[pve-devel] [PATCH firewall 5/7] split compile_ipsets() out of compile_iptables_filter()

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Mar 1 12:20:19 CET 2016


compile_iptables_filter() is called twice, once to get the
ipv4 ruleset + ipsets and once to get the ipv6 ruleset. The
second call still generates ipsets which are discarded, so it
makes sense to do this in a separate step.
---
 src/PVE/Firewall.pm | 89 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 65 insertions(+), 24 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b0ee295..2e2b2f7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3160,8 +3160,24 @@ sub compile {
 	$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
     }
 
-    my ($ruleset, $ipset_ruleset) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
-    my ($rulesetv6) = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
+    return ({},{},{}) if !$cluster_conf->{options}->{enable};
+
+    my $localnet;
+    if ($cluster_conf->{aliases}->{local_network}) {
+	$localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+    } else {
+	my $localnet_ver;
+	($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+	$cluster_conf->{aliases}->{local_network} = { 
+	    name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
+    }
+
+    push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
+    my $ruleset = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
+    my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
+    my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
 
     return ($ruleset, $ipset_ruleset, $rulesetv6);
 }
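Review bot: The local_network alias lookup and the `push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };` added here are repeated verbatim in the new `compile_ipsets` in the last hunk, and since `compile_ipsets` is called from this function after that push, the management ipset receives a second identical localnet entry on every compile(). The alias must exist before the two `compile_iptables_filter` calls, so the copy that belongs is this one; the block in `compile_ipsets` (from `my $localnet;` through the `push`) should be dropped so `$cluster_conf` is mutated in exactly one place. Note also that the `return ({},{},{}) if !$cluster_conf->{options}->{enable};` now runs before the alias is populated, whereas the removed code populated it even when the firewall was disabled; this looks intentional but any caller that read `aliases->{local_network}` after a disabled compile() would now see it missing.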
@@ -3169,21 +3185,6 @@ sub compile {
 sub compile_iptables_filter {
     my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion, $verbose) = @_;
 
-    my $localnet;
-    if ($cluster_conf->{aliases}->{local_network}) {
-	$localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
-    } else {
-	my $localnet_ver;
-	($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
-
-	$cluster_conf->{aliases}->{local_network} = { 
-	    name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
-    }
-
-    push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
-
-    return ({}, {}) if !$cluster_conf->{options}->{enable};
-
     my $ruleset = {};
 
     ruleset_create_chain($ruleset, "PVEFW-INPUT");
@@ -3210,8 +3211,6 @@ sub compile_iptables_filter {
 
     my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
 
-    my $ipset_ruleset = {};
-
     if ($hostfw_enable) {
 	eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
 	warn $@ if $@; # just to be sure - should not happen
@@ -3224,8 +3223,6 @@ sub compile_iptables_filter {
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
 	    return if !$vmfw_conf;
 
-	    generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
-
 	    foreach my $netid (keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
 		my $net = PVE::QemuServer::parse_net($conf->{$netid});
@@ -3249,8 +3246,6 @@ sub compile_iptables_filter {
             my $vmfw_conf = $vmfw_configs->{$vmid};
             return if !$vmfw_conf;
 
-            generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
-
             if ($vmfw_conf->{options}->{enable}) {
 		foreach my $netid (keys %$conf) {
                     next if $netid !~ m/^net(\d+)$/;
@@ -3272,9 +3267,55 @@ sub compile_iptables_filter {
 	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
     }
 
+    return $ruleset;
+}
+
+sub compile_ipsets {
+    my ($cluster_conf, $vmfw_configs, $vmdata) = @_;
+
+    my $localnet;
+    if ($cluster_conf->{aliases}->{local_network}) {
+	$localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+    } else {
+	my $localnet_ver;
+	($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+	$cluster_conf->{aliases}->{local_network} = { 
+	    name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
+    }
+
+    push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
+
+    my $ipset_ruleset = {};
+
+    # generate ipsets for QEMU VMs
+    foreach my $vmid (keys %{$vmdata->{qemu}}) {
+	eval {
+	    my $conf = $vmdata->{qemu}->{$vmid};
+	    my $vmfw_conf = $vmfw_configs->{$vmid};
+	    return if !$vmfw_conf;
+
+	    generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+	};
+	warn $@ if $@; # just to be sure - should not happen
+    }
+
+    # generate firewall rules for LXC containers
+    foreach my $vmid (keys %{$vmdata->{lxc}}) {
+        eval {
+            my $conf = $vmdata->{lxc}->{$vmid};
+            my $vmfw_conf = $vmfw_configs->{$vmid};
+            return if !$vmfw_conf;
+
+            generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+        };
+        warn $@ if $@; # just to be sure - should not happen
+    }
+
     generate_ipset_chains($ipset_ruleset, undef, $cluster_conf);
 
-    return ($ruleset, $ipset_ruleset);
+    return $ipset_ruleset;
 }
 
 sub get_ruleset_status {
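Review bot: The comment above the LXC loop was copied from the rule generator and is wrong for this function; it should read `# generate ipsets for LXC containers`. In both eval blocks `my $conf = $vmdata->{qemu}->{$vmid};` / `my $conf = $vmdata->{lxc}->{$vmid};` are assigned and never used, since only `$vmfw_configs->{$vmid}` is consulted, so those lines can go. A short header comment would also help, e.g. `# Build the ipset ruleset for all cluster, host and VM ipsets; mutates $cluster_conf (local_network alias, management ipset).`, given that the function has side effects on its first argument.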
-- 
2.1.4




