5
0
mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-21 22:03:52 +03:00

872 Commits

Author SHA1 Message Date
Stefan Hanreich
49d2d028e5 api: add vnet endpoints
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-11-19 16:40:45 +01:00
Stefan Hanreich
aa6aa578e8 sdn: add vnet firewall configuration
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Tested-by: Hannes Dürr <h.duerr@proxmox.com>
2024-11-19 16:40:45 +01:00
Stefan Hanreich
75a84a6b9e sdn: always include SDN configuration
If the cluster configuration does not exist, but in other firewall
configuration files there are rules referencing SDN IPsets, validation
for those rules fails, because the cluster configuration does not
contain the SDN IPSets. This is because generic_fw_config_parser
returns an empty hash when there is no cluster configuration file.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-11-19 16:40:45 +01:00
Stefan Hanreich
2e9eb2dbd8 ipsets: return sdn ipsets from api
In order for the new SDN ipsets to show up we need to adapt the
existing API endpoints so they read the SDN configuration. We reload
the SDN configuration explicitly, in order to return only the IPSets
the user is allowed to see.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-11-19 16:00:48 +01:00
Stefan Hanreich
9734f890c4 add support for loading sdn firewall configuration
This also includes support for parsing rules referencing IPSets in the
new SDN scope and generating those IPSets in the firewall. We always
load the new configuration, since loading the configuration always
includes validating the loaded rules. Validation fails without
including the SDN ipsets, leading to syslog error messages.

In the API, we only use the IPSets the user is actually allowed to use
for validating the rules - preventing users from using autogenerated
IPSets they have no permission for.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-11-19 16:00:48 +01:00
Stefan Hanreich
632d02a8e2 nftables: make is_nftables check flag file instead of config
is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.

It also avoids parsing the entire cluster and host firewall
configuration on VM / CT startup, which means increased performance.

While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2024-11-17 15:58:00 +01:00
Thomas Lamprecht
4339ef1526 bump version to 5.0.7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-30 10:30:25 +02:00
Thomas Lamprecht
21e5d52232 also signal force-disable nftables if FW is completely disabled
If the FW is disabled on cluster level then touch the file flag to
signal that the nftables FW should not run, to avoid that a config
that uses some keys the new ipl doesn't yet understand causes log-spam
there.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-30 10:27:21 +02:00
Thomas Lamprecht
c71345969d bump version to 5.0.6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-26 17:19:57 +02:00
Thomas Lamprecht
719bdfaab9 service: create flag file to signal if nftables impl should not run
The new nftables/rust based proxmox-firewall is still a WIP w.r.t.
understanding all oddities the firewall config provides.

This is not a problem in general, as it's released as tech-preview,
but the new service needs to parse the config to check if it's
enabled, so if that fails due to not recognizing some edge case, the
users get some scary looking log-spam.

So use a flag in the memory-backed /run as a side-channel that does
not need any parsing to signal if the new implementation should be
disabled.

This can be removed again once proxmox-firewall covers all possible
cases for sure and/or becomes the new default.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-26 17:15:59 +02:00
Thomas Lamprecht
e59c8fd1b5 buildsys: avoid that the dinstall target always triggers a rebuild
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-26 15:43:27 +02:00
Thomas Lamprecht
29b48c381d bump version to 5.0.5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-23 13:11:55 +02:00
Stefan Hanreich
b5c4c33632 simulator: use new bridge naming scheme
We now allow bridges without the vmbr prefix, so we need to allow them
here in the simulator as well.

Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-21 13:04:47 +02:00
Thomas Lamprecht
50af7e0970 bump version to 5.0.4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-19 20:04:25 +02:00
Stefan Hanreich
60abf93972 add configuration option for new nftables firewall
Introduces new nftables configuration option that en/disables the new
nftables firewall.

pve-firewall reads this option and only generates iptables rules when
nftables is set to `0` or if the proxmox-firewall package is not
installed at all. Conversely, proxmox-firewall only generates rules
when the option is set to `1`.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [ TL: mark as tech preview and clarify is_enabled method name ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-19 20:00:35 +02:00
Daniel Krambrock via pve-devel
3640b561ed fix #5335: stable sorting in cluster.fw
Stable sorting in cluster.fw config file allows tracking changes by
checking into git or when using automation like ansible.

Signed-off-by: Daniel Krambrock <krambrock@hrz.uni-marburg.de>
2024-04-16 14:26:42 +02:00
Wolfgang Bumiller
372869e075 bump version to 5.0.3
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-07-17 10:40:17 +02:00
Leo Nunner
1f0303f82a parser: fix scoped alias resolution
We tried to resolve aliases in some places where the cluster
configuration didn't get set. It's probably better to handle these cases
directly in the function at hand, instead of at every place where this
issues might arise.

This seemingly fixes the issues reported on pve-user and the forum:
  * https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
  * https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2023-07-17 10:35:51 +02:00
Thomas Lamprecht
0d28aa2abc bump version to 5.0.2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-06-21 19:17:27 +02:00
Leo Nunner
b06a8c2d03 fix #4556: api: return scoped IPSets and aliases
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2023-06-15 09:22:45 +02:00
Leo Nunner
aaa87fbb83 api: fix scoping for ipset endpoint
in the cluster class, we save the cluster config into the 'fw_conf'
variable, and not into 'cluster_conf', which in turns is set to 'undef'
instead.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2023-06-15 09:21:47 +02:00
Wolfgang Bumiller
355420892e bump version to 5.0.1
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-07 16:06:17 +02:00
Wolfgang Bumiller
5bf304b587 change vm/ prefix to guest/ prefix
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-07 16:04:25 +02:00
Wolfgang Bumiller
9405f42be8 d/control: add missing anyevent dependency
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-07 15:13:38 +02:00
Leo Nunner
eeed0d90c9 fix #4556: introduce 'dc' and 'vm' prefix for aliases
since they had the same issue as IPSets, detailed in #4556. The format
works the same as for IPSets:

    dc/alias
	Looks for the alias on the Datacenter level.
    vm/alias
	Looks for the alias on the VM level.
    alias
	Uses the previous method of scoping, where it first looks at the
	VM level and then at the Datacenter level.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2023-06-07 15:13:01 +02:00
Leo Nunner
856de23adb fix #4556: introduce 'dc' and 'vm' prefix for IPSets
to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:

