From f8b12fffb88e199f4641278bbd66efb1e99ac389 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 15 May 2014 11:01:35 +0200
Subject: [PATCH] fix security groups for VMs

And add resgression tests for those fixes.
---
 src/PVE/Firewall.pm | 19 +++++++++----------
 test/test-group1/100.fw | 8 +++++---
 test/test-group1/tests | 8 ++++++++
 3 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e766604..bd17ee6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1484,12 +1484,11 @@ sub ruleset_add_group_rule {
     if(!ruleset_chain_exist($ruleset, $group_chain)){
         generate_group_rules($ruleset, $cluster_conf, $group);
     }
-    if ($rule->{iface}) {
-        if ($direction eq 'OUT') {
-            ruleset_addrule($ruleset, $chain, "-o $rule->{iface} -j $group_chain");
-        } else {
-            ruleset_addrule($ruleset, $chain, "-i $rule->{iface} -j $group_chain");
-        }
+
+    if ($direction eq 'OUT' && $rule->{iface_out}) {
+        ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out} -j $group_chain");
+    } elsif ($direction eq 'IN' && $rule->{iface_in}) {
+        ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in} -j $group_chain");
     } else {
         ruleset_addrule($ruleset, $chain, "-j $group_chain");
     }
@@ -1676,14 +1675,14 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
+        $rule->{iface_in} = $rule->{iface} if $rule->{iface};
         if ($rule->{type} eq 'group') {
             ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
         } elsif ($rule->{type} eq 'in') {
-            $rule->{iface_in} = $rule->{iface} if $rule->{iface};
             ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
-            delete $rule->{iface_in};
         }
+        delete $rule->{iface_in};
     }
     # implement input policy
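Review bot: The new `else` branch in ruleset_add_group_rule now jumps to the group chain with no interface match whenever the direction-specific key is missing, so any caller that still populates only `$rule->{iface}` (which the removed code honoured directly) silently loses its interface restriction and the group is applied on every interface — a fail-open default for a firewall rule. Unless every caller is known to translate `iface` into `iface_in`/`iface_out`, I would make the lost restriction loud rather than silent: `die "unexpected direction '$direction'\n" if $direction ne 'IN' && $direction ne 'OUT';` before the `if`, and `die "group rule carries iface but no iface_in/iface_out\n" if $rule->{iface} && !$rule->{iface_in} && !$rule->{iface_out};`. The VM-side caller that presumably sets these keys is not part of this patch, so I cannot confirm it from the hunk; ruleset_add_group_rule's signature and the rest of its body are also outside the hunk.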
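Review bot: Hoisting `$rule->{iface_in} = $rule->{iface}` to the top of the loop mutates rule hashes that come from `$cluster_rules` in place, and the matching `delete` only runs if the iteration completes — if ruleset_add_group_rule or ruleset_generate_rule dies part-way, the temporary key stays on the shared cluster config object for whatever processes those rules next. The OUT loop in the following hunk (`@@ -1709`) has the same pattern with `iface_out`. A copy avoids touching shared state and needs no cleanup: `my $r = $rule->{iface} ? { %$rule, iface_in => $rule->{iface} } : $rule;` and pass `$r` to both calls, dropping the assignment and the `delete`; alternatively `local $rule->{iface_in} = $rule->{iface} if $rule->{iface};` restores the element at the end of each iteration even on `die`. Whether anything else reads `$cluster_rules` after this sub cannot be seen from the hunk, so treat the leak as a hedge rather than a confirmed bug.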
@@ -1709,14 +1708,14 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
+        $rule->{iface_out} = $rule->{iface} if $rule->{iface};
         if ($rule->{type} eq 'group') {
             ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
         } elsif ($rule->{type} eq 'out') {
-            $rule->{iface_out} = $rule->{iface} if $rule->{iface};
             ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
-            delete $rule->{iface_out};
         }
+        delete $rule->{iface_out};
     }
     # implement output policy
diff --git a/test/test-group1/100.fw b/test/test-group1/100.fw
index bc0af4b..7b2581a 100644
--- a/test/test-group1/100.fw
+++ b/test/test-group1/100.fw
@@ -1,6 +1,8 @@
 [RULES]
-IN ACCEPT - - - tcp 22
-IN ACCEPT - - - tcp 80
+IN ACCEPT - 192.168.2.1 - tcp 22
+IN ACCEPT - 192.168.2.1 - tcp 80
+IN ACCEPT - 127.0.0.1 - tcp 80
-GROUP group2
\ No newline at end of file
+IN ACCEPT net0 192.168.5.0/24 - tcp 22
+GROUP group2 net0
\ No newline at end of file
diff --git a/test/test-group1/tests b/test/test-group1/tests
index d7413cc..d9e327b 100644
--- a/test/test-group1/tests
+++ b/test/test-group1/tests
@@ -1,3 +1,6 @@
+{ from => 'outside', to => 'vm100', source => '192.168.4.1', dport => 22, action => 'DROP' }
+{ from => 'outside', to => 'vm100', source => '192.168.3.1', dport => 22, action => 'ACCEPT' }
+
 { from => 'host', source => '192.168.2.1', dport => 22, action => 'ACCEPT' }
 { from => 'host', source => '192.168.2.1', dport => 443, action => 'REJECT' }
 { from => 'host', source => '192.168.2.1', dport => 80, action => 'REJECT' }
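Review bot: The interface-qualified rules added to test/test-group1/100.fw (`IN ACCEPT net0 192.168.5.0/24 - tcp 22` and `GROUP group2 net0`) are not exercised by the new cases in this hunk, which only use sources 192.168.3.1 and 192.168.4.1; nothing checks that a source inside 192.168.5.0/24 is accepted on net0, and nothing checks that the `net0` qualifier restricts the match, which is the behaviour the Firewall.pm change is meant to fix. I would add a case such as `{ from => 'outside', to => 'vm100', source => '192.168.5.1', dport => 22, action => 'ACCEPT' }` (a constructed address inside the subnet the rule names) and, if the harness can express the arrival interface, a negative case for the same source on another interface. Whether the 192.168.3.1 ACCEPT is produced by group2 cannot be confirmed here because the group definition is outside the patch.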
@@ -6,3 +9,8 @@
 { to => 'host', source => '127.0.0.1', dport => 22, action => 'DROP' }
 { to => 'host', source => '192.168.2.1', dport => 22, action => 'ACCEPT' }
 { to => 'host', source => '192.168.2.1', dport => 80, action => 'REJECT' }
+
+{ to => 'vm100', source => '192.168.3.1', dport => 22, action => 'ACCEPT' }
+{ to => 'vm100', source => '192.168.4.1', dport => 22, action => 'DROP' }
+
+
-- 
2.39.2
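Review bot: The hunk ends by appending two empty lines after the last new case (the two trailing `+` lines), which is stray whitespace at end of file rather than content; drop them so the file ends at the `192.168.4.1` DROP case. The two new `to => 'vm100'` cases also omit `from =>`, whereas the cases added at the top of the same file spell out `from => 'outside'`; if the harness defaults `from` when it is absent that is fine, otherwise make the two sets consistent so the intended direction of each case is explicit.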