[pve-devel] [PATCH] basic bridge iptables implementation
Alexandre Derumier
aderumier at odiso.com
Fri Jan 31 14:57:04 CET 2014
./pvefw enabletaprules -netid net0 -vmid 110
./pvefw disabletaprules -netid net0 -vmid 110
sample firewall config file
---------------------------
[IN]
ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - icmp - -
[OUT]
ACCEPT net0 - - icmp - -
ACCEPT net0 - - tcp 80 -
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
PVE/Firewall.pm | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
pvefw | 61 +++++++++++++++++++
2 files changed, 235 insertions(+)
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 6a3f225..190154e 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -8,6 +8,7 @@ use PVE::QemuServer;
use File::Path;
use IO::File;
use Net::IP;
+use PVE::Tools qw(run_command);
use Data::Dumper;
@@ -120,6 +121,179 @@ sub parse_port_name_number_or_range {
my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
+sub iptables {
+ my ($cmd) = @_;
+
+ run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
+}
+
+sub iptables_chain_exist {
+ my ($chain) = @_;
+
+ eval{
+ iptables("-n --list $chain");
+ };
+ return undef if $@;
+
+ return 1;
+}
+
+sub iptables_rule_exist {
+ my ($rule) = @_;
+
+ eval{
+ iptables("-C $rule");
+ };
+ return undef if $@;
+
+ return 1;
+}
+
+sub iptables_add_rule {
+ my ($chain, $rule) = @_;
+
+ my $cmd = "-A $chain";
+
+ $cmd .= " -s $rule->{source}" if $rule->{source};
+ $cmd .= " -d $rule->{dest}" if $rule->{destination};
+ $cmd .= " -p $rule->{proto}" if $rule->{proto};
+ $cmd .= " --dport $rule->{dport}" if $rule->{dport};
+ $cmd .= " --sport $rule->{sport}" if $rule->{sport};
+ $cmd .= " -j $rule->{action}" if $rule->{action};
+
+ iptables($cmd);
+
+}
+
+sub generate_bridge_rules {
+ my ($bridge) = @_;
+
+ #generate main forward chain
+ if(!iptables_chain_exist("proxmoxfw-FORWARD")){
+ iptables("-N proxmoxfw-FORWARD");
+ iptables("-I FORWARD -j proxmoxfw-FORWARD");
+ }
+
+
+
+ #if bridge-direction don't exist
+ if(!iptables_chain_exist($bridge)){
+ eval{
+ iptables("-N $bridge");
+ iptables("-N $bridge-OUT");
+ iptables("-N $bridge-IN");
+
+ iptables("-A proxmoxfw-FORWARD -o $bridge -m physdev --physdev-is-bridged -j $bridge");
+ iptables("-A proxmoxfw-FORWARD -i $bridge -m physdev --physdev-is-bridged -j $bridge");
+ iptables("-A proxmoxfw-FORWARD -i $bridge -j DROP"); #disable interbridge routing
+ iptables("-A proxmoxfw-FORWARD -o $bridge -j DROP"); # disable interbridge routing
+ iptables("-A $bridge -m state --state RELATED,ESTABLISHED -j ACCEPT");
+ iptables("-A $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ iptables("-A $bridge -m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+ iptables("-A $bridge -j ACCEPT");
+ };
+ if ($@){
+ #cleanup if error occur
+ eval{ iptables("-F $bridge-IN"); };
+ eval{ iptables("-X $bridge-IN"); };
+ eval{ iptables("-F $bridge-OUT"); };
+ eval{ iptables("-X $bridge-OUT"); };
+ eval{ iptables("-F $bridge"); };
+ eval{ iptables("-X $bridge"); };
+
+ die "error creating bridge $bridge rules";
+ }
+ }
+}
+
+
+sub generate_tap_rules_direction {
+ my ($iface, $netid, $rules, $bridge, $direction) = @_;
+
+ my $tapchain = "$iface-$direction";
+
+ if(iptables_chain_exist($tapchain)){
+ #we flush the chain (can be improved later)
+ iptables("-F $tapchain");
+ }else{
+ iptables("-N $tapchain");
+ }
+
+ iptables("-A $tapchain -m state --state INVALID -j DROP");
+ iptables("-A $tapchain -m state --state RELATED,ESTABLISHED -j ACCEPT");
+
+ if (scalar(@$rules)) {
+ foreach my $rule (@$rules) {
+ next if $rule->{iface} && $rule->{iface} ne $netid;
+ #we use RETURN in out rules
+ $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
+ iptables_add_rule($tapchain, $rule);
+ }
+ }
+
+ iptables("-A $tapchain -j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
+ iptables("-A $tapchain -j DROP");
+
+ generate_bridge_rules($bridge);
+
+ #plug the tap chain to bridge chain
+ my $physdevdirection = $direction eq 'IN' ? "out":"in";
+ my $rule = "$bridge-$direction -m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
+
+ if(!iptables_rule_exist($rule)){
+ iptables("-A $rule");
+ }
+}
+
+sub generate_tap_rules {
+ my ($net, $netid, $vmid) = @_;
+
+ my $filename = "/etc/pve/firewall/$vmid.fw";
+ my $fh = IO::File->new($filename, O_RDONLY);
+ return if !$fh;
+
+ #generate bridge rules
+ my $bridge = $net->{bridge};
+
+ #generate tap chain
+ my $rules = parse_fw_rules($filename, $fh);
+
+ my $inrules = $rules->{in};
+ my $outrules = $rules->{out};
+
+ my $iface = "tap".$vmid."i".$1 if $netid =~ m/net(\d+)/;
+
+ generate_tap_rules_direction($iface, $netid, $inrules, $bridge, 'IN');
+ generate_tap_rules_direction($iface, $netid, $outrules, $bridge, 'OUT');
+}
+
+sub flush_tap_rules {
+ my ($net, $netid, $vmid) = @_;
+
+ my $bridge = $net->{bridge};
+ my $iface = "tap".$vmid."i".$1 if $netid =~ m/net(\d+)/;
+
+ flush_tap_rules_direction($iface, $bridge, 'IN');
+ flush_tap_rules_direction($iface, $bridge, 'OUT');
+}
+
+sub flush_tap_rules_direction {
+ my ($iface, $bridge, $direction) = @_;
+
+ my $tapchain = "$iface-$direction";
+
+ if(iptables_chain_exist($tapchain)){
+ iptables("-F $tapchain");
+
+ my $physdevdirection = $direction eq 'IN' ? "out":"in";
+ my $rule = "$bridge-$direction -m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
+ if(iptables_rule_exist($rule)){
+ iptables("-D $rule");
+ }
+ iptables("-X $tapchain");
+ }
+}
+
my $generate_input_rule = sub {
my ($zoneinfo, $rule, $net, $netid) = @_;
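Review bot: `iptables()` builds one string and hands it to `run_command`, so the values `iptables_add_rule` interpolates from the parsed `/etc/pve/firewall/<vmid>.fw` rules (`source`, `dest`, `proto`, `dport`, `sport`, `action`) reach the command line unquoted — if run_command passes a bare string through a shell, whitespace or metacharacters in a field become extra iptables options or extra commands, and nothing in this hunk rejects an `action` such as `ACCEPT -m ...` either way. Pass an argument vector instead: let `iptables()` take a list and call `run_command(['/sbin/iptables', @args], ...)`, with `iptables_add_rule` pushing option/value pairs onto `@args` and the LOG rule passing `"$tapchain-dropped: "` as its own element, which also drops the embedded quotes. Two further defects: `$cmd .= " -d $rule->{dest}" if $rule->{destination};` tests one key and interpolates the other, so the destination is either never emitted or emitted empty depending on which key parse_fw_rules sets (use the same key in both places); and `my $iface = "tap".$vmid."i".$1 if $netid =~ m/net(\d+)/;` (in both generate_tap_rules and flush_tap_rules) is the conditional-`my` construct perl documents as undefined behaviour and leaves `$iface` undef when `netid` does not match, yielding chains named `-IN`/`-OUT` — declare first and `die "invalid netid '$netid'\n" unless $netid =~ m/^net(\d+)$/;`. Because `errfunc => sub {}` discards iptables' stderr, the `die` run_command raises on a non-zero exit carries no reason; collect stderr into a scalar and include it in the error message.
```perl
sub iptables {
    my (@args) = @_;

    # List form: no shell, every argument reaches iptables verbatim.
    my $err = '';
    run_command(['/sbin/iptables', @args],
		outfunc => sub {},
		errfunc => sub { $err .= "$_[0]\n"; });
}

# … unchanged: iptables_chain_exist / iptables_rule_exist, now calling
#     iptables('-n', '--list', $chain) and iptables('-C', @$rule) …

sub iptables_add_rule {
    my ($chain, $rule) = @_;

    my @args = ('-A', $chain);

    push @args, '-s', $rule->{source}  if $rule->{source};
    push @args, '-d', $rule->{dest}    if $rule->{dest};      # same key in test and value
    push @args, '-p', $rule->{proto}   if $rule->{proto};
    push @args, '--dport', $rule->{dport} if $rule->{dport};
    push @args, '--sport', $rule->{sport} if $rule->{sport};
    push @args, '-j', $rule->{action}  if $rule->{action};

    iptables(@args);
}

# … unchanged: generate_bridge_rules, with its fixed strings split into list elements …

# in generate_tap_rules_direction: the log prefix is one argument, no quoting needed
iptables('-A', $tapchain, '-j', 'LOG', '--log-prefix', "$tapchain-dropped: ", '--log-level', '4');
```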
diff --git a/pvefw b/pvefw
index b10895e..9ba1adf 100755
--- a/pvefw
+++ b/pvefw
@@ -29,6 +29,65 @@ $rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root at pam');
+__PACKAGE__->register_method({
+ name => 'enabletaprules',
+ path => 'enabletaprules',
+ method => 'POST',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid'),
+ netid => {
+ type => 'string',
+ },
+
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ # test if VM exists
+ my $vmid = $param->{vmid};
+ my $netid = $param->{netid};
+
+ my $conf = PVE::QemuServer::load_config($vmid);
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+
+ PVE::Firewall::generate_tap_rules($net, $netid, $vmid);
+
+ return undef;
+ }});
+
+__PACKAGE__->register_method({
+ name => 'disabletaprules',
+ path => 'disabletaprules',
+ method => 'POST',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ vmid => get_standard_option('pve-vmid'),
+ netid => {
+ type => 'string',
+ },
+
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ # test if VM exists
+ my $vmid = $param->{vmid};
+ my $netid = $param->{netid};
+
+ my $conf = PVE::QemuServer::load_config($vmid);
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+
+ PVE::Firewall::flush_tap_rules($net, $netid, $vmid);
+
+ return undef;
+ }});
__PACKAGE__->register_method ({
name => 'compile',
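Review bot: `netid` is accepted as an arbitrary string and used directly as a config key, so `PVE::QemuServer::parse_net($conf->{$netid})` is reached with undef when the device does not exist and with an unrelated option's value when `netid` names something like `bootdisk`; `generate_tap_rules` then derives the tap name from it with an unanchored `m/net(\d+)/`. Constrain the parameter in the schema, `netid => { type => 'string', pattern => '^net\d+$' },`, and fail before calling into the firewall code: `die "no network device '$netid' on VM $vmid\n" if !defined($conf->{$netid});`. The same two lines belong in `disabletaprules`, which repeats the lookup verbatim; a small shared helper would keep the two from drifting. The `# test if VM exists` comment sits above plain assignments and describes the `load_config` call two lines below; move it there.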
@@ -133,6 +192,8 @@ my $cmddef = {
restart => [ __PACKAGE__, 'restart', []],
stop => [ __PACKAGE__, 'stop', []],
clear => [ __PACKAGE__, 'clear', []],
+ enabletaprules => [ __PACKAGE__, 'enabletaprules', []],
+ disabletaprules => [ __PACKAGE__, 'disabletaprules', []],
};
my $cmd = shift;
--
1.7.10.4