[pve-devel] [PATCH] prepare code for more generic firewall logging

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Sep 18 12:21:30 CEST 2017


Improving logging makes sense; the current state might be confusing for
some (given that drop-rules simply generate a `-j DROP` iptables rule
and therefore don't get logged).
This seems to be a good first step, although I'd be much happier if
iptables would allow setting the log-prefix and performing the log
action separately, then we could simply introduce a log-drop chain
instead.
I'm assuming your intention is to be able to duplicate the matching part
of a rule so that you can first add it with `-j NFLOG` and afterwards
its `-j DROP` action (or whatever action was requested). In this case,
also note that with groups the actions may not be executed immediately
and instead set a mark and return out of the current chain.

With that in mind, I have no objections to this patch (or a version of
it, see the inline comments below).

But first things first: please read https://pve.proxmox.com/wiki/Developer_Documentation
for details about patches and CLA (which is required for us to apply
external patches).
Also, the spaces in your patch have been replaced by non-breaking-space
characters, causing git-am to fail on it. You should check your mailer
settings to avoid this.

More comments inline.

On Thu, Sep 14, 2017 at 07:08:54PM +0200, Tom Weber wrote:
> making ruleset generation aware of a match and action
> part in iptable rules.
> code will generate the same iptables as before! (except for
> a few additional spaces between match and action).

Note that these spaces are currently not accepted by the testcases and
require:
-    $rule =~ s/^-A $chain // || die "got strange rule: $rule";
+    $rule =~ s/^-A $chain +// || die "got strange rule: $rule";
in FirewallSimulator.pm's rule_match()

Please use `make check` in the future to check your changes ;-)

> ---
>  src/PVE/Firewall.pm | 168 +++++++++++++++++++++++++++++++---------------------
>  1 file changed, 99 insertions(+), 69 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index cc81325..61f07e0 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1648,8 +1648,6 @@ sub enable_bridge_firewall {
>      $bridge_firewall_enabled = 1;
>  }
>  
> -my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
> -

Removes an unrelated unused variable. Such cleanups are preferred as
separate patches.

>  sub iptables_restore_cmdlist {
>      my ($cmdlist) = @_;
>  
> @@ -1778,7 +1776,7 @@ sub ipset_get_chains {
>      return $res;
>  }
>  
> -sub ruleset_generate_cmdstr {
> +sub ruleset_generate_match {
>      my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
>  
>      return if defined($rule->{enable}) && !$rule->{enable};
> @@ -1909,6 +1907,14 @@ sub ruleset_generate_cmdstr {
>  
>      push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
>  
> +    return scalar(@cmd) ? join(' ', @cmd) : undef;
> +}
> +
> +sub ruleset_generate_action {
> +    my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
> +
> +    my @cmd = ();
> +
>      if (my $action = $rule->{action}) {
>  	$action = $actions->{$action} if defined($actions->{$action});
>  	$goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
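Review bot: ruleset_generate_action has no counterpart to the `return if defined($rule->{enable}) && !$rule->{enable};` guard that ruleset_generate_match inherited from the old ruleset_generate_cmdstr (hunk at -1778), so a disabled rule now yields an undefined match but a defined action. Unless every caller already filters on `enable` before reaching this code, which these hunks do not show, ruleset_generate_rule's `defined $m or defined $a` test would then emit that action with an empty match, i.e. an unconditional `-j DROP`/`-j ACCEPT` in the chain. Copying the guard in as the first statement of ruleset_generate_action (or hoisting it into the two callers) closes the gap. `$ruleset`, `$chain`, `$ipversion`, `$cluster_conf` and `$fw_conf` are not read in the visible part of the new sub; if they are kept only to mirror the match signature, a one-line comment saying so would help. The sub's body continues past the end of this hunk.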
> @@ -1918,6 +1924,17 @@ sub ruleset_generate_cmdstr {
>      return scalar(@cmd) ? join(' ', @cmd) : undef;
>  }
>  
> +sub ruleset_generate_cmdstr {
> +    my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
> +    my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf);
> +    my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf);
> +
> +    return undef if !(defined($match) or defined($action));
> +    my $ret = defined($match) ? $match : "";
> +    $ret = "$ret $action" if defined($action);
> +    return $ret;
> +}
> +
>  sub ruleset_generate_rule {
>      my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
>  
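Review bot: In the new ruleset_generate_cmdstr, `return undef if !(defined($match) or defined($action));` should be a bare `return if ...;` — `return undef` hands a one-element list to a list-context caller, whereas the old sub only ever produced a scalar or an empty list. The assembly below it also yields a leading space when only the action is defined (`$ret` starts as "" and becomes " -j ..."); `my @parts = grep { defined } $match, $action; return if !@parts; return join(' ', @parts);` avoids both issues. No caller of ruleset_generate_cmdstr remains in the hunks shown (ruleset_generate_rule and ruleset_generate_rule_insert now call the match/action subs directly); if that holds for the rest of the file, the wrapper is dead code and could be dropped instead of kept.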
> @@ -1931,15 +1948,19 @@ sub ruleset_generate_rule {
>  
>      # update all or nothing
>  
> -    my @cmds = ();
> +    my @mstrs = ();
> +    my @astrs = ();
>      foreach my $tmp (@$rules) {
> -	if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf)) {
> -	    push @cmds, $cmdstr;
> +	my $m = ruleset_generate_match($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf);
> +	my $a = ruleset_generate_action($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf);
> +	if (defined $m or defined $a) {
> +	    push @mstrs, defined($m) ? $m : "";
> +	    push @astrs, defined($a) ? $a : "";

While this is all part of a small chunk of code, I'd prefer a single
array containing pairs of [$match, $action] as elements, rather than
worrying about future changes possibly bringing @mstrs and @astrs out of
sync.

>  	}
>      }
>  
> -    foreach my $cmdstr (@cmds) {
> -	ruleset_addrule($ruleset, $chain, $cmdstr);
> +    for my $i (0 .. $#mstrs) {
> +	ruleset_addrule($ruleset, $chain, $mstrs[$i], $astrs[$i]);
>      }
>  }
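Review bot: `my $a = ruleset_generate_action(...)` declares a lexical named `$a`, which shadows sort's package variable for the rest of the enclosing scope — any `sort { $a <=> $b }` added later in ruleset_generate_rule would silently read this lexical instead. Rename the pair to something descriptive, e.g. `my $match = ...; my $action = ...;`, which also makes the `defined` test read naturally. If the file already targets Perl 5.10 or later, the two `defined($m) ? $m : ""` conversions can become `$match // ""` and `$action // ""`.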
>  
> @@ -1948,8 +1969,10 @@ sub ruleset_generate_rule_insert {
>  
>      die "implement me" if $rule->{macro}; # not implemented, because not needed so far
>  
> -    if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $rule, $actions, $goto)) {
> -	ruleset_insertrule($ruleset, $chain, $cmdstr);
> +    my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto);
> +    my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto);
> +    if (defined $match && defined $action) {
> +	ruleset_insertrule($ruleset, $chain, $match, $action);
>      }
>  }
>  
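Review bot: ruleset_generate_rule_insert now requires `defined $match && defined $action`, whereas ruleset_generate_rule (hunk at -1931) accepts `defined $m or defined $a` and the old code inserted whatever ruleset_generate_cmdstr returned, so a rule whose match part is empty (an action alone) is silently dropped on the insert path only. The two paths should use the same condition, e.g. `if (defined $match || defined $action) { ruleset_insertrule($ruleset, $chain, $match // "", $action // ""); }`, normalising undef to "" the way ruleset_addlog does with `$match = "" if !defined $match;` so ruleset_insertrule never interpolates an undefined value.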
> @@ -1970,7 +1993,7 @@ sub ruleset_chain_exist {
>      return $ruleset->{$chain} ? 1 : undef;
>  }
>  
> -sub ruleset_addrule {
> +sub ruleset_addrule_old {

The name suggests that you plan on removing this later on. If this is
not the case, consider replacing _old with _full and making the new
ruleset_addrule() a simple ruleset_addrule_full(..., "$match $action");
(saves duplicating the 'no such chain' check).

>     my ($ruleset, $chain, $rule) = @_;
>  
>     die "no such chain '$chain'\n" if !$ruleset->{$chain};
> @@ -1978,12 +2001,20 @@ sub ruleset_addrule {
>     push @{$ruleset->{$chain}}, "-A $chain $rule";
>  }
>  
> +sub ruleset_addrule {
> +   my ($ruleset, $chain, $match, $action, $log) = @_;
> +
> +   die "no such chain '$chain'\n" if !$ruleset->{$chain};
> +
> +   push @{$ruleset->{$chain}}, "-A $chain $match $action";
> +}
> +
>  sub ruleset_insertrule {
> -   my ($ruleset, $chain, $rule) = @_;
> +   my ($ruleset, $chain, $match, $action, $log) = @_;
>  
>     die "no such chain '$chain'\n" if !$ruleset->{$chain};
>  
> -   unshift @{$ruleset->{$chain}}, "-A $chain $rule";
> +   unshift @{$ruleset->{$chain}}, "-A $chain $match $action";
>  }
>  
>  sub get_log_rule_base {
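Review bot: Both the new ruleset_addrule and the changed ruleset_insertrule accept a `$log` parameter but never read it, so a caller that passes a log level gets a rule without any logging and no indication that the request was ignored. Until the logging path lands, either document it — `# $log: reserved for per-rule logging, currently ignored` — or make the gap visible with `die "per-rule logging not implemented\n" if defined $log;`. Separately, `"-A $chain $match $action"` produces a double space whenever `$match` is "" (as the many `""` callers below pass); `join(' ', "-A", $chain, grep { length } $match, $action)` keeps the generated rules byte-identical to the old output, so the rule_match() regexp in FirewallSimulator.pm would not need to change.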
> @@ -2000,15 +2031,14 @@ sub get_log_rule_base {
>  }
>  
>  sub ruleset_addlog {
> -    my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_;
> +    my ($ruleset, $chain, $vmid, $msg, $loglevel, $match) = @_;
>  
>      return if !defined($loglevel);
>  
> -    my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel);
> -
> -    $logrule = "$rule $logrule" if defined($rule);
> +    my $logaction = get_log_rule_base($chain, $vmid, $msg, $loglevel);
>  
> -    ruleset_addrule($ruleset, $chain, $logrule);
> +    $match = "" if !defined $match;
> +    ruleset_addrule($ruleset, $chain, $match, $logaction);
>  }
>  
>  sub ruleset_add_chain_policy {
> @@ -2021,17 +2051,17 @@ sub ruleset_add_chain_policy {
>  
>      } elsif ($policy eq 'DROP') {
>  
> -	ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop");
> +	ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
>  
>  	ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
>  
> -	ruleset_addrule($ruleset, $chain, "-j DROP");
> +	ruleset_addrule($ruleset, $chain, "", "-j DROP");
>      } elsif ($policy eq 'REJECT') {
> -	ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject");
> +	ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
>  
>  	ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
>  
> -	ruleset_addrule($ruleset, $chain, "-g PVEFW-reject");
> +	ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject");
>      } else {
>  	# should not happen
>  	die "internal error: unknown policy '$policy'";
> @@ -2042,19 +2072,19 @@ sub ruleset_chain_add_ndp {
>      my ($ruleset, $chain, $ipversion, $options, $direction, $accept) = @_;
>      return if $ipversion != 6 || (defined($options->{ndp}) && !$options->{ndp});
>  
> -    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation $accept");
> +    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation", $accept);
>      if ($direction ne 'OUT' || $options->{radv}) {
> -	ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement $accept");
> +	ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", $accept);
>      }
> -    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation $accept");
> -    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement $accept");
> +    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation", $accept);
> +    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement", $accept);
>  }
>  
>  sub ruleset_chain_add_conn_filters {
>      my ($ruleset, $chain, $accept) = @_;
>  
> -    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
> -    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
> +    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
> +    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept");
>  }
>  
>  sub ruleset_chain_add_input_filters {
> @@ -2064,20 +2094,20 @@ sub ruleset_chain_add_input_filters {
>  	if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
>  	    ruleset_create_chain($ruleset, "PVEFW-blacklist");
>  	    ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
> -	    ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
> +	    ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP");
>  	}
>  	my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
> -	ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist");
> +	ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src", "-j PVEFW-blacklist");
>      }
>  
>      if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
>  	if ($ipversion == 4) {
> -	    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
> +	    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW", "-j PVEFW-smurfs");
>  	}
>      }
>  
>      if ($options->{tcpflags}) {
> -	ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
> +	ruleset_addrule($ruleset, $chain, "-p tcp", "-j PVEFW-tcpflags");
>      }
>  }
>  
> @@ -2114,15 +2144,15 @@ sub ruleset_create_vm_chain {
>  
>      if ($direction eq 'OUT') {
>  	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
> -	    ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
> +	    ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr", "-j DROP");
>  	}
>  	if ($ipversion == 6 && !$options->{radv}) {
> -	    ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP');
> +	    ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", "-j DROP");
>  	}
>  	if ($ipfilter_ipset) {
> -	    ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
> +	    ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src", "-j DROP");
>  	}
> -	ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
> +	ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
>      }
>  
>      my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : "-j $accept";
> @@ -2139,14 +2169,14 @@ sub ruleset_add_group_rule {
>      }
>  
>      if ($direction eq 'OUT' && $rule->{iface_out}) {
> -	ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out} -j $group_chain");
> +	ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out}", "-j $group_chain");
>      } elsif ($direction eq 'IN' && $rule->{iface_in}) {
> -	ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in} -j $group_chain");
> +	ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in}", "-j $group_chain");
>      } else {
> -	ruleset_addrule($ruleset, $chain, "-j $group_chain");
> +	ruleset_addrule($ruleset, $chain, "", "-j $group_chain");
>      }
>  
> -    ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON -j $action");
> +    ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON", "-j $action");
>  }
>  
>  sub ruleset_generate_vm_rules {
> @@ -2211,7 +2241,7 @@ sub ruleset_generate_vm_ipsrules {
>  	    ruleset_create_chain($ruleset, "PVEFW-IPS");
>  	}
>  
> -        ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue");
> +        ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue");
>      }
>  }
>  
> @@ -2259,10 +2289,10 @@ sub generate_tap_rules_direction {
>      # plug the tap chain to bridge chain
>      if ($direction eq 'IN') {
>  	ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
> -			"-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain");
> +			"-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
>      } else {
>  	ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
> -			"-m physdev --physdev-is-bridged --physdev-in $iface -j $tapchain");
> +			"-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
>      }
>  }
>  
> @@ -2280,7 +2310,7 @@ sub enable_host_firewall {
>  
>      my $loglevel = get_option_log_level($options, "log_level_in");
>  
> -    ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
> +    ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT");
>  
>      ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
>      ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j RETURN');
> @@ -2289,7 +2319,7 @@ sub enable_host_firewall {
>      # we use RETURN because we need to check also tap rules
>      my $accept_action = 'RETURN';
>  
> -    ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
> +    ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast
>  
>      # add host rules first, so that cluster wide rules can be overwritten
>      foreach my $rule (@$rules, @$cluster_rules) {
> @@ -2314,19 +2344,19 @@ sub enable_host_firewall {
>      # allow standard traffic for management ipset (includes cluster network)
>      my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management", $ipversion);
>      my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src";
> -    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action");  # PVE API
> -    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action");  # PVE VNC Console
> -    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
> -    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH
> +    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006", "-j $accept_action");  # PVE API
> +    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", "-j $accept_action");  # PVE VNC Console
> +    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j $accept_action");  # SPICE Proxy
> +    ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j $accept_action");  # SSH
>  
>      my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
>      my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion};
>  
>      # corosync
>      if ($localnet && ($ipversion == $localnet_ver)) {
> -	my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
> -	ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule");
> -	ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule");
> +	my $corosync_rule = "-p udp --dport 5404:5405";
> +	ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule", "-j $accept_action");
> +	ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
>      }
>  
>      # implement input policy
> @@ -2339,7 +2369,7 @@ sub enable_host_firewall {
>  
>      $loglevel = get_option_log_level($options, "log_level_out");
>  
> -    ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
> +    ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT");
>  
>      ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
>  
> @@ -2347,7 +2377,7 @@ sub enable_host_firewall {
>      $accept_action = 'RETURN';
>      ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'OUT', "-j $accept_action");
>  
> -    ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
> +    ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast
>  
>      # add host rules first, so that cluster wide rules can be overwritten
>      foreach my $rule (@$rules, @$cluster_rules) {
> @@ -2370,22 +2400,22 @@ sub enable_host_firewall {
>  
>      # allow standard traffic on cluster network
>      if ($localnet && ($ipversion == $localnet_ver)) {
> -	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006 -j $accept_action");  # PVE API
> -	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22 -j $accept_action");  # SSH
> -	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999 -j $accept_action");  # PVE VNC Console
> -	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
> +	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action");  # PVE API
> +	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action");  # SSH
> +	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action");  # PVE VNC Console
> +	ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action");  # SPICE Proxy
>  
> -	my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
> -	ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule");
> -	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
> +	my $corosync_rule = "-p udp --dport 5404:5405"; 
> +	ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j $accept_action");
> +	ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
>      }
>  
>      # implement output policy
>      $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
>      ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, $loglevel, $accept_action);
>  
> -    ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
> -    ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
> +    ruleset_addrule($ruleset, "PVEFW-OUTPUT", "", "-j PVEFW-HOST-OUT");
> +    ruleset_addrule($ruleset, "PVEFW-INPUT", "", "-j PVEFW-HOST-IN");
>  }
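Review bot: The added line `my $corosync_rule = "-p udp --dport 5404:5405"; ` carries trailing whitespace, which `git am` / `git diff --check` will flag; drop it. The equivalent line in the hunk at -2314 is already clean.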
>  
>  sub generate_group_rules {
> @@ -2401,7 +2431,7 @@ sub generate_group_rules {
>      my $chain = "GROUP-${group}-IN";
>  
>      ruleset_create_chain($ruleset, $chain);
> -    ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
> +    ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
>  
>      foreach my $rule (@$rules) {
>  	next if $rule->{type} ne 'in';
> @@ -2414,7 +2444,7 @@ sub generate_group_rules {
>      $chain = "GROUP-${group}-OUT";
>  
>      ruleset_create_chain($ruleset, $chain);
> -    ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
> +    ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
>  
>      foreach my $rule (@$rules) {
>  	next if $rule->{type} ne 'out';
> @@ -3137,7 +3167,7 @@ sub generate_std_chains {
>  	    if (ref($rule)) {
>  		ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);
>  	    } else {
> -		ruleset_addrule($ruleset, $chain, $rule);
> +		ruleset_addrule_old($ruleset, $chain, $rule);
>  	    }
>  	}
>      }
> @@ -3380,10 +3410,10 @@ sub compile_iptables_filter {
>      ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
>      ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, $hostfw_options, $cluster_conf, $loglevel);
>  
> -    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN");
> +    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+", "-j PVEFW-FWBR-IN");
>  
>      ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
> -    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT");
> +    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+", "-j PVEFW-FWBR-OUT");
>  
>      generate_std_chains($ruleset, $hostfw_options, $ipversion);
>  
> @@ -3442,7 +3472,7 @@ sub compile_iptables_filter {
>      }
>  
>      if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
> -	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
> +	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS");
>      }
>  
>      return $ruleset;



