X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=f009e58ec93f16a60c5c049bf8454d5031536855;hb=e4882cff462276e51fa511f7baa38b776afbc99d;hp=1479d3b55873a6dccd646b54cb1b005d25119686;hpb=e0a9139f982390e149e44e71e31199b4cfa6bca5;p=pve-firewall.git diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 1479d3b..f009e58 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -12,12 +12,15 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option); use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools qw($IPV4RE $IPV6RE); +use PVE::Network; +use PVE::SafeSyslog; use File::Basename; use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file dir_glob_foreach); use Encode; +use Storable qw(dclone); my $hostfw_conf_filename = "/etc/pve/local/host.fw"; my $pvefw_conf_dir = "/etc/pve/firewall"; @@ -28,6 +31,7 @@ my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw"; my $have_qemu_server; eval { require PVE::QemuServer; + require PVE::QemuConfig; $have_qemu_server = 1; }; @@ -48,7 +52,15 @@ our $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+'; my $max_alias_name_length = 64; my $max_ipset_name_length = 64; -my $max_group_name_length = 20; +my $max_group_name_length = 18; + +my $PROTOCOLS_WITH_PORTS = { + udp => 1, 17 => 1, + udplite => 1, 136 => 1, + tcp => 1, 6 => 1, + dccp => 1, 33 => 1, + sctp => 1, 132 => 1, +}; PVE::JSONSchema::register_format('IPorCIDR', \&pve_verify_ip_or_cidr); sub pve_verify_ip_or_cidr { @@ -131,6 +143,20 @@ my $log_level_hash = { emerg => 0, }; +# %rule +# +# name => optional +# action => +# proto => +# sport => +# dport => +# log => optional, loglevel +# logmsg => optional, logmsg - overwrites default +# iface_in +# iface_out +# match => optional, overwrites generation of match +# target => optional, overwrites action + # we need to overwrite some macros for ipv6 my $pve_ipv6fw_macros = { 'Ping' => [ @@ -144,6 +170,7 @@ my $pve_ipv6fw_macros = { { action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-advertisement' }, ], 'DHCPv6' => [ + "DHCPv6 traffic", { action => 'PARAM', proto => 'udp', dport => '546:547', sport => '546:547' }, ], 'Trcrt' => [ @@ -319,6 +346,10 @@ my $pve_fw_macros = { { action => 'PARAM', proto => 'tcp', dport => '465' }, { action => 'PARAM', proto => 'tcp', dport => '587' }, ], + 'MDNS' => [ + "Multicast DNS", + { action => 'PARAM', proto => 'udp', dport => '5353' }, + ], 'Munin' => [ "Munin networked resource monitoring traffic", { action => 'PARAM', proto => 'tcp', dport => '4949' }, @@ -514,10 +545,14 @@ my $pve_fw_macro_descr; my $pve_fw_macro_ipversion = {}; my $pve_fw_preferred_macro_names = {}; +my $FWACCEPTMARK_ON = "0x80000000/0x80000000"; +my $FWACCEPTMARK_OFF = "0x00000000/0x80000000"; + my $pve_std_chains = {}; -$pve_std_chains->{4} = { +my $pve_std_chains_conf = {}; +$pve_std_chains_conf->{4} = { 'PVEFW-SET-ACCEPT-MARK' => [ - "-j MARK --set-mark 1", + { target => "-j MARK --set-mark $FWACCEPTMARK_ON" }, ], 'PVEFW-DropBroadcast' => [ # same as shorewall 'Broadcast' @@ -533,10 +568,10 @@ $pve_std_chains->{4} = { { action => 'DROP', dsttype => 'BROADCAST' }, { action => 'DROP', source => '224.0.0.0/4' }, { action => 'DROP', proto => 'icmp' }, - "-p tcp -j REJECT --reject-with tcp-reset", - "-p udp -j REJECT --reject-with icmp-port-unreachable", - "-p icmp -j REJECT --reject-with icmp-host-unreachable", - "-j REJECT --reject-with icmp-host-prohibited", + { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' }, + { match => '-p udp', target => '-j REJECT --reject-with icmp-port-unreachable' }, + { match => '-p icmp', target => '-j REJECT --reject-with icmp-host-unreachable' }, + { target => '-j REJECT --reject-with icmp-host-prohibited' }, ], 'PVEFW-Drop' => [ # same as shorewall 'Drop', which is equal to DROP, @@ -549,15 +584,15 @@ $pve_std_chains->{4} = { { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, # Drop Microsoft SMB noise - { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, - { action => 'DROP', proto => 'udp', dport => '137:139'}, + { action => 'DROP', proto => 'udp', dport => '135,445' }, + { action => 'DROP', proto => 'udp', dport => '137:139' }, { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], @@ -572,119 +607,126 @@ $pve_std_chains->{4} = { { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, # Drop Microsoft SMB noise - { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' }, { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-tcpflags' => [ # same as shorewall tcpflags action. # Packets arriving on this interface are checked for som illegal combinations of TCP flags - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", - "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' }, ], 'PVEFW-smurfs' => [ # same as shorewall smurfs action # Filter packets for smurfs (packets with a broadcast address as the source). - "-s 0.0.0.0/32 -j RETURN", # allow DHCP - "-m addrtype --src-type BROADCAST -g PVEFW-smurflog", - "-s 224.0.0.0/4 -g PVEFW-smurflog", + { match => '-s 0.0.0.0/32', target => '-j RETURN' }, # allow DHCP + { match => '-m addrtype --src-type BROADCAST', target => '-g PVEFW-smurflog' }, + { match => '-s 224.0.0.0/4', target => '-g PVEFW-smurflog' }, + ], + 'PVEFW-smurflog' => [ + { action => 'DROP', logmsg => 'DROP: ' }, + ], + 'PVEFW-logflags' => [ + { action => 'DROP', logmsg => 'DROP: ' }, ], }; -$pve_std_chains->{6} = { +$pve_std_chains_conf->{6} = { 'PVEFW-SET-ACCEPT-MARK' => [ - "-j MARK --set-mark 1", + { target => "-j MARK --set-mark $FWACCEPTMARK_ON" }, ], 'PVEFW-DropBroadcast' => [ - # same as shorewall 'Broadcast' - # simply DROP BROADCAST/MULTICAST/ANYCAST - # we can use this to reduce logging - #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6 + # same as shorewall 'Broadcast' + # simply DROP BROADCAST/MULTICAST/ANYCAST + # we can use this to reduce logging + #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6 # ipv6 addrtype does not work with kernel 2.6.32 #{ action => 'DROP', dsttype => 'MULTICAST' }, - #{ action => 'DROP', dsttype => 'ANYCAST' }, - { action => 'DROP', dest => 'ff00::/8' }, - #{ action => 'DROP', dest => '224.0.0.0/4' }, + #{ action => 'DROP', dsttype => 'ANYCAST' }, + { action => 'DROP', dest => 'ff00::/8' }, + #{ action => 'DROP', dest => '224.0.0.0/4' }, ], 'PVEFW-reject' => [ - # same as shorewall 'reject' - #{ action => 'DROP', dsttype => 'BROADCAST' }, - #{ action => 'DROP', source => '224.0.0.0/4' }, + # same as shorewall 'reject' + #{ action => 'DROP', dsttype => 'BROADCAST' }, + #{ action => 'DROP', source => '224.0.0.0/4' }, { action => 'DROP', proto => 'icmpv6' }, - "-p tcp -j REJECT --reject-with tcp-reset", - #"-p udp -j REJECT --reject-with icmp-port-unreachable", - #"-p icmp -j REJECT --reject-with icmp-host-unreachable", - #"-j REJECT --reject-with icmp-host-prohibited", + { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' }, + #"-p udp -j REJECT --reject-with icmp-port-unreachable", + #"-p icmp -j REJECT --reject-with icmp-host-unreachable", + #"-j REJECT --reject-with icmp-host-prohibited", ], 'PVEFW-Drop' => [ - # same as shorewall 'Drop', which is equal to DROP, - # but REJECT/DROP some packages to reduce logging, - # and ACCEPT critical ICMP types + # same as shorewall 'Drop', which is equal to DROP, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' - # we are not interested in BROADCAST/MULTICAST/ANYCAST - { action => 'PVEFW-DropBroadcast' }, - # ACCEPT critical ICMP types - { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, - - # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", - # Drop Microsoft SMB noise - { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, + # Drop packets with INVALID state + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, + # Drop Microsoft SMB noise + { action => 'DROP', proto => 'udp', dport => '135,445' }, { action => 'DROP', proto => 'udp', dport => '137:139'}, { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP - # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", - # Drop DNS replies + # Drop new/NotSyn traffic so that it doesn't get logged + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, + # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-Reject' => [ - # same as shorewall 'Reject', which is equal to Reject, - # but REJECT/DROP some packages to reduce logging, - # and ACCEPT critical ICMP types - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' - # we are not interested in BROADCAST/MULTICAST/ANYCAST - { action => 'PVEFW-DropBroadcast' }, - # ACCEPT critical ICMP types - { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, - - # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", - # Drop Microsoft SMB noise - { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, - { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, - { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, - { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP - # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", - # Drop DNS replies - { action => 'DROP', proto => 'udp', sport => 53 }, + # same as shorewall 'Reject', which is equal to Reject, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, + # Drop packets with INVALID state + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, + # Drop Microsoft SMB noise + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' }, + { action => 'PVEFW-reject', proto => 'udp', dport => '137:139' }, + { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-tcpflags' => [ - # same as shorewall tcpflags action. - # Packets arriving on this interface are checked for som illegal combinations of TCP flags - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", - "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + # same as shorewall tcpflags action. + # Packets arriving on this interface are checked for som illegal combinations of TCP flags + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' }, + ], + 'PVEFW-logflags' => [ + { action => 'DROP', logmsg => 'DROP: ' }, ], }; @@ -870,24 +912,6 @@ sub get_etc_protocols { return $etc_protocols; } -my $ipv4_mask_hash_localnet = { - '255.255.0.0' => 16, - '255.255.128.0' => 17, - '255.255.192.0' => 18, - '255.255.224.0' => 19, - '255.255.240.0' => 20, - '255.255.248.0' => 21, - '255.255.252.0' => 22, - '255.255.254.0' => 23, - '255.255.255.0' => 24, - '255.255.255.128' => 25, - '255.255.255.192' => 26, - '255.255.255.224' => 27, - '255.255.255.240' => 28, - '255.255.255.248' => 29, - '255.255.255.252' => 30, -}; - my $__local_network; sub local_network { @@ -911,13 +935,17 @@ sub local_network { my $mask; if ($isv6) { $mask = $entry->{prefix}; + next if !