X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=1a38e000a3548e12e778d6f2c0b6e1a9053b0b80;hp=2de83345d49e6d8ccd246a12d37a0b0a17eced4b;hb=961b4928a8857922ca7b49a23661030695b5ef52;hpb=a84f4d962687985c79e5715ef3116e6005424072 diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index 2de8334..1a38e00 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -3,7 +3,7 @@ package PVE::Firewall; use warnings; use strict; use Data::Dumper; -use Digest::MD5; +use Digest::SHA; use PVE::Tools; use PVE::QemuServer; use File::Path; @@ -15,22 +15,39 @@ use Data::Dumper; my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; -my $macros; +# todo: define more MACROS +# inspired by: /usr/share/shorewall/macro.* +my $pve_fw_macros = { + BitTorrent => [ + { action => 'PARAM', proto => 'tcp', dport => '6881:6889' }, + { action => 'PARAM', proto => 'udp', dport => '6881' } + ], + HTTP => [ + { action => 'PARAM', proto => 'tcp', dport => '80' }, + ], + HTTPS => [ + { action => 'PARAM', proto => 'tcp', dport => '443' }, + ], +}; + +my $pve_fw_parsed_macros; +my $pve_fw_preferred_macro_names = {}; -# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.* sub get_firewall_macros { - return $macros if $macros; + return $pve_fw_parsed_macros if $pve_fw_parsed_macros; + + $pve_fw_parsed_macros = {}; - #foreach my $path () { - # if ($path =~ m|/macro\.(\S+)$|) { - # $macros->{$1} = 1; - # } - #} + foreach my $k (keys %$pve_fw_macros) { + my $name = lc($k); - $macros = {}; # fixme: implemet me + my $macro = $pve_fw_macros->{$k}; + $pve_fw_preferred_macro_names->{$name} = $k; + $pve_fw_parsed_macros->{$name} = $macro; + } - return $macros; + return $pve_fw_parsed_macros; } my $etc_services; @@ -199,7 +216,7 @@ sub iptables_get_chains { my $chain = $1; return if !&$is_pvefw_chain($chain); $res->{$chain} = "unknown"; - } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) { + } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) { my ($chain, $sig) = ($1, $2); return if !&$is_pvefw_chain($chain); $res->{$chain} = $sig; @@ -237,7 +254,7 @@ sub iptables_rule_exist { } sub ruleset_generate_rule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $rule, $goto) = @_; my $cmd = ''; @@ -250,7 +267,11 @@ sub ruleset_generate_rule { $cmd .= " --dport $rule->{dport}" if $rule->{dport}; $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1; $cmd .= " --sport $rule->{sport}" if $rule->{sport}; - $cmd .= " -j $rule->{action}" if $rule->{action}; + + if (my $action = $rule->{action}) { + $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; + $cmd .= $goto ? " -g $action" : " -j $action"; + }; ruleset_addrule($ruleset, $chain, $cmd) if $cmd; } @@ -258,6 +279,8 @@ sub ruleset_generate_rule { sub ruleset_create_chain { my ($ruleset, $chain) = @_; + die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28; + die "chain '$chain' already exists\n" if $ruleset->{$chain}; $ruleset->{$chain} = []; @@ -319,7 +342,7 @@ sub generate_bridge_chains { } sub generate_tap_rules_direction { - my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; + my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; my $tapchain = "$iface-$direction"; @@ -335,17 +358,21 @@ sub generate_tap_rules_direction { if ($rules) { foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; + # we go to $bridge-IN if accept in out rules if($rule->{action} =~ m/^(GROUP-(\S+))$/){ $rule->{action} .= "-$direction"; # generate empty group rule if don't exist if(!ruleset_chain_exist($ruleset, $rule->{action})){ - generate_group_rules($ruleset, $2); + generate_group_rules($ruleset, $group_rules, $2); } + ruleset_generate_rule($ruleset, $tapchain, $rule); + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN") + if $direction eq 'OUT'; + } else { + $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; + ruleset_generate_rule($ruleset, $tapchain, $rule); } - # we go to vmbr-IN if accept in out rules - $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; - ruleset_generate_rule($ruleset, $tapchain, $rule); - } + } } ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); @@ -364,13 +391,9 @@ sub generate_tap_rules_direction { } sub enablehostfw { - my ($ruleset) = @_; + my ($ruleset, $rules, $group_rules) = @_; - my $filename = "/etc/pve/local/host.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; - - my $rules = parse_fw_rules($filename, $fh); + # fixme: allow security groups # host inbound firewall my $chain = "PVEFW-HOST-IN"; @@ -421,14 +444,12 @@ sub enablehostfw { } sub generate_group_rules { - my ($ruleset, $group) = @_; + my ($ruleset, $group_rules, $group) = @_; - my $filename = "/etc/pve/firewall/groups.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; - - my $rules = parse_fw_rules($filename, $fh, $group); + my $rules = $group_rules->{$group}; + die "no such security group '$group'\n" if !