git.proxmox.com Git - pve-firewall.git/log
Dietmar Maurer [Thu, 3 Mar 2016 08:43:56 +0000 (09:43 +0100)]
bump version to 2.0-21
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:17 +0000 (12:59 +0100)]
whitespace cleanup
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:16 +0000 (12:59 +0100)]
test: add test for implicitly allowed container IP
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:15 +0000 (12:59 +0100)]
ipfilter: include configured container IPs by default
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:14 +0000 (12:59 +0100)]
added the 'ipfilter' option
This effectively acts like adding an empty 'ipfilter-netX'
ipset for every firewall-enabled interface.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:16 +0000 (12:20 +0100)]
ipv6: fix ip_compress_address_call
This only takes an address and not a CIDR notation. It does
preserve the suffix but ended up compressing
fc00:0000::0000/64 to fc00::0000/64 instead of fc00::/64 and
thus caused the firewall to always show there are pending
changes when ipv6 addresses were available.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:21 +0000 (12:20 +0100)]
use systemctl reload-or-restart on update
dh_installinit's -R option uses 'restart' causing a
stop-start cycle with systemd. We really don't want that.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:20 +0000 (12:20 +0100)]
ipfilter: implicitly add the default link local address
When adding an ipset for a device via the 'ipfilter-net$NUM'
name we now implicitly add the default link local address
based on the device's MAC address and a 'nomatch' entry for
the rest of fe80::/10. This is comparable to an ARP/MAC
filter in IPv4 with the main difference that it explicitly
works at IP level.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:19 +0000 (12:20 +0100)]
split compile_ipsets() out of compile_iptables_filter()
compile_iptables_filter() is called twice, once to get the
ipv4 ruleset + ipsets and once to get the ipv6 ruleset. The
second call still generates ipsets which are discarded so it
makes sense to do this in a separate step.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:18 +0000 (12:20 +0100)]
cleanup after old change
get_ipset_cmdlist() had a delete parameter in one commit,
removed in the one after that (dd7a13fddc) and this call
was not updated accordingly with the second patch.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:17 +0000 (12:20 +0100)]
ndp: use PVEFW-SET-ACCEPT-MARK and move rules further down
On host level: moved NDP to after connection tracking and
switched to RETURN instead of ACCEPT.
On VM level:
The output direction now uses the accept-mark like the dhcp
option does, too.
Also moved NDP rules below the macfilter & ipset rules.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:15 +0000 (12:20 +0100)]
only allow icmp names in the destination port field
We generate ICMP rules from the destination port field,
so allowing them in the source port field only confuses
people.
Dietmar Maurer [Mon, 29 Feb 2016 11:40:36 +0000 (12:40 +0100)]
bump version to 2.0-20
Dominik Csapak [Mon, 29 Feb 2016 11:36:19 +0000 (12:36 +0100)]
fix 901: encode unicode characters in sha digest
if we do not do this, Digest::SHA->add croaks when it detects
wide symbols
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dietmar Maurer [Sat, 27 Feb 2016 09:25:12 +0000 (10:25 +0100)]
bump version to 2.0-19
Wolfgang Bumiller [Thu, 25 Feb 2016 12:07:02 +0000 (13:07 +0100)]
Add radv option to VM options.
By default firewalled VMs should not be allowed to send
router advertisement packets.
Dietmar Maurer [Fri, 19 Feb 2016 09:01:40 +0000 (10:01 +0100)]
bump version to 2.0-18
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:33 +0000 (09:43 +0100)]
Add router-solicitation to NeighborDiscovery macro
to be more consistent with the host-wide NDP option.
This macro is now mostly useful to disable NDP on VMs.
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:32 +0000 (09:43 +0100)]
Add ndp option to host and VM firewall options
It is enabled by default.
Dietmar Maurer [Mon, 8 Feb 2016 13:09:58 +0000 (14:09 +0100)]
bump version to 2.0-17
Fabian Grünbichler [Mon, 8 Feb 2016 08:14:03 +0000 (09:14 +0100)]
Don't leave empty FW config files behind
Unlink FW config files instead of setting their content
to nothing.
