X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=dd149ccb391415bea225fe1f460a7090a8bffb34;hp=aaba7f930ca38e0d04c487a1d50a03503fd4bcc2;hb=2d404ffc7fe2b2134dff553079c412a7a4096491;hpb=7fab95bcdb997acb9f466ba53584065362b6d4f5 diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index aaba7f9..dd149cc 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -6,6 +6,7 @@ use Data::Dumper; use Digest::SHA; use PVE::Tools; use PVE::QemuServer; +use File::Basename; use File::Path; use IO::File; use Net::IP; @@ -14,8 +15,21 @@ use PVE::Tools qw(run_command lock_file); use Data::Dumper; my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; +my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status"; + +my $default_log_level = 'info'; + +my $log_level_hash = { + debug => 7, + info => 6, + notice => 5, + warning => 4, + err => 3, + crit => 2, + alert => 1, + emerg => 0, +}; -# todo: define more MACROS # imported/converted from: /usr/share/shorewall/macro.* my $pve_fw_macros = { 'Amanda' => [ @@ -225,7 +239,7 @@ my $pve_fw_macros = { { action => 'PARAM', proto => 'tcp', dport => '1723' }, ], 'Ping' => [ - { action => 'PARAM', proto => 'icmp', dport => '8' }, + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, ], 'PostgreSQL' => [ { action => 'PARAM', proto => 'tcp', dport => '5432' }, @@ -323,7 +337,7 @@ my $pve_fw_macros = { ], 'Trcrt' => [ { action => 'PARAM', proto => 'udp', dport => '33434:33524' }, - { action => 'PARAM', proto => 'icmp', dport => '8' }, + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, ], 'VNC' => [ { action => 'PARAM', proto => 'tcp', dport => '5900:5909' }, @@ -349,10 +363,138 @@ my $pve_fw_macros = { my $pve_fw_parsed_macros; my $pve_fw_preferred_macro_names = {}; +my $pve_std_chains = { + 'PVEFW-SET-ACCEPT-MARK' => [ + "-j MARK --set-mark 1", + ], + 'PVEFW-DropBroadcast' => [ + # same as shorewall 'Broadcast' + # simply DROP BROADCAST/MULTICAST/ANYCAST + # we can use this to reduce logging + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', dsttype => 'MULTICAST' }, + { action => 'DROP', dsttype => 'ANYCAST' }, + { action => 'DROP', dest => '224.0.0.0/4' }, + ], + 'PVEFW-reject' => [ + # same as shorewall 'reject' + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', source => '224.0.0.0/4' }, + { action => 'DROP', proto => 'icmp' }, + "-p tcp -j REJECT --reject-with tcp-reset", + "-p udp -j REJECT --reject-with icmp-port-unreachable", + "-p icmp -j REJECT --reject-with icmp-host-unreachable", + "-j REJECT --reject-with icmp-host-prohibited", + ], + 'PVEFW-Drop' => [ + # same as shorewall 'Drop', which is equal to DROP, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'DROP', proto => 'udp', dport => '137:139'}, + { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-Reject' => [ + # same as shorewall 'Reject', which is equal to Reject, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, + { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-tcpflags' => [ + # same as shorewall tcpflags action. + # Packets arriving on this interface are checked for som illegal combinations of TCP flags + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", + "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + ], + 'PVEFW-smurfs' => [ + # same as shorewall smurfs action + # Filter packets for smurfs (packets with a broadcast address as the source). + "-s 0.0.0.0/32 -j RETURN", + "-m addrtype --src-type BROADCAST -g PVEFW-smurflog", + "-s 224.0.0.0/4 -g PVEFW-smurflog", + ], +}; + +# iptables -p icmp -h +my $icmp_type_names = { + any => 1, + 'echo-reply' => 1, + 'destination-unreachable' => 1, + 'network-unreachable' => 1, + 'host-unreachable' => 1, + 'protocol-unreachable' => 1, + 'port-unreachable' => 1, + 'fragmentation-needed' => 1, + 'source-route-failed' => 1, + 'network-unknown' => 1, + 'host-unknown' => 1, + 'network-prohibited' => 1, + 'host-prohibited' => 1, + 'TOS-network-unreachable' => 1, + 'TOS-host-unreachable' => 1, + 'communication-prohibited' => 1, + 'host-precedence-violation' => 1, + 'precedence-cutoff' => 1, + 'source-quench' => 1, + 'redirect' => 1, + 'network-redirect' => 1, + 'host-redirect' => 1, + 'TOS-network-redirect' => 1, + 'TOS-host-redirect' => 