parser: fix scoped alias resolution

We tried to resolve aliases in some places where the cluster configuration didn't get set. It's probably better to handle these cases directly in the function at hand, instead of at every place where these issues might arise.

This seemingly fixes the issues reported on pve-user and the forum:

* https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
* https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
fix #4556: introduce 'dc' and 'vm' prefix for aliases

since they had the same issue as IPSets, detailed in #4556. The format works the same as for IPSets:

dc/alias    Looks for the alias on the Datacenter level.
vm/alias    Looks for the alias on the VM level.
alias       Uses the previous method of scoping, where it first looks at the VM level and then at the Datacenter level.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
fix #4556: introduce 'dc' and 'vm' prefix for IPSets

to differentiate whether they should be taken from the datacenter config or from the local config. The parser now accepts IPSets in the following format:

+dc/ipset   Looks for the IPSet on the Datacenter level.
+vm/ipset   Looks for the IPSet on the VM level.
+ipset      Uses the previous method of scoping, where it first looks at the VM level and then at the Datacenter level.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
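The scoping rules from the three commits above (prefixed and unprefixed IPSet and alias references, plus tolerating a cluster configuration that was never loaded), as an added example that is not pve-firewall's own code. The function names, the config layout (`{"ipset": {...}, "alias": {...}}` per level) and the sample data are constructed for this illustration; the real parser keeps these in Perl data structures.

```python
# Added example (not pve-firewall's own code): resolve '+dc/…', '+vm/…' and
# unprefixed IPSet references, and the matching 'dc/…'/'vm/…' alias references,
# with the scoping rules described in the commits above. Function names, the
# config layout and the sample data are constructed for this illustration.
import re
from typing import Optional

# Constructed configs: {"ipset": {name: [entries]}, "alias": {name: address}}
DC_CONF = {
    "ipset": {"management": ["10.0.0.0/24"], "dc-only": ["10.9.0.0/16"]},
    "alias": {"gateway": "10.0.0.1"},
}
VM_CONF = {
    "ipset": {"management": ["192.168.1.0/24"]},
    "alias": {"gateway": "192.168.1.1", "vm-only": "192.168.1.50"},
}

_REF_RE = re.compile(r"^(?:(dc|vm)/)?([A-Za-z][A-Za-z0-9_-]*)$")


class ScopeError(ValueError):
    pass


def _lookup(kind: str, ref: str, vm_conf: Optional[dict], dc_conf: Optional[dict]):
    m = _REF_RE.match(ref)
    if not m:
        raise ScopeError(f"invalid {kind} reference '{ref}'")
    scope, name = m.groups()
    # A config that was never loaded (e.g. no cluster config on this node) is
    # treated as empty here, so callers do not need their own special case.
    vm_tbl = (vm_conf or {}).get(kind, {})
    dc_tbl = (dc_conf or {}).get(kind, {})
    if scope == "vm":
        order = [("vm", vm_tbl)]
    elif scope == "dc":
        order = [("dc", dc_tbl)]
    else:  # unprefixed: VM level first, then datacenter
        order = [("vm", vm_tbl), ("dc", dc_tbl)]
    for level, tbl in order:
        if name in tbl:
            return level, tbl[name]
    raise ScopeError(f"no such {kind} '{name}' (scope: {scope or 'vm, then dc'})")


def resolve_ipset(ref, vm_conf, dc_conf):
    """ref is '+name', '+dc/name' or '+vm/name'; returns (level, entries)."""
    if not ref.startswith("+"):
        raise ScopeError(f"ipset reference must start with '+': '{ref}'")
    return _lookup("ipset", ref[1:], vm_conf, dc_conf)


def resolve_alias(ref, vm_conf, dc_conf):
    """ref is 'name', 'dc/name' or 'vm/name'; returns (level, value)."""
    return _lookup("alias", ref, vm_conf, dc_conf)


def check_references(refs, vm_conf, dc_conf):
    """Resolve every reference and collect the failures instead of aborting,
    so one bad reference cannot take the whole ruleset down."""
    errors = []
    for ref in refs:
        try:
            if ref.startswith("+"):
                resolve_ipset(ref, vm_conf, dc_conf)
            else:
                resolve_alias(ref, vm_conf, dc_conf)
        except ScopeError as e:
            errors.append(str(e))
    return errors
```

Passing `None` for a level is the case the first commit is about: the lookup simply falls through to the other level (or reports "no such ...") instead of failing on a missing config.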
fix #4730: add safeguards to prevent ICMP type misuse

without these additional conditions, it's possible to break the firewall by setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for 'tcp'.

by rejecting the invalid rule/parameter, the rest of the ruleset is still applied properly, and the error messages are a lot more informative as well.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
fix variables declared in conditional statement

as that can trigger hard-to-reproduce/debug bugs; with such statements the variable won't necessarily be undef if the post-if evaluates to false, but will rather hold the (now bogus) value from the last time it evaluated to true.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fix #4550: host options: add nf_conntrack_helpers

kernel 6.1 has removed auto helper loading. This has been deprecated for multiple years. We simply need to add rules in PREROUTING to load these helpers.

supported protocols:
- amanda
- ftp
- irc (ipv4 only)
- netbios-ns (ipv4 only)
- pptp (ipv4 only)
- sane
- sip
- snmp (ipv4 only)
- tftp

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
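The mechanism the commit above describes (explicit PREROUTING rules instead of kernel auto-loading), as an added example that is not pve-firewall's own code: it turns an `nf_conntrack_helpers` option value into `-j CT --helper` rules for the raw table, honouring the IPv4-only helpers in the list. The port numbers are the usual IANA defaults for each protocol, and the function names are assumptions.

```python
# Added example (not pve-firewall's own code): turn an nf_conntrack_helpers
# host option into the raw-table PREROUTING rules that bind a helper to its
# protocol's default port, honouring the IPv4-only helpers listed above.
# Port numbers are the usual IANA defaults; function names are assumptions.

HELPERS = {
    # name: (l4 protocol, port, available for IPv4, available for IPv6)
    "amanda":     ("udp", 10080, True, True),
    "ftp":        ("tcp", 21,    True, True),
    "irc":        ("tcp", 6667,  True, False),
    "netbios-ns": ("udp", 137,   True, False),
    "pptp":       ("tcp", 1723,  True, False),
    "sane":       ("tcp", 6566,  True, True),
    "sip":        ("udp", 5060,  True, True),
    "snmp":       ("udp", 161,   True, False),
    "tftp":       ("udp", 69,    True, True),
}


def parse_helper_option(value):
    """Parse the comma-separated option value; unknown helper names are rejected
    up front rather than producing a rule the kernel cannot satisfy."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = sorted(set(names) - set(HELPERS))
    if unknown:
        raise ValueError(f"unknown conntrack helper(s): {', '.join(unknown)}")
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def helper_rules(names, ipversion):
    """Rules for the raw table's PREROUTING chain, one per helper that exists
    for the given IP version; the CT target attaches the helper to the flow."""
    rules = []
    for name in names:
        proto, port, v4, v6 = HELPERS[name]
        if (ipversion == 4 and v4) or (ipversion == 6 and v6):
            rules.append(f"-A PREROUTING -p {proto} --dport {port} -j CT --helper {name}")
    return rules


def raw_table(names, ipversion):
    """Complete '*raw' section for iptables-restore (4) or ip6tables-restore (6)."""
    lines = ["*raw", ":PREROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    lines += helper_rules(names, ipversion)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```

Feeding `raw_table(parse_helper_option("ftp,irc"), 6)` to `ip6tables-restore` yields only the ftp rule, because irc is IPv4-only in the list above.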
allow non-zero IP address host bits to be entered

They can already be set directly via the cluster.fw file. Net::IP is just a bit more picky with what it allows. For example:

error:   192.168.1.155/24
correct: 192.168.1.0/24

This cleans the entered IP and removes the non-zero host bits.

Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
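The two parameter checks from the commits above (#4730's rejection of ICMP type names as ports for non-ICMP protocols, and the host-bit cleanup just described), as an added example that is not pve-firewall's own code. It validates a small constructed ruleset and drops only the offending rule, so the rest still applies. `validate_ruleset`, `check_port`, `normalize_network` and the rule dict layout are assumptions, and `ICMP_TYPE_NAMES` is a constructed subset of the names iptables accepts for `--icmp-type`/`--icmpv6-type`.

```python
# Added example (not pve-firewall's own code): per-rule parameter validation
# covering the two commits above. Function names and the rule layout are
# assumptions; ICMP_TYPE_NAMES is a constructed subset of the type names
# iptables accepts for '--icmp-type' / '--icmpv6-type'.
import ipaddress

ICMP_PROTOS = {"icmp", "icmpv6", "ipv6-icmp"}
ICMP_TYPE_NAMES = {
    "any", "echo-request", "echo-reply", "destination-unreachable",
    "time-exceeded", "neighbour-solicitation", "router-advertisement",
}


def check_port(proto, spec):
    """Return an error string, or None if spec is valid for proto.

    spec is a port number, a range 'a:b' / 'a-b', or (ICMP only) a type name.
    """
    if spec in (None, ""):
        return None
    if spec in ICMP_TYPE_NAMES:
        if proto in ICMP_PROTOS:
            return None
        return f"ICMP type '{spec}' is not a valid port for protocol '{proto or 'any'}'"
    if proto in ICMP_PROTOS:
        # assumption: a numeric ICMP type is fine, anything else is not
        if spec.isdigit() and int(spec) <= 255:
            return None
        return f"'{spec}' is not a valid ICMP type"
    sep = ":" if ":" in spec else "-"
    parts = spec.split(sep)
    if len(parts) > 2 or not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        return f"'{spec}' is not a valid port or port range"
    if len(parts) == 2 and int(parts[0]) > int(parts[1]):
        return f"port range '{spec}' is reversed"
    return None


def normalize_network(spec):
    """Drop non-zero host bits: '192.168.1.155/24' -> '192.168.1.0/24'.
    Plain addresses are validated and returned unchanged. Raises ValueError."""
    if "/" in spec:
        return str(ipaddress.ip_network(spec, strict=False))
    return str(ipaddress.ip_address(spec))


def validate_ruleset(rules):
    """Return (accepted_rules, errors). An invalid rule is dropped with a
    message instead of breaking the whole ruleset on load."""
    accepted, errors = [], []
    for idx, rule in enumerate(rules):
        clean, problems = dict(rule), []
        for key in ("dport", "sport"):
            err = check_port(rule.get("proto"), rule.get(key))
            if err:
                problems.append(f"{key}: {err}")
        for key in ("source", "dest"):
            if rule.get(key):
                try:
                    clean[key] = normalize_network(rule[key])
                except ValueError as e:
                    problems.append(f"{key}: {e}")
        if problems:
            errors.append(f"rule {idx}: " + "; ".join(problems))
        else:
            accepted.append(clean)
    return accepted, errors


RULES = [  # constructed sample ruleset; rule 0 is the #4730 case
    {"action": "ACCEPT", "proto": "tcp", "dport": "any"},
    {"action": "ACCEPT", "proto": "icmp", "dport": "echo-request"},
    {"action": "ACCEPT", "proto": "tcp", "dport": "22", "source": "192.168.1.155/24"},
]
```

`ipaddress.ip_network(..., strict=False)` is the stdlib way to get the same leniency the commit adds on top of Net::IP; with `strict=True` (the default) the same input raises `ValueError: ... has host bits set`.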
fix #4204: automatically update usages of group when it is renamed

When renaming a group, the usages didn't get updated automatically. To get around problems with atomicity, the old rule is first cloned with the new name, the usages are updated and only when updating has finished, the old rule is deleted.

The subroutines that lock/update host configs had to be changed so that it's possible to lock any config, not just the one of the current host.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
macros: s/SPICE/SPICEproxy/

while I'm still a bit on the edge about the usefulness of this macro, it should better convey for what it is, as SPICE itself doesn't really have a direct port (in PVE that is), but all runs through our spiceproxy, so name the macro that way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
fix #4175: ignore non-filter ebtables tables

we only ever add rules to the filter table. Without this, we'd add all rules from other tables (which might have been manually filled by the admin) to the filter table as well, adding another copy on every iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input, but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
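The bug and the fix from the commit above, as an added example that is not pve-firewall's own code: a small parser for `ebtables-save` output, a restore-input builder for the filter table only, and a model of `ebtables-restore` that replaces the tables named in its input and leaves the others alone (the behaviour the commit notes). Running the update cycle several times shows the pre-fix variant growing the filter table by one copy of the nat rule per iteration. The function names and the sample save output (including the MAC address) are constructed for this illustration.

```python
# Added example (not pve-firewall's own code): parse ebtables-save output per
# table and rebuild only the filter table, next to the pre-fix behaviour that
# swept up every '-A' line. Function names and the sample save output are
# constructed for this illustration.


def parse_ebtables_save(text):
    """Return {table: {"chains": [':CHAIN POLICY' lines], "rules": ['-A …' lines]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, {"chains": [], "rules": []})
        elif current is None:
            raise ValueError(f"line outside any table: {line}")
        elif line.startswith(":"):
            tables[current]["chains"].append(line)
        elif line.startswith("-A "):
            tables[current]["rules"].append(line)
    return tables


def render_table(name, chains, rules):
    return "\n".join([f"*{name}", *chains, *rules]) + "\n"


def all_append_lines(text):
    """Pre-fix behaviour: every '-A' line, whatever table it belongs to."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith("-A ")]


DEFAULT_FILTER_CHAINS = [":INPUT ACCEPT", ":FORWARD ACCEPT", ":OUTPUT ACCEPT"]


def build_restore_input(saved, wanted, fixed=True):
    """Restore input for the filter table only. With fixed=False the existing
    rules are taken from every table, which is the bug described above."""
    tables = parse_ebtables_save(saved)
    filt = tables.get("filter", {"chains": list(DEFAULT_FILTER_CHAINS), "rules": []})
    rules = list(filt["rules"]) if fixed else all_append_lines(saved)
    for r in wanted:
        if r not in rules:
            rules.append(r)
    return render_table("filter", filt["chains"], rules)


def apply_restore(saved, restore_input):
    """Model ebtables-restore: tables named in the input are flushed and
    replaced, tables not mentioned are left alone. Returns new save output."""
    tables = parse_ebtables_save(saved)
    tables.update(parse_ebtables_save(restore_input))
    return "".join(render_table(n, t["chains"], t["rules"]) for n, t in tables.items())


def run_cycles(saved, wanted, n, fixed=True):
    """n firewall update iterations; returns the final ebtables-save text."""
    for _ in range(n):
        saved = apply_restore(saved, build_restore_input(saved, wanted, fixed))
    return saved


def filter_rule_count(saved):
    return len(parse_ebtables_save(saved)["filter"]["rules"])


SAVED = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -p ARP -j ACCEPT
*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -j dnat --to-destination 00:11:22:33:44:55
"""
WANTED = ["-A FORWARD -p IPv4 -j ACCEPT"]
```

With `fixed=True` the filter table settles at two rules after the first cycle and the admin's nat rule is never touched; with `fixed=False` the nat rule is copied into the filter table on the first cycle and then re-collected (from both tables) on every following one, so the count keeps climbing.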