mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-07 21:17:59 +03:00
Commit Graph

726 Commits

Author SHA1 Message Date
Stefan Reiter
6f6a6b3f82 Update and add tests for corosync firewall changes
Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.

New test rules have been introduced to check corosync rules relating to
different rings/links.

Includes hostnames in config to trigger resolving codepaths.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
2019-07-02 09:05:44 +02:00
Stefan Reiter
06208a013f Create corosync firewall rules independently of localnet
"localnet" does not necessarily correspond to the correct network for
corosync (e.g. corosync rings/link can be run independently from other PVE
cluster service networks).

This change uses the previously introduced sub 'for_all_corosync_addresses'
to iterate through all nodes in a corosync cluster and generate rules for
all nodes and all their respective ringX_addr's it finds.

The rules are generated as strict as possible, there is a specific rule
for every remote node and every ring/link. Also, communication "between"
different links/rings is not allowed, e.g. a remote ring1_addr cannot
contact a local ring0_addr, and vice versa.

Multicast is always allowed, for backwards compatibility. Note however,
that we no longer filter on the source of inbound multicast packets,
since that would require localnet, and thus introduce the bug we're
trying to fix once again.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
2019-07-02 09:05:44 +02:00
Thomas Lamprecht
9429bd3510 bump version to 4.0-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-06-24 20:43:57 +02:00
Thomas Lamprecht
c743e671da pve-firewall.service: update-alternative ip-/eb- tables to legacy versions
This is rather a bit of a hack but works for us for now.

we need to use the legacy versions for both due to some bugs in the
nftables based versions, i.e., for iptables it's Debian bug #929527 [0]
and for ebtables it's Debian bug #929976 [1]. While the first gained
some response from the maintainer and a solution is in sight it's
currently blocked by Buster release freeze policy. The second one did
not get any response so far.

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-06-24 20:36:10 +02:00
Thomas Lamprecht
0398480886 fix CT rule generation with ipfilter set
commit 255698f651 tried to prevent an
error from happening but wasn't too well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...

But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...

First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the second then really has the $ip value in it..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-28 08:15:43 +02:00
Thomas Lamprecht
1b9bb7f785 fix systemd warning about PIDFile directory
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-25 18:27:46 +02:00
Thomas Lamprecht
71f03196c7 buildsys: switch upload dist over to buster
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-23 18:19:56 +02:00
Thomas Lamprecht
6b9da9b01e bump version to 4.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-21 22:30:27 +02:00
Thomas Lamprecht
8b092c2606 bump debian compat level to 10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-21 22:30:14 +02:00
Thomas Lamprecht
0d462fc085 buildsys: use dpkg-dev makefile helpers for pkg info
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-21 22:28:39 +02:00
Thomas Lamprecht
1bd6810f0c d/control: fix build-depends-on-obsolete-package
build-depends: dh-systemd => use debhelper (>= 9.20160709)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-21 22:12:44 +02:00
Thomas Lamprecht
d0b0a77a1e d/control: fix priority-extra-is-replaced-by-priority-optional
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-21 22:11:48 +02:00
Christian Ebner
8f3aa9cc80 Remove redundant logging of packets passing the tap chain.
Incoming and outgoing packets passing the firewall bridge were unnecessarily
logged, leading to double entries.
The first log entry occurred when passing the bridge, the second when the packet's
fate was decided (ACCEPT/DROP/REJECT).

