[pve-devel] [PATCH 06/19] skip group rules generation if rule ipversion don't match iptables version

Alexandre Derumier aderumier at odiso.com
Wed Jul 16 01:14:22 CEST 2014


we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if the rule's ipversion is undef, we apply it to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6c8ae7b..962e85b 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1664,12 +1664,12 @@ sub ruleset_create_vm_chain {
 }
 
 sub ruleset_add_group_rule {
-    my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action) = @_;
+    my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action, $ipversion) = @_;
 
     my $group = $rule->{action};
     my $group_chain = "GROUP-$group-$direction";
     if(!ruleset_chain_exist($ruleset, $group_chain)){
-	generate_group_rules($ruleset, $cluster_conf, $group);
+	generate_group_rules($ruleset, $cluster_conf, $group, $ipversion);
     }
 
     if ($direction eq 'OUT' && $rule->{iface_out}) {
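Review bot: The new `$ipversion` argument only reaches `generate_group_rules` on the first use of a group chain in a ruleset, because the `ruleset_chain_exist` check on the line above short-circuits every later call; the version filter therefore depends on each `$ruleset` being built for a single IP version, which seems to be the case given `compile_iptables_filter` but is not visible here. A one-line comment above the `if` would record that assumption, e.g. `# chain is built once per ruleset; a ruleset holds rules for one ipversion only`. The body of `ruleset_add_group_rule` continues past the end of this hunk.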
@@ -1697,7 +1697,7 @@ sub ruleset_generate_vm_rules {
 
 	if ($rule->{type} eq 'group') {
 	    ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
-				   $direction eq 'OUT' ? 'RETURN' : $in_accept);
+				   $direction eq 'OUT' ? 'RETURN' : $in_accept, $ipversion);
 	} else {
 	    next if $rule->{type} ne $lc_direction;
 	    eval {
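Review bot: `$ipversion` is passed through on the changed `ruleset_add_group_rule` call, but the signature of `ruleset_generate_vm_rules` is outside this hunk, so it is not visible whether `$ipversion` is a declared parameter or lexical there; under `use strict` a missing declaration would fail at compile time, so this is presumably already in place, but it is worth confirming the variable holds the version of the ruleset being compiled rather than an unrelated outer lexical. The enclosing function starts before and ends after this hunk.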
@@ -1843,7 +1843,7 @@ sub generate_tap_rules_direction {
 }
 
 sub enable_host_firewall {
-    my ($ruleset, $hostfw_conf, $cluster_conf) = @_;
+    my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion) = @_;
 
     my $options = $hostfw_conf->{options};
     my $cluster_options = $cluster_conf->{options};
@@ -1874,7 +1874,7 @@ sub enable_host_firewall {
 
 	eval {
 	    if ($rule->{type} eq 'group') {
-		ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
+		ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action, $ipversion);
 	    } elsif ($rule->{type} eq 'in') {
 		ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
 				      undef, $cluster_conf, $hostfw_conf);
@@ -1927,7 +1927,7 @@ sub enable_host_firewall {
 	$rule->{iface_out} = $rule->{iface} if $rule->{iface};
 	eval {
 	    if ($rule->{type} eq 'group') {
-		ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
+		ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action, $ipversion);
 	    } elsif ($rule->{type} eq 'out') {
 		ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
 				      undef, $cluster_conf, $hostfw_conf);
@@ -1958,7 +1958,7 @@ sub enable_host_firewall {
 }
 
 sub generate_group_rules {
-    my ($ruleset, $cluster_conf, $group) = @_;
+    my ($ruleset, $cluster_conf, $group, $ipversion) = @_;
 
     my $rules = $cluster_conf->{groups}->{$group};
 
@@ -1974,6 +1974,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
+	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1984,6 +1985,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'out';
+	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
 	# check also other tap rules later
 	ruleset_generate_rule($ruleset, $chain, $rule,
@@ -2863,7 +2865,7 @@ sub compile_iptables_filter {
     my $ipset_ruleset = {};
 
     if ($hostfw_enable && $ipversion eq 4) {
-	eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
+	eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
 	warn $@ if $@; # just to be sure - should not happen
     }
 
-- 
1.7.10.4


