├── LICENSE
├── README.md
├── explanation_ru.md
├── img
├── Classical PVE.png
├── Sample_NAT_in.PNG
├── Sample_NAT_out.PNG
└── map.drawio
├── patcher.sh
├── patches
├── pve-firewall: 4.0-10.diff
├── pve-firewall: 4.0-3.diff
├── pve-firewall: 4.0-4.diff
├── pve-firewall: 4.0-5.diff
├── pve-firewall: 4.0-6.diff
├── pve-firewall: 4.0-7.diff
├── pve-firewall: 4.0-8.diff
├── pve-firewall: 4.0-9.diff
├── pve-firewall: 4.1-1.diff
├── pve-firewall: 4.1-2.diff
├── pve-firewall: 4.1-3.diff
├── pve-firewall: 4.1-4.diff
├── pve-firewall: 4.2-2.diff
├── pve-firewall: 4.2-3.diff
├── pve-firewall: 4.2-4.diff
├── pve-firewall: 4.2-5.diff
├── pve-firewall: 4.2-6.diff
├── pve-firewall: 4.2-7.diff
├── pve-firewall: 4.3-1.diff
├── pve-firewall: 4.3-2.diff
├── pve-firewall: 4.3-4.diff
├── pve-firewall: 4.3-5.diff
├── pve-firewall: 5.0.1.diff
├── pve-firewall: 5.0.2.diff
├── pve-firewall: 5.0.3.diff
├── pve-firewall: 5.0.4.diff
├── pve-firewall: 5.0.5.diff
├── pve-firewall: 5.0.6.diff
└── pve-firewall: 5.0.7.diff
└── pve_fw_dist
├── bookworm
├── pve-firewall_5.0.1_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.1.diff
├── pve-firewall_5.0.2_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.2.diff
├── pve-firewall_5.0.3_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.3.diff
├── pve-firewall_5.0.4_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.4.diff
├── pve-firewall_5.0.5_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.5.diff
├── pve-firewall_5.0.6_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.6.diff
├── pve-firewall_5.0.7_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.0.7.diff
└── pve-firewall_5.1.0_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 5.1.0.diff
├── bullseye
├── pve-firewall_4.2-2_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-2.diff
├── pve-firewall_4.2-3_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-3.diff
├── pve-firewall_4.2-4_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-4.diff
├── pve-firewall_4.2-5_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-5.diff
├── pve-firewall_4.2-6_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-6.diff
├── pve-firewall_4.2-7_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.2-7.diff
├── pve-firewall_4.3-1_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.3-1.diff
├── pve-firewall_4.3-2_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.3-2.diff
├── pve-firewall_4.3-4_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.3-4.diff
└── pve-firewall_4.3-5_amd64
│ ├── Firewall.pm
│ ├── Firewall.pm.orig
│ └── pve-firewall: 4.3-5.diff
└── buster
├── pve-firewall_4.0-10_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-10.diff
├── pve-firewall_4.0-3_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-3.diff
├── pve-firewall_4.0-4_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-4.diff
├── pve-firewall_4.0-5_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-5.diff
├── pve-firewall_4.0-6_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-6.diff
├── pve-firewall_4.0-7_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-7.diff
├── pve-firewall_4.0-8_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-8.diff
├── pve-firewall_4.0-9_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.0-9.diff
├── pve-firewall_4.1-1_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.1-1.diff
├── pve-firewall_4.1-2_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.1-2.diff
├── pve-firewall_4.1-3_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.1-3.diff
└── pve-firewall_4.1-4_amd64
├── Firewall.pm
├── Firewall.pm.orig
└── pve-firewall: 4.1-4.diff
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 Code-Exec
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Proxmox_NAT_Patch
2 | Proxmox patch gives ability to create firewall NAT rules using the standard PVE web UI.
3 |
4 | Full problem and working explanation (RU) - [link](explanation_ru.md)
5 |
6 | # Installation
7 |
8 | **1. Patch pve-firewall.**
9 |
10 | Download the latest release from the releases page [Releases](https://github.com/Code-Exec/Proxmox_NAT_Patch/releases) and extract it to any convenient place. Go to this folder and, as root (the script writes to `/usr/share/perl5/PVE/` and calls `pveversion`), run -
11 |
12 | $ ./patcher.sh run
13 |
14 | This command will patch the `/usr/share/perl5/PVE/Firewall.pm` file, keeping a backup as `Firewall.pm.orig`. If it is successful, we will see "Patching done".
15 |
16 | **WARNING!** The modified file has a line for binding to the external interface (needed for NAT rules).
17 |
18 | my $ext_if = 'vmbr0'; #external interface
19 |
20 | If you have a different architecture scheme, change the value to your interface.
21 |
22 | **2. Make the changes necessary for NAT**
23 |
24 | Following the recommendations of the official site - [Link](https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt).
25 |
26 | Modify the file /etc/network/interfaces
27 |
28 | auto vmbr1
29 | #private sub network
30 | iface vmbr1 inet static
31 | address 10.10.10.1
32 | netmask 255.255.255.0
33 | bridge-ports none
34 | bridge-stp off
35 | bridge-fd 1
36 |
37 | post-up echo 1 > /proc/sys/net/ipv4/ip_forward
38 | post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
39 | post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
40 |
41 | In fact, we add three lines to our virtual network interface (which will also be the gateway for the entire network)
42 |
43 | post-up echo 1 > /proc/sys/net/ipv4/ip_forward
44 | post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
45 | post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
46 |
47 | The first line adds the ability to allow "passing traffic", without it NAT will not work at all.
48 |
49 | The second line works around a conntrack problem (conntrack is the part of NAT that lets you avoid writing separate rules for the reply direction; it tracks connection state from the packet flow and flags). The problem is that conntrack sometimes gets confused by traffic crossing between the virtual and the non-virtual network, so this rule puts traffic entering through the `fwbr+` interfaces into a separate conntrack zone.
50 |
51 | The first two run when the interface comes up. The third runs when the interface goes down and removes the rule added by the second.
52 |
53 | **3. Restart**
54 |
55 | It is better to restart the whole server. But if this is not possible, you can do it in the console:
56 |
57 | service pvedaemon restart
58 | service pveproxy restart
59 | pve-firewall restart
60 |
61 | # Usage
62 |
63 | **NAT rules are created only when the rule comment starts with the string "NAT"!** Keep in mind that such a rule turns into iptables NAT rules on the host's external interface (`$ext_if`), so with this patch installed, only users you would trust with host-level port forwarding should be allowed to edit firewall rules.
64 |
65 | Rules are not applied instantly; occasionally it can take up to a minute, though that is rare. The solution works by flushing the whole `nat` table (`iptables -t nat -F`) and then re-creating the NAT rules, so any NAT rules you added by hand or that other software placed in that table are removed on every update — keep all NAT rules in the PVE firewall.
66 |
67 | Example NAT in:
68 |
69 | 
70 |
71 | In this example, in addition to the standard rule allowing 123.123.123.123:822 -> 10.10.10.107:22, a second, NAT rule will be created. That is, after creating such a rule, a client coming from IP 123.123.123.123 to port 822 on our server's external address will be forwarded to 10.10.10.107:22. If you leave the source empty, any IP will be able to connect through port 822, so fill it in whenever the service should not be exposed to the whole internet.
72 |
73 | **IMPORTANT!** In my architecture all virtual machines have a static IP so when I create such a rule I know exactly which machine it will go to. It is very convenient to use the VMID as the last digit of the IP, but this is my personal opinion.
74 |
75 | Example NAT out:
76 |
77 | 
78 |
79 | This example works the same way. A second, NAT rule will be created that masquerades traffic from 10.10.10.105 (a specific VM) to 123.123.123.123:443. So if we try to connect to 123.123.123.123:443 from this VM, the NAT rule will match and let us through.
80 |
81 | **IMPORTANT!** Aliases are not supported yet; you have to use plain IP addresses.
82 |
83 | # Uninstall
84 |
85 | Uninstalling follows the installation steps in reverse order:
86 | 1. Type the command -
87 |
88 | ./patcher.sh rollback
89 |
90 | This command will restore the original file from the backup. If everything was successful we will see "Rollback done".
91 |
92 | 2. Delete lines from "/etc/network/interfaces".
93 | 3. Reboot.
94 |
95 | Translated with DeepL.com (free version)
--------------------------------------------------------------------------------
/explanation_ru.md:
--------------------------------------------------------------------------------
1 | # Proxmox_NAT_Patch
2 | Proxmox patch to create firewall NAT rules for web UI
3 |
4 | # Проблематика
5 | Все пользователи Proxmox уже почувствовали всю мощь это продукта, а IT администраторы систем витруализации вовсю используют Proxmox в production. Однако, как и все бесплатные продукты есть ряд недоработок, нервирующие каждый день. Чтож сегодня мы сделаем одной проблемой меньше!
6 |
7 | Итак рассматривая общую архитектуру облачно/контейнерных решений в простом варианте архитектура сети выглядит следующим образом (мой опыт, не претендую на истину):
8 |
9 | 
10 |
11 | Немного поясню. Интерфейс "eth0" - физический интерфейс. Как правило из коробки Proxmox VE настраивается на "vmbr0" как виртуальный интерфейс сбридженный с физическим "eth0". Вероятно это для упрощения настройки будущей балансировки в случае существования нескольких каналов интернет. Однако в случае с одним каналом интернет это никакого значения не имеет. Можно было бы насртоить и на физический интерфейс "eth0". Интерфейсы "vmbr0", "vmbr1" - виртуальные, существуют только в PVE. Итак, вот мы создавали несколько виртуальных машин (или контейнеров) и первая проблема - как управлять их сетевым доступом? Локальный трафик в рамках виртуального сегмента сети "192.168.0.1/24" управляется легко. Встроенный в PVE Firewall (основанный на iptables) прекрасно с этим справляется, но как прокинуть порты во внутрь и пропустить трафик наружу?
12 |
13 | Официальный сайт нам предлагает изумительное решение. - [Masquerading (NAT) with iptables](https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt).
14 |
15 | Формально они предлагают писать ручками правила NAT между vmbr0 и vmbr1.
16 |
17 | Это как у купили вы Теслу, а заводить ее с толкача. Казалось бы тривиальная задача...
18 |
19 | # В чем идея?
20 | Да конечно, поначалу я как и все пошел пропихивать в iptables свои правила. Причем тут еще один ньюанс, PVE Firewall на виртуальных машинах тоже работал и для каждого NAT правила нужно было создать еще одно в интерфейсе PVE. В последствии PVE Firewall на виртуальных машинах отключался (изолированная виртуальная сеть не сильно снижала безопасность без него). Но одно дело когда машин 2 и другое когда 20. На память не упомнишь кому какие порты раздавал, у какой машины есть выход на сторонние узлы... ребут или перезапуск служб мог вычистить все созданные правила...
21 | Постепенно я написал скрипт на bash для более менее комфортного управления всем этим ужасом и готовился уже создавать более красивое решение на python.
22 | Я даже думал пойти ужасным путем и поднять прокси внутри виртуальной сети...
23 | Но тут у меня возник вопрос в голове:
24 | `"Стоп, ведь вся проблема в том что интерфейс PVE Firewall не позволяет вводить правила NAT". `
25 | Да и в архитектуре должен быть один firewall. Нет смысла их плодить и тратить время на их обслуживание. Сохраняя правила NAT в стандартном интерфейсе PVE Firewall мы получаем массу преимуществ: видимость всех правил разом, сохранение вместе с ВМ, не нужно лезь в консоль.
26 | Конечная идея была сформирована: **научить интерфейс PVE Firewall понимать правила NAT !**
27 | # Решение
28 | Решение представляет из себя создание дополнительного правила iptables(NAT) при добавлении стандартного правила PVE через интерфейс, тригер для создания - строка "Comment" начинается с "NAT". Для этого нужно подправить файл файервола PVE.
29 |
30 | # Установка
31 |
32 | **1. Патчим pve-firewall.**
33 |
34 | Скачиваем последний релиз со страницы релизов [Releases](https://github.com/Code-Exec/Proxmox_NAT_Patch/releases) и распаковываем в любое удобное место. Переходим в эту папку и пишем в консоли -
35 |
36 | $ ./patcher.sh run
37 |
38 | Эта команда пропатчит файл `/usr/share/perl5/PVE/Firewall.pm`, сделав бэкап (`Firewall.pm.orig`). Если все прошло успешно, то увидим "Patching done".
39 |
40 | **ВНИМАНИЕ!** В модифицированном файле есть строка для привязки к внешнему интерфейсу (необходим для NAT правил).
41 |
42 | my $ext_if = 'vmbr0'; #external interface
43 |
44 | Если у вас другая схема архитектуры, то измените значение на свой интерфейс.
45 |
46 | **2. Вносим изменения необходимые для NAT**
47 |
48 | По рекомендациям офицаильного сайта - [Link](https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt)
49 |
50 | Изменяем файл /etc/network/interfaces
51 |
52 | auto vmbr1
53 | #private sub network
54 | iface vmbr1 inet static
55 | address 10.10.10.1
56 | netmask 255.255.255.0
57 | bridge-ports none
58 | bridge-stp off
59 | bridge-fd 1
60 |
61 | post-up echo 1 > /proc/sys/net/ipv4/ip_forward
62 | post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
63 | post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
64 |
65 | По факту мы добавляем три строки к нашему интерфейсу виртуальной сети (он же будет шлюзом для всей сети)
66 |
67 | post-up echo 1 > /proc/sys/net/ipv4/ip_forward
68 | post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
69 | post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
70 |
71 | Первая строка - добавляет возможность пропускать "проходящий трафик", без нее NAT вообще не будет работать.
72 |
73 | Вторая - исправляет проблему с conntrack (часть NAT, позволяющая не писать двойные правила на вход и выход; основывается на анализе состояния соединений и флагах пакетов). Проблема в том, что conntrack иногда запутывается в трафике между виртуальной и не виртуальной сетями; правило помещает трафик, входящий через интерфейсы `fwbr+`, в отдельную зону conntrack.
74 |
75 | Первые две срабатывают при включении интерфейса. Третья при отключении, отменяет вторую...
76 |
77 | **3. Перезапускаемся**
78 |
79 | Лучше перезапустить весь сервер. Но если это не возможно то можно выполнить в консоли:
80 |
81 | service pvedaemon restart
82 | service pveproxy restart
83 | pve-firewall restart
84 |
85 | # Использование
86 |
87 | **Правила NAT создаются только когда комментарий правила начинается со строки "NAT"!** Учтите, что такое правило превращается в NAT-правила iptables на внешнем интерфейсе хоста (`$ext_if`), поэтому редактировать правила файервола с установленным патчем должны только пользователи, которым вы доверяете проброс портов на уровне хоста.
88 |
89 | Правила применяются не моментально... Иногда дело может доходить до минуты, но очень редко. Архитектура решения такова, что таблица `nat` полностью очищается (`iptables -t nat -F`), потом правила создаются заново - поэтому NAT-правила, добавленные вручную или другими программами, будут удалены при каждом обновлении.
90 |
91 | Пример NAT in:
92 |
93 | 
94 |
95 | В этом примере по мимо стандартного правила разрешающего 123.123.123.123:822 -> 10.10.10.107:22 создастся еще одно NAT. То есть создав такое правило и постучавшись с IP 123.123.123.123 на порт 822 на IP адрес нашего сервера, мы будем прокинуты на 10.10.10.107:22 . Если не заполнить источник, то любой IP сможет подключиться через порт 822.
96 |
97 | **ВАЖНО!** В моей архитектуре все виртуальные машины имеют статический IP поэтому создавая такое правило я точно знаю на какую машину оно уйдет. Очень удобно использовать VMID в качестве последней цифры IP, но это лично мое мнение.
98 |
99 | Пример NAT out:
100 |
101 | 
102 |
103 | В этом примере все аналогично. Создастся второе правило NAT пробрасывающее с 10.10.10.105 (это конкретная VM) трафик на 123.123.123.123:443. То есть если мы с этой VM попробуем подключиться к 123.123.123.123:443 сработает NAT и нас пропустит.
104 |
105 | **ВАЖНО!** Элиасы или псевдонимы пока что не поддерживаются. Использовать придется только IP.
106 |
107 | # Удаление
108 |
109 | Удаление происходит в том же порядке:
110 | 1. Вводим команду -
111 | > ./patcher.sh rollback
112 | Эта команда восстановит оригинальный файл из бэкапа. Если все прошло успешно увидим "Rollback done".
113 | 2. Удаляем строки из "/etc/network/interfaces".
114 | 3. Перезагружаемся.
--------------------------------------------------------------------------------
/img/Classical PVE.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Code-Exec/Proxmox_NAT_Patch/2021a9a1fbacf77fa91ffa90716b8caeea2d1cad/img/Classical PVE.png
--------------------------------------------------------------------------------
/img/Sample_NAT_in.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Code-Exec/Proxmox_NAT_Patch/2021a9a1fbacf77fa91ffa90716b8caeea2d1cad/img/Sample_NAT_in.PNG
--------------------------------------------------------------------------------
/img/Sample_NAT_out.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Code-Exec/Proxmox_NAT_Patch/2021a9a1fbacf77fa91ffa90716b8caeea2d1cad/img/Sample_NAT_out.PNG
--------------------------------------------------------------------------------
/img/map.drawio:
--------------------------------------------------------------------------------
1 | 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
--------------------------------------------------------------------------------
/patcher.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #we can use this path from params
3 | if [$2 eq ""]; then
4 | path='/usr/share/perl5/PVE/Firewall.pm'
5 | else
6 | path=$2
7 | fi
8 |
9 | #we can use this path from params
10 | if [$3 eq ""]; then
11 | pvefw_ver=`pveversion -v | grep pve-firewall`
12 | else
13 | pvefw_ver=$3
14 | fi
15 |
16 | #checking that is all tools are exists
17 | if [ ! -x "$(command -v patch)" ];
18 | then
19 | echo " could not be found. Please install it 'apt install patch'"
20 | exit 1
21 | fi
22 |
23 | execute_path=$( dirname "$0" )
24 | patches_dir="$execute_path/patches"
25 | patch_path="$patches_dir/$pvefw_ver.diff"
26 |
27 | if [ "$1" == "run" ]; then
28 | if [ -e "$path.orig" ]; then
29 | echo "Allredy patched"
30 | else
31 | if [ -e "$patch_path" ]; then
32 | cp $path $path.orig
33 | patch -b $path < "$patch_path"
34 | echo "Patching done"
35 | else
36 | echo -e "Patch for version '${pvefw_ver}' not found!
37 | Please send mail to ssa.codex@gmail.com
38 | or open a new issue on the github."
39 | fi
40 | fi
41 |
42 | elif [ "$1" == "rollback" ]; then
43 | if [ -e "$path.orig" ]; then
44 | mv $path.orig $path
45 | echo "Rollback done"
46 | else
47 | echo "Backups not found"
48 | fi
49 | else
50 | echo "Unknown command. Allowed - run, rollback"
51 | fi
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-10.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-01-27 19:25:49.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:47:46.051279925 +0100
3 | @@ -2090,6 +2090,39 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | my @iptcmds;
41 | my $log = $rule->{log};
42 | if (defined($log) && $log ne 'nolog') {
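Review bot: The DNAT branch never validates the fields it rewrites, so a "NAT" rule without a source port leaves `--dport` with no value (and `$rule->{sport}` raises an uninitialized-value warning), while a CIDR or `+ipset` destination produces an unusable `--to 10.10.10.0/24:22`; if `run_command` keeps its default of dying on a non-zero exit, one such rule aborts rule generation for the whole node. Skip the rule instead: `if (!defined $rule->{sport} || !defined $rule->{dport} || $rule->{dest} !~ m{\A\d+(?:\.\d+){3}\z}) { warn "NAT rule skipped: needs sport, dport and one IPv4 dest\n"; } else { ... }` around the DNAT code, and write the substitutions as `s/--dport \Q$rule->{dport}\E/.../` so `.`, `+` and `/` in rule fields match literally. A further concern is scope: the enclosing generator starts outside the hunk, but if it also runs for guest rules, as the README's per-VM examples suggest, then whoever may edit one VM's firewall rules can install host-level DNAT on `$ext_if` or MASQUERADE for the host, so the comment trigger should be gated on a host-level option rather than honoured unconditionally.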
43 | @@ -3546,6 +3579,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
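Review bot: `iptables -t nat -F` wipes every chain of the nat table, not just the rules this patch adds, so the MASQUERADE `post-up` rule from the official Proxmox NAT guide, Docker's chains and any other NAT rule on the host vanish on every firewall update, and between this flush and the re-add during rule generation the node has no NAT at all (permanently, if generation dies midway). Keep the patch's rules in a dedicated chain (`-N PVEFW-NAT` once, `-F PVEFW-NAT` here, with PREROUTING/POSTROUTING jumping to it) so only patch-managed rules are touched, or build the whole table and load it atomically with `iptables-restore`. The comment also promises "flush raw + add PREROUTING contrack", which this code does not do (the raw/CT zone rule lives in `/etc/network/interfaces` per the README); `# flush the nat table; NAT rules are re-created during ruleset generation` states what actually happens. The enclosing function starts outside the hunk.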
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-04 15:56:11.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:22:28.674333309 +0100
3 | @@ -2045,6 +2045,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
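Review bot: Running `iptables -t nat -A ...` straight from rule generation turns a rule-level setting into a host-wide one: any rule that reaches this code with a comment starting "NAT" installs DNAT on `$ext_if` or MASQUERADE on the host, so if the enclosing generator (its start lies outside the hunk) also serves VM/CT rules, as the README's per-VM examples suggest, a user allowed only to edit one guest's firewall rules can forward any host port to any address. Honour the comment only when a host-level firewall option explicitly enables it, and ignore NAT comments on guest-scoped rules otherwise. Because the commands execute here instead of being queued on `@iptcmds` like the rest of the rule, they also fire whenever this generator runs, presumably including compile-only or simulation runs, and the single-string form `['iptables -t nat -A POSTROUTING ' . $matchstr . ...]` is word-split by `exec`, so prefer the list form `['iptables', '-t', 'nat', '-A', 'POSTROUTING', split(' ', $matchstr), '-o', $ext_if, '-j', 'MASQUERADE']`, which can never fall back to shell parsing.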
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
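Review bot: The unconditional `iptables -t nat -F` here discards every rule in the nat table, including ones pve-firewall never created (the Proxmox wiki's `post-up ... -j MASQUERADE`, Docker, manual port forwards), and it only touches IPv4; `ip6tables` is left alone, so the "all cleaned up, then re-created" model the README describes does not hold for IPv6. A dedicated chain that this patch owns (`iptables -t nat -N PVEFW-NAT` at setup, `-F PVEFW-NAT` here, one jump each from PREROUTING and POSTROUTING) confines the flush to patch-managed rules and leaves foreign rules intact. The comment text should be reduced to what the line does, e.g. `# flush the nat table; patch-generated NAT rules are re-added during ruleset generation`. The enclosing function continues outside the hunk on both sides.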
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-11 19:40:01.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:26:13.490336909 +0100
3 | @@ -2046,6 +2046,40 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | +
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | if (defined($log) && $log ne 'nolog') {
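Review bot: The DNAT rewrite silently depends on the rule having a tcp/udp protocol with a single port: for a rule without `proto` there is no `--dport` in `$matchstr`, so the `s/--dport .../.../` is a no-op and iptables rejects `--to host:port` without `-p tcp` or `-p udp`, and for a multiport rule the match is `--dports`, so the same substitution misses and the guest port is used as the external port. Guard the DNAT branch with `if (($rule->{proto} // '') =~ /^(?:tcp|udp)$/ && defined $rule->{sport} && defined $rule->{dport}) { ... } else { warn "NAT rule skipped: tcp/udp with sport and dport required\n"; }` so one malformed entry cannot break the node's ruleset if `run_command` dies on a non-zero exit. The comment `#with ipset field is empty` should say what is meant, e.g. `# when an ipset is used, sport/dport may be empty`, or be dropped. The enclosing function starts outside the hunk.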
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
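Review bot: Flushing the whole nat table here races with everything else that populates it: the README points users at the Proxmox wiki's interface-level setup, yet any `post-up iptables -t nat ...` line they keep from that guide is silently erased on the first firewall update, and until rule generation has re-added the patch's rules (further down, outside the hunk) port forwards are down. Scope the flush to a patch-owned chain (`-F PVEFW-NAT`) rather than `-F` on the whole table, or generate the NAT rules into the same restore batch pve-firewall applies so the table changes atomically. The comment mentions raw/conntrack work that this code does not perform; `# reset the nat table before regenerating NAT rules` is the accurate version.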
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-12 11:47:53.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:28:25.042339015 +0100
3 | @@ -2045,6 +2045,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
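Review bot: The SNAT branch masquerades whatever `$matchstr` matches, and for an `out` rule with an empty source that is every packet leaving `$ext_if`, host traffic included, since the command is then just `-A POSTROUTING -o vmbr0 -j MASQUERADE`. Require a source for NAT `out` rules, `if ($rule->{type} eq 'out' && defined $rule->{source}) { ... }`, so a rule whose author forgot the field does not rewrite the host's own connections. The substitutions `s/--dport $rule->{dport}/.../` and `s/-d $rule->{dest}//` interpolate rule fields as regex source; wrap them in `\Q...\E` so `.`, `/` and a leading `+` (ipset names) are literal, and note that for a `+ipset` or CIDR destination the resulting `--to` is invalid anyway, which, if `run_command` dies on a non-zero exit, aborts rule generation for the node. The enclosing function starts outside the hunk.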
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
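Review bot: `iptables -t nat -F` runs with no error handling and no scoping, so it removes NAT rules installed by other tools on the host and, if `run_command` dies on failure (for example iptables not yet usable early at boot), it aborts ruleset compilation before any filter rule is applied. Confine the flush to a chain this patch owns (`iptables -t nat -F PVEFW-NAT`, with PREROUTING and POSTROUTING jumping to it) and tolerate its failure (`noerr => 1`, if `run_command` offers it) so NAT cleanup problems cannot take the packet filter down with them. The comment should match the code: `# flush patch-managed NAT rules; they are re-created during ruleset generation`. The enclosing function starts outside the hunk.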
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-23 18:57:48.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:43:05.995275441 +0100
3 | @@ -2026,6 +2026,40 @@
4 | push @match, "--sport $rule->{sport}";
5 | }
6 | };
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | # order matters - single port before multiport!
43 | $add_dport->() if $multisport;
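Review bot: The inserted block reads `$matchstr` while the visible context is still assembling `@match` (`push @match, "--sport $rule->{sport}"` just above, `$add_dport->()` just below), so unless `$matchstr` is declared and populated earlier in this function, which the hunk does not show, the NAT commands are built from an undefined or stale string, or the file fails to compile under `use strict` with an undeclared `$matchstr`. The other versions of this patch insert the same block after `$targetstr = ($goto) ? "-g $action" : "-j $action";`, once the match string is final; move it there, or at least after `@match` is joined. If `$matchstr` is indeed defined earlier, add `# $matchstr is complete at this point; later pushes to @match are not included` so the ordering dependency is explicit. The enclosing function starts and ends outside the hunk.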
44 | @@ -3504,6 +3538,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
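Review bot: Flushing the entire nat table from inside ruleset compilation couples two unrelated things: anything else on the host that owns nat rules (the Proxmox wiki's `post-up ... MASQUERADE`, container runtimes) loses them every time the firewall recompiles, and the patch's own DNAT/SNAT rules are absent between this flush and their re-creation later in the function (outside the hunk). Own a chain instead, `-N PVEFW-NAT` once and `-F PVEFW-NAT` here, and jump to it from PREROUTING and POSTROUTING, so both the flush and the re-add are confined to patch-managed rules. The comment's "flush raw + add PREROUTING contrack" should be dropped; the code only flushes `nat`.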
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:11:57.872353179 +0100
3 | @@ -2026,6 +2026,39 @@
4 | push @match, "--sport $rule->{sport}";
5 | }
6 | };
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | # order matters - single port before multiport!
42 | $add_dport->() if $multisport;
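Review bot: `$rule->{sport}`, `$rule->{dport}` and `$rule->{dest}` are interpolated into the regex patterns at hunk lines 25, 31 and 34 unquoted, and line 31 also runs when `$rule->{sport}` is undefined (the case the comment at line 22 describes), which leaves `--dport ` with no value in the PREROUTING command at line 37; quote the values with `\Q…\E` — e.g. `$nat_matchstr =~ s/-d \Q$rule->{dest}\E//;` and the same on the `--sport`/`--dport` lines — and stop before the DNAT branch with `die "NAT rule needs sport as the external port\n" unless defined $rule->{sport};`. `run_command` at lines 15 and 37 receives a one-element arrayref holding the entire command line, which Perl passes to exec as a single string (word-split, or handed to /bin/sh when it contains metacharacters), whereas a real argument list such as `run_command(['iptables', '-t', 'nat', '-A', 'PREROUTING', split(' ', $nat_matchstr)])` keeps the shell out of that path, assuming `$matchstr` holds plain space-separated tokens. The trigger at line 10 is the rule comment with no check of which configuration the rule belongs to, so if guest rule sets pass through this function as well, someone allowed to edit only a VM's firewall rules could install host-wide PREROUTING/POSTROUTING NAT; restricting NAT generation to the host/cluster rule set (or a dedicated rule option instead of the comment) keeps that under host-admin control. In this version the block sits before `$add_dport->()` at lines 41–42, where the port matches are still being pushed onto `@match`, so confirm against the function body outside the hunk that `$matchstr` already holds the `--dport` entry that line 31 rewrites; `$ext_if` being fixed to `vmbr0` at line 9 would also be better read from the host firewall configuration. The enclosing function starts and ends outside the hunk, and the same block recurs in the 4.0-8 through 4.3-5 patches below.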
43 | @@ -3504,6 +3537,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-8.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-11-18 13:48:20.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:45:32.139277781 +0100
3 | @@ -2085,6 +2085,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3541,6 +3575,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.0-9.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-12-03 08:12:20.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:46:36.815278816 +0100
3 | @@ -2085,6 +2085,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3542,6 +3576,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.1-1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-05-04 15:01:57.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:48:46.603280895 +0100
3 | @@ -2102,6 +2102,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3607,6 +3641,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.1-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-05-06 17:41:36.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:50:10.443282237 +0100
3 | @@ -2100,6 +2100,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3605,6 +3639,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.1-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-09-18 16:51:27.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:51:26.531283455 +0100
3 | @@ -2145,6 +2145,39 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | my @iptcmds;
41 | my $log = $rule->{log};
42 | if (defined($log) && $log ne 'nolog') {
43 | @@ -3654,6 +3687,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.1-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-05-26 17:27:56.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:52:30.047284473 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-06-21 11:31:42.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:14:55.515306017 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-09-10 13:00:07.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:15:34.195306636 +0100
3 | @@ -2141,6 +2141,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3651,6 +3685,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-10-12 10:39:05.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:17:37.375308609 +0100
3 | @@ -2141,6 +2141,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3651,6 +3685,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-11-04 16:37:13.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 02:21:20.262274568 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3657,6 +3691,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2022-08-29 09:43:53.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:18:44.623309685 +0100
3 | @@ -2151,6 +2151,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3665,6 +3699,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.2-7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2022-11-17 19:53:04.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 20:19:36.119310510 +0100
3 | @@ -2157,6 +2157,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.3-1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2023-03-17 15:24:56.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 20:20:23.375311267 +0100
3 | @@ -2206,6 +2206,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3706,6 +3740,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.3-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:09:07.848354746 +0100
3 | @@ -2215,6 +2215,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3716,6 +3749,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.3-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:09:45.276354401 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 4.3-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:10:12.260354152 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
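Review bot: The three substitutions at hunk lines 25, 31 and 34 interpolate `$rule->{sport}`, `$rule->{dport}` and `$rule->{dest}` into regex patterns unescaped, so a CIDR destination, a port range or a `+`-prefixed ipset name is read as regex metacharacters (`.` matches any character, `+` is a quantifier) rather than literally; wrap them as `\Q$rule->{dest}\E` and likewise for both ports. Lines 31 and 36 also use `$rule->{sport}` and `$rule->{dport}` without the `defined` check that line 23 applies to sport alone, so a NAT-commented `in` rule missing either port yields `--dport ` or `--to dest:` and an iptables failure; guarding the whole DNAT branch on all three fields avoids that. Both commands (lines 15 and 37) are built as one whitespace-joined string inside a single-element array ref, and if `run_command` hands such an element to a shell (its dispatch cannot be confirmed from this page) the rule's field values reach the shell parser, whereas a list form such as `run_command(['iptables', '-t', 'nat', '-A', 'PREROUTING', split(' ', $nat_matchstr)])` keeps every value a separate argv entry. The same block is repeated in every other patch file on this page (5.0.1 through 5.0.7, the pve_fw_dist copies and 5.1.0), so the points apply there too. The enclosing function starts and ends outside the hunk.
```perl
    # … unchanged: $ext_if, NAT-comment check and SNAT branch …

    #DNAT: all three fields are needed to build a valid '--to dest:port' target
    if ($rule->{type} eq 'in' && defined($rule->{sport}) && defined($rule->{dport}) && defined($rule->{dest})) {
        #sport is the inbound port on $ext_if, not a real source port: drop it from the filter rule
        $matchstr =~ s/--sport \Q$rule->{sport}\E//;

        my $nat_matchstr = $matchstr;
        $nat_matchstr =~ s/--dport \Q$rule->{dport}\E/--dport $rule->{sport}/;
        $nat_matchstr =~ s/-d \Q$rule->{dest}\E//;

        run_command(['iptables', '-t', 'nat', '-A', 'PREROUTING', split(' ', $nat_matchstr),
            '-i', $ext_if, '-j', 'DNAT', '--to', "$rule->{dest}:$rule->{dport}"]);
    }
```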
43 | @@ -3749,6 +3782,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:04:02.996357556 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:04:28.416357321 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:05:19.040356855 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3749,6 +3782,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-19 20:04:09.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 13:35:54.430787496 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-23 13:11:43.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:39:15.338098346 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-26 17:19:50.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:43:17.866086899 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/patches/pve-firewall: 5.0.7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-30 10:30:16.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:47:23.238075317 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.1_amd64/pve-firewall: 5.0.1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:04:02.996357556 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.2_amd64/pve-firewall: 5.0.2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:04:28.416357321 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.3_amd64/pve-firewall: 5.0.3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.020362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:05:19.040356855 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3749,6 +3782,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.4_amd64/pve-firewall: 5.0.4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-19 20:04:09.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 13:35:54.430787496 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.5_amd64/pve-firewall: 5.0.5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-23 13:11:43.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:39:15.338098346 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.6_amd64/pve-firewall: 5.0.6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-26 17:19:50.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:43:17.866086899 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.0.7_amd64/pve-firewall: 5.0.7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-04-30 10:30:16.000000000 +0200
2 | +++ Firewall.pm 2024-06-24 17:47:23.238075317 +0200
3 | @@ -2235,6 +2235,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3755,6 +3788,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bookworm/pve-firewall_5.1.0_amd64/pve-firewall: 5.1.0.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2025-02-23 13:56:32.565394948 +0100
2 | +++ Firewall.pm 2025-02-23 14:03:39.594369659 +0100
3 | @@ -2302,6 +2302,37 @@
4 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
14 | + }
15 | +
16 | + #DNAT
17 | + if ($rule->{type} eq 'in') {
18 | +
19 | + #with ipset field is empty
20 | + if (defined $rule->{sport}) {
21 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
22 | + $matchstr =~ s/--sport $rule->{sport}//;
23 | + }
24 | +
25 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
26 | +
27 | + #replace dport (its nat destonation in rule) to sport
28 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
29 | +
30 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
31 | + $nat_matchstr =~ s/-d $rule->{dest}//;
32 | +
33 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
34 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
35 | + }
36 | + }
37 | +
38 | my @iptcmds;
39 | my $log = $rule->{log};
40 | if (defined($log) && $log ne 'nolog') {
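Review bot: The DNAT command built from `$nat_matchstr` matches every packet arriving on `vmbr0` for the port, because the `s/-d $rule->{dest}//` substitution strips the only destination match and nothing ties the rule to the host's external address, so a rule whose comment begins with `NAT` redirects traffic addressed to the host itself (and, with bridge netfilter active, traffic crossing the bridge between guests) to `$rule->{dest}`. The context lines (`$targetstr`, `@iptcmds`) suggest this is the generic per-rule emitter; if it is also reached for guest-level rules, whoever may edit a guest's firewall rules can program host-wide nat entries through a comment string, a boundary pve-firewall did not previously cross. Limit the hook to host-level rules and keep an explicit destination, e.g. `$nat_matchstr .= " -d $ext_addr -i $ext_if -j DNAT --to $rule->{dest}:$rule->{dport}";` with `$ext_addr` read from configuration. The enclosing function starts and ends outside the hunk.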
41 | @@ -3910,6 +3941,9 @@
42 |
43 | my $vmfw_configs;
44 |
45 | + #flush NAT table, flush raw + add PREROUTING contrack
46 | + run_command(['iptables -t nat -F']);
47 | +
48 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
49 | $pve_std_chains = dclone($pve_std_chains_conf);
50 |
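Review bot: The flush happens while the ruleset is being compiled, not when a changed ruleset is applied, so if this function runs on the daemon's regular update cycle the nat table is emptied and repopulated on every pass even when nothing changed, and between this flush and the re-adds during rule generation new connections leave untranslated. Tie the nat handling to the apply step, or at least compare the generated nat rules with the current `iptables -t nat -S` output and only flush and re-add on a difference. A compile-only invocation (a dry run, if it reaches this code) would otherwise mutate the live nat table too. The enclosing function starts and ends outside the hunk.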
51 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-2_amd64/pve-firewall: 4.2-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-06-21 11:31:42.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:14:55.515306017 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
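Review bot: The substitutions `s/--sport $rule->{sport}//`, `s/--dport $rule->{dport}/--dport $rule->{sport}/` and `s/-d $rule->{dest}//` interpolate rule fields into regular expressions unescaped, so a destination written as an ipset (`+name`), an alias or anything with pattern metacharacters is read as regex syntax and the match silently fails, leaving the original `-d` in the nat command. Quote the fields: `s/--sport \Q$rule->{sport}\E//;`, `s/--dport \Q$rule->{dport}\E/--dport $rule->{sport}/;`, `s/-d \Q$rule->{dest}\E//;`. A port range or list in `dport` would also produce an invalid `--to dest:80:90`; either reject those forms with a clear `die` or emit `--to-destination dest:80-90`. The enclosing function starts and ends outside the hunk.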
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
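Review bot: The comment `#flush NAT table, flush raw + add PREROUTING contrack` promises a raw-table flush and a conntrack rule that the code does not add — only `iptables -t nat -F` follows — so a maintainer will hunt for missing statements. Replace it with `# Clear the nat table; NAT rules are re-added from scratch while the per-rule match strings are generated.` The call also lacks `-w`, so a concurrently held xtables lock makes it fail, and if run_command dies on a non-zero exit (nothing here suppresses that) the whole ruleset compilation aborts with it; use `run_command(['iptables', '-w', '-t', 'nat', '-F'])`. The enclosing function starts and ends outside the hunk.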
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-3_amd64/pve-firewall: 4.2-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-09-10 13:00:07.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:15:34.195306636 +0100
3 | @@ -2141,6 +2141,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
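Review bot: `$rule->{sport}` is interpolated into the `--dport` replacement even when the `defined $rule->{sport}` check just above has failed, so an inbound rule with a `NAT` comment and no source port emits `--dport  -i vmbr0`, iptables rejects it, and if run_command dies on a non-zero exit the rule generation for the whole host aborts. Validate before building the command and name the rule in the error: `die "NAT rule needs 'sport' as the external port: $rule->{comment}\n" if !defined($rule->{sport});`. `dest` and `dport` deserve the same guard since both are concatenated into `--to`. The enclosing function starts and ends outside the hunk.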
44 | @@ -3651,6 +3685,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
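Review bot: `iptables -t nat -F` wipes every built-in chain of the nat table, so NAT rules installed by other software on the host (container runtimes, `post-up` lines in the interfaces file, other hooks) are removed on every run without a trace in the log. Give the patch its own chains, flush only those, and jump to them once from PREROUTING and POSTROUTING; the rule-generation hunk then appends to those chains instead of the built-ins. The enclosing function starts and ends outside the hunk.
```perl
# … unchanged: my $vmfw_configs; …
# Own chains: flushing them cannot remove NAT rules installed by other tools.
for my $chain (qw(PVEFW-NAT-PRE PVEFW-NAT-POST)) {
    eval { run_command(['iptables', '-w', '-t', 'nat', '-N', $chain]) }; # already exists on later runs
    run_command(['iptables', '-w', '-t', 'nat', '-F', $chain]);
}
```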
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-4_amd64/pve-firewall: 4.2-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-10-12 10:39:05.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:17:37.375308609 +0100
3 | @@ -2141,6 +2141,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
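Review bot: The two `run_command` calls execute iptables as a side effect of building a rule's match string, so the nat entries bypass the compile → diff → apply path the rest of the firewall uses: they are installed immediately, are not part of the atomic restore, and any caller that only wants to render the ruleset (a dry-run compile, if it reaches this function) now changes the live nat table. Each command is also passed as one whitespace-joined string inside the array ref rather than as separate arguments, and without `-w`, so a concurrent xtables user makes it fail. Collect the nat lines into the ruleset structure next to the filter rules and let the existing apply step load them; at minimum use `['iptables', '-w', '-t', 'nat', ...]` with one argument per element. The enclosing function starts and ends outside the hunk.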
44 | @@ -3651,6 +3685,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-5_amd64/pve-firewall: 4.2-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-11-04 16:37:13.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 02:21:20.262274568 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
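Review bot: `substr($rule->{comment},0,3) eq 'NAT'` turns the free-text comment field into a control channel and fires on any comment that merely starts with those letters (`NATS relay`, `NATO link`), so an unrelated rule silently gains a MASQUERADE or DNAT twin. Use at least an explicit token, `$rule->{comment} =~ /\ANAT\b/`, and preferably a dedicated, schema-validated rule option so the API can reject it where NAT must not be configured. Whether disabled rules reach this point depends on the caller, which is outside the hunk; if they do, `$rule->{enable}` must be checked here as well. The enclosing function starts and ends outside the hunk.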
44 | @@ -3657,6 +3691,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
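Review bot: The comment `#flush NAT table, flush raw + add PREROUTING contrack` does not match the single statement beneath it — there is no raw-table flush and no conntrack rule — and will send a maintainer looking for code that was never written. Replace it with what happens and why: `# Clear the nat table; the NAT rules are re-added from scratch while the per-rule match strings are generated.` The enclosing function starts and ends outside the hunk.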
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-6_amd64/pve-firewall: 4.2-6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2022-08-29 09:43:53.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 20:18:44.623309685 +0100
3 | @@ -2151,6 +2151,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
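Review bot: `my $ext_if = 'vmbr0'` hard-codes the uplink and only `iptables` is ever invoked, so on a host whose external bridge has another name the rules masquerade and DNAT on the wrong interface without any error, and an IPv6 rule that carries a `NAT` comment produces an `iptables` command with IPv6 addresses that fails outright. Read the interface from configuration (or define it once at file scope with a comment explaining the assumption) and skip the hook for IPv6 rules, e.g. `return if $ipversion == 6;` if that value is in scope in the enclosing function, which starts and ends outside the hunk.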
44 | @@ -3665,6 +3699,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
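Review bot: `iptables -t nat -F` removes every rule from the built-in nat chains, including MASQUERADE and DNAT entries owned by other software on the host (container runtimes, `post-up` lines, other hooks), and does so silently on every run. Create chains the patch owns, flush only those, and jump to them once from PREROUTING and POSTROUTING; the rule-generation hunk then appends to those chains. The enclosing function starts and ends outside the hunk.
```perl
# … unchanged: my $vmfw_configs; …
# Own chains: flushing them cannot remove NAT rules installed by other tools.
for my $chain (qw(PVEFW-NAT-PRE PVEFW-NAT-POST)) {
    eval { run_command(['iptables', '-w', '-t', 'nat', '-N', $chain]) }; # already exists on later runs
    run_command(['iptables', '-w', '-t', 'nat', '-F', $chain]);
}
```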
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.2-7_amd64/pve-firewall: 4.2-7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2022-11-17 19:53:04.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 20:19:36.119310510 +0100
3 | @@ -2157,6 +2157,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
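Review bot: The PREROUTING rule matches all traffic entering `vmbr0` on the port, because `s/-d $rule->{dest}//` removes the only destination match and no external address is put in its place, so a comment starting with `NAT` redirects packets addressed to the host itself (and, with bridge netfilter active, traffic between guests on the bridge) to `$rule->{dest}`. If this per-rule emitter is shared with guest rules, as the `$targetstr`/`@iptcmds` context suggests, a user allowed to edit one guest's firewall can thereby take over ports on the host's external address. Restrict the hook to host-level rules and keep a destination match, `-d $ext_addr`, with the address taken from configuration rather than implied. The enclosing function starts and ends outside the hunk.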
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
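Review bot: `run_command(['iptables -t nat -F'])` carries no `-w`, so if another process holds the xtables lock the call fails, and since nothing here tells run_command to tolerate a non-zero exit, the whole ruleset compilation aborts and the filter rules are not refreshed either. Use `run_command(['iptables', '-w', '-t', 'nat', '-F'])` and decide explicitly whether a nat failure should abort the filter update or merely be logged. The enclosing function starts and ends outside the hunk.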
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.3-1_amd64/pve-firewall: 4.3-1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2023-03-17 15:24:56.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 20:20:23.375311267 +0100
3 | @@ -2206,6 +2206,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3706,6 +3740,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
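Review bot: Flushing here couples nat to compilation rather than to applying a changed ruleset, so if this function runs on the daemon's periodic cycle the nat table is cleared and rebuilt on every pass, with new connections between this flush and the re-adds during rule generation left untranslated. Move the nat handling to the apply step, or diff the generated nat rules against `iptables -t nat -S` and only touch the table when they differ. The enclosing function starts and ends outside the hunk.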
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.3-2_amd64/pve-firewall: 4.3-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:09:07.848354746 +0100
3 | @@ -2215,6 +2215,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
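Review bot: The `--dport` replacement interpolates `$rule->{sport}` unconditionally, although the `defined $rule->{sport}` check just above shows it may be absent, so an inbound `NAT` rule without a source port produces `--dport  -i vmbr0`, which iptables rejects; if run_command dies on the non-zero exit, rule generation for the whole host aborts. Validate first and name the rule: `die "NAT rule needs 'sport' as the external port: $rule->{comment}\n" if !defined($rule->{sport});`, and guard `dest` and `dport` the same way since both end up in `--to`. The enclosing function starts and ends outside the hunk.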
43 | @@ -3716,6 +3749,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
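Review bot: The comment `#flush NAT table, flush raw + add PREROUTING contrack` is out of step with the code: only `iptables -t nat -F` follows, with no raw flush and no conntrack rule, so it misdirects the next reader. Replace it with `# Clear the nat table; the NAT rules are re-added from scratch while the per-rule match strings are generated.` The enclosing function starts and ends outside the hunk.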
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.3-4_amd64/pve-firewall: 4.3-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:09:45.276354401 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | @@ -3739,6 +3772,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
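Review bot: `iptables -t nat -F` empties every built-in nat chain, so rules placed there by other software on the host (container runtimes, `post-up` lines in the interfaces file, other hooks) are dropped on each run without a log entry. Own chains solve this: create them once, flush only them, and jump to them from PREROUTING and POSTROUTING, with the rule-generation hunk appending to those chains. The enclosing function starts and ends outside the hunk.
```perl
# … unchanged: my $vmfw_configs; …
# Own chains: flushing them cannot remove NAT rules installed by other tools.
for my $chain (qw(PVEFW-NAT-PRE PVEFW-NAT-POST)) {
    eval { run_command(['iptables', '-w', '-t', 'nat', '-N', $chain]) }; # already exists on later runs
    run_command(['iptables', '-w', '-t', 'nat', '-F', $chain]);
}
```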
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/bullseye/pve-firewall_4.3-5_amd64/pve-firewall: 4.3-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:10:12.260354152 +0100
3 | @@ -2229,6 +2229,39 @@
4 | my $action = (defined $rule->{action}) ? $rule->{action} : "";
5 | $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | my @iptcmds;
42 | my $log = $rule->{log};
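Review bot: Because `s/-d $rule->{dest}//` deletes the destination match and nothing replaces it, the DNAT rule appended to PREROUTING matches all traffic entering `vmbr0` on the port — including packets addressed to the host's own external address and, with bridge netfilter active, traffic passing between guests on the bridge — and sends it to `$rule->{dest}`. If this generic emitter is also reached for guest-level rules, as the surrounding `$targetstr`/`@iptcmds` code suggests, editing a guest's firewall rules becomes a way to capture host ports through a comment string. Limit the hook to host-level rules and keep an explicit `-d $ext_addr` match with the address read from configuration. The enclosing function starts and ends outside the hunk.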
43 | @@ -3749,6 +3782,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-10_amd64/pve-firewall: 4.0-10.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-01-27 19:25:49.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:47:46.051279925 +0100
3 | @@ -2090,6 +2090,39 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | my @iptcmds;
41 | my $log = $rule->{log};
42 | if (defined($log) && $log ne 'nolog') {
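Review bot: The substitutions `s/--sport $rule->{sport}//`, `s/--dport $rule->{dport}/--dport $rule->{sport}/` and `s/-d $rule->{dest}//` use rule fields as raw regex text, so an ipset destination such as `+name` is parsed as a quantifier and the match silently fails, leaving `-d` in the nat command; wrap the fields in `\Q...\E`. Independently, `my $ext_if = 'vmbr0'` hard-codes the uplink and only `iptables` is called, so an IPv6 rule with a `NAT` comment yields an `iptables` command with IPv6 addresses that fails and a host with a differently named external bridge is NATed on the wrong interface. Read the interface from configuration and skip the hook for IPv6 rules. The enclosing function starts and ends outside the hunk.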
43 | @@ -3546,6 +3579,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
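Review bot: `run_command(['iptables -t nat -F'])` does not pass `-w`, so a concurrently held xtables lock makes it fail, and as nothing here asks run_command to tolerate a non-zero exit, the failure aborts the whole ruleset compilation and the filter rules go unrefreshed too. Use `run_command(['iptables', '-w', '-t', 'nat', '-F'])` and decide explicitly whether a nat failure should abort the filter update or only be logged. The enclosing function starts and ends outside the hunk.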
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-3_amd64/pve-firewall: 4.0-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-04 15:56:11.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:22:28.674333309 +0100
3 | @@ -2045,6 +2045,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
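Review bot: The comment `#flush NAT table, flush raw + add PREROUTING contrack` describes a raw-table flush and a conntrack rule that do not exist in the code below it, which is the single `iptables -t nat -F`. Replace it with `# Clear the nat table; the NAT rules are re-added from scratch while the per-rule match strings are generated.` so the comment and the behaviour agree. The enclosing function starts and ends outside the hunk.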
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-4_amd64/pve-firewall: 4.0-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-11 19:40:01.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:26:13.490336909 +0100
3 | @@ -2046,6 +2046,40 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | +
41 | my @iptcmds;
42 | my $log = $rule->{log};
43 | if (defined($log) && $log ne 'nolog') {
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
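Review bot: `iptables -t nat -F` clears every built-in chain of the nat table, so NAT rules owned by other software on the host (container runtimes, `post-up` lines in the interfaces file, other hooks) disappear on every run without any log line. Give the patch chains of its own, flush only those, and jump to them once from PREROUTING and POSTROUTING; the rule-generation hunk then appends to those chains instead of the built-ins. The enclosing function starts and ends outside the hunk.
```perl
# … unchanged: my $vmfw_configs; …
# Own chains: flushing them cannot remove NAT rules installed by other tools.
for my $chain (qw(PVEFW-NAT-PRE PVEFW-NAT-POST)) {
    eval { run_command(['iptables', '-w', '-t', 'nat', '-N', $chain]) }; # already exists on later runs
    run_command(['iptables', '-w', '-t', 'nat', '-F', $chain]);
}
```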
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-5_amd64/pve-firewall: 4.0-5.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-12 11:47:53.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 03:28:25.042339015 +0100
3 | @@ -2045,6 +2045,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3501,6 +3535,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
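Review bot: The flush is tied to compilation instead of to applying a changed ruleset, so if this function runs on the daemon's regular cycle the nat table is emptied and rebuilt every pass regardless of changes, and new connections between this flush and the re-adds during rule generation are not translated. Move the nat handling to the apply step, or diff the generated nat rules against `iptables -t nat -S` and only act when they differ. The enclosing function starts and ends outside the hunk.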
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-6_amd64/pve-firewall: 4.0-6.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-07-23 18:57:48.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:43:05.995275441 +0100
3 | @@ -2026,6 +2026,40 @@
4 | push @match, "--sport $rule->{sport}";
5 | }
6 | };
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | # order matters - single port before multiport!
43 | $add_dport->() if $multisport;
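Review bot: The rule fields are interpolated unescaped into the regexes in `s/--sport $rule->{sport}//`, `s/--dport $rule->{dport}/--dport $rule->{sport}/` and `s/-d $rule->{dest}//`, so a `dest` like `10.0.0.5` matches with `.` as a wildcard and a value containing `+` or `*` (an ipset reference, for instance) is a regex error; quote them, e.g. `$nat_matchstr =~ s/-d \Q$rule->{dest}\E//;` and likewise for the port substitutions. The DNAT branch only guards the `sport` removal, so with `sport` or `dport` undefined the generated command still runs with `--dport ` and `--to <dest>:` left empty; wrap the PREROUTING command in `if (defined $rule->{sport} && defined $rule->{dport}) { ... }` and skip the rule otherwise. Both iptables invocations hand `run_command` a one-element array holding a space-separated string, which is effectively the string form rather than an argument list; building the argument vector from `@match` directly (`['iptables', '-t', 'nat', '-A', 'PREROUTING', @nat_match, '-i', $ext_if, '-j', 'DNAT', '--to', "$rule->{dest}:$rule->{dport}"]`) avoids any shell interpretation of rule data. In this diff and in 4.0-7 the block sits before the `$add_dport`/`$add_sport` calls, so `$matchstr` appears to be read before the port matches are added (and possibly before its `my` declaration, which would not compile under strict) — confirm against the surrounding code; 4.0-8 onward anchor the block after `$targetstr` instead. The enclosing function starts and ends outside the hunk, and the same block recurs in the 4.0-7, 4.0-8, 4.0-9, 4.1-1, 4.1-2, 4.1-3 and 4.1-4 diffs below.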
44 | @@ -3504,6 +3538,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-7_amd64/pve-firewall: 4.0-7.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2024-03-29 22:54:57.024362588 +0100
2 | +++ Firewall.pm 2024-03-29 23:11:57.872353179 +0100
3 | @@ -2026,6 +2026,39 @@
4 | push @match, "--sport $rule->{sport}";
5 | }
6 | };
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | + }
40 |
41 | # order matters - single port before multiport!
42 | $add_dport->() if $multisport;
43 | @@ -3504,6 +3537,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-8_amd64/pve-firewall: 4.0-8.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-11-18 13:48:20.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:45:32.139277781 +0100
3 | @@ -2085,6 +2085,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3541,6 +3575,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.0-9_amd64/pve-firewall: 4.0-9.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2019-12-03 08:12:20.000000000 +0100
2 | +++ Firewall.pm 2024-02-18 19:46:36.815278816 +0100
3 | @@ -2085,6 +2085,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3542,6 +3576,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.1-1_amd64/pve-firewall: 4.1-1.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-05-04 15:01:57.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:48:46.603280895 +0100
3 | @@ -2102,6 +2102,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3607,6 +3641,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.1-2_amd64/pve-firewall: 4.1-2.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-05-06 17:41:36.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:50:10.443282237 +0100
3 | @@ -2100,6 +2100,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3605,6 +3639,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.1-3_amd64/pve-firewall: 4.1-3.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2020-09-18 16:51:27.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:51:26.531283455 +0100
3 | @@ -2145,6 +2145,39 @@
4 | $targetstr = ($goto) ? "-g $action" : "-j $action";
5 | }
6 |
7 | + #add second NAT rule if comment eq NAT
8 | + my $ext_if = 'vmbr0'; #external interface
9 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
10 | +
11 | + #SNAT
12 | + if ($rule->{type} eq 'out') {
13 | +
14 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
15 | +
16 | + }
17 | +
18 | + #DNAT
19 | + if ($rule->{type} eq 'in') {
20 | +
21 | + #with ipset field is empty
22 | + if (defined $rule->{sport}) {
23 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
24 | + $matchstr =~ s/--sport $rule->{sport}//;
25 | + }
26 | +
27 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
28 | +
29 | + #replace dport (its nat destonation in rule) to sport
30 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
31 | +
32 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
33 | + $nat_matchstr =~ s/-d $rule->{dest}//;
34 | +
35 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
36 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
37 | + }
38 | +
39 | + }
40 | my @iptcmds;
41 | my $log = $rule->{log};
42 | if (defined($log) && $log ne 'nolog') {
43 | @@ -3654,6 +3687,9 @@
44 |
45 | my $vmfw_configs;
46 |
47 | + #flush NAT table, flush raw + add PREROUTING contrack
48 | + run_command(['iptables -t nat -F']);
49 | +
50 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
51 | $pve_std_chains = dclone($pve_std_chains_conf);
52 |
53 |
--------------------------------------------------------------------------------
/pve_fw_dist/buster/pve-firewall_4.1-4_amd64/pve-firewall: 4.1-4.diff:
--------------------------------------------------------------------------------
1 | --- Firewall.pm.orig 2021-05-26 17:27:56.000000000 +0200
2 | +++ Firewall.pm 2024-02-18 19:52:30.047284473 +0100
3 | @@ -2143,6 +2143,40 @@
4 | my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
5 | $targetstr = ($goto) ? "-g $action" : "-j $action";
6 | }
7 | +
8 | + #add second NAT rule if comment eq NAT
9 | + my $ext_if = 'vmbr0'; #external interface
10 | + if ($rule->{comment} && substr($rule->{comment},0,3) eq 'NAT') {
11 | +
12 | + #SNAT
13 | + if ($rule->{type} eq 'out') {
14 | +
15 | + run_command(['iptables -t nat -A POSTROUTING ' . $matchstr . ' -o ' . $ext_if . ' -j MASQUERADE']);
16 | +
17 | + }
18 | +
19 | + #DNAT
20 | + if ($rule->{type} eq 'in') {
21 | +
22 | + #with ipset field is empty
23 | + if (defined $rule->{sport}) {
24 | + #patch matchstr. Use sport like inbound port on $ext_if. So to get valid pve rule we delete it.
25 | + $matchstr =~ s/--sport $rule->{sport}//;
26 | + }
27 | +
28 | + my $nat_matchstr = $matchstr; #matchstr include ipset data
29 | +
30 | + #replace dport (its nat destonation in rule) to sport
31 | + $nat_matchstr =~ s/--dport $rule->{dport}/--dport $rule->{sport}/;
32 | +
33 | + #delete destination data from rule, in DNAT rule that data must be at '--to-destination' block
34 | + $nat_matchstr =~ s/-d $rule->{dest}//;
35 | +
36 | + $nat_matchstr .= ' -i ' . $ext_if . ' -j DNAT --to ' . $rule->{dest} . ':' . $rule->{dport};
37 | + run_command(['iptables -t nat -A PREROUTING ' . $nat_matchstr]);
38 | + }
39 | +
40 | + }
41 |
42 | my @iptcmds;
43 | my $log = $rule->{log};
44 | @@ -3653,6 +3687,9 @@
45 |
46 | my $vmfw_configs;
47 |
48 | + #flush NAT table, flush raw + add PREROUTING contrack
49 | + run_command(['iptables -t nat -F']);
50 | +
51 | # fixme: once we read standard chains from config this needs to be put in test/standard cases below
52 | $pve_std_chains = dclone($pve_std_chains_conf);
53 |
54 |
--------------------------------------------------------------------------------