my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
-my $default_log_level = 'info';
+my $default_log_level = 'nolog'; # avoid logs by default
my $log_level_hash = {
debug => 7,
{ action => 'PARAM', proto => 'tcp', dport => '6277' },
],
'DHCPfwd' => [
- "Forwarded DHCP traffic (bidirectional)",
+ "Forwarded DHCP traffic",
{ action => 'PARAM', proto => 'udp', dport => '67:68', sport => '67:68' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '67:68', sport => '67:68' },
],
'DNS' => [
"Domain Name System traffic (upd and tcp)",
{ action => 'PARAM', proto => 'udp', dport => '1080' },
],
'GRE' => [
- "Generic Routing Encapsulation tunneling protocol (bidirectional)",
+ "Generic Routing Encapsulation tunneling protocol",
{ action => 'PARAM', proto => '47' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' },
],
'Git' => [
"Git distributed revision control traffic",
{ action => 'PARAM', proto => 'tcp', dport => '993' },
],
'IPIP' => [
- "IPIP capsulation traffic (bidirectional)",
+ "IPIP capsulation traffic",
{ action => 'PARAM', proto => '94' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '94' },
],
'IPsec' => [
- "IPsec traffic (bidirectional)",
+ "IPsec traffic",
{ action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
{ action => 'PARAM', proto => '50' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' },
],
'IPsecah' => [
- "IPsec authentication (AH) traffic (bidirectional)",
+ "IPsec authentication (AH) traffic",
{ action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
{ action => 'PARAM', proto => '51' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '51' },
],
'IPsecnat' => [
- "IPsec traffic and Nat-Traversal (bidirectional)",
+ "IPsec traffic and Nat-Traversal",
{ action => 'PARAM', proto => 'udp', dport => '500' },
{ action => 'PARAM', proto => 'udp', dport => '4500' },
{ action => 'PARAM', proto => '50' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '4500' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' },
],
'IRC' => [
"Internet Relay Chat traffic",
'L2TP' => [
"Layer 2 Tunneling Protocol traffic",
{ action => 'PARAM', proto => 'udp', dport => '1701' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1701' },
],
'LDAP' => [
"Lightweight Directory Access Protocol traffic",
"Network Time Protocol (ntpd)",
{ action => 'PARAM', proto => 'udp', dport => '123' },
],
- 'NTPbi' => [
- "Bi-directional NTP (for NTP peers)",
- { action => 'PARAM', proto => 'udp', dport => '123' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '123' },
- ],
'OSPF' => [
"OSPF multicast traffic",
{ action => 'PARAM', proto => '89' },
'PPtP' => [
"Point-to-Point Tunneling Protocol",
{ action => 'PARAM', proto => '47' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' },
{ action => 'PARAM', proto => 'tcp', dport => '1723' },
],
'Ping' => [
"Microsoft Remote Desktop Protocol traffic",
{ action => 'PARAM', proto => 'tcp', dport => '3389' },
],
- 'RIPbi' => [
+ 'RIP' => [
"Routing Information Protocol (bidirectional)",
{ action => 'PARAM', proto => 'udp', dport => '520' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '520' },
],
'RNDC' => [
"BIND remote management protocol",
{ action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' },
{ action => 'PARAM', proto => 'tcp', dport => '135,139,445' },
],
- 'SMBBI' => [
- "Microsoft SMB traffic (bidirectional)",
- { action => 'PARAM', proto => 'udp', dport => '135,445' },
- { action => 'PARAM', proto => 'udp', dport => '137:139' },
- { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' },
- { action => 'PARAM', proto => 'tcp', dport => '135,139,445' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '135,445' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '137:139' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1024:65535', sport => '137' },
- { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'tcp', dport => '135,139,445' },
- ],
'SMBswat' => [
"Samba Web Administration Tool",
{ action => 'PARAM', proto => 'tcp', dport => '901' },
{ action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
],
'VNC' => [
- "VNC traffic for VNC display's 0 - 9",
- { action => 'PARAM', proto => 'tcp', dport => '5900:5909' },
+ "VNC traffic for VNC display's 0 - 99",
+ { action => 'PARAM', proto => 'tcp', dport => '5900:5999' },
],
'VNCL' => [
"VNC traffic from Vncservers to Vncviewers in listen mode",
return $etc_protocols;
}
+my $ipv4_mask_hash_clusternet = {
+ '255.255.0.0' => 16,
+ '255.255.128.0' => 17,
+ '255.255.192.0' => 18,
+ '255.255.224.0' => 19,
+ '255.255.240.0' => 20,
+ '255.255.248.0' => 21,
+ '255.255.252.0' => 22,
+ '255.255.254.0' => 23,
+ '255.255.255.0' => 24,
+ '255.255.255.128' => 25,
+ '255.255.255.192' => 26,
+ '255.255.255.224' => 27,
+ '255.255.255.240' => 28,
+ '255.255.255.248' => 29,
+ '255.255.255.252' => 30,
+};
+
+my $__cluster_network;
+
+sub cluster_network {
+ my ($new_value) = @_;
+
+ $__cluster_network = $new_value if defined($new_value);
+
+ return $__cluster_network if defined($__cluster_network);
+
+ eval {
+ my $nodename = PVE::INotify::nodename();
+
+ my $ip = PVE::Cluster::remote_node_ip($nodename);
+
+ my $testip = Net::IP->new($ip);
