IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The DEB_BUILD_ARCH is the one from the build host, the DEB_HOST_ARCH
is the one the package is build for, so the latter is the correct one
here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The NOVIEW variable is useless now anyway, and the cleanup-docgen
target is a bit dangerous (removes _all_ *.adoc files) and it's just
a single line, so avoid complexity.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
without this additional conditions, it's possible to break the firewall by
setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for
'tcp'.
by rejecting the invalid rule/parameter, the rest of the ruleset is still
applied properly, and the error messages are a lot more informative as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
as that can trigger hard to reproduce/debug bugs; as with such
statements the variable won't be necessarily undef if the post-if
evaluates to false, but rather will hold the (now bogus) value from
the last time it evaluated to true.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The optional unix epoch timestamps parameters `since` and `until` are introduced
in order to filter firewall logs files. If one of these flags is set, also
rotated logfiles are included. This is handled in the `dump_fw_logfile` helper
function. Filtering is now performed based on a callback function passed to
`dump_fw_logfile`.
This patch depends on the corresponding patch in the pve-common repository.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
[w.bumiller@proxmox.com: fixup 'continue' -> 'next']
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
error: 192.168.1.155/24
correct: 192.168.1.0/24
This cleans the entered IP and removes the non zero host bits.
Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
Currently, trying to delete a non-empty IPSet will throw an error.
Manually deleting all members of the set might be a time-consuming
process, which the force parameter allows to bypass.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
When renaming a group, the usages didn't get updated automatically. To
get around problems with atomicity, the old rule is first cloned with the
new name, the usages are updated and only when updating has finished, the
old rule is deleted.
The subroutines that lock/update host configs had to be changed so that
it's possible to lock any config, not just the one of the current host.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
while I'm still a bit on the edge about the usefulness of this macro,
it should better convey for what it is, as SPICE itself doesn't
really have a direct port (in PVE that is), but all runs through our
spiceproxy, so name the macro that way.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
uses port 3128 (same as squid)
although it's enabled by default for the "management" ipset, it doesn't
hurt to add it in there.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!
note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
MAC filter was enabled as long as the VM firewall config existed even
with an invalid config.
With this change the check now matches the one for CTs.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
The former is simply new and we can control it, so do so instead of
ignoring it, if it seems worth while we can also expose that as
option or do some fancier auto calculation, maybe depending on ipset
size.
The u32 `initval` is a bit different, its not a config in the exact
traditional sense but would allow to recreate an bit to bit
indentical save/restore - but we do not really do that and we cannot
pre-calculate that our self (or at least I'd rather like to avoid
doing that from perl).. So, ignore it actively for now to avoid
false-postivie detection in pending changes.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
both, `override_dh_systemd_enable` and `override_dh_systemd_start`
are ignored with current compat level 12, and will become an error in
level >= 13, so drop them and use `override_dh_installsystemd` for
both of the previous uses.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
iptables-restore has a buffer limit of 1024 for paramters [0].
If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.
Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.
[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
The docs mention --<opt> as valid syntax for firewall rules, but the
code that parses the .fw files only accepts -<opt>. To make it
consistent with the docs and the API, also accept --<opt>.
In addition allow 'proto' as option, not only '-p'.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