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2019-05-16 09:55:16 +02:00
Thomas Lamprecht
dd7d737bcb bump version to 3.0-21
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-08 10:18:38 +00:00
Thomas Lamprecht
255698f651 followup: do not replace original variable content
this could be confusing, if someone adds code which uses $net->{ip}
it may work for the case where ipfilter is off but not else (which may
not get tested), so keep the original $net intact and copy the scalar
value..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-07 09:58:56 +00:00
Thomas Lamprecht
a9068b2d3b followup: code cleanup and comment
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-05-07 09:40:57 +00:00
Alexandre Derumier
556ae5c18f fix #2193: arpfilter: CT: remove mask from net ip cidr.
We need to send to ebtables a host address without prefix or with
/32 prefix.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2019-05-07 09:40:35 +00:00
Alexandre Derumier
58ca8ec0a0 fix ipv6 PVEFW-reject
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2019-04-30 09:10:46 +00:00
Thomas Lamprecht
bbf77725f2 bump version to 3.0-20
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-19 05:11:27 +00:00
Thomas Lamprecht
c1f1728736 fix reading host.fw through IPCC interface
IPCC has no knowledge about FUSE based links, but we used
'local/host.fw' here, where local is always a link to
'nodes/<LOCAL-NODENAME>/', this works only when using the common file
system interface provided by FUSE, but not if we're talking directly
with our memdb file store through IPCC..

So use a nodename based path here, to avoid getting just empty
strings for host.fw.

fixes commit 0dbef53046

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-19 04:51:42 +00:00
Mira Limbeck
98bd53b6dc fix #2178: endless loop on ipv6 extension headers
increment header and decrement payload size by the extension's size. the
length calculation is different for some extensions. in our case only
IPPROTO_FRAGMENT requires a different size calculation than the rest. in
addition 'proto' is now set in the loop when advancing from an
extension header. it moves on to the next extension or protocol now
instead of looping on the same 'proto' while advancing the payload.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2019-04-18 13:24:16 +02:00
Thomas Lamprecht
2f46ee4f78 remove useless unused Data::Dumper uses
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-17 12:20:35 +00:00
Thomas Lamprecht
0fd61594df firewall: split and order modules
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-17 12:20:35 +00:00
Thomas Lamprecht
0dbef53046 use IPCC to read FW files if they are backed by pmxcfs
This allows us to profit from the IPCC pmxcfs restart mechanisms,
which will block this call for the grace period (~10 seconds) and
transparently try to reconnect to the IPCC interface of pmxcfs, if a
restart is detected..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-17 13:01:45 +02:00
Thomas Lamprecht
585ede439c remove a level of indirection on FW config parsing
the removed methods were only used by those we merged their code
into.

Opening the FH in the generic parser saves a bit of repetition too..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-17 13:01:45 +02:00
Thomas Lamprecht
40af93c406 make verbose a global state
This is part of the project 'stop the parameter rabbit hole madness'
and tries to make reading the firewall code a little bit easier.

Here we remove passing $verbose from 44 method signatures, while it
was used in 4 of those methods, a ratio of 1/11 is simply not
acceptable for such a thing as a verbosity flag..

Remove it, and just make it a global variable with a setter for now.

Verbose is not modified in any API call, only in a Service
environment callable by CLI, so we are safe to do so.

If we decide to add some sort of firewall instance (i.e., a blessed
$self "object") with some state we could also move it there, but
making it global now doesn't hurt.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-17 13:01:45 +02:00
Thomas Lamprecht
baba607ab0 bump version to 3.0-19
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-02 11:18:30 +02:00
Thomas Lamprecht
4c7a837388 buildsys: no need to not pre-clean for source package
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-02 11:18:21 +02:00
Thomas Lamprecht
115b38dc46 buildsys: correctly cleanup source tarball
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-01 13:57:41 +02:00
Thomas Lamprecht
cc37e0005d allow to enable/disable and modify cluster wide log ratelimits
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Christian Ebner <c.ebner@proxmox.com>
2019-04-01 13:55:34 +02:00
Thomas Lamprecht
95ed90a9a8 buildsys: add dsc target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-31 15:43:40 +02:00
Thomas Lamprecht
43be6155b4 cleanup makefiles, set target dirs per makefile
be more consistent with the buildsystems of our other packages.
compared old to new with diffoscope, no real changes (besides
different SOURCE file, as base check commits differ)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-31 15:26:57 +02:00
Thomas Lamprecht
056f92115a fix Razor macro
'ACCEPT' was plain wrong here and broken and disables ALL firewalling
for a Container, at least when used in a Security Group.

