mirror of
git://git.proxmox.com/git/pve-firewall.git
synced 2025-02-02 13:47:16 +03:00
fwtester: implement new 'outside' zone
To simulate traffic from/to outside world (vmbr0/eth0)
This commit is contained in:
Dietmar Maurer
parent
d1486f380e
commit
31dc73f1fd
@ -9,6 +9,9 @@ use PVE::Firewall;
|
||||
my $mark;
|
||||
my $trace;
|
||||
|
||||
my $outside_iface = 'eth0';
|
||||
my $outside_bridge = 'vmbr0';
|
||||
|
||||
my $debug = 0;
|
||||
|
||||
sub add_trace {
|
||||
@ -192,9 +195,17 @@ sub route_packet {
|
||||
$pkg->{iface_in} = $pkg->{iface_out} = undef;
|
||||
$pkg->{physdev_in} = $pkg->{physdev_out} = undef;
|
||||
|
||||
if ($route_state eq 'host') {
|
||||
if ($route_state eq 'from-outside') {
|
||||
$next_route_state = $outside_bridge || die 'internal error';
|
||||
$next_physdev_in = $outside_iface || die 'internal error';
|
||||
} elsif ($route_state eq 'host') {
|
||||
|
||||
if ($target->{type} eq 'ct') {
|
||||
if ($target->{type} eq 'outside') {
|
||||
$pkg->{iface_in} = 'lo';
|
||||
$pkg->{iface_out} = $outside_bridge;
|
||||
$chain = 'PVEFW-OUTPUT';
|
||||
$next_route_state = $outside_iface
|
||||
} elsif ($target->{type} eq 'ct') {
|
||||
$pkg->{iface_in} = 'lo';
|
||||
$pkg->{iface_out} = 'venet0';
|
||||
$chain = 'PVEFW-OUTPUT';
|
||||
@ -217,6 +228,13 @@ sub route_packet {
|
||||
$pkg->{iface_out} = 'lo';
|
||||
$next_route_state = 'host';
|
||||
|
||||
} elsif ($target->{type} eq 'outside') {
|
||||
|
||||
$chain = 'PVEFW-FORWARD';
|
||||
$pkg->{iface_in} = 'venet0';
|
||||
$pkg->{iface_out} = $outside_bridge;
|
||||
$next_route_state = $outside_iface;
|
||||
|
||||
} elsif ($target->{type} eq 'vm') {
|
||||
|
||||
$chain = 'PVEFW-FORWARD';
|
||||
@ -265,6 +283,24 @@ sub route_packet {
|
||||
$pkg->{iface_out} = 'lo';
|
||||
$next_route_state = 'host';
|
||||
|
||||
if ($route_state eq $outside_bridge) {
|
||||
|
||||
} else {
|
||||
|
||||
}
|
||||
|
||||
} elsif ($target->{type} eq 'outside') {
|
||||
|
||||
$chain = 'PVEFW-FORWARD';
|
||||
$pkg->{iface_in} = $route_state;
|
||||
$pkg->{iface_out} = $outside_bridge;
|
||||
$pkg->{physdev_in} = $physdev_in;
|
||||
# conditionally set physdev_out (same behavior as kernel)
|
||||
if ($route_state eq $outside_bridge) {
|
||||
$pkg->{physdev_out} = $outside_iface || die 'internal error';
|
||||
}
|
||||
$next_route_state = $outside_iface;
|
||||
|
||||
} elsif ($target->{type} eq 'ct') {
|
||||
|
||||
$chain = 'PVEFW-FORWARD';
|
||||
@ -275,16 +311,12 @@ sub route_packet {
|
||||
} elsif ($target->{type} eq 'vm') {
|
||||
|
||||
$chain = 'PVEFW-FORWARD';
|
||||
$pkg->{iface_in} = $route_state;
|
||||
$pkg->{iface_out} = $target->{bridge};
|
||||
$pkg->{physdev_in} = $physdev_in;
|
||||
# conditionally set physdev_out (same behavior as kernel)
|
||||
