git.proxmox.com Git - pve-firewall.git/log
Dietmar Maurer [Wed, 12 Aug 2015 09:59:18 +0000 (11:59 +0200)]
adopt regression tests for lxc containers
Removed OpenVZ venet code.
Alen Grizonic [Tue, 11 Aug 2015 12:50:53 +0000 (14:50 +0200)]
removed firewall code for openVZ
[PATCH 2/2] changed to [PATCH] with the following fix:
Subroutine verify_rule (re)fixed to correctly check only for "net\d+" interface device names
Dietmar Maurer [Mon, 10 Aug 2015 07:21:35 +0000 (09:21 +0200)]
bump version to 2.0-7
Alen Grizonic [Fri, 7 Aug 2015 14:18:34 +0000 (16:18 +0200)]
added firewall code for lxc
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Tue, 4 Aug 2015 09:15:11 +0000 (11:15 +0200)]
bump version to 2.0-6
Alen Grizonic [Tue, 4 Aug 2015 08:55:24 +0000 (10:55 +0200)]
firewall ipversion comparison fix
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:05 +0000 (08:46 +0200)]
local_network: ipv6 support + correctness
Net::IP->overlaps returns more than just true or false, as
it tests both directions; we need IP_B_IN_A_OVERLAP in our
test.
Removed return on mask eq '0.0.0.0' as this doesn't exist in
the $ipv4_mask_hash_localnet.
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:04 +0000 (08:46 +0200)]
fix ipv6 address normalization
inet_ntop only takes an address, not a CIDR notation. Since
the normalized address should just be a compressed
lower-case address, Net::IP::ip_compress_address should be
sufficient.
inet_ntop didn't succeed before, the result of which was
that ipsets weren't generated at all for ipv6 address ranges.
Dietmar Maurer [Mon, 27 Jul 2015 11:21:24 +0000 (13:21 +0200)]
bump version to 2.0-5
Wolfgang Bumiller [Mon, 6 Jul 2015 08:10:45 +0000 (10:10 +0200)]
ipv6 neighbor discovery and solicitation macros
Wolfgang Bumiller [Mon, 6 Jul 2015 08:07:49 +0000 (10:07 +0200)]
Add ipv6 macros to the macro list
Additionally there's now a way to specify ipv6-only or
ipv4-only macros.
Wolfgang Bumiller [Fri, 3 Jul 2015 08:17:21 +0000 (10:17 +0200)]
ip6tables accepts both spellings of the word neighbor
Alen Grizonic [Tue, 14 Jul 2015 12:04:57 +0000 (14:04 +0200)]
firewall - Ceph macro added
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Sat, 27 Jun 2015 14:34:40 +0000 (16:34 +0200)]
fix path for DOCDIR
Dietmar Maurer [Sat, 27 Jun 2015 14:26:48 +0000 (16:26 +0200)]
bump version to 2.0-4
Dietmar Maurer [Sat, 27 Jun 2015 14:25:44 +0000 (16:25 +0200)]
correctly install manual pages
Dietmar Maurer [Sat, 27 Jun 2015 14:24:58 +0000 (16:24 +0200)]
fix lintian warning command-with-path-in-maintainer-script
Alen Grizonic [Thu, 25 Jun 2015 09:36:42 +0000 (11:36 +0200)]
firewall instant API call apply
Alen Grizonic [Wed, 24 Jun 2015 11:46:09 +0000 (13:46 +0200)]
firewall_module_duplicate
removed duplicated line of Data::Dumper use
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Alen Grizonic [Thu, 25 Jun 2015 08:06:27 +0000 (10:06 +0200)]
firewall autodisable
firewall enable parameter type changed from boolean to integer so it can store
the timestamp of the firewall enable call to avoid an admin remote lockout
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Mon, 1 Jun 2015 10:33:27 +0000 (12:33 +0200)]
bump version to 2.0-3
Dietmar Maurer [Mon, 1 Jun 2015 10:32:17 +0000 (12:32 +0200)]
use noawait triggers for pve-api-updates
Dietmar Maurer [Tue, 5 May 2015 13:10:42 +0000 (15:10 +0200)]
bump version to 2.0-2
Dietmar Maurer [Tue, 5 May 2015 13:09:48 +0000 (15:09 +0200)]
trigger pve-api-updates event
Dietmar Maurer [Wed, 18 Mar 2015 05:08:53 +0000 (06:08 +0100)]
allow admins to delete security groups
Dietmar Maurer [Mon, 16 Mar 2015 05:30:43 +0000 (06:30 +0100)]
always use local_network alias if specified by user
Dietmar Maurer [Sun, 15 Mar 2015 09:11:00 +0000 (10:11 +0100)]
correctly emit ipv6 rules for host firewall
Dietmar Maurer [Wed, 4 Mar 2015 05:51:08 +0000 (06:51 +0100)]
add PIDFile option for systemd services
Dietmar Maurer [Tue, 3 Mar 2015 12:37:40 +0000 (13:37 +0100)]
install systemd service files
Dietmar Maurer [Mon, 2 Mar 2015 05:27:19 +0000 (06:27 +0100)]
implement permission for Alias class.