fixes 857f62c833
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reported-by: Tom Weber <pve@junkyard.4t2.com>
2019-03-30 17:36:18 +01:00
Mira Limbeck
e17d3eec6b add 'log_nf_conntrack' option description
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2019-03-19 14:38:13 +01:00
Thomas Lamprecht
2db2b6aa1b followup: minor code style fix
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-19 14:37:56 +01:00
Thomas Lamprecht
3c57745acd followup: use default burst limit of 5
it does not hurt and can be used to see high frequency occurrences
of certain rules which hit.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-19 14:36:42 +01:00
Christian Ebner
3489f8a2b9 fix: #2123 Logging of user defined firewall rules
This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option allowing to specify the
log level for each rule individually.

The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.

For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2019-03-19 13:39:55 +01:00
Alexandre Derumier
33efd363ab ebtables: test layer2_protocols in an external chain
We need the not matching DROP outside the main tapchain,
in a specific proto chain, and a ACCEPT in the main tap chain.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2019-03-12 07:35:56 +01:00
Alexandre Derumier
401c141b36 ebtables: add arp filtering
This implements arp filtering if ipfilter is enabled
https://bugzilla.proxmox.com/show_bug.cgi?id=2125

There are other filters possible (ipv4, rarp);
I don't know if we need them.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2019-03-12 07:35:56 +01:00
Thomas Lamprecht
d8ea08e395 bump version to 3.0-18
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-04 10:27:42 +01:00
Thomas Lamprecht
07731b19db d/control: bump version dependency to pve-doc-generator
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-02-22 13:31:32 +01:00
Christian Ebner
2b9ac8633a 1891 Add zsh command completion for pve-firewall
Adds the zsh command completion scripts for pve-firewall.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2019-02-22 11:44:49 +01:00
Alexandre Derumier
b4c72cfae9 daemon: cleanup '+' character at begin of line
this stray '+' was introduced by
commit 151c209e05 while it had no
effect let's remove it nonetheless.
2019-02-20 07:22:02 +01:00
Alwin Antreich
45c8eeb8bd Fix uninitialized value $mark in bitwise operation
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
2019-02-18 10:38:05 +01:00
Alexandre Derumier
d8d4dd6749 log reject : add space after policy REJECT like drop
For log consistency and parsing, we already have a space after "policy DROP: "
but not REJECT

ex:

DROP
135 6 tap135i1-IN 05/Feb/2019:10:59:55 +0100 policy DROP: IN=.....

REJECT
232 6 tap232i1-IN 05/Feb/2019:10:59:28 +0100 policy REJECT:IN=....
2019-02-05 11:29:25 +01:00
Thomas Lamprecht
b409c8a834 followup: avoid long hash access, use own variable
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-02-04 14:22:41 +01:00
Christian Ebner
27c49e251c Fix #1606 Add nf_conntrack_allow_invalid option
This adds the nf_conntrack_allow_invalid host firewall option to allow to disable
the dropping of invalid packets from the connection tracker point of view.
This is needed for some rare setups with asymmetrical multi-path routing.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2019-02-04 14:13:22 +01:00
Wolfgang Bumiller
05018f6e8b buildsys: build a dbgsym package
don't forcefully strip debug components out of the firewall
logger...

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-01-25 10:56:18 +01:00
Thomas Lamprecht
91d88bc517 bump version to 3.0-17
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-01-09 16:56:32 +01:00
David Limbeck
77331e89ed log and ignore ENOBUFS in nfct_catch
nfct_catch sets ENOBUFS if not enough buffer space is available. log
and continue operation instead of stopping. in addition log possible
other errors set by nfct_catch

Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
2019-01-09 16:27:20 +01:00