parse_fw_rules {
     my ($filename, $fh) = @_;
 


@@ -40,6 +41,8 @@ sub parse_fw_rules {
 
     my $res = { in => [], out => [] };
 
 
     my $res = { in => [], out => [] };
 

+    my $macros = PVE::Firewall::get_shorewall_macros();
+

     while (defined(my $line = <$fh>)) {
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
     while (defined(my $line = <$fh>)) {
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;


@@ -58,9 +61,18 @@ sub parse_fw_rules {
            next;
        }
 
            next;
        }
 

-       if ($action !~ m/^(ACCEPT|DROP)$/) {
+       my $service;
+       if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
+           # OK
+       } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+           ($service, $action) = ($1, $2);
+           if (!$macros->{$service}) {
+               warn "unknown service '$service'\n";
+               next;
+           }
+       } else {

            warn "unknown action '$action'\n";
            warn "unknown action '$action'\n";

-#          next;
+           next;

        }
 
        if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
        }
 
        if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {


@@ -85,6 +97,7 @@ sub parse_fw_rules {
 
        my $rule = {
            action => $action,
 
        my $rule = {
            action => $action,

+           service => $service,

            iface => $iface,
            source => $source,
            dest => $dest,
            iface => $iface,
            source => $source,
            dest => $dest,


@@ -121,10 +134,9 @@ sub read_local_vm_config {
 
 sub read_vm_firewall_rules {
     my ($vmdata) = @_;
 
 sub read_vm_firewall_rules {
     my ($vmdata) = @_;

-

     my $rules = {};
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
     my $rules = {};
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {

-       my $filename = "/etc/pve/$vmid.fw";
+       my $filename = "/etc/pve/firewall/$vmid.fw";

        my $fh = IO::File->new($filename, O_RDONLY);
        next if !$fh;
 
        my $fh = IO::File->new($filename, O_RDONLY);
        next if !$fh;
 


@@ -149,7 +161,7 @@ __PACKAGE__->register_method ({
        my ($param) = @_;
 
        my $vmdata = read_local_vm_config();
        my ($param) = @_;
 
        my $vmdata = read_local_vm_config();

-       my $rules = read_vm_firewall_rules();
+       my $rules = read_vm_firewall_rules($vmdata);

 
        # print Dumper($vmdata);
 
 
        # print Dumper($vmdata);