Dietmar Maurer [Mon, 2 Mar 2015 09:14:29 +0000 (10:14 +0100)]
do not use triggers
This makes problems on jessie, complaining about a cyclic dependency loop.
Dietmar Maurer [Fri, 27 Feb 2015 12:07:39 +0000 (13:07 +0100)]
fix path to ipset binary
Dietmar Maurer [Fri, 27 Feb 2015 12:05:07 +0000 (13:05 +0100)]
remove cman dependency
depending on pve-cluster should be enough.
Dietmar Maurer [Fri, 27 Feb 2015 11:27:52 +0000 (12:27 +0100)]
recompile for debian jessie, bump version to 2.0-1
Dietmar Maurer [Mon, 9 Feb 2015 08:32:53 +0000 (09:32 +0100)]
bump version to 1.0-18
Dietmar Maurer [Mon, 9 Feb 2015 08:31:18 +0000 (09:31 +0100)]
fix alias lookup
Dietmar Maurer [Thu, 15 Jan 2015 05:55:38 +0000 (06:55 +0100)]
bump version to 1.0-17
Dietmar Maurer [Thu, 15 Jan 2015 05:53:45 +0000 (06:53 +0100)]
add preinst script
Older versions of the pve-firewall daemon do not restart
with HUP, so we need to do a stop/start.
Dietmar Maurer [Thu, 15 Jan 2015 05:44:58 +0000 (06:44 +0100)]
fix call to register_restart_command (set $use_hup to true)
Dietmar Maurer [Wed, 31 Dec 2014 16:40:51 +0000 (17:40 +0100)]
remove class parameter from register_XXX_command
Dietmar Maurer [Wed, 31 Dec 2014 16:18:53 +0000 (17:18 +0100)]
simplify code (error log is done inside Daemon.pm)
Dietmar Maurer [Wed, 31 Dec 2014 11:34:17 +0000 (12:34 +0100)]
improve logging
Dietmar Maurer [Thu, 18 Dec 2014 12:48:24 +0000 (13:48 +0100)]
fix arguments for register_restart_command
Dietmar Maurer [Thu, 18 Dec 2014 08:45:18 +0000 (09:45 +0100)]
bump version to 1.0-16
Dietmar Maurer [Tue, 16 Dec 2014 11:15:43 +0000 (12:15 +0100)]
use Daemon class from pve-common
Dietmar Maurer [Fri, 12 Dec 2014 05:33:58 +0000 (06:33 +0100)]
bump version to 1.0-15
Alexandre Derumier [Thu, 11 Dec 2014 13:25:42 +0000 (14:25 +0100)]
firewall update : load cluster conf for host rules
Currently we can't use ipsets defined in cluster in host rules
host.fw
----------
[OPTIONS]
log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug
[RULES]
IN ACCEPT -source +whitelist
in sub update {
my $hostfw_conf = load_hostfw_conf();
}
$VAR1 = {
'options' => {
'enable' => 1,
'log_level_in' => 'debug',
'tcp_flags_log_level' => 'debug',
'log_level_out' => 'debug',
'tcpflags' => 1,
'smurf_log_level' => 'debug'
},
'ipset' => {},
'rules' => [
{
'source' => '+whitelist',
'enable' => 1,
'errors' => {
'source' => 'no such ipset \'whitelist\''
},
'action' => 'ACCEPT',
'type' => 'in'
}
]
};
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 5 Dec 2014 12:42:07 +0000 (13:42 +0100)]
bump version to 1.0-14
Dietmar Maurer [Sat, 29 Nov 2014 07:40:46 +0000 (08:40 +0100)]
do not use ipset list chains
Instead, we directly use -v4 and -v6 names inside iptables rules.
