[pve-devel] [PATCH firewall 5/7] split compile_ipsets() out of compile_iptables_filter()
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Mar 1 12:20:19 CET 2016
compile_iptables_filter() is called twice, once to get the
ipv4 ruleset + ipsets and once to get the ipv6 ruleset. The
second call still generates ipsets which are discarded, so it
makes sense to do this in a separate step.
---
src/PVE/Firewall.pm | 89 ++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 65 insertions(+), 24 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b0ee295..2e2b2f7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3160,8 +3160,24 @@ sub compile {
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
- my ($ruleset, $ipset_ruleset) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
- my ($rulesetv6) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
+ return ({},{},{}) if !$cluster_conf->{options}->{enable};
+
+ my $localnet;
+ if ($cluster_conf->{aliases}->{local_network}) {
+ $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+ } else {
+ my $localnet_ver;
+ ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+ $cluster_conf->{aliases}->{local_network} = {
+ name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
+ }
+
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
+ my $ruleset = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
+ my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
+ my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
return ($ruleset, $ipset_ruleset, $rulesetv6);
}
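Review bot: The local_network alias setup and the `push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };` added to compile() here are repeated verbatim inside the new compile_ipsets() in the last hunk, so the management ipset receives the local-network entry twice per compile() and the fallback logic now lives in two places. Since compile() calls compile_ipsets() unconditionally a few lines later, the copy in compile() can simply be dropped, or the block moved to a small helper (e.g. `_setup_local_network($cluster_conf)`) invoked from one place. Whether generate_ipset_chains() de-duplicates identical cidr entries is not visible in this patch, so I would not rely on it. Note also that `return ({},{},{}) if !$cluster_conf->{options}->{enable};` now runs before the alias is populated, whereas the old code filled `aliases->{local_network}` even when the firewall was disabled; if anything reads that alias after compiling a disabled cluster this is a behaviour change worth a sentence in the commit message.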
@@ -3169,21 +3185,6 @@ sub compile {
sub compile_iptables_filter {
my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion, $verbose) = @_;
- my $localnet;
- if ($cluster_conf->{aliases}->{local_network}) {
- $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
- } else {
- my $localnet_ver;
- ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
-
- $cluster_conf->{aliases}->{local_network} = {
- name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
- }
-
- push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
-
- return ({}, {}) if !$cluster_conf->{options}->{enable};
-
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");
@@ -3210,8 +3211,6 @@ sub compile_iptables_filter {
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
- my $ipset_ruleset = {};
-
if ($hostfw_enable) {
eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
warn $@ if $@; # just to be sure - should not happen
@@ -3224,8 +3223,6 @@ sub compile_iptables_filter {
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
- generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
-
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $net = PVE::QemuServer::parse_net($conf->{$netid});
@@ -3249,8 +3246,6 @@ sub compile_iptables_filter {
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
- generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
-
if ($vmfw_conf->{options}->{enable}) {
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
@@ -3272,9 +3267,55 @@ sub compile_iptables_filter {
ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
}
+ return $ruleset;
+}
+
+sub compile_ipsets {
+ my ($cluster_conf, $vmfw_configs, $vmdata) = @_;
+
+ my $localnet;
+ if ($cluster_conf->{aliases}->{local_network}) {
+ $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+ } else {
+ my $localnet_ver;
+ ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+ $cluster_conf->{aliases}->{local_network} = {
+ name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
+ }
+
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
+
+ my $ipset_ruleset = {};
+
+ # generate ipsets for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ eval {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+
+ generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+ };
+ warn $@ if $@; # just to be sure - should not happen
+ }
+
+ # generate firewall rules for LXC containers
+ foreach my $vmid (keys %{$vmdata->{lxc}}) {
+ eval {
+ my $conf = $vmdata->{lxc}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+
+ generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+ };
+ warn $@ if $@; # just to be sure - should not happen
+ }
+
generate_ipset_chains($ipset_ruleset, undef, $cluster_conf);
- return ($ruleset, $ipset_ruleset);
+ return $ipset_ruleset;
}
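Review bot: The comment above the second loop in compile_ipsets() is a copy-paste leftover — it says `# generate firewall rules for LXC containers` but the loop generates ipsets, so it should read `# generate ipsets for LXC containers`. In both loops `my $conf = $vmdata->{qemu}->{$vmid};` / `my $conf = $vmdata->{lxc}->{$vmid};` is assigned and never used, and the two loops are otherwise identical apart from the hash key, so they can be collapsed into one loop over `qw(qemu lxc)`. The localnet block at the top of this sub duplicates the one added to compile() in the first hunk; see the note there.
```perl
    my $ipset_ruleset = {};

    # generate ipsets for QEMU VMs and LXC containers
    foreach my $vmtype (qw(qemu lxc)) {
	foreach my $vmid (keys %{$vmdata->{$vmtype}}) {
	    eval {
		my $vmfw_conf = $vmfw_configs->{$vmid};
		return if !$vmfw_conf;

		generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
	    };
	    warn $@ if $@; # just to be sure - should not happen
	}
    }
    # … unchanged: cluster-wide generate_ipset_chains() call and return …
```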
sub get_ruleset_status {
--
2.1.4