git.proxmox.com Git - pve-firewall.git/log
Tom Weber [Wed, 18 Oct 2017 20:23:59 +0000 (22:23 +0200)]
prepare code for more generic firewall logging
making ruleset generation aware of a match and action
part in iptables rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:23:58 +0000 (22:23 +0200)]
remove unused $rule_format
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Philip Abernethy [Mon, 16 Oct 2017 08:59:23 +0000 (10:59 +0200)]
Use run_cli_handler instead of deprecated run_cli
Fabian Grünbichler [Tue, 17 Oct 2017 12:24:01 +0000 (14:24 +0200)]
pvefw-logger: fix typo
Fabian Grünbichler [Wed, 4 Oct 2017 09:05:33 +0000 (11:05 +0200)]
build: reformat debian/control
using wrap-and-sort -abt
Wolfgang Bumiller [Tue, 12 Sep 2017 12:43:13 +0000 (14:43 +0200)]
bump version to 3.0-3
Wolfgang Bumiller [Wed, 6 Sep 2017 07:35:04 +0000 (09:35 +0200)]
buildsys: clean: remove .buildinfo files
Wolfgang Bumiller [Mon, 4 Sep 2017 08:56:59 +0000 (10:56 +0200)]
Fix #1492: logger: print timestamps only if we have one
There's no guarantee that there's a timestamp in an skb, so
nflog_get_timestamp can fail.
Wolfgang Bumiller [Mon, 17 Jul 2017 13:27:44 +0000 (15:27 +0200)]
bump version to 3.0-2
Emmanuel Kasper [Mon, 17 Jul 2017 12:50:26 +0000 (14:50 +0200)]
Fix #1446: allow pve-firewall package install twice in a row
On package removal (!= purge) systemd units are masked.
The postinst script then has to re-enable these units at the
beginning of the 'configure' step.
Our other packages are doing this manually, or automatically
when the dh_systemd_enable helpers generated a postinst,
but this was missing here.
Wolfgang Bumiller [Wed, 22 Mar 2017 11:53:34 +0000 (12:53 +0100)]
log errors encountered by the daemon to syslog
Wolfgang Bumiller [Wed, 22 Mar 2017 11:53:33 +0000 (12:53 +0100)]
forbid trailing commas in lists
iptables-restore doesn't allow them
Fabian Grünbichler [Thu, 9 Mar 2017 13:04:44 +0000 (14:04 +0100)]
bump version to 3.0-1
Fabian Grünbichler [Thu, 9 Mar 2017 13:04:06 +0000 (14:04 +0100)]
buildsys: update upload target
Fabian Grünbichler [Thu, 9 Mar 2017 13:49:20 +0000 (14:49 +0100)]
buildsys: fix deb target dependencies
Fabian Grünbichler [Thu, 9 Mar 2017 13:03:45 +0000 (14:03 +0100)]
buildsys: remove fakeroot from dpkg-buildpackage
Wolfgang Bumiller [Fri, 10 Feb 2017 12:57:59 +0000 (13:57 +0100)]
buildsys: use dpkg-architecture
Wolfgang Bumiller [Mon, 6 Feb 2017 11:07:23 +0000 (12:07 +0100)]
logger: drop gthread dependency
g_thread_new is part of glib directly, libgthread only
contains the deprecated g_thread_init() & friends which we
do not use.
This silences a build warning.
Wolfgang Bumiller [Mon, 6 Feb 2017 11:05:01 +0000 (12:05 +0100)]
buildsys: depend on lsb-base
Wolfgang Bumiller [Tue, 31 Jan 2017 10:15:22 +0000 (11:15 +0100)]
simulator: make lxc/qemu optional
Wolfgang Bumiller [Mon, 6 Feb 2017 10:52:54 +0000 (11:52 +0100)]
buildsys: make job safety
Thomas Lamprecht [Tue, 13 Dec 2016 12:13:39 +0000 (13:13 +0100)]
fix ambiguous if statements
the function nflog_bind_pf(...) returns an integer smaller than 0 on a
failure, we negated that which results in 1 if no failure and 0 if
there was a failure.
This is ambiguous and as no parentheses are set the GCC 6 warning
"logical-not-parentheses" gets triggered.
Use a simple
nflog_bind_pf(...) < 0
check instead.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Tue, 29 Nov 2016 11:18:41 +0000 (12:18 +0100)]
bump version to 2.0-33
Wolfgang Bumiller [Tue, 29 Nov 2016 11:06:23 +0000 (12:06 +0100)]
ipset: don't allow the creation of zero-prefix entries
Wolfgang Bumiller [Tue, 29 Nov 2016 11:06:22 +0000 (12:06 +0100)]
ipsets: catch zero-prefix entries
This way the error is visible with pve-firewall compile
without breaking the rest.
Dietmar Maurer [Tue, 29 Nov 2016 05:42:32 +0000 (06:42 +0100)]
bump version to 2.0-32
Wolfgang Bumiller [Wed, 23 Nov 2016 09:23:36 +0000 (10:23 +0100)]
improve search for local-network
Skip zero-prefix routes as they make no sense to be
considered (and ipset doesn't allow ::/0 to be added
anyway).
Support /128 local addresses by also checking for identical
addresses beside b-in-a overlapping.
Dietmar Maurer [Thu, 6 Oct 2016 06:34:17 +0000 (08:34 +0200)]
bump version to 2.0-31
Dietmar Maurer [Thu, 6 Oct 2016 06:33:42 +0000 (08:33 +0200)]
use new repoman for upload target
Wolfgang Bumiller [Wed, 5 Oct 2016 13:36:55 +0000 (15:36 +0200)]
don't try to apply ports to rules which don't support them
Wolfgang Bumiller [Wed, 5 Oct 2016 13:36:54 +0000 (15:36 +0200)]
remove redundant checks
Dietmar Maurer [Fri, 16 Sep 2016 06:53:27 +0000 (08:53 +0200)]
bump version to 2.0-30
Emmanuel Kasper [Mon, 5 Sep 2016 14:03:26 +0000 (16:03 +0200)]
add multicast DNS to the list of Macros
multicast DNS allows hosts to be reached quickly without the need to
configure a DNS server
Dietmar Maurer [Mon, 5 Sep 2016 08:22:51 +0000 (10:22 +0200)]
add missing parameter descriptions
Wolfgang Bumiller [Tue, 28 Jun 2016 13:02:01 +0000 (15:02 +0200)]
build-depends: add dh-systemd
Dietmar Maurer [Fri, 3 Jun 2016 14:46:55 +0000 (16:46 +0200)]
bump version to 2.0-29
Dominik Csapak [Fri, 3 Jun 2016 14:11:27 +0000 (16:11 +0200)]
prevent overwriting ipsets/sec. groups by renaming
we did not check if the target name of the group/ipset
already existed, so we overwrote them
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 3 Jun 2016 13:14:24 +0000 (15:14 +0200)]
fix allowed group name length
the allowed length for an iptables chain is 28 chars
we had a max set of 20 but a format of
GROUP-<name>-IN and
GROUP-<name>-OUT
where <name> is the group name
but GROUP--OUT is 10 chars, so we just allow 18 chars max
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
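The three limits described in this log (the 18-character group name derived from the 28-character iptables chain limit above, the rejection of zero-prefix ipset entries from "ipset: don't allow the creation of zero-prefix entries", and the rejected trailing commas from "forbid trailing commas in lists") are all input checks done before anything reaches iptables-restore or ipset. The following is an added example, not code from pve-firewall (which is Perl); it re-implements those checks in Python. The group-name character class is an assumption made here; the real pattern lives in PVE::Firewall and is not reproduced.

```python
import ipaddress
import re

# Limits quoted in the commit messages above: iptables chain names may be at
# most 28 characters, and security-group chains are named GROUP-<name>-IN and
# GROUP-<name>-OUT, which leaves 18 characters for <name>.
IPTABLES_CHAIN_MAXLEN = 28
GROUP_CHAIN_OVERHEAD = len("GROUP-") + len("-OUT")                # 10
GROUP_NAME_MAXLEN = IPTABLES_CHAIN_MAXLEN - GROUP_CHAIN_OVERHEAD  # 18

# Assumed character set for group names (hypothetical; the real pattern is
# $security_group_name_pattern in PVE::Firewall and is not reproduced here).
GROUP_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def group_chain_names(name: str) -> list:
    """Both chain names that one security group expands to."""
    return [f"GROUP-{name}-IN", f"GROUP-{name}-OUT"]


def check_group_name(name: str) -> bool:
    """True if every chain generated for this group fits the iptables limit."""
    if not GROUP_NAME_RE.match(name):
        return False
    return all(len(chain) <= IPTABLES_CHAIN_MAXLEN for chain in group_chain_names(name))


def split_list(value: str) -> list:
    """Split a comma-separated list (ports, addresses) into its items.

    iptables-restore rejects a trailing comma, so an empty item anywhere in
    the list is reported as a configuration error instead of being dropped.
    """
    items = value.split(",")
    if any(item == "" for item in items):
        raise ValueError(f"empty element (trailing or doubled comma) in {value!r}")
    return items


def check_ipset_entry(entry: str) -> str:
    """Normalise an ipset entry and reject zero-prefix networks.

    ipset does not accept a zero-prefix entry (the commit above cites ::/0),
    so catching it at compile time makes the error visible without breaking
    the rest of the ruleset.
    """
    iface = ipaddress.ip_interface(entry)
    if iface.network.prefixlen == 0:
        raise ValueError(f"zero-prefix entry {entry!r} is not allowed in an ipset")
    return str(iface)
```

Running the checks at compile time rather than letting iptables-restore or ipset fail later keeps one bad group or entry from taking the whole ruleset down.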
Dominik Csapak [Fri, 3 Jun 2016 13:14:23 +0000 (15:14 +0200)]
make group digest stable
if we had multiple security groups and wanted to
edit one, we did not have a stable digest,
because perl hashes are not sorted
this patch sorts the keys before hashing
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dietmar Maurer [Fri, 3 Jun 2016 09:02:06 +0000 (11:02 +0200)]
bump version to 2.0-28
Wolfgang Bumiller [Fri, 3 Jun 2016 08:40:13 +0000 (10:40 +0200)]
use pve-common's ipv4_mask_hash_localnet
Dietmar Maurer [Tue, 17 May 2016 06:00:12 +0000 (08:00 +0200)]
bump version to 2.0-27
Fabian Grünbichler [Fri, 13 May 2016 08:23:10 +0000 (10:23 +0200)]
fix #972: make PVEFW-FWBR-* rule order stable
by sorting the VM/CT IDs and the VM/CT config keys before
iterating over them.
Dietmar Maurer [Mon, 9 May 2016 08:02:07 +0000 (10:02 +0200)]
bump version to 2.0-26
Dietmar Maurer [Mon, 9 May 2016 07:58:15 +0000 (09:58 +0200)]
install sysctl file to set rp_filter=2
To avoid that packets get accepted too early in fwbr. We had the
same setting in package vzctl (Proxmox VE 3.X).
Dietmar Maurer [Thu, 21 Apr 2016 07:59:01 +0000 (09:59 +0200)]
bump version to 2.0-25
Fabian Grünbichler [Wed, 20 Apr 2016 07:54:39 +0000 (09:54 +0200)]
fix #945: add uninitialized check in lxc ipset compilation
Dietmar Maurer [Wed, 6 Apr 2016 08:55:08 +0000 (10:55 +0200)]
use pve-doc-generator, bump version to 2.0-24
Dietmar Maurer [Fri, 1 Apr 2016 10:30:59 +0000 (12:30 +0200)]
move option definition to PVE::Firewall
So that we can auto-generate docs.
Dietmar Maurer [Fri, 1 Apr 2016 05:36:19 +0000 (07:36 +0200)]
bump version to 2.0-23
Wolfgang Bumiller [Thu, 31 Mar 2016 11:59:46 +0000 (13:59 +0200)]
use only the top bit for our accept marks
This way we can let the remaining 31 bits be used by the
user.
Note that the routing decision has already been made when
these tables are being traversed, so the fwmark will not be
usable for routing rules (ip-rule(8)), but the mark can
still be used for other tasks such as traffic control (tc)
which happens on the outgoing interface.
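The bit layout described above (accept mark in the top bit, lower 31 bits left to the administrator) only works because iptables applies marks through a value/mask pair. This added example, not part of pve-firewall, models the `--set-xmark value/mask` and `--mark value/mask` semantics in Python to show that setting and clearing the firewall's accept mark leaves the user's bits untouched; the constant names are chosen here and are not the project's.

```python
# Layout from the commit above: the firewall's accept mark uses only the top
# bit of the 32-bit fwmark; the lower 31 bits are left to the administrator.
MARK_WIDTH = 0xFFFFFFFF
ACCEPT_MARK = 0x80000000
USER_MASK = MARK_WIDTH ^ ACCEPT_MARK   # 0x7fffffff


def set_xmark(mark: int, value: int, mask: int) -> int:
    """Model of `-j MARK --set-xmark value/mask`: replace only the masked bits."""
    return ((mark & ~mask) | (value & mask)) & MARK_WIDTH


def mark_matches(mark: int, value: int, mask: int) -> bool:
    """Model of `-m mark --mark value/mask`: compare only the masked bits."""
    return (mark & mask) == (value & mask)


def set_accept_mark(mark: int) -> int:
    # equivalent to --set-xmark 0x80000000/0x80000000
    return set_xmark(mark, ACCEPT_MARK, ACCEPT_MARK)


def clear_accept_mark(mark: int) -> int:
    # equivalent to --set-xmark 0/0x80000000
    return set_xmark(mark, 0, ACCEPT_MARK)


def is_accepted(mark: int) -> bool:
    # equivalent to -m mark --mark 0x80000000/0x80000000
    return mark_matches(mark, ACCEPT_MARK, ACCEPT_MARK)


def user_mark(mark: int) -> int:
    """The administrator's 31 bits, never touched by the accept mark."""
    return mark & USER_MASK


if __name__ == "__main__":
    # A packet the administrator has already marked 0x10 for tc keeps that
    # value through the firewall's accept/clear cycle.
    m = set_accept_mark(0x10)
    print(hex(m), is_accepted(m), hex(user_mark(m)), hex(clear_accept_mark(m)))
```

Because the mask restricts both the write and the match, a rule such as `-m mark --mark 0x10/0x7fffffff` written by the administrator keeps working whether or not the accept bit is currently set.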
Dietmar Maurer [Fri, 1 Apr 2016 05:29:29 +0000 (07:29 +0200)]
add description to DHCPv6 macro
Dietmar Maurer [Thu, 31 Mar 2016 08:06:48 +0000 (10:06 +0200)]
cleanup descriptions (use single quote instead of backticks)
Dietmar Maurer [Thu, 31 Mar 2016 07:59:39 +0000 (09:59 +0200)]
cleanup descriptions (correctly quote backslash)
Dietmar Maurer [Thu, 31 Mar 2016 06:06:02 +0000 (08:06 +0200)]
add property descriptions to improve docs
Dietmar Maurer [Tue, 8 Mar 2016 10:47:55 +0000 (11:47 +0100)]
bump version to 2.0-22
Fabian Grünbichler [Mon, 7 Mar 2016 11:42:02 +0000 (12:42 +0100)]
Use cfs_config_path from PVE::QemuConfig
update after refactoring
Fabian Grünbichler [Thu, 3 Mar 2016 09:43:36 +0000 (10:43 +0100)]
LXC refactoring
call cfs_config_path and parse_lxc_network in
PVE::LXC::Config instead of PVE::LXC
Dietmar Maurer [Thu, 3 Mar 2016 08:43:56 +0000 (09:43 +0100)]
bump version to 2.0-21
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:17 +0000 (12:59 +0100)]
whitespace cleanup
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:16 +0000 (12:59 +0100)]
test: add test for implicitly allowed container IP
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:15 +0000 (12:59 +0100)]
ipfilter: include configured container IPs by default
Wolfgang Bumiller [Wed, 2 Mar 2016 11:59:14 +0000 (12:59 +0100)]
added the 'ipfilter' option
This effectively acts like adding an empty 'ipfilter-netX'
ipset for every firewall-enabled interface.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:16 +0000 (12:20 +0100)]
ipv6: fix ip_compress_address_call
This only takes an address and not a CIDR notation. It does
preserve the suffix but ended up compressing
fc00:0000::0000/64 to fc00::0000/64 instead of fc00::/64 and
thus caused the firewall to always show there are pending
changes when ipv6 addresses were available.
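The bug above is a canonicalisation mismatch: the stored ipset entry and the freshly generated one denote the same network but compare as different strings, so the firewall reports pending changes on every run. This added example, written here in Python and not taken from pve-firewall, splits the prefix off before compressing the address, which is what the fix amounts to, and shows a comparison that no longer flags a spurious change. Function names are chosen for the example.

```python
import ipaddress


def normalize_ipv6(value: str) -> str:
    """Canonical compressed form of an IPv6 address or CIDR string.

    The prefix is split off before compressing, so fc00:0000::0000/64 becomes
    fc00::/64 rather than fc00::0000/64.
    """
    addr, sep, prefix = value.partition("/")
    compressed = ipaddress.IPv6Address(addr).compressed
    if not sep:
        return compressed
    plen = int(prefix)
    if not 0 <= plen <= 128:
        raise ValueError(f"invalid prefix length in {value!r}")
    return f"{compressed}/{plen}"


def pending_changes(stored, generated) -> list:
    """Entries whose canonical form differs between the stored ipset and the
    newly generated one. Comparing the raw strings instead would report a
    change whenever the same network is spelled differently."""
    stored_set = {normalize_ipv6(s) for s in stored}
    generated_set = {normalize_ipv6(g) for g in generated}
    return sorted(stored_set ^ generated_set)
```

The same canonical form should be used on both sides of the comparison (when writing the ipset and when reading the live one back), otherwise the spurious diff simply moves elsewhere.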
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:21 +0000 (12:20 +0100)]
use systemctl reload-or-restart on update
dh_installinit's -R option uses 'restart' causing a
stop-start cycle with systemd. We really don't want that.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:20 +0000 (12:20 +0100)]
ipfilter: implicitly add the default link local address
When adding an ipset for a device via the 'ipfilter-net$NUM'
name we now implicitly add the default link local address
based on the device's MAC address and a 'nomatch' entry for
the rest of fe80::/10. This is comparable to an ARP/MAC
filter in IPv4 with the main difference that it explicitly
works at IP level.
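The implicit entries described above, together with the configured container IPs that "ipfilter: include configured container IPs by default" adds, make the `ipfilter-net$NUM` set a per-interface source-address allow list. This added example is not pve-firewall code: it derives the default link-local address from the MAC the way stateless autoconfiguration does (insert ff:fe, flip the universal/local bit, prefix fe80::/64), builds the set's entries in `ipset add` syntax, and models the longest-prefix/nomatch semantics of a hash:net set so the effect of the `fe80::/10 nomatch` entry can be checked. The sample MACs and addresses are constructed for the example.

```python
import ipaddress


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Default (EUI-64) link-local address for a 48-bit MAC: insert ff:fe in
    the middle, flip the universal/local bit, and put it under fe80::/64."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def ipfilter_entries(mac: str, configured_ips) -> list:
    """Entries of the implicit ipfilter-netX set for one interface: the
    addresses configured on it, the MAC-derived link-local address, and a
    'nomatch' entry covering the rest of fe80::/10 (ipset add syntax)."""
    entries = [str(ipaddress.ip_interface(ip).ip) for ip in configured_ips]
    entries.append(str(link_local_from_mac(mac)))
    entries.append("fe80::/10 nomatch")
    return entries


def ipset_test(entries, ip: str) -> bool:
    """hash:net lookup semantics: the most specific matching entry decides,
    and an entry flagged 'nomatch' denies instead of allowing."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in entries:
        net_str, *flags = entry.split()
        net = ipaddress.ip_network(net_str, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, "nomatch" in flags)
    return best is not None and not best[1]


if __name__ == "__main__":
    # Constructed sample: a container with a QEMU-style MAC and one IPv4.
    entries = ipfilter_entries("52:54:00:12:34:56", ["10.0.0.5/24"])
    for candidate in ("fe80::5054:ff:fe12:3456", "fe80::1", "10.0.0.5", "10.0.0.6"):
        print(candidate, ipset_test(entries, candidate))
```

The `/128` entry for the derived address is more specific than `fe80::/10`, so it wins the lookup while every other link-local source falls through to the `nomatch` entry and is rejected; that is the IP-level equivalent of a MAC filter the commit refers to.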
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:19 +0000 (12:20 +0100)]
split compile_ipsets() out of compile_iptables_filter()
compile_iptables_filter() is called twice, once to get the
ipv4 ruleset + ipsets and once to get the ipv6 ruleset. The
second call still generates ipsets which are discarded so it
makes sense to do this in a separate step.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:18 +0000 (12:20 +0100)]
cleanup after old change
get_ipset_cmdlist() had a delete parameter in one commit,
removed in the one after that (dd7a13fddc) and this call
was not updated accordingly with the second patch.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:17 +0000 (12:20 +0100)]
ndp: use PVEFW-SET-ACCEPT-MARK and move rules further down
On host level: moved NDP to after connection tracking and
switched to RETURN instead of ACCEPT.
On VM level:
The output direction now uses the accept-mark like the dhcp
option does, too.
Also moved NDP rules below the macfilter & ipset rules.
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:15 +0000 (12:20 +0100)]
only allow icmp names in the destination port field
We generate ICMP rules from the destination port field,
so allowing them in the source port field only confuses
people.
Dietmar Maurer [Mon, 29 Feb 2016 11:40:36 +0000 (12:40 +0100)]
bump version to 2.0-20
Dominik Csapak [Mon, 29 Feb 2016 11:36:19 +0000 (12:36 +0100)]
fix 901: encode unicode characters in sha digest
if we do not do this, Digest::SHA->add croaks when it detects
wide symbols
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
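Both digest fixes in this log, "make group digest stable" (sort hash keys before hashing) and the one above (encode unicode before feeding Digest::SHA), concern the digest that clients send back with an edit so the server can refuse to overwrite a configuration that changed underneath them. This added example is Python, not the project's Perl: it hashes the same groups inserted in two different orders, with and without sorting, and encodes every string as UTF-8 first, since hashlib refuses str objects altogether just as Digest::SHA croaks on wide characters. The sample groups and the rule syntax are constructed for the example.

```python
import hashlib


def group_digest(groups: dict, stable: bool = True) -> str:
    """SHA-1 over a set of security groups.

    With stable=True the group names (hash keys) are sorted before hashing so
    the digest does not depend on insertion order; stable=False reproduces the
    order-dependent variant. Every string is UTF-8 encoded before it reaches
    the hash.
    """
    sha = hashlib.sha1()
    names = sorted(groups) if stable else list(groups)
    for name in names:
        sha.update(f"[group {name}]\n".encode("utf-8"))
        for rule in groups[name]:
            sha.update(f"{rule}\n".encode("utf-8"))
    return sha.hexdigest()


def check_digest(groups: dict, expected: str) -> None:
    """Optimistic-locking check done before an edit: refuse when the digest
    the caller read no longer matches the current configuration."""
    actual = group_digest(groups)
    if actual != expected:
        raise RuntimeError(f"detected modified configuration (digest {actual} != {expected})")


# Constructed sample: the same two groups, inserted in different order; the
# first rule carries a non-ASCII comment on purpose.
GROUPS_A = {
    "webservers": ["IN ACCEPT -p tcp -dport 80 # öffentlich", "IN ACCEPT -p tcp -dport 443"],
    "dbservers": ["IN ACCEPT -source 10.0.0.0/24 -p tcp -dport 5432"],
}
GROUPS_B = {
    "dbservers": GROUPS_A["dbservers"],
    "webservers": GROUPS_A["webservers"],
}

if __name__ == "__main__":
    print("stable  :", group_digest(GROUPS_A) == group_digest(GROUPS_B))
    print("unstable:", group_digest(GROUPS_A, stable=False) == group_digest(GROUPS_B, stable=False))
```

Without the sort, two reads of an unchanged configuration can yield different digests, and a legitimate edit is rejected as a conflict; with the sort, the digest only changes when the content does.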
Dietmar Maurer [Sat, 27 Feb 2016 09:25:12 +0000 (10:25 +0100)]
bump version to 2.0-19
Wolfgang Bumiller [Thu, 25 Feb 2016 12:07:02 +0000 (13:07 +0100)]
Add radv option to VM options.
By default firewalled VMs should not be allowed to send
router advertisement packets.
Dietmar Maurer [Fri, 19 Feb 2016 09:01:40 +0000 (10:01 +0100)]
bump version to 2.0-18
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:33 +0000 (09:43 +0100)]
Add router-solicitation to NeighborDiscovery macro
to be more consistent with the host-wide NDP option.
This macro is now mostly useful to disable NDP on VMs.
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:32 +0000 (09:43 +0100)]
Add ndp option to host and VM firewall options
It is enabled by default.
Dietmar Maurer [Mon, 8 Feb 2016 13:09:58 +0000 (14:09 +0100)]
bump version to 2.0-17
Fabian Grünbichler [Mon, 8 Feb 2016 08:14:03 +0000 (09:14 +0100)]
Don't leave empty FW config files behind
Unlink FW config files instead of setting their content
to nothing.
Dietmar Maurer [Tue, 26 Jan 2016 15:54:41 +0000 (16:54 +0100)]
pvefw-logger.c: remove unused var
Dietmar Maurer [Tue, 26 Jan 2016 15:52:44 +0000 (16:52 +0100)]
bump version to 2.0-16
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:04 +0000 (12:03 +0100)]
logger: basic ipv6 support
Support for:
* IPv6 main header
* ICMPv6:
- echo request/reply
- NDP
- redirects
* destination unreachable message
* packet too big message
* time exceeded message
* parameter problem messages:
- erroneous header
- bad next-header
- bad ipv6 option
* extension headers:
- routing
- fragmentation
- skipping over: hopopts, destopts and mobile home
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:03 +0000 (12:03 +0100)]
factor out IPPROTO switch for reuse
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:02 +0000 (12:03 +0100)]
add DHCPv6 macro
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:01 +0000 (12:03 +0100)]
add dhcpv6 support to the dhcp option
Wolfgang Bumiller [Tue, 26 Jan 2016 09:22:51 +0000 (10:22 +0100)]
make LEPRINT* macros safe to use with if/else pairs
Dietmar Maurer [Thu, 7 Jan 2016 15:36:18 +0000 (16:36 +0100)]
set RELEASE=4.1
Dietmar Maurer [Thu, 7 Jan 2016 15:34:09 +0000 (16:34 +0100)]
bump version to 2.0-15
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:35 +0000 (14:11 +0100)]
use $security_group_name_pattern in iptables_get_chains
Fixes #859
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:34 +0000 (14:11 +0100)]
fix some regular expressions mixups
Replacing some (:?...) with (?:...) which makes more sense
here.
Dietmar Maurer [Fri, 27 Nov 2015 09:53:21 +0000 (10:53 +0100)]
bump version to 2.0-14
Dietmar Maurer [Fri, 27 Nov 2015 09:50:42 +0000 (10:50 +0100)]
pve-firewall.service: WantedBy=multi-user.target
Instead of network-online.target, which is a very special systemd target
which is not always pulled.
Dietmar Maurer [Tue, 24 Nov 2015 06:45:55 +0000 (07:45 +0100)]
fix typo: s/stemd-modules-load.service/systemd-modules-load.service/
Dietmar Maurer [Fri, 23 Oct 2015 11:22:17 +0000 (13:22 +0200)]
bump version to 2.0-13
Wolfgang Bumiller [Fri, 23 Oct 2015 09:35:29 +0000 (11:35 +0200)]
allow numeric icmp types
Wolfgang Bumiller [Thu, 22 Oct 2015 13:43:38 +0000 (15:43 +0200)]
make clean fix
Dietmar Maurer [Thu, 24 Sep 2015 10:15:41 +0000 (12:15 +0200)]
bump version to 2.0-12
Dietmar Maurer [Thu, 24 Sep 2015 10:13:10 +0000 (12:13 +0200)]
use service class to generate pod and bash-completion files
Dietmar Maurer [Thu, 24 Sep 2015 08:40:24 +0000 (10:40 +0200)]
convert pve-firewall into a PVE::Service class
Dietmar Maurer [Wed, 16 Sep 2015 09:25:24 +0000 (11:25 +0200)]
add better inline documentation