[pve-devel] [PATCH 2/4] use accept instead return and remove marks
Alexandre Derumier
aderumier at odiso.com
Fri May 9 09:46:45 CEST 2014
We can now use ACCEPT everywhere, so there is no need to use marks
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 35 +++++++++++------------------------
1 file changed, 11 insertions(+), 24 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 36b9323..70b9d22 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1480,7 +1480,7 @@ sub ruleset_create_vm_chain {
if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
if ($direction eq 'OUT') {
- ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK',
+ ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
proto => 'udp', sport => 68, dport => 67 });
} else {
ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
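Review bot: A plain ACCEPT in the OUT-direction DHCP rule is a final verdict for that traversal, whereas the PVEFW-SET-ACCEPT-MARK it replaces let the packet continue so later chains could still see it; nothing in this patch shows what now guarantees that a packet leaving one VM still reaches the IN chain of a peer VM on the same bridge (the tap chain is plugged into the bridge chain per the `# plug the tap chain to bridge chain` comment, and that plumbing lies outside these hunks). The same substitution is made in the RELATED,ESTABLISHED rule of the next hunk, in the OUT branch of ruleset_generate_vm_rules, and in the `$accept_action` lines of generate_venet_rules_direction and generate_tap_rules_direction. If an earlier patch in this series restructured the chains so that no further per-VM chain follows, please record that at the first OUT accept, e.g. `# ACCEPT is final here: no further per-VM chains are traversed for OUT traffic`, and cover a same-bridge VM-to-VM case in a test. The body of ruleset_create_vm_chain continues outside the hunk.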
@@ -1494,7 +1494,7 @@ sub ruleset_create_vm_chain {
ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
if ($direction eq 'OUT') {
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK");
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
} else {
ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
}
@@ -1503,7 +1503,6 @@ sub ruleset_create_vm_chain {
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
@@ -1524,10 +1523,8 @@ sub ruleset_generate_vm_rules {
}
ruleset_addrule($ruleset, $chain, "-j $group_chain");
if ($direction eq 'OUT'){
- ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN");
}else{
my $accept = generate_nfqueue($options);
- ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept");
}
} else {
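Review bot: Dropping the `-m mark --mark 1 -j $accept` line removes the only point where a security-group match was turned into the VM's own accept action, so `$accept` from `generate_nfqueue($options)` on the line above is now computed but unused within this hunk, and a packet matched by a GROUP-*-IN rule is accepted by the shared group chain (see the generate_group_rules hunk, where those rules now map to plain "ACCEPT") without ever passing through `$accept`. If generate_nfqueue yields an NFQUEUE target when the VM has that option set, as its name suggests, traffic allowed by a group rule now bypasses the queue for that VM. Because group chains are shared between VMs with different options, the final verdict for IN traffic has to stay in the per-VM chain; either keep the group chain's verdict non-final and apply `$accept` here, or at least remove the now-dead `my $accept = generate_nfqueue($options);` if it really has no other use in the else branch, which continues outside the hunk.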
@@ -1535,7 +1532,7 @@ sub ruleset_generate_vm_rules {
eval {
if ($direction eq 'OUT') {
ruleset_generate_rule($ruleset, $chain, $rule,
- { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" },
+ { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" },
undef, $cluster_conf);
} else {
ruleset_generate_rule($ruleset, $chain, $rule,
@@ -1615,7 +1612,7 @@ sub generate_venet_rules_direction {
}
my $accept = generate_nfqueue($options);
- my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+ my $accept_action = $direction eq 'OUT' ? "ACCEPT" : $accept;
ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action);
# plug into FORWARD, INPUT and OUTPUT chain
@@ -1671,7 +1668,7 @@ sub generate_tap_rules_direction {
}
my $accept = generate_nfqueue($options);
- my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+ my $accept_action = $direction eq 'OUT' ? "ACCEPT" : $accept;
ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
# plug the tap chain to bridge chain
@@ -1713,18 +1710,15 @@ sub enable_host_firewall {
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
- # we use RETURN because we need to check also tap rules
- my $accept_action = 'RETURN';
-
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
next if $rule->{type} ne 'in';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
# implement input policy
my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
- ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
+ ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, "ACCEPT");
# host outbound firewall
$chain = "PVEFW-HOST-OUT";
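Review bot: The two removed comments were the only explanation of why the host chains avoided a final ACCEPT, and the new `ACCEPT => "ACCEPT"` and `"ACCEPT"` literals carry no rationale, so the next reader cannot tell whether the old concern about tap rules still applies. The end of the following hunk shows PVEFW-HOST-OUT and PVEFW-HOST-IN being attached to PVEFW-OUTPUT and PVEFW-INPUT, which, if those are their only entry points, is what makes a final ACCEPT safe; a one-line comment such as `# ACCEPT is final: PVEFW-HOST-IN is only entered from PVEFW-INPUT, so no tap/FORWARD rules follow` above the first rule loop (and its OUT counterpart in the next hunk) would record that. Reintroducing a named `my $accept_action = 'ACCEPT';` instead of repeating the literal in four places would also keep these two chains consistent with the `$accept_action` variables used elsewhere in the file. enable_host_firewall continues outside this hunk.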
@@ -1739,18 +1733,15 @@ sub enable_host_firewall {
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
- # we use RETURN because we may want to check other thigs later
- $accept_action = 'RETURN';
-
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
next if $rule->{type} ne 'out';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
# implement output policy
$policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
- ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
+ ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, "ACCEPT");
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
@@ -1765,24 +1756,20 @@ sub generate_group_rules {
my $chain = "GROUP-${group}-IN";
ruleset_create_chain($ruleset, $chain);
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
$chain = "GROUP-${group}-OUT";
ruleset_create_chain($ruleset, $chain);
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
foreach my $rule (@$rules) {
next if $rule->{type} ne 'out';
- # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
- # check also other tap rules later
ruleset_generate_rule($ruleset, $chain, $rule,
- { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ { ACCEPT => 'ACCEPT', REJECT => "PVEFW-reject" }, undef, $cluster_conf);
}
}
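Review bot: The IN loop now passes `{ ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }` while the OUT loop passes `{ ACCEPT => 'ACCEPT', REJECT => "PVEFW-reject" }`, mixing quote styles for identical literals in the same function. Since both loops use the same action map after this change, hoist it once above the first loop, `my $actions = { ACCEPT => 'ACCEPT', REJECT => 'PVEFW-reject' };`, and pass `$actions` to both ruleset_generate_rule calls. The start of generate_group_rules, including where `$rules` and `$cluster_conf` come from, is outside the hunk.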
--
1.7.10.4