$mask; # skip the default route... } else { - $mask = $ipv4_mask_hash_localnet->{$entry->{mask}}; + $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}}; next if !defined($mask); } my $cidr = "$entry->{dest}/$mask"; my $testnet = Net::IP->new($cidr); - if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) { + my $overlap = $testnet->overlaps($testip); + if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP || + $overlap == $Net::IP::IP_IDENTICAL) + { $__local_network = $cidr; return; } @@ -972,7 +1000,9 @@ sub parse_address_list { my $iprange = 0; my $ipversion; - foreach my $elem (split(/,/, $str)) { + my @elements = split(/,/, $str); + die "extraneous commas in list\n" if $str ne join(',', @elements); + foreach my $elem (@elements) { $count++; my $ip = Net::IP->new($elem); if (!$ip) { @@ -1001,7 +1031,9 @@ sub parse_port_name_number_or_range { my $count = 0; my $icmp_port = 0; - foreach my $item (split(/,/, $str)) { + my @elements = split(/,/, $str); + die "extraneous commas in list\n" if $str ne join(',', @elements); + foreach my $item (@elements) { $count++; if ($item =~ m/^(\d+):(\d+)$/) { my ($port1, $port2) = ($1, $2); @@ -1119,6 +1151,130 @@ sub copy_list_with_digest { return wantarray ? ($res, $digest) : $res; } +our $cluster_option_properties = { + enable => { + description => "Enable or disable the firewall cluster wide.", + type => 'integer', + minimum => 0, + optional => 1, + }, + policy_in => { + description => "Input policy.", + type => 'string', + optional => 1, + enum => ['ACCEPT', 'REJECT', 'DROP'], + }, + policy_out => { + description => "Output policy.", + type => 'string', + optional => 1, + enum => ['ACCEPT', 'REJECT', 'DROP'], + }, +}; + +our $host_option_properties = { + enable => { + description => "Enable host firewall rules.", + type => 'boolean', + optional => 1, + }, + log_level_in => get_standard_option('pve-fw-loglevel', { + description => "Log level for incoming traffic." }), + log_level_out => get_standard_option('pve-fw-loglevel', { + description => "Log level for outgoing traffic." }), + tcp_flags_log_level => get_standard_option('pve-fw-loglevel', { + description => "Log level for illegal tcp flags filter." }), + smurf_log_level => get_standard_option('pve-fw-loglevel', { + description => "Log level for SMURFS filter." }), + nosmurfs => { + description => "Enable SMURFS filter.", + type => 'boolean', + optional => 1, + }, + tcpflags => { + description => "Filter illegal combinations of TCP flags.", + type => 'boolean', + optional => 1, + }, + nf_conntrack_max => { + description => "Maximum number of tracked connections.", + type => 'integer', + optional => 1, + minimum => 32768, + }, + nf_conntrack_tcp_timeout_established => { + description => "Conntrack established timeout.", + type => 'integer', + optional => 1, + minimum => 7875, + }, + ndp => { + description => "Enable NDP.", + type => 'boolean', + optional => 1, + }, +}; + +our $vm_option_properties = { + enable => { + description => "Enable/disable firewall rules.", + type => 'boolean', + optional => 1, + }, + macfilter => { + description => "Enable/disable MAC address filter.", + type => 'boolean', + optional => 1, + }, + dhcp => { + description => "Enable DHCP.", + type => 'boolean', + optional => 1, + }, + ndp => { + description => "Enable NDP.", + type => 'boolean', + optional => 1, + }, + radv => { + description => "Allow sending Router Advertisement.", + type => 'boolean', + optional => 1, + }, + ipfilter => { + description => "Enable default IP filters. " . + "This is equivalent to adding an empty ipfilter-net ipset " . + "for every interface. Such ipsets implicitly contain sane default " . + "restrictions such as restricting IPv6 link local addresses to " . + "the one derived from the interface's MAC address. For containers " . + "the configured IP addresses will be implicitly added.", + type => 'boolean', + optional => 1, + }, + policy_in => { + description => "Input policy.", + type => 'string', + optional => 1, + enum => ['ACCEPT', 'REJECT', 'DROP'], + }, + policy_out => { + description => "Output policy.", + type => 'string', + optional => 1, + enum => ['ACCEPT', 'REJECT', 'DROP'], + }, + log_level_in => get_standard_option('pve-fw-loglevel', { + description => "Log level for incoming traffic." }), + log_level_out => get_standard_option('pve-fw-loglevel', { + description => "Log level for outgoing traffic." }), + +}; + + +my $addr_list_descr = "This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists."; + +my $port_descr = "You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\\d+:\\d+', for example '80:85', and you can use comma separated list to match several ports or ranges."; + my $rule_properties = { pos => { description => "Update rule at position .", @@ -1128,6 +1284,7 @@ my $rule_properties = { }, digest => get_standard_option('pve-config-digest'), type => { + description => "Rule type.", type => 'string', optional => 1, enum => ['in', 'out', 'group'], @@ -1141,37 +1298,48 @@ my $rule_properties = { minLength => 2, }, macro => { + description => "Use predefined standard macro.", type => 'string', optional => 1, maxLength => 128, }, - iface => get_standard_option('pve-iface', { optional => 1 }), + iface => get_standard_option('pve-iface', { + description => "Network interface name. You have to use network configuration key names for VMs and containers ('net\\d+'). Host related rules can use arbitrary strings.", + optional => 1 + }), source => { + description => "Restrict packet source address. $addr_list_descr", type => 'string', format => 'pve-fw-addr-spec', optional => 1, }, dest => { + description => "Restrict packet destination address. $addr_list_descr", type => 'string', format => 'pve-fw-addr-spec', optional => 1, }, proto => { + description => "IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.", type => 'string', format => 'pve-fw-protocol-spec', optional => 1, }, enable => { + description => "Flag to enable/disable a rule.", type => 'integer', minimum => 0, optional => 1, }, sport => { + description => "Restrict TCP/UDP source port. $port_descr", type => 'string', format => 'pve-fw-sport-spec', optional => 1, }, dport => { + description => "Restrict TCP/UDP destination port. $port_descr", type => 'string', format => 'pve-fw-dport-spec', optional => 1, }, comment => { + description => "Descriptive comment.", type => 'string', optional => 1, }, @@ -1374,15 +1542,22 @@ sub verify_rule { if ($rule->{dport}) { eval { parse_port_name_number_or_range($rule->{dport}, 1); }; &$add_error('dport', $@) if $@; + my $proto = $rule->{proto}; &$add_error('proto', "missing property - 'dport' requires this property") - if !$rule->{proto}; + if !$proto; + &$add_error('dport', "protocol '$proto' does not support ports") + if !$PROTOCOLS_WITH_PORTS->{$proto} && + $proto ne 'icmp' && $proto ne 'icmpv6'; # special cases } if ($rule->{sport}) { eval { parse_port_name_number_or_range($rule->{sport}, 0); }; &$add_error('sport', $@) if $@; + my $proto = $rule->{proto}; &$add_error('proto', "missing property - 'sport' requires this property") - if !$rule->{proto}; + if !$proto; + &$add_error('sport', "protocol '$proto' does not support ports") + if !$PROTOCOLS_WITH_PORTS->{$proto}; } if ($rule->{source}) { @@ -1496,8 +1671,6 @@ sub enable_bridge_firewall { $bridge_firewall_enabled = 1; } -my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n"; - sub iptables_restore_cmdlist { my ($cmdlist) = @_; @@ -1626,12 +1799,14 @@ sub ipset_get_chains { return $res; } -sub ruleset_generate_cmdstr { +sub ruleset_generate_match { my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; return if defined($rule->{enable}) && !$rule->{enable}; return if $rule->{errors}; + return $rule->{match} if defined $rule->{match}; + die "unable to emit macro - internal error" if $rule->{macro}; # should not happen my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0; @@ -1703,8 +1878,8 @@ sub ruleset_generate_cmdstr { } } - if ($rule->{proto}) { - push @cmd, "-p $rule->{proto}"; + if (my $proto = $rule->{proto}) { + push @cmd, "-p $proto"; my $multiport = 0; $multiport++ if $nbdport > 1; @@ -1716,16 +1891,18 @@ sub ruleset_generate_cmdstr { if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); if ($rule->{dport}) { - if ($rule->{proto} && $rule->{proto} eq 'icmp') { + if ($proto eq 'icmp') { # Note: we use dport to store --icmp-type die "unknown icmp-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}}); push @cmd, "-m icmp --icmp-type $rule->{dport}"; - } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') { + } elsif ($proto eq 'icmpv6') { # Note: we use dport to store --icmpv6-type die "unknown icmpv6-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}}); push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}"; + } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) { + die "protocol $proto does not have ports\n"; } else { if ($nbdport > 1) { if ($multiport == 2) { @@ -1740,6 +1917,8 @@ sub ruleset_generate_cmdstr { } if ($rule->{sport}) { + die "protocol $proto does not have ports\n" + if !$PROTOCOLS_WITH_PORTS->{$proto}; if ($nbsport > 1) { push @cmd, "--sports $rule->{sport}" if $multiport != 2; } else { @@ -1753,6 +1932,16 @@ sub ruleset_generate_cmdstr { push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; + return scalar(@cmd) ? join(' ', @cmd) : undef; +} + +sub ruleset_generate_action { + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; + + return $rule->{target} if defined $rule->{target}; + + my @cmd = (); + if (my $action = $rule->{action}) { $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; @@ -1762,6 +1951,17 @@ sub ruleset_generate_cmdstr { return scalar(@cmd) ? join(' ', @cmd) : undef; } +sub ruleset_generate_cmdstr { + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf); + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf); + + return undef if !