Dietmar Maurer [Tue, 26 Jan 2016 15:54:41 +0000 (16:54 +0100)]
pvefw-logger.c: remove unused var
Dietmar Maurer [Tue, 26 Jan 2016 15:52:44 +0000 (16:52 +0100)]
bump version to 2.0-16
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:04 +0000 (12:03 +0100)]
logger: basic ipv6 support
Support for:
* IPv6 main header
* ICMPv6:
- echo request/reply
- NDP
- redirects
* destination unreachable message
* packet too big message
* time exceeded message
* parameter problem messages:
- erroneous header
- bad next-header
- bad ipv6 option
* extension headers:
- routing
- fragmentation
- skipping over: hopopts, destopts and mobile home
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:03 +0000 (12:03 +0100)]
factor out IPPROTO switch for reuse
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:02 +0000 (12:03 +0100)]
add DHCPv6 macro
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:01 +0000 (12:03 +0100)]
add dhcpv6 support to the dhcp option
Wolfgang Bumiller [Tue, 26 Jan 2016 09:22:51 +0000 (10:22 +0100)]
make LEPRINT* macros safe to use with if/else pairs
Dietmar Maurer [Thu, 7 Jan 2016 15:36:18 +0000 (16:36 +0100)]
set RELEASE=4.1
Dietmar Maurer [Thu, 7 Jan 2016 15:34:09 +0000 (16:34 +0100)]
bump version to 2.0-15
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:35 +0000 (14:11 +0100)]
use $security_group_name_pattern in iptables_get_chains
Fixes #859
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:34 +0000 (14:11 +0100)]
fix some regular expressions mixups
Replacing some (:?...) with (?:...) which makes more sense
here.
Dietmar Maurer [Fri, 27 Nov 2015 09:53:21 +0000 (10:53 +0100)]
bump version to 2.0-14
Dietmar Maurer [Fri, 27 Nov 2015 09:50:42 +0000 (10:50 +0100)]
pve-firewall.service: WantedBy=multi-user.target
Instead of network-online.target, which is a very special systemd target
which is not always pulled.
Dietmar Maurer [Tue, 24 Nov 2015 06:45:55 +0000 (07:45 +0100)]
fix typo: s/stemd-modules-load.service/systemd-modules-load.service/
Dietmar Maurer [Fri, 23 Oct 2015 11:22:17 +0000 (13:22 +0200)]
bump version to 2.0-13
Wolfgang Bumiller [Fri, 23 Oct 2015 09:35:29 +0000 (11:35 +0200)]
allow numeric icmp types
Wolfgang Bumiller [Thu, 22 Oct 2015 13:43:38 +0000 (15:43 +0200)]
make clean fix
Dietmar Maurer [Thu, 24 Sep 2015 10:15:41 +0000 (12:15 +0200)]
bump version to 2.0-12
Dietmar Maurer [Thu, 24 Sep 2015 10:13:10 +0000 (12:13 +0200)]
use service class to generate pod and bash-completion files
Dietmar Maurer [Thu, 24 Sep 2015 08:40:24 +0000 (10:40 +0200)]
convert pve-firewall into a PVE::Service class
Dietmar Maurer [Wed, 16 Sep 2015 09:25:24 +0000 (11:25 +0200)]
add better inline documentation
Dietmar Maurer [Tue, 8 Sep 2015 05:54:52 +0000 (07:54 +0200)]
bump version to 2.0-11
Dietmar Maurer [Tue, 8 Sep 2015 05:49:10 +0000 (07:49 +0200)]
iptables_get_chains: fix veth device name
Dietmar Maurer [Tue, 25 Aug 2015 04:48:10 +0000 (06:48 +0200)]
bump version to 2.0-10
Alen Grizonic [Mon, 24 Aug 2015 09:32:37 +0000 (11:32 +0200)]
subroutine for cloning vm's firewall config file
Dietmar Maurer [Wed, 19 Aug 2015 13:43:15 +0000 (15:43 +0200)]
bump version to 2.0-9
Alen Grizonic [Wed, 19 Aug 2015 08:34:12 +0000 (10:34 +0200)]
firewall remove config file subroutine added
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Wed, 12 Aug 2015 10:02:53 +0000 (12:02 +0200)]
bump version to 2.0-8
Dietmar Maurer [Wed, 12 Aug 2015 09:59:18 +0000 (11:59 +0200)]
adopt regression tests for lxc containers
Removed OpenVZ venet code.
