mirror of
git://git.proxmox.com/git/pve-firewall.git
synced 2025-01-21 22:03:52 +03:00
Create corosync firewall rules independently of localnet
"localnet" does not necessarily correspond to the correct network for corosync (e.g. corosync rings/link can be run independently from other PVE cluster service networks). This change uses the previously introduced sub 'for_all_corosync_addresses' to iterate through all nodes in a corosync cluster and generate rules for all nodes and all their respective ringX_addr's it finds. The rules are generated as strict as possible, there is a specific rule for every remote node and every ring/link. Also, communication "between" different links/rings is not allowed, e.g. a remote ring1_addr cannot contact a local ring0_addr, and vice versa. Multicast is always allowed, for backwards compatibility. Note however, that we no longer filter on the source of inbound multicast packets, since that would require localnet, and thus introduce the bug we're trying to fix once again. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
This commit is contained in:
parent
9429bd3510
commit
06208a013f
@ -10,10 +10,11 @@ use File::Path;
|
||||
use IO::File;
|
||||
use Net::IP;
|
||||
use POSIX;
|
||||
use Socket qw(AF_INET6 inet_ntop inet_pton);
|
||||
use Socket qw(AF_INET AF_INET6 inet_ntop inet_pton);
|
||||
use Storable qw(dclone);
|
||||
|
||||
use PVE::Cluster;
|
||||
use PVE::Corosync;
|
||||
use PVE::Exception qw(raise raise_param_exc);
|
||||
use PVE::INotify;
|
||||
use PVE::JSONSchema qw(register_standard_option get_standard_option);
|
||||
@ -2395,13 +2396,27 @@ sub generate_tap_rules_direction {
|
||||
}
|
||||
|
||||
sub enable_host_firewall {
|
||||
my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion) = @_;
|
||||
my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion, $corosync_conf) = @_;
|
||||
|
||||
my $options = $hostfw_conf->{options};
|
||||
my $cluster_options = $cluster_conf->{options};
|
||||
my $rules = $hostfw_conf->{rules};
|
||||
my $cluster_rules = $cluster_conf->{rules};
|
||||
|
||||
# corosync preparation
|
||||
my $corosync_rule = "-p udp --dport 5404:5405";
|
||||
my $corosync_local_addresses = {};
|
||||
my $local_hostname = PVE::INotify::nodename();
|
||||
if (defined($corosync_conf)) {
|
||||
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
|
||||
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
|
||||
|
||||
if ($node_name eq $local_hostname) {
|
||||
$corosync_local_addresses->{$key} = $node_ip;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
# host inbound firewall
|
||||
my $chain = "PVEFW-HOST-IN";
|
||||
ruleset_create_chain($ruleset, $chain);
|
||||
@ -2446,14 +2461,23 @@ sub enable_host_firewall {
|
||||
ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy
|
||||
ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j $accept_action"); # SSH
|
||||
|
||||
my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
|
||||
my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion};
|
||||
# corosync inbound rules
|
||||
if (defined($corosync_conf)) {
|
||||
# always allow multicast
|
||||
ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
|
||||
|
||||
# corosync
|
||||
if ($localnet && ($ipversion == $localnet_ver)) {
|
||||
my $corosync_rule = "-p udp --dport 5404:5405";
|
||||
ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule", "-j $accept_action");
|
||||
ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
|
||||
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
|
||||
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
|
||||
|
||||
if ($node_name ne $local_hostname) {
|
||||
my $destination = $corosync_local_addresses->{$key};
|
||||
|
||||
# accept only traffic on same ring
|
||||
if (defined($destination)) {
|
||||
ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
# implement input policy
|
||||
@ -2496,15 +2520,33 @@ sub enable_host_firewall {
|
||||
}
|
||||
|
||||
# allow standard traffic on cluster network
|
||||
my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
|
||||
my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion};
|
||||
|
||||
if ($localnet && ($ipversion == $localnet_ver)) {
|
||||
ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action"); # PVE API
|
||||
ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action"); # SSH
|
||||
ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console
|
||||
ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy
|
||||
}
|
||||
|
||||
my $corosync_rule = "-p udp --dport 5404:5405";
|
||||
ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j $accept_action");
|
||||
# corosync outbound rules
|
||||
if (defined($corosync_conf)) {
|
||||
# always allow multicast
|
||||
ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
|
||||
|
||||
PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
|
||||
my ($node_name, $node_ip, $node_ipversion, $key) = @_;
|
||||
|
||||
if ($node_name ne $local_hostname) {
|
||||
my $source = $corosync_local_addresses->{$key};
|
||||
|
||||
# accept only traffic on same ring
|
||||
if (defined($source)) {
|
||||
ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
# implement output policy
|
||||
@ -3456,7 +3498,7 @@ sub save_hostfw_conf {
|
||||
}
|
||||
|
||||
sub compile {
|
||||
my ($cluster_conf, $hostfw_conf, $vmdata) = @_;
|
||||
my ($cluster_conf, $hostfw_conf, $vmdata, $corosync_conf) = @_;
|
||||
|
||||
my $vmfw_configs;
|
||||
|
||||
@ -3477,6 +3519,9 @@ sub compile {
|
||||
|
||||
$hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
|
||||
|
||||
# cfs_update is handled by daemon or API
|
||||
$corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
|
||||
|
||||
$vmdata = read_local_vm_config();
|
||||
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);
|
||||
}
|
||||
@ -3496,8 +3541,8 @@ sub compile {
|
||||
|
||||
push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
|
||||
|
||||
my $ruleset = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4);
|
||||
my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6);
|
||||
my $ruleset = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $corosync_conf, 4);
|
||||
my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $corosync_conf, 6);
|
||||
my $ebtables_ruleset = compile_ebtables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata);
|
||||
my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
|
||||
|
||||
@ -3505,7 +3550,7 @@ sub compile {
|
||||
}
|
||||
|
||||
sub compile_iptables_filter {
|
||||
my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion) = @_;
|
||||
my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $corosync_conf, $ipversion) = @_;
|
||||
|
||||
my $ruleset = {};
|
||||
|
||||
@ -3535,7 +3580,7 @@ sub compile_iptables_filter {
|
||||
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
|
||||
|
||||
if ($hostfw_enable) {
|
||||
eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
|
||||
eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion, $corosync_conf); };
|
||||
warn $@ if $@; # just to be sure - should not happen
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user