(defined($match) or defined($action)); + my $ret = defined($match) ? $match : ""; + $ret = "$ret $action" if defined($action); + return $ret; +} + sub ruleset_generate_rule { my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; @@ -1775,15 +1975,24 @@ sub ruleset_generate_rule { # update all or nothing - my @cmds = (); + # fixme: lots of temporary ugliness + my @mstrs = (); + my @astrs = (); + my @logging = (); + my @logmsg = (); foreach my $tmp (@$rules) { - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf)) { - push @cmds, $cmdstr; + my $m = ruleset_generate_match($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf); + my $a = ruleset_generate_action($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf); + if (defined $m or defined $a) { + push @mstrs, defined($m) ? $m : ""; + push @astrs, defined($a) ? $a : ""; + push @logging, $tmp->{log}; + push @logmsg, $tmp->{logmsg}; } } - foreach my $cmdstr (@cmds) { - ruleset_addrule($ruleset, $chain, $cmdstr); + for my $i (0 .. $#mstrs) { + ruleset_addrule($ruleset, $chain, $mstrs[$i], $astrs[$i], $logging[$i], $logmsg[$i]); } } @@ -1792,8 +2001,10 @@ sub ruleset_generate_rule_insert { die "implement me" if $rule->{macro}; # not implemented, because not needed so far - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $rule, $actions, $goto)) { - ruleset_insertrule($ruleset, $chain, $cmdstr); + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto); + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto); + if (defined $match && defined $action) { + ruleset_insertrule($ruleset, $chain, $match, $action); } } @@ -1815,46 +2026,37 @@ sub ruleset_chain_exist { } sub ruleset_addrule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_; die "no such chain '$chain'\n" if !$ruleset->{$chain}; - push @{$ruleset->{$chain}}, "-A $chain $rule"; + if (defined($log) && $log) { + my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log); + push @{$ruleset->{$chain}}, "-A $chain $match $logaction"; + } + push @{$ruleset->{$chain}}, "-A $chain $match $action"; } sub ruleset_insertrule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $match, $action, $log) = @_; die "no such chain '$chain'\n" if !$ruleset->{$chain}; - unshift @{$ruleset->{$chain}}, "-A $chain $rule"; + unshift @{$ruleset->{$chain}}, "-A $chain $match $action"; } sub get_log_rule_base { my ($chain, $vmid, $msg, $loglevel) = @_; - die "internal error - no log level" if !defined($loglevel); - $vmid = 0 if !defined($vmid); + $msg = "" if !defined($msg); # Note: we use special format for prefix to pass further - # info to log daemon (VMID, LOGVELEL and CHAIN) + # info to log daemon (VMID, LOGLEVEL and CHAIN) return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\""; } -sub ruleset_addlog { - my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_; - - return if !defined($loglevel); - - my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel); - - $logrule = "$rule $logrule" if defined($rule); - - ruleset_addrule($ruleset, $chain, $logrule); -} - sub ruleset_add_chain_policy { my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_; @@ -1865,17 +2067,13 @@ sub ruleset_add_chain_policy { } elsif ($policy eq 'DROP') { - ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); - - ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop"); - ruleset_addrule($ruleset, $chain, "-j DROP"); + ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid); } elsif ($policy eq 'REJECT') { - ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject"); - ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); - - ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); + ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy:", $vmid); } else { # should not happen die "internal error: unknown policy '$policy'"; @@ -1886,19 +2084,19 @@ sub ruleset_chain_add_ndp { my ($ruleset, $chain, $ipversion, $options, $direction, $accept) = @_; return if $ipversion != 6 || (defined($options->{ndp}) && !$options->{ndp}); - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation", $accept); if ($direction ne 'OUT' || $options->{radv}) { - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", $accept); } - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation $accept"); - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation", $accept); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement", $accept); } sub ruleset_chain_add_conn_filters { my ($ruleset, $chain, $accept) = @_; - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept"); } sub ruleset_chain_add_input_filters { @@ -1907,21 +2105,20 @@ sub ruleset_chain_add_input_filters { if ($cluster_conf->{ipset}->{blacklist}){ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) { ruleset_create_chain($ruleset, "PVEFW-blacklist"); - ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel; - ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP"); + ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP", $loglevel, "DROP: "); } my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion); - ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist"); + ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src", "-j PVEFW-blacklist"); } if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { if ($ipversion == 4) { - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW", "-j PVEFW-smurfs"); } } if ($options->{tcpflags}) { - ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); + ruleset_addrule($ruleset, $chain, "-p tcp", "-j PVEFW-tcpflags"); } } @@ -1958,15 +2155,15 @@ sub ruleset_create_vm_chain { if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); + ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr", "-j DROP"); } if ($ipversion == 6 && !