[pve-devel] [PATCH 3/8] use accept instead return and remove marks

Alexandre Derumier aderumier at odiso.com
Wed Apr 30 10:56:32 CEST 2014


We can now use ACCEPT everywhere, so the packet marks (PVEFW-SET-ACCEPT-MARK and the `--mark 1` checks) are no longer needed.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   35 +++++++++++------------------------
 1 file changed, 11 insertions(+), 24 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 35c3a8e..0892bb8 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1483,7 +1483,7 @@ sub ruleset_create_vm_chain {
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
 	if ($direction eq 'OUT') {
-	    ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK',
+	    ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
 						      proto => 'udp', sport => 68, dport => 67 });
 	} else {
 	    ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
@@ -1497,7 +1497,7 @@ sub ruleset_create_vm_chain {
 
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     if ($direction eq 'OUT') {
-	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK");
+	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     } else {
 	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
     }
@@ -1506,7 +1506,6 @@ sub ruleset_create_vm_chain {
 	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
 	    ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
 	}
-	ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
     }
 }
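Review bot: The MAC-spoofing filter on L38 is evaluated only after the DHCP client ACCEPT (L23-24) and the RELATED,ESTABLISHED ACCEPT (L32) in the same chain, so a VM using a forged source MAC can still emit udp/68->67 packets, and any packet matching an already-established flow, without ever reaching `-m mac ! --mac-source $macaddr -j DROP`. Before this patch the mark target may have returned into the chain (if ruleset_generate_rule emits a `-j` jump, which is not visible here), so the filter could still fire; with a terminating ACCEPT it certainly cannot. Consider adding the MAC filter before the DHCP and conntrack rules in the OUT direction, or document the intended ordering with `# NOTE: rules above this point ACCEPT before the MAC filter is checked`. Lines 1504-1505 between the hunks are not visible, so the enclosing `if` for L37-L41 is inferred from indentation; ruleset_create_vm_chain starts outside the hunk.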
 
@@ -1527,10 +1526,8 @@ sub ruleset_generate_vm_rules {
 	    }
 	    ruleset_addrule($ruleset, $chain, "-j $group_chain");
 	    if ($direction eq 'OUT'){
-		ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN");
 	    }else{
 		my $accept = generate_nfqueue($options);
-		ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept");
 	    }
 
 	} else {
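Review bot: After removing the two `--mark 1` rules, L47-L52 are dead code: the `if ($direction eq 'OUT')` branch is empty and `my $accept = generate_nfqueue($options);` in the `else` branch assigns a variable that is never read. Drop the whole `if`/`else` and keep only `ruleset_addrule($ruleset, $chain, "-j $group_chain");`, so a reader does not assume a per-direction difference that no longer exists. ruleset_generate_vm_rules starts before this hunk and the surrounding `else` branch continues after it.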
@@ -1538,7 +1535,7 @@ sub ruleset_generate_vm_rules {
 	    eval {
 		if ($direction eq 'OUT') {
 		    ruleset_generate_rule($ruleset, $chain, $rule,
-					  { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, 
+					  { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, 
 					  undef, $cluster_conf);
 		} else {
 		    ruleset_generate_rule($ruleset, $chain, $rule, 
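Review bot: L60 carries trailing whitespace after `"PVEFW-reject" },` (inherited from the removed line, but this is the line the patch rewrites); please strip it while touching the line, i.e. `{ ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" },`. The `else` branch for the IN direction and the enclosing `eval` continue outside the hunk.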
@@ -1618,7 +1615,7 @@ sub generate_venet_rules_direction {
     }
 
     my $accept = generate_nfqueue($options);
-    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+    my $accept_action = $direction eq 'OUT' ? "ACCEPT" : $accept;
     ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action);
 
     # plug into FORWARD, INPUT and OUTPUT chain
@@ -1674,7 +1671,7 @@ sub generate_tap_rules_direction {
     }
 
     my $accept = generate_nfqueue($options);
-    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+    my $accept_action = $direction eq 'OUT' ? "ACCEPT" : $accept;
     ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
 
     # plug the tap chain to bridge chain
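Review bot: `generate_nfqueue($options)` is now called unconditionally on L76 even though its result is only used for the IN direction on L78, and the identical `$accept`/`$accept_action` pair appears in generate_venet_rules_direction (L67-L69). Collapse each to a single expression, `my $accept_action = $direction eq 'OUT' ? 'ACCEPT' : generate_nfqueue($options);`, or move the direction-dependent choice into one helper shared by both functions so the two cannot drift apart. generate_tap_rules_direction starts before this hunk.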
@@ -1716,18 +1713,15 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT");  #corosync
 
-    # we use RETURN because we need to check also tap rules
-    my $accept_action = 'RETURN';
-
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'in';
-	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
     # implement input policy
     my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
-    ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
+    ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, "ACCEPT");
 
     # host outbound firewall
     $chain = "PVEFW-HOST-OUT";
@@ -1742,18 +1736,15 @@ sub enable_host_firewall {
     ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
 
-    # we use RETURN because we may want to check other thigs later
-    $accept_action = 'RETURN';
-
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'out';
-	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
     # implement output policy
     $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
-    ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
+    ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, "ACCEPT");
 
     ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
     ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
@@ -1768,24 +1759,20 @@ sub generate_group_rules {
     my $chain = "GROUP-${group}-IN";
 
     ruleset_create_chain($ruleset, $chain);
-    ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
-	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "ACCEPT", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
     $chain = "GROUP-${group}-OUT";
 
     ruleset_create_chain($ruleset, $chain);
-    ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'out';
-	# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
-	# check also other tap rules later
 	ruleset_generate_rule($ruleset, $chain, $rule,
-			      { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+			      { ACCEPT => 'ACCEPT', REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 }
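Review bot: Hard-coding `ACCEPT` for the GROUP-*-IN chain on L133 bypasses the NFQUEUE path: before this patch an accepted group rule only set a mark and the per-VM caller translated it into `$accept = generate_nfqueue($options)` (removed on L51), whereas now the shared group chain accepts the packet itself and the VM's IPS/nfqueue option is never applied to traffic allowed by a security group. Since group chains are shared across VMs, the per-VM accept target cannot simply be passed in here; either keep a mark-based handoff for the IN direction or document the limitation with `# NOTE: IN group rules ACCEPT directly and are not passed through NFQUEUE even if the VM enables it`. This assumes generate_nfqueue returns an NFQUEUE target when enabled, which is not visible in this patch. The removed comment on L143-144 explained the old design; no replacement rationale is given for why a terminating ACCEPT is now safe for OUT.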
 
-- 
1.7.10.4