    +dc/ipset
	Looks for the IPSet on the Datacenter level.
    +vm/ipset
	Looks for the IPSet on the VM level.
    +ipset
	Uses the previous method of scoping, where it first looks at the
	VM level and then at the Datacenter level.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2023-06-07 15:12:56 +02:00
Thomas Lamprecht
97f2bc6c68 bump version to 5.0.0
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:48:12 +02:00
Thomas Lamprecht
ed35a17793 d/control: raise standards version compliance to 4.6.2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:48:09 +02:00
Thomas Lamprecht
c3d811ce84 d/control: define compat level via build-depends and raise to 13
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:47:51 +02:00
Thomas Lamprecht
68a0d9585e buildsys: add sbuild convenience target
and only call lintian for the dsc target, as otherwise sbuild already
takes care of that (avoid duplicate work)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:46:48 +02:00
Thomas Lamprecht
a6d4c650d7 buildsys: derive upload dist automatically
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:46:36 +02:00
Thomas Lamprecht
22b180a180 buildsys: use full DEB_VERSION and correct DEB_HOST_ARCH
The DEB_BUILD_ARCH is the one from the build host, the DEB_HOST_ARCH
is the one the package is build for, so the latter is the correct one
here.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:45:24 +02:00
Thomas Lamprecht
8fca2e979a buildsys: cleanup and expand clean target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:42:06 +02:00
Thomas Lamprecht
005ab90dad add basic gitignore file
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:40:55 +02:00
Thomas Lamprecht
a1622d6367 d/control: do not depend on obsolete lsb-base
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:39:36 +02:00
Thomas Lamprecht
5d223aa31d makefile: convert to use simple parenthesis
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:39:25 +02:00
Thomas Lamprecht
8be25ddb37 buildsys: rework doc-gen cleanup and makefile inclusion
The NOVIEW variable is useless now anyway, and the cleanup-docgen
target is a bit dangerous (removes _all_ *.adoc files) and it's just
a single line, so avoid complexity.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-22 14:27:12 +02:00
Thomas Lamprecht
d3bf672b4f bump version to 4.3-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-16 11:18:09 +02:00
Fabian Grünbichler
4d1ca18ee6 fix #4730: add safeguards to prevent ICMP type misuse
without this additional conditions, it's possible to break the firewall by
setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for
'tcp'.

by rejecting the invalid rule/parameter, the rest of the ruleset is still
applied properly, and the error messages are a lot more informative as well.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-05-16 11:15:15 +02:00
Fabian Grünbichler
42a7fbe0a4 icmp: factor out check for relevant protocols
this were not entirely consistent and sometimes the checks were repeated.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-05-16 11:15:15 +02:00
Thomas Lamprecht
4fffdd36f0 d/changelog: fixup released
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-04-26 12:24:28 +02:00
Thomas Lamprecht
521148df13 fix variables declared in conditional statement
as that can trigger hard to reproduce/debug bugs; as with such
statements the variable won't be necessarily undef if the post-if
evaluates to false, but rather will hold the (now bogus) value from
the last time it evaluated to true.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-04-11 16:23:42 +02:00
Thomas Lamprecht
e3d08ca1a6 d/changelog: fix typo
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-03-17 15:30:49 +01:00
Thomas Lamprecht
23b3e816dd bump version to 4.3-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-03-17 15:28:37 +01:00
Alexandre Derumier
e3047e3f0c Fix #4550 : host options: add nf_conntrack_helpers
kernel 6.1 have removed auto helpers loading.
This was deprecaded since multiple years.

We simply need to add rules in PREROUTING to load theses helpers.

supported protocols :
- amanda
- ftp
- irc (ipv4 only)
- netbios-ns (ipv4 only)
- pptp (ipv4 only)
- sane
- sip
- snmp (ipv4 only)
- tftp

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2023-03-13 10:41:09 +01:00
Wolfgang Bumiller
43dfdf3bac d/control: depend on pve-common 7.3-2 for new dump-log variant
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-01-27 10:51:37 +01:00
Christian Ebner
8bd9b3e479 api: Add optional parameters since and until for timestamp filter
The optional unix epoch timestamps parameters `since` and `until` are introduced
in order to filter firewall logs files. If one of these flags is set, also
rotated logfiles are included. This is handled in the `dump_fw_logfile` helper
function. Filtering is now performed based on a callback function passed to
`dump_fw_logfile`.

This patch depends on the corresponding patch in the pve-common repository.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
[w.bumiller@proxmox.com: fixup 'continue' -> 'next']
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-01-27 10:49:55 +01:00
Stefan Hrdlicka
c9536959ab cleanup: don't capture "/xx" of CIDR
Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
2022-12-14 14:40:41 +01:00
Stefan Hrdlicka
1218eee930 allow non zero ip address host bits to be entered
They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
  error:   192.168.1.155/24
  correct: 192.168.1.0/24

This cleans the entered IP and removes the non zero host bits.

Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
2022-12-14 14:40:39 +01:00
Thomas Lamprecht
b4577a253c bump version to 4.2-7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-11-17 19:53:09 +01:00