Alen Grizonic [Tue, 11 Aug 2015 12:50:53 +0000 (14:50 +0200)]
removed firewall code for openVZ
[PATCH 2/2] changed to [PATCH] with the following fix:
Subroutine verify_rule (re)fixed to correctly check only for "net\d+" interface device names
Dietmar Maurer [Mon, 10 Aug 2015 07:21:35 +0000 (09:21 +0200)]
bump version to 2.0-7
Alen Grizonic [Fri, 7 Aug 2015 14:18:34 +0000 (16:18 +0200)]
added firewall code for lxc
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Tue, 4 Aug 2015 09:15:11 +0000 (11:15 +0200)]
bump version to 2.0-6
Alen Grizonic [Tue, 4 Aug 2015 08:55:24 +0000 (10:55 +0200)]
firewall ipversion comparison fix
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:05 +0000 (08:46 +0200)]
local_network: ipv6 support + correctness
Net::IP->overlaps returns more than just true or false, as
it tests both directions; we need IP_B_IN_A_OVERLAP in our
test.
Removed return on mask eq '0.0.0.0' as this doesn't exist in
the $ipv4_mask_hash_localnet.
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:04 +0000 (08:46 +0200)]
fix ipv6 address normalization
inet_ntop only takes an address, not a CIDR notation. Since
the normalized address should just be a compressed
lower-case address, Net::IP::ip_compress_address should be
sufficient.
inet_ntop didn't succeed before, the result of which was
that ipsets weren't generated at all for ipv6 address ranges.
Dietmar Maurer [Mon, 27 Jul 2015 11:21:24 +0000 (13:21 +0200)]
bump version to 2.0-5
Wolfgang Bumiller [Mon, 6 Jul 2015 08:10:45 +0000 (10:10 +0200)]
ipv6 neighbor discovery and solicitation macros
Wolfgang Bumiller [Mon, 6 Jul 2015 08:07:49 +0000 (10:07 +0200)]
Add ipv6 macros to the macro list
Additionally there's now a way to specify ipv6-only or
ipv4-only macros.
Wolfgang Bumiller [Fri, 3 Jul 2015 08:17:21 +0000 (10:17 +0200)]
ip6tables accepts both spellings of the word neighbor
Alen Grizonic [Tue, 14 Jul 2015 12:04:57 +0000 (14:04 +0200)]
firewall - Ceph macro added
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Sat, 27 Jun 2015 14:34:40 +0000 (16:34 +0200)]
fix path for DOCDIR
Dietmar Maurer [Sat, 27 Jun 2015 14:26:48 +0000 (16:26 +0200)]
bump version to 2.0-4
Dietmar Maurer [Sat, 27 Jun 2015 14:25:44 +0000 (16:25 +0200)]
correctly install manual pages
Dietmar Maurer [Sat, 27 Jun 2015 14:24:58 +0000 (16:24 +0200)]
fix lintian warning command-with-path-in-maintainer-script
Alen Grizonic [Thu, 25 Jun 2015 09:36:42 +0000 (11:36 +0200)]
firewall instant API call apply
Alen Grizonic [Wed, 24 Jun 2015 11:46:09 +0000 (13:46 +0200)]
firewall_module_duplicate
removed duplicated line of Data::Dumper use
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Alen Grizonic [Thu, 25 Jun 2015 08:06:27 +0000 (10:06 +0200)]
firewall autodisable
firewall enable parameter type changed from boolean to integer so it can store
the timestamp of the firewall enable call to avoid an admin remote lockout
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Mon, 1 Jun 2015 10:33:27 +0000 (12:33 +0200)]
bump version to 2.0-3
Dietmar Maurer [Mon, 1 Jun 2015 10:32:17 +0000 (12:32 +0200)]
use noawait triggers for pve-api-updates
Dietmar Maurer [Tue, 5 May 2015 13:10:42 +0000 (15:10 +0200)]
bump version to 2.0-2
Dietmar Maurer [Tue, 5 May 2015 13:09:48 +0000 (15:09 +0200)]
trigger pve-api-updates event
Dietmar Maurer [Wed, 18 Mar 2015 05:08:53 +0000 (06:08 +0100)]
allow admins to delete security groups
Dietmar Maurer [Mon, 16 Mar 2015 05:30:43 +0000 (06:30 +0100)]
always use local_network alias if specified by user
Dietmar Maurer [Sun, 15 Mar 2015 09:11:00 +0000 (10:11 +0100)]
correctly emit ipv6 rules for host firewall
Dietmar Maurer [Wed, 4 Mar 2015 05:51:08 +0000 (06:51 +0100)]
add PIDFile option for systemd services
Dietmar Maurer [Tue, 3 Mar 2015 12:37:40 +0000 (13:37 +0100)]
install systemd service files
Dietmar Maurer [Mon, 2 Mar 2015 05:27:19 +0000 (06:27 +0100)]
implement permission for Alias class.
