From 9aab3127bdc04bc3e17bcfb0b8461e32694dc098 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Wed, 8 Aug 2012 10:47:42 +0200 Subject: [PATCH] read in shorewall macros --- PVE/Firewall.pm | 25 ++++++++++++++++++++++--- pvefw | 22 +++++++++++++++++----- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index 2e1f1e2..c9f502a 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -6,6 +6,19 @@ use Data::Dumper; use PVE::Tools; use PVE::QemuServer; +my $macros; +sub get_shorewall_macros { + + return $macros if $macros; + + foreach my $path () { + if ($path =~ m|/macro\.(\S+)$|) { + $macros->{$1} = 1; + } + } + return $macros; +} + my $rule_format = "%-15s %-15s %-15s %-15s %-15s %-15s\n"; @@ -18,8 +31,11 @@ my $generate_input_rule = sub { my $zone = $net->{zone} || die "internal error"; my $zid = $zoneinfo->{$zone}->{id} || die "internal error"; my $tap = $net->{tap} || die "internal error"; - - return sprintf($rule_format, $rule->{action}, $rule->{source}, "$zid:$tap", + + my $action = $rule->{service} ? + "$rule->{service}($rule->{action})" : $rule->{action}; + + return sprintf($rule_format, $action, $rule->{source}, "$zid:$tap", $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-'); }; @@ -32,8 +48,11 @@ my $generate_output_rule = sub { my $zone = $net->{zone} || die "internal error"; my $zid = $zoneinfo->{$zone}->{id} || die "internal error"; my $tap = $net->{tap} || die "internal error"; + + my $action = $rule->{service} ? + "$rule->{service}($rule->{action})" : $rule->{action}; - return sprintf($rule_format, $rule->{action}, "$zid:$tap", $rule->{dest}, + return sprintf($rule_format, $action, "$zid:$tap", $rule->{dest}, $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-'); }; diff --git a/pvefw b/pvefw index fdf7246..1a0631b 100755 --- a/pvefw +++ b/pvefw @@ -33,6 +33,7 @@ $rpcenv->init_request(); $rpcenv->set_language($ENV{LANG}); $rpcenv->set_user('root@pam'); + sub parse_fw_rules { my ($filename, $fh) = @_; @@ -40,6 +41,8 @@ sub parse_fw_rules { my $res = { in => [], out => [] }; + my $macros = PVE::Firewall::get_shorewall_macros(); + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -58,9 +61,18 @@ sub parse_fw_rules { next; } - if ($action !~ m/^(ACCEPT|DROP)$/) { + my $service; + if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { + # OK + } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + ($service, $action) = ($1, $2); + if (!$macros->{$service}) { + warn "unknown service '$service'\n"; + next; + } + } else { warn "unknown action '$action'\n"; -# next; + next; } if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) { @@ -85,6 +97,7 @@ sub parse_fw_rules { my $rule = { action => $action, + service => $service, iface => $iface, source => $source, dest => $dest, @@ -121,10 +134,9 @@ sub read_local_vm_config { sub read_vm_firewall_rules { my ($vmdata) = @_; - my $rules = {}; foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/$vmid.fw"; + my $filename = "/etc/pve/firewall/$vmid.fw"; my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; @@ -149,7 +161,7 @@ __PACKAGE__->register_method ({ my ($param) = @_; my $vmdata = read_local_vm_config(); - my $rules = read_vm_firewall_rules(); + my $rules = read_vm_firewall_rules($vmdata); # print Dumper($vmdata); -- 2.39.2