Proxmox/pve-firewall
5
0
Fork 0
mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-19 14:03:53 +03:00
Code Releases Activity

add configuration option for new nftables firewall

Browse Source 
Introduces new nftables configuration option that en/disables the new
nftables firewall.

pve-firewall reads this option and only generates iptables rules when
nftables is set to `0` or if the proxmox-firewall package is not
installed at all. Conversely, proxmox-firewall only generates rules
when the option is set to `1`.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [ TL: mark as tech preview and clarify is_enabled method name ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Stefan Hanreich 2024-04-19 11:42:36 +02:00 committed by Thomas Lamprecht
parent 3640b561ed
commit 60abf93972
1 changed files with 32 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
src/PVE/Firewall.pm
View File

@ -1408,6 +1408,12 @@ our $host_option_properties = {
default => 0,
optional => 1
},
nftables => {
description => "Enable nftables based firewall (tech preview)",
type => 'boolean',
default => 0,
optional => 1,
},
};
our $vm_option_properties = {
@ -2929,7 +2935,7 @@ sub parse_hostfw_option {
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack|nf_conntrack_allow_invalid|protection_synflood):\s*(0|1)\s*$/i) {
if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack|nf_conntrack_allow_invalid|protection_synflood|nftables):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
@ -4673,12 +4679,30 @@ sub remove_pvefw_chains_ebtables {
ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
}
sub init {
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
my $enable = $cluster_options->{enable};
sub is_nftables {
my ($cluster_conf, $host_conf) = @_;
return if !$enable;
if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
return 0;
}
$cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
$host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
return $host_conf->{options}->{nftables};
}
sub is_enabled_and_not_nftables {
my ($cluster_conf, $host_conf) = @_;
$cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
$host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
return $cluster_conf->{options}->{enable} && !is_nftables($cluster_conf, $host_conf);
}
sub init {
return if !is_enabled_and_not_nftables();
# load required modules here
}
@ -4687,14 +4711,13 @@ sub update {
my $code = sub {
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
my $hostfw_conf = load_hostfw_conf($cluster_conf);
if (!$cluster_options->{enable}) {
if (!is_enabled_and_not_nftables($cluster_conf, $hostfw_conf)) {
PVE::Firewall::remove_pvefw_chains();
return;
}
my $hostfw_conf = load_hostfw_conf($cluster_conf);
my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);