mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-02-08 09:57:29 +03:00

511 Commits

Author SHA1 Message Date
Dietmar Maurer
22dde8d692 bump version to 1.0-15 2014-12-12 06:33:58 +01:00
Alexandre Derumier
50f9a28d1a firewall update : load cluster conf for host rules
Currently we can't use ipsets defined in cluster in host rules

host.fw
----------
[OPTIONS]

log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug

[RULES]

IN ACCEPT -source +whitelist

in sub update {
my $hostfw_conf = load_hostfw_conf();
}

$VAR1 = {
          'options' => {
                         'enable' => 1,
                         'log_level_in' => 'debug',
                         'tcp_flags_log_level' => 'debug',
                         'log_level_out' => 'debug',
                         'tcpflags' => 1,
                         'smurf_log_level' => 'debug'
                       },
          'ipset' => {},
          'rules' => [
                       {
                         'source' => '+whitelist',
                         'enable' => 1,
                         'errors' => {
                                       'source' => 'no such ipset \'whitelist\''
                                     },
                         'action' => 'ACCEPT',
                         'type' => 'in'
                       }
                     ]
        };

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-12-12 06:27:54 +01:00
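The commit message above shows the symptom (a host rule referencing `+whitelist` fails with "no such ipset" because only host.fw was loaded) and the Data::Dumper output of the parsed config. The following is an added example, not pve-firewall's own Perl code: a small Python parser for the config format shown in the message, plus the ipset lookup that produces that error, before and after the cluster config is merged in. The `[OPTIONS]`/`[RULES]` section names, the `-source +name` syntax and the error string come from the message; the `[IPSET name]` section syntax, the `|` disabled-rule prefix, the function names and the sample cluster.fw contents are assumptions made for this example.

```python
import re

# Constructed sample inputs (not from the project): the host.fw quoted in
# the commit message, and a cluster.fw that defines the 'whitelist' ipset.
HOST_FW = """
[OPTIONS]
log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug

[RULES]
IN ACCEPT -source +whitelist
"""

CLUSTER_FW = """
[IPSET whitelist]
192.0.2.10
198.51.100.0/24
"""

# Rule options this example understands; '-source'/'-dest' may reference an ipset as '+name'.
RULE_OPTS = {'-source', '-dest', '-p', '-dport', '-sport', '-log'}


def parse_rule(line):
    """Parse 'IN ACCEPT -source +whitelist' into a dict shaped like the $VAR1 output."""
    enable = 1
    if line.startswith('|'):          # assumption: a leading '|' marks a disabled rule
        enable, line = 0, line[1:].strip()
    tokens = line.split()
    rule = {'type': tokens[0].lower(), 'action': tokens[1], 'enable': enable, 'errors': {}}
    opts = tokens[2:]
    i = 0
    while i < len(opts):
        if opts[i] in RULE_OPTS and i + 1 < len(opts):
            rule[opts[i][1:]] = opts[i + 1]   # '-source' -> rule['source']
            i += 2
        else:
            rule['errors']['syntax'] = f"unexpected token '{opts[i]}'"
            i += 1
    return rule


def parse_fw_conf(text):
    """Parse [OPTIONS], [RULES] and [IPSET name] sections of a .fw file."""
    conf = {'options': {}, 'ipset': {}, 'rules': []}
    section, name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^\[(\w+)(?:\s+(\S+))?\]$', line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            if section == 'ipset':
                conf['ipset'].setdefault(name, [])
            continue
        if section == 'options':
            key, _, value = line.partition(':')
            value = value.strip()
            conf['options'][key.strip()] = int(value) if value.isdigit() else value
        elif section == 'rules':
            conf['rules'].append(parse_rule(line))
        elif section == 'ipset':
            conf['ipset'][name].append(line)
    return conf


def verify_rule(rule, ipsets):
    """Record an error for every '+name' reference that no known ipset resolves."""
    for key in ('source', 'dest'):
        ref = rule.get(key)
        if ref and ref.startswith('+') and ref[1:] not in ipsets:
            rule['errors'][key] = f"no such ipset '{ref[1:]}'"
    return rule


def load_hostfw_conf(host_text, cluster_text=None):
    """Parse host.fw; when cluster.fw is supplied, its ipsets become visible to host rules.
    Called without cluster_text this reproduces the error from the commit message."""
    hostfw = parse_fw_conf(host_text)
    ipsets = dict(hostfw['ipset'])
    if cluster_text is not None:
        ipsets.update(parse_fw_conf(cluster_text)['ipset'])
    for rule in hostfw['rules']:
        verify_rule(rule, ipsets)
    return hostfw


if __name__ == '__main__':
    print(load_hostfw_conf(HOST_FW)['rules'][0]['errors'])
    print(load_hostfw_conf(HOST_FW, CLUSTER_FW)['rules'][0]['errors'])
```

The verification step is the security-relevant part: a rule whose ipset reference cannot be resolved is flagged rather than silently turned into a rule without a source match, which would otherwise widen `IN ACCEPT` to every source.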
Dietmar Maurer
e33e2f1603 bump version to 1.0-14 2014-12-05 13:42:07 +01:00
Dietmar Maurer
88c26d5ee2 do not use ipset list chains
Instead, we directly use -v4 and -v6 names inside iptables rules.

So we can safely remove the preinst script.
2014-12-05 13:38:05 +01:00
Dietmar Maurer
3bce273b66 bump version to 1.0-13 2014-11-28 12:46:25 +01:00
Dietmar Maurer
ce41ae23ac fix ipset remove order 2014-11-28 12:44:18 +01:00
Dietmar Maurer
cdcaaa04e0 add debian/dirs file to install /var/lib/pve-firewall 2014-11-28 11:40:09 +01:00
Dietmar Maurer
7a7c322c9e bump version to 1.0-12 2014-11-28 09:00:13 +01:00
Dietmar Maurer
161796ceb9 add preinst script
We need to clear ipsets from older installations, because sets cannot be
swapped if their type does not match.
2014-11-28 08:58:31 +01:00
Dietmar Maurer
1b918ee5a4 bump version to 1.0-11 2014-11-28 08:04:26 +01:00
Dietmar Maurer
eea9d2a1b7 verify_rule: correctly set ipversion for aliases 2014-11-28 08:01:52 +01:00
Dietmar Maurer
259db1e656 save restore commands into files (debug help)
To make it easier to debug restore errors.
2014-11-28 07:18:58 +01:00
Dietmar Maurer
df617cea3a bump version to 1.0-10 2014-11-26 07:04:21 +01:00
Dietmar Maurer
1cc9bd9005 pve-firewall compile: improve output format 2014-11-26 07:03:14 +01:00
Dietmar Maurer
f979293740 API2::Firewall::IPSet: fix alias check for ipv6 addresses 2014-11-17 12:41:03 +01:00
Dietmar Maurer
c69cf61464 get_ipset_cmdlist: avoid restore problems due to wrong order 2014-11-10 12:50:29 +01:00
Dietmar Maurer
59f9b456b2 improve error messages 2014-11-10 12:49:00 +01:00
Dietmar Maurer
5b5c42b13f do not emit smurfs chain for ipv6 2014-11-10 12:47:31 +01:00
Dietmar Maurer
649cd83596 ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead 2014-11-10 12:45:02 +01:00
Alexandre Derumier
a2dbb47b4c add ipv6 examples
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:05:13 +01:00
Alexandre Derumier
7b7b2654bc ip6tables : remove_pvefw_chains
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:04:26 +01:00
Alexandre Derumier
17da5c0fcb apply ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:02:14 +01:00
Alexandre Derumier
638c755a4c compile ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 10:58:11 +01:00
Alexandre Derumier
47a79ff21c add ip6tables standard chains
- icmp types in reject are different from ipv4
- broadcast does not exist in ipv6
- I don't think that smurf attacks exist (no broadcast)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 10:56:08 +01:00
Dietmar Maurer
041b9277a2 add icmpv6 support
skip icmpv6 rule for iptables rules
skip icmp rule for ip6tables rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2014-11-04 10:53:01 +01:00
Dietmar Maurer
6d959e3fe3 add ipv6 ipset support
big change here,
we now create an ipset which includes 2 other ipsets for ipv4 and ipv6

PVEFW-0-blacklist list:set
    PVEFW-0-blacklist-v4 hash:net family inet4
    PVEFW-0-blacklist-v6 hash:net family inet6

v4 and v6 are only created if IP addresses are defined in the set.
In iptables rules, we use the main set.

Benchmarks show no performance impact

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2014-11-04 08:46:31 +01:00
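The message above describes the nested layout (a `list:set` parent wrapping family-specific `hash:net` children that only exist when the set holds addresses of that family), and two other commits on this page deal with its consequences: restore and removal order (c69cf61464, ce41ae23ac), and the maximum ipset name length (30150dca3c). The later commit 88c26d5ee2 drops the `list:set` and has iptables reference the `-v4`/`-v6` sets directly. The following is an added example, not the project's code: a Python generator for the `ipset restore` command stream and its teardown, emitted as text rather than executed, so it runs without root. The set layout and `-v4`/`-v6` naming follow the commit message; the function names, the 31-character limit (ipset's documented maximum set-name length) and the sample addresses are this example's own assumptions. Note that ipset spells the family keyword `inet`/`inet6`, not `inet4`.

```python
import ipaddress

IPSET_MAXNAMELEN = 31   # assumption: ipset's documented limit on set names


def check_name(name):
    """Reject names ipset would refuse; the '-v4'/'-v6' suffix eats 3 of the 31 chars."""
    if len(name) > IPSET_MAXNAMELEN:
        raise ValueError(f"ipset name '{name}' longer than {IPSET_MAXNAMELEN} characters")
    return name


def split_by_family(entries):
    """Sort CIDR/host entries into IPv4 and IPv6 lists, rejecting anything unparsable."""
    v4, v6 = [], []
    for entry in entries:
        version = ipaddress.ip_network(entry, strict=False).version
        (v4 if version == 4 else v6).append(entry)
    return v4, v6


def ipset_create_cmds(name, entries):
    """Emit 'ipset restore' lines in a safe order: family-specific children first,
    then the list:set parent, then the parent's members (which must already exist)."""
    v4, v6 = split_by_family(entries)
    lines = []
    for suffix, family, members in (('-v4', 'inet', v4), ('-v6', 'inet6', v6)):
        if not members:
            continue   # a child set only exists when that family has addresses
        child = check_name(f"{name}{suffix}")
        lines.append(f"create {child} hash:net family {family}")
        lines.extend(f"add {child} {m}" for m in members)
    lines.append(f"create {check_name(name)} list:set")
    for suffix, members in (('-v4', v4), ('-v6', v6)):
        if members:
            lines.append(f"add {name} {name}{suffix}")
    return lines


def ipset_destroy_cmds(name, entries):
    """Tear down in reverse: the list:set goes first, because ipset refuses to destroy
    a set that another set still references."""
    v4, v6 = split_by_family(entries)
    lines = [f"flush {name}", f"destroy {name}"]
    for suffix, members in (('-v4', v4), ('-v6', v6)):
        if members:
            lines.append(f"destroy {name}{suffix}")
    return lines


def match_set_arg(name, ipversion, direction='src'):
    """The later design (commit 88c26d5ee2 on this page): an iptables or ip6tables
    rule references the family-specific set directly instead of the list:set."""
    suffix = '-v4' if ipversion == 4 else '-v6'
    return f"-m set --match-set {check_name(name + suffix)} {direction}"


if __name__ == '__main__':
    # Constructed sample entries, not taken from any real configuration.
    blacklist = ['203.0.113.0/24', '2001:db8::/32']
    print('\n'.join(ipset_create_cmds('PVEFW-0-blacklist', blacklist)))
    print('\n'.join(ipset_destroy_cmds('PVEFW-0-blacklist', blacklist)))
    print(match_set_arg('PVEFW-0-blacklist', 6))
```

The ordering functions are where restore errors come from in practice: `add PARENT CHILD` fails if the child has not been created yet, and `destroy CHILD` fails while the parent still lists it, so a generator that gets either order wrong leaves the firewall half-applied.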
Dietmar Maurer
ca1a5a39e4 ipset_match: implement simulation of list type ipsets 2014-11-04 07:44:37 +01:00
Dietmar Maurer
bc1bd0233a resolve_alias: use better regex to detect alias 2014-11-03 06:23:26 +01:00
Dietmar Maurer
ae029a8867 code cleanup 2014-10-31 13:06:52 +01:00
Alexandre Derumier
70e524eb32 check ipversion of aliases
also add support for ipv6

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:25:54 +01:00
Alexandre Derumier
aedde2c2df skip group rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if rule ipversion is undef, we apply to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:16:55 +01:00
Dietmar Maurer
b546f5007c use integer compare for $ipversion 2014-10-31 12:08:10 +01:00
Alexandre Derumier
78a72bc4b2 enable hostfw for ipv4 only
currently pveproxy doesn't work with ipv6,
so let's generate host fw ipv4 only for the moment

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:06:34 +01:00
Dietmar Maurer
b33ce1b520 fix venet rule generation: venet can have ipv4 and ipv6 address 2014-10-31 12:03:17 +01:00
Dietmar Maurer
006490cb2f $ipversion is an integer, so use '!=' instead of string 'ne' 2014-10-30 13:35:55 +01:00
Alexandre Derumier
84870b1ac7 skip vms rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if rule ipversion is undef, we apply to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 13:31:58 +01:00
Dietmar Maurer
9e2205e5ff verify_rule: detect mixed ipv4/ipv6 addresses 2014-10-30 13:27:01 +01:00
Dietmar Maurer
c344e50926 parse_address_list: improve type detection 2014-10-30 13:17:28 +01:00
Dietmar Maurer
a589b6acd9 parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6) 2014-10-30 13:17:24 +01:00
Dietmar Maurer
5163367b84 fix error message 2014-10-30 12:52:29 +01:00
Dietmar Maurer
d31689ee39 rename pve-fw-v4addr-spec to pve-fw-addr-spec
Because we allow ipv4 and ipv6 addresses now.
2014-10-30 12:43:52 +01:00
Alexandre Derumier
7697c04184 parse_rules src && dst ipversion
check the ipversion of src and dst in rules

(fixme : parse ip in range)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:40:20 +01:00
Dietmar Maurer
db8a955f4d cleanup generate_std_chains: don't overwrite global variable $pve_std_chains
Instead, pass $ipversion and use local var $std_chains.
2014-10-30 12:21:00 +01:00
Alexandre Derumier
5547adf719 move $pve_std_chains to $pve_std_chains->{$ipversion}
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:10:09 +01:00
Alexandre Derumier
9268573a46 split compile to compile_iptables_filter
compile just reads the config files and calls compile_iptables_filter for iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 11:56:34 +01:00
Dietmar Maurer
0ac5757051 bump version to 1.0-9 2014-10-14 16:30:01 +02:00
Dietmar Maurer
30150dca3c fix max ipset name length 2014-10-14 16:28:44 +02:00
Dietmar Maurer
571e47f9dd make dependency to cman/clvm optional 2014-09-08 13:06:39 +02:00
Dietmar Maurer
03170bbd02 do not start daemons during installation 2014-09-08 12:25:13 +02:00
Dietmar Maurer
05fd3b63be bump version to 1.0-8 2014-09-08 12:17:02 +02:00