So we can safely remove the preinst script.
Dietmar Maurer [Fri, 28 Nov 2014 11:46:25 +0000 (12:46 +0100)]
bump version to 1.0-13
Dietmar Maurer [Fri, 28 Nov 2014 11:43:31 +0000 (12:43 +0100)]
fix ipset remove order
Dietmar Maurer [Fri, 28 Nov 2014 10:39:47 +0000 (11:39 +0100)]
add debian/dirs file to install /var/lib/pve-firewall
Dietmar Maurer [Fri, 28 Nov 2014 08:00:13 +0000 (09:00 +0100)]
bump version to 1.0-12
Dietmar Maurer [Fri, 28 Nov 2014 07:56:21 +0000 (08:56 +0100)]
add preinst script
We need to clear ipsets from older installations, because sets cannot be
swapped if their type does not match.
Dietmar Maurer [Fri, 28 Nov 2014 07:04:26 +0000 (08:04 +0100)]
bump version to 1.0-11
Dietmar Maurer [Fri, 28 Nov 2014 07:01:52 +0000 (08:01 +0100)]
verify_rule: correctly set ipversion for aliases
Dietmar Maurer [Fri, 28 Nov 2014 06:09:37 +0000 (07:09 +0100)]
save restore commands into files (debug help)
To make it easier to debug restore errors.
Dietmar Maurer [Wed, 26 Nov 2014 06:04:21 +0000 (07:04 +0100)]
bump version to 1.0-10
Dietmar Maurer [Wed, 26 Nov 2014 06:03:14 +0000 (07:03 +0100)]
pve-firewall compile: improve output format
Dietmar Maurer [Mon, 17 Nov 2014 11:41:03 +0000 (12:41 +0100)]
API2::Firewall::IPSet: fix alias check for ipv6 addresses
Dietmar Maurer [Mon, 10 Nov 2014 11:50:29 +0000 (12:50 +0100)]
get_ipset_cmdlist: avoid restore problems due to wrong order
Dietmar Maurer [Mon, 10 Nov 2014 11:49:00 +0000 (12:49 +0100)]
improve error messages
Dietmar Maurer [Mon, 10 Nov 2014 11:47:31 +0000 (12:47 +0100)]
do not emit smurfs chain for ipv6
Dietmar Maurer [Mon, 10 Nov 2014 11:45:02 +0000 (12:45 +0100)]
ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead
Alexandre Derumier [Tue, 15 Jul 2014 23:14:32 +0000 (01:14 +0200)]
add ipv6 examples
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:31 +0000 (01:14 +0200)]
ip6tables : remove_pvefw_chains
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:30 +0000 (01:14 +0200)]
apply ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:29 +0000 (01:14 +0200)]
compile ipv6 ruleset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:28 +0000 (01:14 +0200)]
add ip6tables standard chains
- icmp types in reject are different from ipv4
- broadcast does not exist in ipv6
- I don't think that smurf attacks exist (no broadcast)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 4 Nov 2014 09:53:01 +0000 (10:53 +0100)]
add icmpv6 support
skip icmpv6 rule for iptables rules
skip icmp rule for ip6tables rules
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Dietmar Maurer [Tue, 4 Nov 2014 07:43:38 +0000 (08:43 +0100)]
add ipv6 ipset support
big change here,
we now create an ipset which includes 2 other ipsets for ipv4 and ipv6
PVEFW-0-blacklist list:set
PVEFW-0-blacklist-v4 hash:net family inet4
PVEFW-0-blacklist-v6 hash:net family inet6
v4 and v6 are only created if ip addresses are defined in the set
in iptables rules, we use the main set.