Dietmar Maurer [Mon, 2 Mar 2015 09:14:29 +0000 (10:14 +0100)]
do not use triggers
This makes problems on jessie, complaining about a cyclic dependency loop.
Dietmar Maurer [Fri, 27 Feb 2015 12:07:39 +0000 (13:07 +0100)]
fix path to ipset binary
Dietmar Maurer [Fri, 27 Feb 2015 12:05:07 +0000 (13:05 +0100)]
remove cman dependency
depending on pve-cluster should be enough.
Dietmar Maurer [Fri, 27 Feb 2015 11:27:52 +0000 (12:27 +0100)]
recompile for debian jessie, bump version to 2.0-1
Dietmar Maurer [Mon, 9 Feb 2015 08:32:53 +0000 (09:32 +0100)]
bump version to 1.0-18
Dietmar Maurer [Mon, 9 Feb 2015 08:31:18 +0000 (09:31 +0100)]
fix alias lookup
Dietmar Maurer [Thu, 15 Jan 2015 05:55:38 +0000 (06:55 +0100)]
bump version to 1.0-17
Dietmar Maurer [Thu, 15 Jan 2015 05:53:45 +0000 (06:53 +0100)]
add preinst script
Older versions of the pve-firewall daemon do not restart
with HUP, so we need to do a stop/start.
Dietmar Maurer [Thu, 15 Jan 2015 05:44:58 +0000 (06:44 +0100)]
fix call to register_restart_command (set $use_hup to true)
Dietmar Maurer [Wed, 31 Dec 2014 16:40:51 +0000 (17:40 +0100)]
remove class parameter from register_XXX_command
Dietmar Maurer [Wed, 31 Dec 2014 16:18:53 +0000 (17:18 +0100)]
simplify code (error log is done inside Daemon.pm)
Dietmar Maurer [Wed, 31 Dec 2014 11:34:17 +0000 (12:34 +0100)]
improve logging
Dietmar Maurer [Thu, 18 Dec 2014 12:48:24 +0000 (13:48 +0100)]
fix arguments for register_restart_command
Dietmar Maurer [Thu, 18 Dec 2014 08:45:18 +0000 (09:45 +0100)]
bump version to 1.0-16
Dietmar Maurer [Tue, 16 Dec 2014 11:15:43 +0000 (12:15 +0100)]
use Daemon class from pve-common
Dietmar Maurer [Fri, 12 Dec 2014 05:33:58 +0000 (06:33 +0100)]
bump version to 1.0-15
Alexandre Derumier [Thu, 11 Dec 2014 13:25:42 +0000 (14:25 +0100)]
firewall update : load cluster conf for host rules
Currently we can't use ipsets defined in cluster in host rules
host.fw
----------
[OPTIONS]
log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug
[RULES]
IN ACCEPT -source +whitelist
in sub update {
    my $hostfw_conf = load_hostfw_conf();
}
$VAR1 = {
  'options' => {
    'enable' => 1,
    'log_level_in' => 'debug',
    'tcp_flags_log_level' => 'debug',
    'log_level_out' => 'debug',
    'tcpflags' => 1,
    'smurf_log_level' => 'debug'
  },
  'ipset' => {},
  'rules' => [
    {
      'source' => '+whitelist',
      'enable' => 1,
      'errors' => {
        'source' => 'no such ipset \'whitelist\''
      },
      'action' => 'ACCEPT',
      'type' => 'in'
    }
  ]
};
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 5 Dec 2014 12:42:07 +0000 (13:42 +0100)]
bump version to 1.0-14
Dietmar Maurer [Sat, 29 Nov 2014 07:40:46 +0000 (08:40 +0100)]
do not use ipset list chains
Instead, we directly use -v4 and -v6 names inside iptables rules.
So we can safely remove the preinst script.
Dietmar Maurer [Fri, 28 Nov 2014 11:46:25 +0000 (12:46 +0100)]
bump version to 1.0-13
Dietmar Maurer [Fri, 28 Nov 2014 11:43:31 +0000 (12:43 +0100)]
fix ipset remove order