Dietmar Maurer
c69cf61464
get_ipset_cmdlist: avoid restore problems due to wrong order
2014-11-10 12:50:29 +01:00
Dietmar Maurer
59f9b456b2
improve error messages
2014-11-10 12:49:00 +01:00
Dietmar Maurer
5b5c42b13f
do not emit smurfs chain for ipv6
2014-11-10 12:47:31 +01:00
Dietmar Maurer
649cd83596
ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead
2014-11-10 12:45:02 +01:00
Alexandre Derumier
a2dbb47b4c
add ipv6 examples
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:05:13 +01:00
Alexandre Derumier
7b7b2654bc
ip6tables: remove_pvefw_chains
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:04:26 +01:00
Alexandre Derumier
17da5c0fcb
apply ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 11:02:14 +01:00
Alexandre Derumier
638c755a4c
compile ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 10:58:11 +01:00
Alexandre Derumier
47a79ff21c
add ip6tables standard chains
- icmp types in reject are different from ipv4
- broadcast does not exist in ipv6
- I don't think that smurf attacks exist (no broadcast)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-11-04 10:56:08 +01:00
Dietmar Maurer
041b9277a2
add icmpv6 support
skip icmpv6 rule for iptables rules
skip icmp rule for ip6tables rules
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2014-11-04 10:53:01 +01:00
Dietmar Maurer
6d959e3fe3
add ipv6 ipset support
big change here:
we now create an ipset which includes 2 other ipsets, for ipv4 and ipv6
PVEFW-0-blacklist list:set
PVEFW-0-blacklist-v4 hash:net family inet4
PVEFW-0-blacklist-v6 hash:net family inet6
v4 and v6 are only created if ip addresses are defined in the set
in iptables rules, we use the main set.
Benchmarks show no performance impact
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2014-11-04 08:46:31 +01:00
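The set layout described in the commit above, as an added shell example that is not pve-firewall code: one `list:set` under the name the iptables/ip6tables rules reference, with `hash:net` member sets for each address family created only when that family has entries. The function and helper names (`gen_ipset_cmdlist`, `ip_version`) are assumptions, the classifier simply treats any address containing `:` as IPv6, the sample addresses are constructed, and the real ipset family keywords are `inet` / `inet6` (the commit body writes "inet4"). The member sets are emitted before the `list:set`, because `ipset restore` replays lines in order and the list set can only `add` members that already exist (the ordering problem the later `get_ipset_cmdlist` fix addresses); the name-length check reflects ipset's 31-character limit minus the `-v4`/`-v6` suffix.

```shell
# Added example (not pve-firewall code): emit an `ipset restore` command list
#   NAME      list:set              referenced from iptables/ip6tables rules
#   NAME-v4   hash:net family inet  only if the list has IPv4 entries
#   NAME-v6   hash:net family inet6 only if the list has IPv6 entries
# Names, classifier and sample addresses are assumptions made for this example.

ip_version() {
    # Simplified classifier: anything with a ':' is IPv6, everything else IPv4.
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# usage: gen_ipset_cmdlist NAME ADDR...
gen_ipset_cmdlist() {
    local name="$1" v4="" v6="" a
    shift
    # ipset names are limited to 31 characters; leave room for "-v4"/"-v6".
    if [ "${#name}" -gt 28 ]; then
        echo "ipset name too long: $name" >&2
        return 1
    fi
    for a in "$@"; do
        if [ "$(ip_version "$a")" = 6 ]; then v6="$v6 $a"; else v4="$v4 $a"; fi
    done
    # Member sets first: `ipset restore` processes lines in order, and the
    # list:set can only reference sets that already exist.
    if [ -n "$v4" ]; then
        echo "create ${name}-v4 hash:net family inet"
        for a in $v4; do echo "add ${name}-v4 $a"; done
    fi
    if [ -n "$v6" ]; then
        echo "create ${name}-v6 hash:net family inet6"
        for a in $v6; do echo "add ${name}-v6 $a"; done
    fi
    echo "create ${name} list:set"
    if [ -n "$v4" ]; then echo "add ${name} ${name}-v4"; fi
    if [ -n "$v6" ]; then echo "add ${name} ${name}-v6"; fi
}

# Constructed usage; on a real host pipe the output into `ipset restore`.
gen_ipset_cmdlist PVEFW-0-blacklist 10.0.0.0/8 2001:db8::/32
```

Both `iptables` and `ip6tables` rules can then match on the top-level set with `-m set --match-set PVEFW-0-blacklist src`; the kernel consults only the member set of the packet's own family, which is why a single rule works for both tables.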
Dietmar Maurer
ca1a5a39e4
ipset_match: implement simulation of list type ipsets
2014-11-04 07:44:37 +01:00
Dietmar Maurer
bc1bd0233a
resolve_alias: use better regex to detect alias
2014-11-03 06:23:26 +01:00
Dietmar Maurer
ae029a8867
code cleanup
2014-10-31 13:06:52 +01:00
Alexandre Derumier
70e524eb32
check ipversion of aliases
also add support for ipv6
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:25:54 +01:00
Alexandre Derumier
aedde2c2df
skip group rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables
if rule ipversion is undef, we apply to both iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:16:55 +01:00
Dietmar Maurer
b546f5007c
use integer compare for $ipversion
2014-10-31 12:08:10 +01:00
Alexandre Derumier
78a72bc4b2
enable hostfw for ipv4 only
currently pveproxy doesn't work with ipv6,
so let's generate host fw ipv4 only for the moment
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:06:34 +01:00
Dietmar Maurer
b33ce1b520
fix venet rule generation: venet can have ipv4 and ipv6 address
2014-10-31 12:03:17 +01:00
Dietmar Maurer
006490cb2f
$ipversion is integer, so use '!=' instead of string 'ne'
2014-10-30 13:35:55 +01:00
Alexandre Derumier
84870b1ac7
skip vms rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables
if rule ipversion is undef, we apply to both iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 13:31:58 +01:00
Dietmar Maurer
9e2205e5ff
verify_rule: detect mixed ipv4/ipv6 addresses
2014-10-30 13:27:01 +01:00
Dietmar Maurer
c344e50926
parse_address_list: improve type detection
2014-10-30 13:17:28 +01:00
Dietmar Maurer
a589b6acd9
parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6)
2014-10-30 13:17:24 +01:00
Dietmar Maurer
5163367b84
fix error message
2014-10-30 12:52:29 +01:00
Dietmar Maurer
d31689ee39
rename pve-fw-v4addr-spec to pve-fw-addr-spec
Because we allow ipv4 and ipv6 addresses now.
2014-10-30 12:43:52 +01:00
Alexandre Derumier
7697c04184
parse_rules src && dst ipversion
check the ipversion of src and dst in rules
(fixme : parse ip in range)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:40:20 +01:00
Dietmar Maurer
db8a955f4d
cleanup generate_std_chains: don't overwrite global variable $pve_std_chains
Instead, pass $ipversion and use local var $std_chains.
2014-10-30 12:21:00 +01:00
Alexandre Derumier
5547adf719
move $pve_std_chains to $pve_std_chains->{$ipversion}
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:10:09 +01:00
Alexandre Derumier
9268573a46
split compile to compile_iptables_filter
compile just reads the config files and will call compile_iptables_filter for iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 11:56:34 +01:00
Dietmar Maurer
0ac5757051
bump version to 1.0-9
2014-10-14 16:30:01 +02:00
Dietmar Maurer
30150dca3c
fix max ipset name length
2014-10-14 16:28:44 +02:00
Dietmar Maurer
571e47f9dd
make dependency to cman/clvm optional
2014-09-08 13:06:39 +02:00
Dietmar Maurer
03170bbd02
do not start daemons during installation
2014-09-08 12:25:13 +02:00
Dietmar Maurer
05fd3b63be
bump version to 1.0-8
2014-09-08 12:17:02 +02:00
Dietmar Maurer
9f6845cfa9
Firewall/IPSet: implement permission
Factor out common code into PVE/Firewall.
2014-07-21 10:48:00 +02:00
Dietmar Maurer
7f733a5a9f
Firewall/Rules: add permissions
2014-07-21 10:24:09 +02:00
Dietmar Maurer
5c9da37bf6
Firewall/Groups: add permissions
2014-07-21 09:54:42 +02:00
Dietmar Maurer
16c8f5d71c
Firewall/VM: add permissions
2014-07-21 09:52:01 +02:00
Dietmar Maurer
60c103df97
Firewall/Host: add permissions
2014-07-21 09:40:34 +02:00
Dietmar Maurer
0ec568419a
Firewall/Cluster: add permissions
2014-07-21 09:33:18 +02:00
Dietmar Maurer
a34cfdd0d1
generate MAC and IP filter rules if firewall is enabled on NIC
Only omit rules if firewall is disabled. Also remove ipfilter for
venet, because that is not required (kernel does that job for us).
2014-06-26 09:12:23 +02:00
Dietmar Maurer
bea9d5ab11
bump version to 1.0-7
2014-06-26 07:13:16 +02:00
Dietmar Maurer
eadbc1ded3
proxy host rule API calls to correct node
2014-06-26 07:12:06 +02:00
Dietmar Maurer
582275c31f
bump version to 1.0-6
2014-06-12 08:37:43 +02:00
Dietmar Maurer
d562837827
add example for ipfilter ipset
2014-06-12 08:36:05 +02:00
Dietmar Maurer
a306a176c4
add regression tests for ipfilter
2014-06-12 08:32:11 +02:00
Dietmar Maurer
66f33d78ed
fwtester: add more networks (net1, net2) to vm100 to test ipfilter
2014-06-12 08:30:33 +02:00
Dietmar Maurer
b625713bdd
implement negative ipset match
To simulate ipfilter.
2014-06-12 08:29:32 +02:00
Dietmar Maurer
b692f42c1b
use separate ipfilter ipset on each interface
2014-06-12 06:39:31 +02:00