$options->{radv}) { - ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP'); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", "-j DROP"); } if ($ipfilter_ipset) { - ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP"); + ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src", "-j DROP"); } - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark } my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : "-j $accept"; @@ -1983,14 +2180,14 @@ sub ruleset_add_group_rule { } if ($direction eq 'OUT' && $rule->{iface_out}) { - ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out} -j $group_chain"); + ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out}", "-j $group_chain"); } elsif ($direction eq 'IN' && $rule->{iface_in}) { - ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in} -j $group_chain"); + ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in}", "-j $group_chain"); } else { - ruleset_addrule($ruleset, $chain, "-j $group_chain"); + ruleset_addrule($ruleset, $chain, "", "-j $group_chain"); } - ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $action"); + ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON", "-j $action"); } sub ruleset_generate_vm_rules { @@ -2055,7 +2252,7 @@ sub ruleset_generate_vm_ipsrules { ruleset_create_chain($ruleset, "PVEFW-IPS"); } - ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); + ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue"); } } @@ -2073,7 +2270,7 @@ sub generate_tap_rules_direction { my $ipfilter_name = compute_ipfilter_ipset_name($netid); my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion) - if $vmfw_conf->{ipset}->{$ipfilter_name}; + if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name}; # create chain with mac and ip filter ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction); @@ -2103,10 +2300,10 @@ sub generate_tap_rules_direction { # plug the tap chain to bridge chain if ($direction eq 'IN') { ruleset_addrule($ruleset, "PVEFW-FWBR-IN", - "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); + "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain"); } else { ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", - "-m physdev --physdev-is-bridged --physdev-in $iface -j $tapchain"); + "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain"); } } @@ -2124,7 +2321,7 @@ sub enable_host_firewall { my $loglevel = get_option_log_level($options, "log_level_in"); - ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT"); ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j RETURN'); @@ -2133,7 +2330,7 @@ sub enable_host_firewall { # we use RETURN because we need to check also tap rules my $accept_action = 'RETURN'; - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast # add host rules first, so that cluster wide rules can be overwritten foreach my $rule (@$rules, @$cluster_rules) { @@ -2158,19 +2355,19 @@ sub enable_host_firewall { # allow standard traffic for management ipset (includes cluster network) my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management", $ipversion); my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src"; - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006", "-j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j $accept_action"); # SSH my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr}; my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion}; # corosync if ($localnet && ($ipversion == $localnet_ver)) { - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; - ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule"); - ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule"); + my $corosync_rule = "-p udp --dport 5404:5405"; + ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule", "-j $accept_action"); + ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action"); } # implement input policy @@ -2183,7 +2380,7 @@ sub enable_host_firewall { $loglevel = get_option_log_level($options, "log_level_out"); - ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT"); ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); @@ -2191,7 +2388,7 @@ sub enable_host_firewall { $accept_action = 'RETURN'; ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'OUT', "-j $accept_action"); - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast # add host rules first, so that cluster wide rules can be overwritten foreach my $rule (@$rules, @$cluster_rules) { @@ -2214,22 +2411,22 @@ sub enable_host_firewall { # allow standard traffic on cluster network if ($localnet && ($ipversion == $localnet_ver)) { - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006 -j $accept_action"); # PVE API - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22 -j $accept_action"); # SSH - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action"); # SSH + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; - ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule"); - ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule"); + my $corosync_rule = "-p udp --dport 5404:5405"; + ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j $accept_action"); + ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action"); } # implement output policy $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, $loglevel, $accept_action); - ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); - ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "", "-j PVEFW-HOST-OUT"); + ruleset_addrule($ruleset, "PVEFW-INPUT", "", "-j PVEFW-HOST-IN"); } sub generate_group_rules { @@ -2245,7 +2442,7 @@ sub generate_group_rules { my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; @@ -2258,7 +2455,7 @@ sub generate_group_rules { $chain = "GROUP-${group}-OUT"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'out'; @@ -2277,6 +2474,14 @@ for (my $i = 0; $i < $MAX_NETS; $i++) { $valid_netdev_names->{"net$i"} = 1; } +sub get_mark_values { + my ($value, $mask) = @_; + $value = hex($value) if $value =~ /^0x/; + $mask = hex($mask) if defined($mask) && $mask =~ /^0x/; + $mask = 0xffffffff if !defined($mask); + return ($value, $mask); +} + sub parse_fw_rule { my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_; @@ -2343,10 +2548,14 @@ sub parse_fw_rule { die "unable to parse rule parameters: $line\n" if length($line); $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1); - if ($verbose && $rule->{errors}) { - warn "$prefix - errors in rule parameters: $orig_line\n"; + if ($rule->{errors}) { + # The verbose flag really means we're running from the CLI and want + # output on the console - in the other case we really want such errors + # to go into the syslog instead. + my $log = $verbose ? sub { warn @_ } : sub { syslog(err => @_) }; + $log->("$prefix - errors in rule parameters: $orig_line\n"); foreach my $p (keys %{$rule->{errors}}) { - warn " $p: $rule->{errors}->{$p}\n"; + $log->(" $p: $rule->{errors}->{$p}\n"); } } @@ -2360,7 +2569,7 @@ sub parse_vmfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|ndp|radv|macfilter|ips):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|ndp|radv|macfilter|ipfilter|ips):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { @@ -2614,6 +2823,10 @@ sub generic_fw_config_parser { $errors->{cidr} = $err; } + if ($cidr =~ m!/0+$!) { + $errors->{cidr} = "a zero prefix is not allowed in ipset entries\n"; + } + my $entry = { cidr => $cidr }; $entry->{nomatch} = 1 if $nomatch; $entry->{comment} = $comment if $comment; @@ -2707,14 +2920,14 @@ sub read_local_vm_config { next if !$d->{type}; if ($d->{type} eq 'qemu') { if ($have_qemu_server) { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + my $cfspath = PVE::QemuConfig->cfs_config_path($vmid); if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { $qemu->{$vmid} = $conf; } } } elsif ($d->{type} eq 'lxc') { if ($have_lxc) { - my $cfspath = PVE::LXC::cfs_config_path($vmid); + my $cfspath = PVE::LXC::Config->cfs_config_path($vmid); if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { $lxc->{$vmid} = $conf; } @@ -2938,26 +3151,21 @@ sub generate_std_chains { my $std_chains = $pve_std_chains->{$ipversion} || die "internal error"; my $loglevel = get_option_log_level($options, 'smurf_log_level'); - - my $chain; - - if ($ipversion == 4) { - # same as shorewall smurflog. - $chain = 'PVEFW-smurflog'; - $std_chains->{$chain} = []; - - push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; - push @{$std_chains->{$chain}}, "-j DROP"; + my $chain = 'PVEFW-smurflog'; + if ( $std_chains->{$chain} ) { + foreach my $r (@{$std_chains->{$chain}}) { + $r->{log} = $loglevel; + } } # same as shorewall logflags action. $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); $chain = 'PVEFW-logflags'; - $std_chains->{$chain} = []; - - # fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG) - push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; - push @{$std_chains->{$chain}}, "-j DROP"; + if ( $std_chains->{$chain} ) { + foreach my $r (@{$std_chains->{$chain}}) { + $r->{log} = $loglevel; + } + } foreach my $chain (keys %$std_chains) { ruleset_create_chain($ruleset, $chain); @@ -2965,18 +3173,18 @@ sub generate_std_chains { if (ref($rule)) { ruleset_generate_rule($ruleset, $chain, $ipversion, $rule); } else { - ruleset_addrule($ruleset, $chain, $rule); + die "rule $rule as string - should not happen"; } } } } sub generate_ipset_chains { - my ($ipset_ruleset, $clusterfw_conf, $fw_conf, $device_ips) = @_; #fixme + my ($ipset_ruleset, $clusterfw_conf, $fw_conf, $device_ips, $ipsets) = @_; - foreach my $ipset (keys %{$fw_conf->{ipset}}) { + foreach my $ipset (keys %{$ipsets}) { - my $options = $fw_conf->{ipset}->{$ipset}; + my $options = $ipsets->{$ipset}; if ($device_ips && $ipset =~ /^ipfilter-(net\d+)$/) { if (my $ips = $device_ips->{$1}) { @@ -3148,6 +3356,9 @@ sub compile { my $vmfw_configs; + # fixme: once we read standard chains from config