IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Tested-by: Hannes Dürr <h.duerr@proxmox.com>
If the cluster configuration does not exist, but in other firewall
configuration files there are rules referencing SDN IPsets, validation
for those rules fails, because the cluster configuration does not
contain the SDN IPSets. This is because generic_fw_config_parser
returns an empty hash when there is no cluster configuration file.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
In order for the new SDN ipsets to show up we need to adapt the
existing API endpoints so they read the SDN configuration. We reload
the SDN configuration explicitly, in order to return only the IPSets
the user is allowed to see.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
This also includes support for parsing rules referencing IPSets in the
new SDN scope and generating those IPSets in the firewall. We always
load the new configuration, since loading the configuration always
includes validating the loaded rules. Validation fails without
including the SDN ipsets, leading to syslog error messages.
In the API, we only use the IPSets the user is actually allowed to use
for validating the rules - preventing users from using autogenerated
IPSets they have no permission for.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.
It also avoids parsing the entire cluster and host firewall
configuration on VM / CT startup, which means increased performance.
While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
If the FW is disabled on cluster level then touch the file flag to
signal that the nftables FW should not run, to avoid that a config
that uses some keys the new ipl doesn't yet understand causes log-spam
there.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The new nftables/rust based proxmox-firewall is still a WIP w.r.t.
understanding all oddities the firewall config provides.
This is not a problem in general, as it's released as tech-preview,
but the new service needs to parse the config to check if it's
enabled, so if that fails due to not recognizing some edge case, the
users get some scary looking log-spam.
So use a flag in the memory-backed /run as a side-channel that does
not need any parsing to signal if the new implementation should be
disabled.
This can be removed again once proxmox-firewall covers all possible
cases for sure and/or becomes the new default.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
We now allow bridges without the vmbr prefix, so we need to allow them
here in the simulator as well.
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Introduces new nftables configuration option that en/disables the new
nftables firewall.
pve-firewall reads this option and only generates iptables rules when
nftables is set to `0` or if the proxmox-firewall package is not
installed at all. Conversely, proxmox-firewall only generates rules
when the option is set to `1`.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
[ TL: mark as tech preview and clarify is_enabled method name ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stable sorting in cluster.fw config file allows tracking changes by
checking into git or when using automation like ansible.
Signed-off-by: Daniel Krambrock <krambrock@hrz.uni-marburg.de>
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
in the cluster class, we save the cluster config into the 'fw_conf'
variable, and not into 'cluster_conf', which in turns is set to 'undef'
instead.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
since they had the same issue as IPSets, detailed in #4556. The format
works the same as for IPSets:
dc/alias
Looks for the alias on the Datacenter level.
vm/alias
Looks for the alias on the VM level.
alias
Uses the previous method of scoping, where it first looks at the
VM level and then at the Datacenter level.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:
+dc/ipset
Looks for the IPSet on the Datacenter level.
+vm/ipset
Looks for the IPSet on the VM level.
+ipset
Uses the previous method of scoping, where it first looks at the
VM level and then at the Datacenter level.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
and only call lintian for the dsc target, as otherwise sbuild already
takes care of that (avoid duplicate work)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The DEB_BUILD_ARCH is the one from the build host, the DEB_HOST_ARCH
is the one the package is build for, so the latter is the correct one
here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The NOVIEW variable is useless now anyway, and the cleanup-docgen
target is a bit dangerous (removes _all_ *.adoc files) and it's just
a single line, so avoid complexity.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
without this additional conditions, it's possible to break the firewall by
setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for
'tcp'.
by rejecting the invalid rule/parameter, the rest of the ruleset is still
applied properly, and the error messages are a lot more informative as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
as that can trigger hard to reproduce/debug bugs; as with such
statements the variable won't be necessarily undef if the post-if
evaluates to false, but rather will hold the (now bogus) value from
the last time it evaluated to true.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The optional unix epoch timestamps parameters `since` and `until` are introduced
in order to filter firewall logs files. If one of these flags is set, also
rotated logfiles are included. This is handled in the `dump_fw_logfile` helper
function. Filtering is now performed based on a callback function passed to
`dump_fw_logfile`.
This patch depends on the corresponding patch in the pve-common repository.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
[w.bumiller@proxmox.com: fixup 'continue' -> 'next']
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
error: 192.168.1.155/24
correct: 192.168.1.0/24
This cleans the entered IP and removes the non zero host bits.
Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>