$rules; + my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); @@ -442,120 +463,235 @@ sub generate_group_rules { $chain = "GROUP-${group}-OUT"; ruleset_create_chain($ruleset, $chain); + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { - # we go the PVEFW-BRIDGE-IN because we need to check also other tap rules - # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN) - $rule->{action} = 'PVEFW-BRIDGE-IN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($rule, $chain, $rule); + # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to + # check also other tap rules (and group rules can be set on any bridge, + # so we can't go to VMBRXX-IN) + $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT'; + ruleset_generate_rule($ruleset, $chain, $rule); } } } -sub parse_fw_rules { - my ($filename, $fh, $group) = @_; +my $MAX_NETS = 32; +my $valid_netdev_names = {}; +for (my $i = 0; $i < $MAX_NETS; $i++) { + $valid_netdev_names->{"net$i"} = 1; +} - my $section; - my $securitygroup; - my $securitygroupexist; - - my $res = { in => [], out => [] }; +sub parse_fw_rule { + my ($line, $need_iface, $allow_groups) = @_; my $macros = get_firewall_macros(); my $protocols = get_etc_protocols(); - + + my ($action, $iface, $source, $dest, $proto, $dport, $sport); + + $line =~ s/#.*$//; + + my @data = split(/\s+/, $line); + my $expected_elements = $need_iface ? 7 : 6; + + die "wrong number of rule elements\n" if scalar(@data) > $expected_elements; + + if ($need_iface) { + ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data + } else { + ($action, $source, $dest, $proto, $dport, $sport) = @data; + } + + die "incomplete rule\n" if !$action; + + my $macro; + my $macro_name; + + if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { + # OK + } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) { + # OK + } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + ($macro_name, $action) = ($1, $2); + my $lc_macro_name = lc($macro_name); + my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; + $macro_name = $preferred_name if $preferred_name; + $macro = $macros->{$lc_macro_name}; + die "unknown macro '$macro_name'\n" if !$macro; + } else { + die "unknown action '$action'\n"; + } + + if ($need_iface) { + $iface = undef if $iface && $iface eq '-'; + die "unknown interface '$iface'\n" + if defined($iface) && !$valid_netdev_names->{$iface}; + } + + $proto = undef if $proto && $proto eq '-'; + die "unknown protokol '$proto'\n" if $proto && + !(defined($protocols->{byname}->{$proto}) || + defined($protocols->{byid}->{$proto})); + + $source = undef if $source && $source eq '-'; + $dest = undef if $dest && $dest eq '-'; + + $dport = undef if $dport && $dport eq '-'; + $sport = undef if $sport && $sport eq '-'; + + my $nbsource = undef; + my $nbdest = undef; + + $nbsource = parse_address_list($source) if $source; + $nbdest = parse_address_list($dest) if $dest; + + my $rules = []; + + my $param = { + action => $action, + iface => $iface, + source => $source, + dest => $dest, + nbsource => $nbsource, + nbdest => $nbdest, + proto => $proto, + dport => $dport, + sport => $sport, + }; + + if ($macro) { + foreach my $templ (@$macro) { + my $rule = {}; + foreach my $k (keys %$templ) { + my $v = $templ->{$k}; + $v = $param->{$k} if $v eq 'PARAM'; + die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); + $rule->{$k} = $v; + } + push @$rules, $rule; + } + } else { + push @$rules, $param; + } + + foreach my $rule (@$rules) { + $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) + if defined($rule->{dport}); + $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) + if defined($rule->{sport}); + } + + return $rules; +} + +sub parse_vm_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [] }; + + my $section; + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; - if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) { + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out)\]\s*$/i) { $section = lc($1); - $securitygroup = lc($3) if $3; - $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group; next; } - next if !$section; - next if $group && $securitygroup ne $group; - - my ($action, $iface, $source, $dest, $proto, $dport, $sport) = - split(/\s+/, $line); - - if (!$action) { - warn "skip incomplete line\n"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - my $service; - if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) { - # OK - } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - ($service, $action) = ($1, $2); - if (!