mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-02-08 09:57:29 +03:00

830 Commits

Author SHA1 Message Date
Dietmar Maurer
e5cd1ee01c cleanup: try to use more consistent method naming 2014-05-30 11:21:30 +02:00
Dietmar Maurer
f2c0865cf3 API: add ability to restrict ref list to specified type 2014-05-30 09:37:49 +02:00
Dietmar Maurer
7c619bbb2c API fix: allow aliases in IPSets 2014-05-30 09:37:27 +02:00
Dietmar Maurer
351052d148 parser: verify group and ipset names 2014-05-30 08:24:03 +02:00
Dietmar Maurer
947d6ea2ed implement API to get list of possible refs (aliases + ipsets) 2014-05-28 13:57:21 +02:00
Dietmar Maurer
4dfe04e604 introduce ipset_name_pattern to avoid confusion 2014-05-28 12:59:17 +02:00
Dietmar Maurer
e2c627332f limit alias/ipset name length to 64 characters 2014-05-28 12:51:06 +02:00
Dietmar Maurer
6af480d46d add test for long ipset names 2014-05-28 10:45:27 +02:00
Dietmar Maurer
ac4580a02e fix ipset match - s/src/dst/ 2014-05-28 10:41:50 +02:00
Dietmar Maurer
708ba7149c implement VM ipsets, allow long ipset names
If names are too long, we simply use the FNV digest instead of the name.
2014-05-28 10:31:03 +02:00
Dietmar Maurer
42ec817818 always pass cluster_conf to load_vmfw_conf 2014-05-28 06:47:05 +02:00
Dietmar Maurer
1210ae94fb implement ipsets for VM/CT 2014-05-27 11:38:54 +02:00
Dietmar Maurer
1521df52e4 do not print trace when debug is not set 2014-05-27 11:31:09 +02:00
Dietmar Maurer
bfc488f6ca white space cleanup 2014-05-27 08:03:09 +02:00
Dietmar Maurer
e523d2bb40 implement aliases at VM level 2014-05-27 07:58:32 +02:00
Dietmar Maurer
9b284533ff add test for aliases inside vm firewall configuration 2014-05-27 07:57:16 +02:00
Dietmar Maurer
4912485180 fwtester.pl: add warnings to trace 2014-05-27 06:58:13 +02:00
Alexandre Derumier
b5831a0de8 optimize blacklist : create a PVEFW-blacklist chain
currently we check the ipset blacklist twice (1 for log and 1 for drop)

It's better to check ipset once, and go to a PVEFW-blacklist chain
where we do the log, and then the drop

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-05-27 06:25:31 +02:00
Dietmar Maurer
e0a38def09 fix comment 2014-05-26 12:58:58 +02:00
Dietmar Maurer
5383df39a0 skip disabled rules and rules with errors early 2014-05-26 12:55:46 +02:00
Dietmar Maurer
b7ab6989be ruleset_generate_vm_rules: skip rules with errors 2014-05-26 12:46:27 +02:00
Dietmar Maurer
a523e0578d improve rule verification
Also verify ipset/aliases.
2014-05-26 12:45:41 +02:00
Dietmar Maurer
b6b8e6ade7 pass $rule_env (cluster/host/vm/ct) to rule parser.
So that we can correctly verify 'iface' parameter.

Also add new API classes for CTs (because we need to pass $rule_env).
2014-05-26 08:09:02 +02:00
Dietmar Maurer
d4cda423ca improve error handling
We now show syntax errors from firewall files with:

 # pve-firewall status

But we do not log such errors to syslog, because that would result
in the same warning on each update (10 seconds).
2014-05-23 11:32:33 +02:00
Dietmar Maurer
6d9246e73c allow reading rules with errors
And return error messages inside $rule->{errors}. The GUI can display
those errors so that the user can correct them.
2014-05-23 10:43:22 +02:00
Dietmar Maurer
3e99870474 close inotify handle before restart 2014-05-22 10:02:27 +02:00
Dietmar Maurer
914f9a50a1 improve rules API
Do not use the JSON schema 'requires' property, because that forbids
using '' to delete properties.

It is now possible to update/delete individual rule properties like:

  pvesh set nodes/lola/openvz/104/firewall/rules/0 -proto udp
  pvesh set nodes/lola/openvz/104/firewall/rules/1 -delete dport
2014-05-21 13:03:57 +02:00
Dietmar Maurer
b1ef6d2e71 fix API: property sport/dport requires protocol 2014-05-21 10:29:06 +02:00
Dietmar Maurer
1a9978ed50 fix test/test-errors3 - protect rule generation with eval 2014-05-21 10:16:48 +02:00
Dietmar Maurer
a51bd5484f add new test case to show serious bug 2014-05-21 09:35:23 +02:00
Dietmar Maurer
cc8dc02f01 allow igmp traffic 2014-05-21 09:17:14 +02:00
Dietmar Maurer
5b15e12404 add another test case 2014-05-21 09:01:55 +02:00
Dietmar Maurer
93d96f83f9 fix for test case test/test-errors1 2014-05-21 08:56:52 +02:00
Dietmar Maurer
c4c477f3d2 add test case to show serious bug 2014-05-21 08:39:33 +02:00
Dietmar Maurer
3324948a51 use GET instead of POST for commands that do not change state. 2014-05-21 08:27:55 +02:00
Dietmar Maurer
e7fb6ff270 add new localnet command
Print information about local network (IP/NETWORK/NODENAME).
2014-05-21 08:24:07 +02:00
Dietmar Maurer
525778d783 rename cluster_network to local_network, introduce local_network alias
So that the user can overwrite it.
2014-05-21 07:43:50 +02:00
Dietmar Maurer
d4cae1d697 add tests for management ipset 2014-05-21 06:48:23 +02:00
Dietmar Maurer
eb399cef48 Introduce new management ipset
The user can set up a 'management' IPSet to make sure he has access to the GUI
from those IPs.
2014-05-21 06:41:10 +02:00
Dietmar Maurer
c5191f5768 do not use ctstate in corosync rule
That is not necessary, because we only reach that rule if ctstate is NEW.
2014-05-21 06:01:17 +02:00
Dietmar Maurer
e76a9f5395 start alias support for VMs
Implement config parser/writer and API. iptables functionality is missing.
2014-05-20 11:56:06 +02:00
Dietmar Maurer
c9902e5a0e improve documentation 2014-05-20 10:54:51 +02:00
Dietmar Maurer
815b4ebf6f do not log simulate warnings to syslog 2014-05-20 10:50:25 +02:00
Dietmar Maurer
814de8329c add simulate command for easy testing 2014-05-20 10:36:58 +02:00
Dietmar Maurer
63e8c70ed0 move test code to FirewallSimulator.pm 2014-05-20 09:46:35 +02:00
Dietmar Maurer
4a9ce6d362 add tests for corosync multicast addrtype rules 2014-05-20 08:24:31 +02:00
Dietmar Maurer
0394065673 do not enable VM firewall by default
Else we get different behavior with empty vs. non-existing <VMID>.fw
2014-05-20 07:52:46 +02:00
Dietmar Maurer
318d0f92f0 add tests for default rules 2014-05-20 07:38:25 +02:00
Dietmar Maurer
ee06b00944 fwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2
So that we can add tests for default rules
2014-05-20 07:36:44 +02:00
Dietmar Maurer
de25c7622e allow tests without cluster.fw and host.fw configuration 2014-05-20 07:35:54 +02:00