These should be done fast,

conntrack established can be done in PVE-FORWARD now

smurf and tcpflags checks can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it
does not make sense to test them in the OUT direction)

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
      -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged 
-j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j 
veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j 
PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT

Based on patch from Alexandre.

Signed-off-by: Dietmar Maurer <diet...@proxmox.com>
---
 src/PVE/Firewall.pm |   87 ++++++++++++++++++++++++++-------------------------
 1 file changed, 44 insertions(+), 43 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c95bedd..8d0e187 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1428,16 +1428,31 @@ sub ruleset_add_chain_policy {
     }
 }
 
+sub ruleset_chain_add_conn_filters {
+    my ($ruleset, $chain, $accept) = @_;
+
+    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j 
DROP");
+    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate 
RELATED,ESTABLISHED -j $accept");
+}
+
+sub ruleset_chain_add_input_filters {
+    my ($ruleset, $chain, $options) = @_;
+
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW 
-j PVEFW-smurfs");
+    }
+
+    if ($options->{tcpflags}) {
+       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+}
+
 sub ruleset_create_vm_chain {
     my ($ruleset, $chain, $options, $host_options, $macaddr, $direction) = @_;
 
     ruleset_create_chain($ruleset, $chain);
     my $accept = generate_nfqueue($options);
 
-    if (!(defined($host_options->{nosmurfs}) && $host_options->{nosmurfs} == 
0)) {
-       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW 
-j PVEFW-smurfs");
-    }
-
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
        if ($direction eq 'OUT') {
            ruleset_generate_rule($ruleset, $chain, { action => 
'PVEFW-SET-ACCEPT-MARK',
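Review bot: The two new helpers `ruleset_chain_add_conn_filters` and `ruleset_chain_add_input_filters` carry no comment stating the ordering contract they rely on: every caller in this patch emits the conn filters first, so by the time the smurf rule's `--ctstate INVALID,NEW` match runs, INVALID has already been dropped and only NEW packets ever reach PVEFW-smurfs and PVEFW-tcpflags. I would add above the input helper `# Expected to run after ruleset_chain_add_conn_filters: only NEW (untracked) packets reach the smurf/tcpflags checks.` and above the conn helper `# Drop conntrack INVALID, then short-circuit RELATED/ESTABLISHED to $accept (ACCEPT or PVEFW-IPS).`. The commit message example also lists tcpflags before smurfs while the helper emits smurfs first; harmless, but message and code should agree. The body of ruleset_create_vm_chain continues outside this hunk.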
@@ -1448,17 +1463,6 @@ sub ruleset_create_vm_chain {
        }
     }
 
-    if ($host_options->{tcpflags}) {
-       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
-    }
-
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j 
DROP");
-    if ($direction eq 'OUT') {
-       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate 
RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK");
-    } else {
-       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate 
RELATED,ESTABLISHED -j $accept");
-    }
-
     if ($direction eq 'OUT') {
        if (defined($macaddr) && !(defined($options->{macfilter}) && 
$options->{macfilter} == 0)) {
            ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr 
-j DROP");
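Review bot: With the smurf, tcpflags and conntrack rules removed here, `$host_options` is no longer read anywhere in the visible part of ruleset_create_vm_chain, and `$accept` from generate_nfqueue() is likewise unused in the lines shown; if neither is referenced further down the function, which ends outside this hunk, the dead parameter and variable should be removed or the reason for keeping the signature noted. It is also worth a comment that the OUT-direction established path no longer goes through `-g PVEFW-SET-ACCEPT-MARK` but is accepted (or handed to PVEFW-IPS) in PVEFW-FORWARD before the per-VM chain is entered, e.g. `# conntrack INVALID/ESTABLISHED handling now lives in PVEFW-FORWARD (ruleset_chain_add_conn_filters)`.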
@@ -1653,17 +1657,11 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
-    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
-       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW 
-j PVEFW-smurfs");
-    }
+    ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
 
-    if ($options->{tcpflags}) {
-       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
-    }
+    ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
+    ruleset_chain_add_input_filters($ruleset, $chain, $options);
 
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j 
DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate 
RELATED,ESTABLISHED -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j 
ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW 
--dport 5404:5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); 
 #corosync
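Review bot: The reordering in the host INPUT chain changes what the smurf and tcpflags checks see: `ruleset_chain_add_conn_filters` is now called before `ruleset_chain_add_input_filters`, so RELATED/ESTABLISHED packets are accepted before `-p tcp -j PVEFW-tcpflags` runs, whereas the removed lines ran tcpflags and smurfs first. A packet that conntrack still associates with a tracked flow but carries a bogus flag combination is therefore no longer inspected; if that is the intended speed trade-off it deserves a comment such as `# conn filters first: smurf/tcpflags checks only apply to NEW packets`, otherwise swap the two calls so the input filters precede the ESTABLISHED accept. Note too that `-i lo -j ACCEPT` now precedes the INVALID drop, so loopback traffic is exempt from it, which differs from the previous order.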
@@ -1687,9 +1685,10 @@ sub enable_host_firewall {
 
     $loglevel = get_option_log_level($options, "log_level_out");
 
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j 
DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate 
RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
+
+    ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
+
     ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j 
ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW 
--dport 5404:5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); 
#corosync
@@ -2557,35 +2556,37 @@ sub compile {
 
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
     
-    ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
-
-    ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev 
--physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
-
-    ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev 
--physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
-
-    ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
-
     my $hostfw_options = $hostfw_conf->{options} || {};
 
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-    if($hostfw_options->{optimize}){
+    my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : 
"ACCEPT";
+    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
 
-       my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : 
"ACCEPT";
-       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate 
INVALID -j DROP");
-       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate 
RELATED,ESTABLISHED -j $accept");
-    }
+    #ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", 
$hostfw_options, $accept);
 
     if ($cluster_conf->{ipset}->{blacklist}){
        ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m 
set --match-set PVEFW-blacklist src");
        ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set 
PVEFW-blacklist src -j DROP");
     }
 
+    ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+
+    ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
+    ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", 
$hostfw_options);
+
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev 
--physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
+
+    ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev 
--physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
+
+    ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+    ruleset_chain_add_input_filters($ruleset, "PVEFW-VENET-IN", 
$hostfw_options);
+
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
+
     generate_std_chains($ruleset, $hostfw_options);
 
     my $hostfw_enable = !(defined($hostfw_options->{enable}) && 
($hostfw_options->{enable} == 0));
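Review bot: The blacklist drop at `-m set --match-set PVEFW-blacklist src -j DROP` now sits after the unconditional `ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept)`, so packets of already-established flows from a blacklisted source are accepted (or sent to PVEFW-IPS) before the set is consulted; previously that only happened when `$hostfw_options->{optimize}` was set, and that option is no longer honored here. If the blacklist is meant to cut existing connections, move the `if ($cluster_conf->{ipset}->{blacklist})` block above the conn-filter call; if not, a comment stating that blacklisting applies to new connections only would save the next reader the question. The commented-out line `#ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $hostfw_options, $accept);` also passes four arguments to a three-argument helper and should be deleted rather than left as a stale reference. The `! -i fwbr+ -j ACCEPT` rule shown first in the commit message does not appear in this diff; if it comes from another patch, the message should say so.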
-- 
1.7.10.4