if ($route_state eq $target->{bridge}) {
|
||||
$pkg->{iface_in} = $route_state;
|
||||
$pkg->{iface_out} = $route_state;
|
||||
$pkg->{physdev_in} = $physdev_in;
|
||||
$pkg->{physdev_out} = $target->{fwpr} || die 'internal error';
|
||||
} else {
|
||||
$pkg->{iface_in} = $route_state;
|
||||
$pkg->{iface_out} = $route_state;
|
||||
$pkg->{physdev_in} = $physdev_in;
|
||||
# do not set physdev_out (same behavior as kernel)
|
||||
}
|
||||
$next_route_state = 'fwbr-in';
|
||||
|
||||
@ -372,6 +404,9 @@ sub simulate_firewall {
|
||||
if ($from eq 'host') {
|
||||
$from_info->{type} = 'host';
|
||||
$start_state = 'host';
|
||||
} elsif ($from eq 'outside') {
|
||||
$from_info->{type} = 'outside';
|
||||
$start_state = 'from-outside';
|
||||
} elsif ($from =~ m/^ct(\d+)$/) {
|
||||
my $vmid = $1;
|
||||
$from_info = extract_ct_info($vmdata, $vmid);
|
||||
@ -395,6 +430,9 @@ sub simulate_firewall {
|
||||
if ($to eq 'host') {
|
||||
$target->{type} = 'host';
|
||||
$target->{iface} = 'host';
|
||||
} elsif ($to eq 'outside') {
|
||||
$target->{type} = 'outside';
|
||||
$target->{iface} = $outside_iface;
|
||||
} elsif ($to =~ m/^ct(\d+)$/) {
|
||||
my $vmid = $1;
|
||||
$target = extract_ct_info($vmdata, $vmid);
|
||||
|
||||
@ -5,3 +5,4 @@ enable: 1
|
||||
[RULES]
|
||||
|
||||
IN ACCEPT - - - tcp 443
|
||||
OUT REJECT - - - tcp 81
|
||||
|
||||
@ -5,3 +5,4 @@ enable: 1
|
||||
[RULES]
|
||||
|
||||
IN ACCEPT - - - tcp 22
|
||||
OUT REJECT - - - tcp 81
|
||||
|
||||
@ -4,5 +4,6 @@ enable: 1
|
||||
|
||||
[RULES]
|
||||
|
||||
OUT REJECT - - - tcp 81
|
||||
#IN ACCEPT tesitif - - tcp 22
|
||||
IN ACCEPT - - - tcp 22
|
||||
|
||||
@ -23,4 +23,18 @@
|
||||
{ from => 'vm110', to => 'vm100', dport => 22, action => 'DROP' }
|
||||
{ from => 'vm110', to => 'vm100', dport => 443, action => 'ACCEPT' }
|
||||
|
||||
{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
|
||||
{ from => 'outside', to => 'ct200', dport => 23, action => 'DROP' }
|
||||
{ from => 'outside', to => 'vm100', dport => 22, action => 'DROP' }
|
||||
{ from => 'outside', to => 'vm100', dport => 443, action => 'ACCEPT' }
|
||||
{ from => 'outside', to => 'host', dport => 22, action => 'ACCEPT' }
|
||||
{ from => 'outside', to => 'host', dport => 23, action => 'DROP' }
|
||||
|
||||
{ from => 'host' , to => 'outside', dport => 80, action => 'ACCEPT' }
|
||||
{ from => 'host' , to => 'outside', dport => 81, action => 'REJECT' }
|
||||
{ from => 'vm100' , to => 'outside', dport => 80, action => 'ACCEPT' }
|
||||
{ from => 'vm100' , to => 'outside', dport => 81, action => 'REJECT' }
|
||||
{ from => 'ct200' , to => 'outside', dport => 80, action => 'ACCEPT' }
|
||||
{ from => 'ct200' , to => 'outside', dport => 81, action => 'REJECT' }
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user