this needs to be put in test/standard cases below + $pve_std_chains = dclone($pve_std_chains_conf); + if ($vmdata) { # test mode my $testdir = $vmdata->{testdir} || die "no test directory specified"; my $filename = "$testdir/cluster.fw"; @@ -3208,10 +3419,10 @@ sub compile_iptables_filter { ruleset_create_chain($ruleset, "PVEFW-FWBR-IN"); ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, $hostfw_options, $cluster_conf, $loglevel); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+", "-j PVEFW-FWBR-IN"); ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+", "-j PVEFW-FWBR-OUT"); generate_std_chains($ruleset, $hostfw_options, $ipversion); @@ -3223,13 +3434,13 @@ sub compile_iptables_filter { } # generate firewall rules for QEMU VMs - foreach my $vmid (keys %{$vmdata->{qemu}}) { + foreach my $vmid (sort keys %{$vmdata->{qemu}}) { eval { my $conf = $vmdata->{qemu}->{$vmid}; my $vmfw_conf = $vmfw_configs->{$vmid}; return if !$vmfw_conf; - foreach my $netid (keys %$conf) { + foreach my $netid (sort keys %$conf) { next if $netid !~ m/^net(\d+)$/; my $net = PVE::QemuServer::parse_net($conf->{$netid}); next if !$net->{firewall}; @@ -3246,16 +3457,16 @@ sub compile_iptables_filter { } # generate firewall rules for LXC containers - foreach my $vmid (keys %{$vmdata->{lxc}}) { + foreach my $vmid (sort keys %{$vmdata->{lxc}}) { eval { my $conf = $vmdata->{lxc}->{$vmid}; my $vmfw_conf = $vmfw_configs->{$vmid}; return if !$vmfw_conf; if ($vmfw_conf->{options}->{enable}) { - foreach my $netid (keys %$conf) { + foreach my $netid (sort keys %$conf) { next if $netid !~ m/^net(\d+)$/; - my $net = PVE::LXC::parse_lxc_network($conf->{$netid}); + my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid}); next if !$net->{firewall}; my $iface = "veth${vmid}i$1"; my $macaddr = $net->{hwaddr}; @@ -3270,7 +3481,7 @@ sub compile_iptables_filter { } if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){ - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS"); + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS"); } return $ruleset; @@ -3314,12 +3525,24 @@ sub compile_ipsets { my $vmfw_conf = $vmfw_configs->{$vmid}; return if !$vmfw_conf; + # When the 'ipfilter' option is enabled every device for which there + # is no 'ipfilter-netX' ipset defiend gets an implicit empty default + # ipset. + # The reason is that ipfilter ipsets are always filled with standard + # IPv6 link-local filters. + my $ipsets = $vmfw_conf->{ipset}; + my $implicit_sets = {}; + my $device_ips = {}; foreach my $netid (keys %$conf) { next if $netid !~ m/^net(\d+)$/; my $net = PVE::QemuServer::parse_net($conf->{$netid}); next if !$net->{firewall}; + if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) { + $implicit_sets->{"ipfilter-$netid"} = []; + } + my $macaddr = $net->{macaddr}; my $linklocal = mac_to_linklocal($macaddr); $device_ips->{$netid} = [ @@ -3328,38 +3551,59 @@ sub compile_ipsets { ]; } - generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips); + generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets); + generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $implicit_sets); }; warn $@ if $@; # just to be sure - should not happen } # generate firewall rules for LXC containers foreach my $vmid (keys %{$vmdata->{lxc}}) { - eval { - my $conf = $vmdata->{lxc}->{$vmid}; - my $vmfw_conf = $vmfw_configs->{$vmid}; - return if !$vmfw_conf; + eval { + my $conf = $vmdata->{lxc}->{$vmid}; + my $vmfw_conf = $vmfw_configs->{$vmid}; + return if !$vmfw_conf; + + # When the 'ipfilter' option is enabled every device for which there + # is no 'ipfilter-netX' ipset defiend gets an implicit empty default + # ipset. + # The reason is that ipfilter ipsets are always filled with standard + # IPv6 link-local filters, as well as the IP addresses configured + # for the container. + my $ipsets = $vmfw_conf->{ipset}; + my $implicit_sets = {}; my $device_ips = {}; foreach my $netid (keys %$conf) { next if $netid !~ m/^net(\d+)$/; - my $net = PVE::LXC::parse_lxc_network($conf->{$netid}); + my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid}); next if !$net->{firewall}; + if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) { + $implicit_sets->{"ipfilter-$netid"} = []; + } + my $macaddr = $net->{hwaddr}; my $linklocal = mac_to_linklocal($macaddr); - $device_ips->{$netid} = [ + my $set = $device_ips->{$netid} = [ { cidr => $linklocal }, { cidr => 'fe80::/10', nomatch => 1 } ]; + if (defined($net->{ip}) && $net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!) { + push @$set, { cidr => $1 }; + } + if (defined($net->{ip6}) && $net->{ip6} =~ m!^($IPV6RE)(?:/\d+)?$!) { + push @$set, { cidr => $1 }; + } } - generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips); - }; - warn $@ if $@; # just to be sure - should not happen + generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets); + generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $implicit_sets); + }; + warn $@ if $@; # just to be sure - should not happen } - generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef); + generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{ipset}); return $ipset_ruleset; }