Benchmarks show no performance impact
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Dietmar Maurer [Tue, 4 Nov 2014 06:44:37 +0000 (07:44 +0100)]
ipset_match: implement simulation of list type ipsets
Dietmar Maurer [Mon, 3 Nov 2014 05:23:26 +0000 (06:23 +0100)]
resolve_alias: use better regex to detect alias
Dietmar Maurer [Fri, 31 Oct 2014 12:06:52 +0000 (13:06 +0100)]
code cleanup
Alexandre Derumier [Tue, 15 Jul 2014 23:14:24 +0000 (01:14 +0200)]
check ipversion of aliases
also add support for ipv6
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:22 +0000 (01:14 +0200)]
skip group rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables
if rule ipversion is undef, we apply to both iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 31 Oct 2014 11:08:10 +0000 (12:08 +0100)]
use integer compare for $ipversion
Alexandre Derumier [Tue, 15 Jul 2014 23:14:21 +0000 (01:14 +0200)]
enable hostfw for ipv4 only
currently pveproxy doesn't work with ipv6,
so let's generate host fw ipv4 only for the moment
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 31 Oct 2014 11:03:17 +0000 (12:03 +0100)]
fix venet rule generation: venet can have ipv4 and ipv6 address
Dietmar Maurer [Thu, 30 Oct 2014 12:35:55 +0000 (13:35 +0100)]
$ipversion is an integer, so use '!=' instead of string 'ne'
Alexandre Derumier [Tue, 15 Jul 2014 23:14:20 +0000 (01:14 +0200)]
skip vms rules generation if rule ipversion doesn't match iptables version
we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables
if rule ipversion is undef, we apply to both iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Thu, 30 Oct 2014 12:27:01 +0000 (13:27 +0100)]
verify_rule: detected mixed ipv4/ipv6 addresses
Dietmar Maurer [Thu, 30 Oct 2014 12:12:58 +0000 (13:12 +0100)]
parse_address_list: improve type detection
Dietmar Maurer [Thu, 30 Oct 2014 11:58:09 +0000 (12:58 +0100)]
parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6)
Dietmar Maurer [Thu, 30 Oct 2014 11:52:29 +0000 (12:52 +0100)]
fix error message
Dietmar Maurer [Thu, 30 Oct 2014 11:43:52 +0000 (12:43 +0100)]
rename pve-fw-v4addr-spec to pve-fw-addr-spec
Because we allow ipv4 and ipv6 addresses now.
Alexandre Derumier [Tue, 15 Jul 2014 23:14:19 +0000 (01:14 +0200)]
parse_rules src && dst ipversion
check the ipversion of src and dst in rules
(fixme : parse ip in range)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Thu, 30 Oct 2014 11:21:00 +0000 (12:21 +0100)]
cleanup generate_std_chains: don't overwrite global variable $pve_std_chains
Instead, pass $ipversion and use local var $std_chains.
Alexandre Derumier [Tue, 15 Jul 2014 23:14:18 +0000 (01:14 +0200)]
move $pve_std_chains to $pve_std_chains->{$ipversion}
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 15 Jul 2014 23:14:17 +0000 (01:14 +0200)]
split compile to compile_iptables_filter
compile just read configs file and will call compile_iptables_filter for iptables and ip6tables
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 14 Oct 2014 14:30:01 +0000 (16:30 +0200)]
bump version to 1.0-9
Dietmar Maurer [Tue, 14 Oct 2014 14:28:44 +0000 (16:28 +0200)]
fix max ipset name length
Dietmar Maurer [Mon, 8 Sep 2014 11:06:39 +0000 (13:06 +0200)]
make dependency to cman/clvm optional
Dietmar Maurer [Mon, 8 Sep 2014 10:25:13 +0000 (12:25 +0200)]
do not start daemons during installation
Dietmar Maurer [Mon, 8 Sep 2014 10:17:02 +0000 (12:17 +0200)]
bump version to 1.0-8
Dietmar Maurer [Mon, 21 Jul 2014 08:48:00 +0000 (10:48 +0200)]
Firewall/IPSet: implement permission
Factor out common code into PVE/Firewall.
Dietmar Maurer [Mon, 21 Jul 2014 08:24:09 +0000 (10:24 +0200)]
Firewall/Rules: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:54:42 +0000 (09:54 +0200)]
Firewall/Groups: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:52:01 +0000 (09:52 +0200)]
Firewall/VM: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:40:34 +0000 (09:40 +0200)]
Firewall/Host: add permissions