+
+ my $routes = PVE::ProcFSTools::read_proc_net_route();
+ foreach my $entry (@$routes) {
+ my $mask = $ipv4_mask_hash_clusternet->{$entry->{mask}};
+ next if !defined($mask);
+ return if $mask eq '0.0.0.0';
+ my $cidr = "$entry->{dest}/$mask";
+ my $testnet = Net::IP->new($cidr);
+ if ($testnet->overlaps($testip)) {
+ $__cluster_network = $cidr;
+ return;
+ }
+ }
+ };
+ warn $@ if $@;
+
+ return $__cluster_network;
+}
+
sub parse_address_list {
my ($str) = @_;
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $host_options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
}
sub generate_venet_rules_direction {
- my ($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
+ my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
my $lc_direction = lc($direction);
my $rules = $vmfw_conf->{rules};
my $options = $vmfw_conf->{options};
- my $hostfw_options = $vmfw_conf->{options};
my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, $hostfw_options, undef, $direction);
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
}
sub generate_tap_rules_direction {
- my ($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
+ my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
my $lc_direction = lc($direction);
my $rules = $vmfw_conf->{rules};
my $options = $vmfw_conf->{options};
- my $hostfw_options = $hostfw_conf->{options};
my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $hostfw_options, $macaddr, $direction);
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
delete $rule->{iface_in};
}
+ # allow standard traffic for management ipset (includes cluster network)
+ my $mngmntsrc = "-m set --match-set PVEFW-management src";
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH
+
+ my $clusternet = cluster_network();
+
+ # corosync
+ if ($clusternet) {
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ }
+
# implement input policy
my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
- ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
-
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';
delete $rule->{iface_out};
}
+ # allow standard traffic on cluster network
+ if ($clusternet) {
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-d $clusternet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
+ }
+
# implement output policy
$policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
return ($opt, $value);
}
-sub parse_clusterfw_alias {
+sub parse_alias {
my ($line) = @_;
# we can add single line comments to the end of the line
sub parse_vm_fw_rules {
my ($filename, $fh) = @_;
- my $res = { rules => [], options => {}};
+ my $res = {
+ rules => [],
+ options => {},
+ aliases => {},
+ };
my $section;
next;
}
+ if ($section eq 'aliases') {
+ eval {
+ my $data = parse_alias($line);
+ $res->{aliases}->{lc($data->{name})} = $data;
+ };
+ warn "$prefix: $@" if $@;
+ next;
+ }
+
my $rule;
eval { $rule = parse_fw_rule($line, 1, 1); };
if (my $err = $@) {
warn "$prefix: $@" if $@;
} elsif ($section eq 'aliases') {
eval {
- my $data = parse_clusterfw_alias($line);
+ my $data = parse_alias($line);
$res->{aliases}->{lc($data->{name})} = $data;
};
warn "$prefix: $@" if $@;
my $options = $vmfw_conf->{options};
$raw .= &$format_options($options) if scalar(keys %$options);
+ my $aliases = $vmfw_conf->{aliases};
+ $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+
my $rules = $vmfw_conf->{rules} || [];
if (scalar(@$rules)) {
$raw .= "[RULES]\n\n";
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
$cluster_conf = load_clusterfw_conf($filename);
$filename = "$testdir/host.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
$hostfw_conf = load_hostfw_conf($filename);
$vmfw_configs = read_vm_firewall_configs($vmdata, $testdir);
$cluster_conf->{ipset}->{venet0} = [];
-
+
+ my $clusternet = cluster_network() || '127.0.0.0/8';
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $clusternet };
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");
my $conf = $vmdata->{qemu}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+ next if !$vmfw_conf->{options}->{enable};
foreach my $netid (keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $iface = "tap${vmid}i$1";
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'OUT');
}
}
my $vmfw_conf = $vmfw_configs->{$vmid};
next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+ next if !$vmfw_conf->{options}->{enable};
if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
my $ip = $conf->{ip_address}->{value};
push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
}
- generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'IN');
- generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
}
if ($conf->{netif} && $conf->{netif}->{value}) {
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'OUT');
}
}
iptables_restore_cmdlist($cmdlist);
}
+sub init {
+ my $cluster_conf = load_clusterfw_conf();
+ my $cluster_options = $cluster_conf->{options};
+ my $enable = $cluster_options->{enable};
+
+ return if !$enable;
+
+ # load required modules here
+}
+
sub update {
my ($verbose) = @_;
run_locked($code);
}
-
1;
projects / pve-firewall.git / blobdiff