$macros->{$service}) { - warn "unknown service '$service'\n"; - next; - } - } else { - warn "unknown action '$action'\n"; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; + if (my $err = $@) { + warn "$prefix: $err"; next; } - $iface = undef if $iface && $iface eq '-'; - if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) { - warn "unknown interface '$iface'\n"; + push @{$res->{$section}}, @$rules; + } + + return $res; +} + +sub parse_host_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [] }; + + my $section; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; + + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out)\]\s*$/i) { + $section = lc($1); next; } - - $proto = undef if $proto && $proto eq '-'; - if ($proto && !(defined($protocols->{byname}->{$proto}) || - defined($protocols->{byid}->{$proto}))) { - warn "unknown protokol '$proto'\n"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - $source = undef if $source && $source eq '-'; - $dest = undef if $dest && $dest eq '-'; - - $dport = undef if $dport && $dport eq '-'; - $sport = undef if $sport && $sport eq '-'; - my $nbdport = undef; - my $nbsport = undef; - my $nbsource = undef; - my $nbdest = undef; - - eval { - $nbsource = parse_address_list($source) if $source; - $nbdest = parse_address_list($dest) if $dest; - $nbdport = parse_port_name_number_or_range($dport) if $dport; - $nbsport = parse_port_name_number_or_range($sport) if $sport; - }; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { - warn $err; + warn "$prefix: $err"; next; - } + push @{$res->{$section}}, @$rules; + } - my $rule = { - action => $action, - service => $service, - iface => $iface, - source => $source, - dest => $dest, - nbsource => $nbsource, - nbdest => $nbdest, - proto => $proto, - dport => $dport, - sport => $sport, - nbdport => $nbdport, - nbsport => $nbsport, + return $res; +} - }; +sub parse_group_fw_rules { + my ($filename, $fh) = @_; - push @{$res->{$section}}, $rule; + my $section; + my $group; + + my $res = { in => [], out => [] }; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; + + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) { + $section = lc($1); + $group = lc($2); + next; + } + if (!$section || !$group) { + warn "$prefix: skip line - no section"; + next; + } + + my $rules; + eval { $rules = parse_fw_rule($line, 0, 0); }; + if (my $err = $@) { + warn "$prefix: $err"; + next; + } + + push @{$res->{$group}->{$section}}, @$rules; } - die "security group $group don't exist" if $group && !$securitygroupexist; return $res; } @@ -599,7 +735,7 @@ sub read_vm_firewall_rules { my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; - $rules->{$vmid} = parse_fw_rules($filename, $fh); + $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); } return $rules; @@ -608,6 +744,12 @@ sub read_vm_firewall_rules { sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); + + my $group_rules = {}; + my $filename = "/etc/pve/firewall/groups.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $group_rules = parse_group_fw_rules($filename, $fh); + } #print Dumper($rules); @@ -617,7 +759,14 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); - enablehostfw($ruleset); + ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK"); + ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1"); + + $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + my $host_rules = parse_host_fw_rules($filename, $fh); + enablehostfw($ruleset, $host_rules, $group_rules); + } # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { @@ -638,8 +787,8 @@ sub compile { generate_bridge_chains($ruleset, $bridge); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); } } return $ruleset; @@ -653,7 +802,7 @@ sub get_ruleset_status { my $statushash = {}; foreach my $chain (sort keys %$ruleset) { - my $digest = Digest::MD5->new(); + my $digest = Digest::SHA->new('sha1'); foreach my $cmd (@{$ruleset->{$chain}}) { $digest->add("$cmd\n"); } @@ -697,9 +846,8 @@ sub print_ruleset { sub print_sig_rule { my ($chain, $sig) = @_; - # Note: This rule should never match! We just use this hack to store a SHA1 checksum - # used to detect changes - return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n"; + # We just use this to store a SHA1 checksum used to detect changes + return "-A $chain -m comment --comment \"PVESIG:$sig\"\n"; } sub apply_ruleset { @@ -745,8 +893,7 @@ sub apply_ruleset { } $cmdlist .= print_sig_rule($chain, $stat->{sig}); } elsif ($stat->{action} eq 'delete') { - $cmdlist .= "-F $chain\n"; - $cmdlist .= "-X $chain\n"; + die "internal error"; # this should not happen } elsif ($stat->{action} eq 'exists') { # do nothing } else { @@ -754,6 +901,15 @@ sub apply_ruleset { } } + foreach my $chain (keys %$statushash) { + next if $statushash->{$chain}->{action} ne 'delete'; + $cmdlist .= "-F $chain\n"; + } + foreach my $chain (keys %$statushash) { + next if $statushash->{$chain}->{action} ne 'delete'; + $cmdlist .= "-X $chain\n"; + } + $cmdlist .= "COMMIT\n"; print $cmdlist if $verbose;