[pve-devel] [PATCH] bypass firewall for non firewalled vms v2
Alexandre Derumier
aderumier at odiso.com
Sat May 10 14:06:04 CEST 2014
We use an ipset PVEFW-venet0 holding all venet0 IP addresses.
Firewalled VMs are sent to PVEFW-FORWARD-FW;
otherwise the traffic returns to FORWARD.
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD-FW -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD-FW -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD-FW -i vnet0 -j PVEFW-VENET-OUT
-A PVEFW-FORWARD-FW -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD-FW -o vnet0 -j PVEFW-VENET-IN
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1f4d9ce..33fcdb5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2108,7 +2108,6 @@ sub parse_cluster_fw_rules {
push @{$res->{$section}->{$group}}, $entry;
}
}
-
return $res;
}
@@ -2521,8 +2520,7 @@ sub compile {
my $vmdata = read_local_vm_config();
my $vmfw_configs = read_vm_firewall_configs($vmdata);
- my $ipset_ruleset = {};
- generate_ipset_chains($ipset_ruleset, $cluster_conf);
+ $cluster_conf->{ipset}->{venet0} = [];
my $ruleset = {};
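Review bot: The line `$cluster_conf->{ipset}->{venet0} = [];` writes a generated set into the parsed cluster configuration, under the same hash that user-defined sets such as `blacklist` live in (compile() later tests `$cluster_conf->{ipset}->{blacklist}`), so a cluster.fw ipset that happens to be named `venet0` is silently replaced and the loaded config is mutated as a side effect of compile(). Keeping the generated entries in a compile-local list that is merged only when generate_ipset_chains is called (now in the last hunk) would avoid both; at minimum, guard the key: `die "ipset 'venet0' is reserved\n" if $cluster_conf->{ipset}->{venet0};`. The body of compile() starts before this hunk and continues after it.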
@@ -2530,6 +2528,11 @@ sub compile {
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_create_chain($ruleset, "PVEFW-FORWARD-FW");
+
+ ruleset_addrule($ruleset,"PVEFW-FORWARD", "-i fwbr+ -j PVEFW-FORWARD-FW");
+ ruleset_addrule($ruleset,"PVEFW-FORWARD", "-o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-FORWARD-FW");
+ ruleset_addrule($ruleset,"PVEFW-FORWARD", "-i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-FORWARD-FW");
my $hostfw_options = $hostfw_conf->{options} || {};
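Review bot: The two steering rules with `-m set --match-set PVEFW-venet0` reference a set that is only populated per VM later in compile() and emitted by generate_ipset_chains in the last hunk, so whether the rules load when no container has an ip_address depends on generate_ipset_chains emitting an empty set for an empty list; that function is outside this hunk, so it is worth confirming, since a missing set makes iptables-restore reject the whole ruleset. As a point of style, the three new calls use `ruleset_addrule($ruleset,"PVEFW-FORWARD", ...)` without a space after the first comma, unlike every other call in this file; e.g. `ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i fwbr+ -j PVEFW-FORWARD-FW");`. compile() continues outside the hunk on both sides.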
@@ -2537,22 +2540,22 @@ sub compile {
my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-m conntrack --ctstate INVALID -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
if ($cluster_conf->{ipset}->{blacklist}){
- ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP");
+ ruleset_addlog($ruleset, "PVEFW-FORWARD-FW", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-m set --match-set PVEFW-blacklist src -j DROP");
}
if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-OUT")) {
ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
}
if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-OUT")) {
ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vnet0 -j PVEFW-VENET-OUT");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-i vnet0 -j PVEFW-VENET-OUT");
}
if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-IN")) {
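Review bot: Moving the `--ctstate INVALID -j DROP` rule and the cluster blacklist log/drop from PVEFW-FORWARD into PVEFW-FORWARD-FW narrows their scope to traffic the new steering rules send into that chain, so forwarded traffic of non-firewalled VMs, and any other forwarded path, is no longer matched against `PVEFW-blacklist`. If the cluster-wide blacklist is meant to apply regardless of a VM's firewall setting, keep the `ruleset_addlog`/`ruleset_addrule` pair on `"PVEFW-FORWARD"` ahead of the steering rules and move only the per-VM dispatch. That is presumably the intended bypass, but the commit message does not say so, and it deserves a sentence there. The same chain rename continues in the two following hunks; compile() extends beyond this hunk.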
@@ -2566,7 +2569,7 @@ sub compile {
ruleset_addrule($ruleset, "PVEFW-FWBR-IN", "-p tcp -j PVEFW-tcpflags");
}
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-in link+ -j PVEFW-FWBR-IN");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-m physdev --physdev-in link+ -j PVEFW-FWBR-IN");
}
if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-IN")) {
@@ -2580,7 +2583,7 @@ sub compile {
ruleset_addrule($ruleset, "PVEFW-VENET-IN", "-p tcp -j PVEFW-tcpflags");
}
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vnet0 -j PVEFW-VENET-IN");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD-FW", "-o vnet0 -j PVEFW-VENET-IN");
}
generate_std_chains($ruleset, $hostfw_options);
@@ -2620,6 +2623,9 @@ sub compile {
if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
my $ip = $conf->{ip_address}->{value};
+ my $venet0ipset = {};
+ $venet0ipset->{cidr} = $ip;
+ push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'IN');
generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'OUT');
}
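Review bot: The new push adds a venet0 entry for every container that has an ip_address at this point in the loop, but the loop head and its filters are outside the hunk; if the enclosing loop also visits containers whose firewall is disabled, their addresses would be steered into PVEFW-FORWARD-FW too, which is the opposite of the bypass the commit describes, so the push should sit under the same enable check that guards generate_venet_rules_direction. The three-line construction can also be a single statement: `push @{$cluster_conf->{ipset}->{venet0}}, { cidr => $ip };`. Whether an entry with only `cidr` is a complete ipset record is something generate_ipset_chains, outside this hunk, decides.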
@@ -2639,6 +2645,9 @@ sub compile {
}
}
+ my $ipset_ruleset = {};
+ generate_ipset_chains($ipset_ruleset, $cluster_conf);
+
return ($ruleset, $ipset_ruleset);
}
--
1.7.10.4