mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-02-01 09:47:24 +03:00

830 Commits

Author SHA1 Message Date
Dietmar Maurer
b546f5007c use integer compare for $ipversion 2014-10-31 12:08:10 +01:00
Alexandre Derumier
78a72bc4b2 enable hostfw for ipv4 only
currently pveproxy doesn't work with ipv6,
so let's generate host fw ipv4 only for the moment

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-31 12:06:34 +01:00
Dietmar Maurer
b33ce1b520 fix venet rule generation: venet can have ipv4 and ipv6 address 2014-10-31 12:03:17 +01:00
Dietmar Maurer
006490cb2f $ipversion is integer, so use '!=' instead of string 'ne' 2014-10-30 13:35:55 +01:00
Alexandre Derumier
84870b1ac7 skip vms rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if rule ipversion is undef, we apply to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 13:31:58 +01:00
Dietmar Maurer
9e2205e5ff verify_rule: detected mixed ipv4/ipv6 addresses 2014-10-30 13:27:01 +01:00
Dietmar Maurer
c344e50926 parse_address_list: improve type detection 2014-10-30 13:17:28 +01:00
Dietmar Maurer
a589b6acd9 parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6) 2014-10-30 13:17:24 +01:00
Dietmar Maurer
5163367b84 fix error message 2014-10-30 12:52:29 +01:00
Dietmar Maurer
d31689ee39 rename pve-fw-v4addr-spec to pve-fw-addr-spec
Because we allow ipv4 and ipv6 addresses now.
2014-10-30 12:43:52 +01:00
Alexandre Derumier
7697c04184 parse_rules src && dst ipversion
check the ipversion of src and dst in rules

(fixme : parse ip in range)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:40:20 +01:00
Dietmar Maurer
db8a955f4d cleanup generate_std_chains: don't overwrite global variable $pve_std_chains
Instead, pass $ipversion and use local var $std_chains.
2014-10-30 12:21:00 +01:00
Alexandre Derumier
5547adf719 move $pve_std_chains to $pve_std_chains->{$ipversion}
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 12:10:09 +01:00
Alexandre Derumier
9268573a46 split compile to compile_iptables_filter
compile just reads the config files and will call compile_iptables_filter for iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-10-30 11:56:34 +01:00
Dietmar Maurer
0ac5757051 bump version to 1.0-9 2014-10-14 16:30:01 +02:00
Dietmar Maurer
30150dca3c fix max ipset name length 2014-10-14 16:28:44 +02:00
Dietmar Maurer
571e47f9dd make dependency to cman/clvm optional 2014-09-08 13:06:39 +02:00
Dietmar Maurer
03170bbd02 do not start daemons during installation 2014-09-08 12:25:13 +02:00
Dietmar Maurer
05fd3b63be bump version to 1.0-8 2014-09-08 12:17:02 +02:00
Dietmar Maurer
9f6845cfa9 Firewall/IPSet: implement permission
Factor out common code into PVE/Firewall.
2014-07-21 10:48:00 +02:00
Dietmar Maurer
7f733a5a9f Firewall/Rules: add permissions 2014-07-21 10:24:09 +02:00
Dietmar Maurer
5c9da37bf6 Firewall/Groups: add permissions 2014-07-21 09:54:42 +02:00
Dietmar Maurer
16c8f5d71c Firewall/VM: add permissions 2014-07-21 09:52:01 +02:00
Dietmar Maurer
60c103df97 Firewall/Host: add permissions 2014-07-21 09:40:34 +02:00
Dietmar Maurer
0ec568419a Firewall/Cluster: add permissions 2014-07-21 09:33:18 +02:00
Dietmar Maurer
a34cfdd0d1 generate MAC and IP filter rules if firewall is enabled on NIC
Only omit rules if firewall is disabled. Also remove ipfilter for
venet, because that is not required (kernel does that job for us).
2014-06-26 09:12:23 +02:00
Dietmar Maurer
bea9d5ab11 bump version to 1.0-7 2014-06-26 07:13:16 +02:00
Dietmar Maurer
eadbc1ded3 proxy host rule API calls to correct node 2014-06-26 07:12:06 +02:00
Dietmar Maurer
582275c31f bump version to 1.0-6 2014-06-12 08:37:43 +02:00
Dietmar Maurer
d562837827 add example for ipfilter ipset 2014-06-12 08:36:05 +02:00
Dietmar Maurer
a306a176c4 add regression tests for ipfilter 2014-06-12 08:32:11 +02:00
Dietmar Maurer
66f33d78ed fwtester: add more network (net1, net2) to vm100 to test ipfilter 2014-06-12 08:30:33 +02:00
Dietmar Maurer
b625713bdd implement negative ipset match
To simulate ipfilter.
2014-06-12 08:29:32 +02:00
Dietmar Maurer
b692f42c1b use separate ipfilter ipset on each interface 2014-06-12 06:39:31 +02:00
Dietmar Maurer
808d711d1c add support for ipfilter ipset 2014-06-11 09:59:21 +02:00
Dietmar Maurer
210534093a generate /etc/pve/firewall directory automatically 2014-06-04 09:13:43 +02:00
Dietmar Maurer
89ea63c8a9 avoid errors about undefined values 2014-06-04 09:03:53 +02:00
Dietmar Maurer
de0c1e49cd bump version to 1.0-5 2014-06-04 08:50:57 +02:00
Dietmar Maurer
55fad3b788 remove ipsets when firewall disabled
And improve status output
2014-06-04 08:40:15 +02:00
Dietmar Maurer
085fd492bf return empty ruleset if firewall disabled in cluster.fw 2014-06-04 07:24:34 +02:00
Dietmar Maurer
64c266f582 bump version to 1.0-4 2014-06-04 06:50:32 +02:00
Dietmar Maurer
6f0b67e91c depend on iptables and ipset 2014-06-04 06:44:57 +02:00
Dietmar Maurer
16bcfa8b77 change dh_installinit order 2014-06-04 06:36:55 +02:00
Dietmar Maurer
9a3061c7e2 improve error message 2014-06-02 13:17:53 +02:00
Dietmar Maurer
c8c534f7a4 generate warnings when we read the configuration file 2014-06-02 13:14:42 +02:00
Dietmar Maurer
d46b1ef6fb pass ipset errors to GUI 2014-05-30 13:06:55 +02:00
Dietmar Maurer
4803b296c5 skip non-existent aliases inside ipset configuration 2014-05-30 12:40:25 +02:00
Dietmar Maurer
af2bc60c6c remove dead code from previous commit 2014-05-30 12:26:40 +02:00
Dietmar Maurer
6c22157652 code cleanup - introduce new method resolve_alias 2014-05-30 12:24:40 +02:00
Dietmar Maurer
3782185622 another regression test 2014-05-30 11:28:24 +02:00