1, + 'echo-request' => 1, + 'router-advertisement' => 1, + 'router-solicitation' => 1, + 'time-exceeded' => 1, + 'ttl-zero-during-transit' => 1, + 'ttl-zero-during-reassembly' => 1, + 'parameter-problem' => 1, + 'ip-header-bad' => 1, + 'required-option-missing' => 1, + 'timestamp-request' => 1, + 'timestamp-reply' => 1, + 'address-mask-request' => 1, + 'address-mask-reply' => 1, +}; + sub get_firewall_macros { return $pve_fw_parsed_macros if $pve_fw_parsed_macros; - + $pve_fw_parsed_macros = {}; foreach my $k (keys %$pve_fw_macros) { @@ -389,6 +531,7 @@ sub get_etc_services { if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) { $services->{byid}->{$2}->{name} = $1; + $services->{byid}->{$2}->{port} = $2; $services->{byid}->{$2}->{$3} = 1; $services->{byname}->{$1} = $services->{byid}->{$2}; } @@ -396,8 +539,8 @@ sub get_etc_services { close($fh); - $etc_services = $services; - + $etc_services = $services; + return $etc_services; } @@ -457,13 +600,17 @@ sub parse_port_name_number_or_range { my $nbports = 0; foreach my $item (split(/,/, $str)) { my $portlist = ""; + my $oldpon = undef; + $nbports++; foreach my $pon (split(':', $item, 2)) { + $pon = $services->{byname}->{$pon}->{port} if $services->{byname}->{$pon}->{port}; if ($pon =~ m/^\d+$/){ die "invalid port '$pon'\n" if $pon < 0 && $pon > 65535; + die "port '$pon' must be bigger than port '$oldpon' \n" if $oldpon && ($pon < $oldpon); + $oldpon = $pon; }else{ die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon}; } - $nbports++; } } @@ -507,7 +654,7 @@ sub iptables_get_chains { return 1 if $name =~ m/^PVEFW-\S+$/; return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/; - return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; return undef; @@ -570,7 +717,9 @@ sub iptables_rule_exist { } sub ruleset_generate_rule { - my ($ruleset, $chain, $rule, $goto) = @_; + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + return if $rule->{disable}; my $cmd = ''; @@ -578,16 +727,56 @@ sub ruleset_generate_rule { $cmd .= " -s $rule->{source}" if $rule->{source}; $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; $cmd .= " -d $rule->{dest}" if $rule->{dest}; - $cmd .= " -p $rule->{proto}" if $rule->{proto}; - $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1; - $cmd .= " --dport $rule->{dport}" if $rule->{dport}; - $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1; - $cmd .= " --sport $rule->{sport}" if $rule->{sport}; + + if ($rule->{proto}) { + $cmd .= " -p $rule->{proto}"; + + my $multiport = 0; + $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1); + $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1); + + $cmd .= " --match multiport" if $multiport; + + die "multiport: option '--sports' cannot be used together with '--dports'\n" + if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); + + if ($rule->{dport}) { + if ($rule->{proto} && $rule->{proto} eq 'icmp') { + # Note: we use dport to store --icmp-type + die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}}); + $cmd .= " -m icmp --icmp-type $rule->{dport}"; + } else { + if ($rule->{nbdport} && $rule->{nbdport} > 1) { + if ($multiport == 2) { + $cmd .= " --ports $rule->{dport}"; + } else { + $cmd .= " --dports $rule->{dport}"; + } + } else { + $cmd .= " --dport $rule->{dport}"; + } + } + } + + if ($rule->{sport}) { + if ($rule->{nbsport} && $rule->{nbsport} > 1) { + $cmd .= " --sports $rule->{sport}" if $multiport != 2; + } else { + $cmd .= " --sport $rule->{sport}"; + } + } + } elsif ($rule->{dport} || $rule->{sport}) { + warn "ignoring destination port '$rule->{dport}' - no protocol specified\n" if $rule->{dport}; + warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport}; + } + + $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; if (my $action = $rule->{action}) { + $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; $cmd .= $goto ? " -g $action" : " -j $action"; - }; + } ruleset_addrule($ruleset, $chain, $cmd) if $cmd; } @@ -627,47 +816,60 @@ sub ruleset_insertrule { sub generate_bridge_chains { my ($ruleset, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN"); - } - - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT"); - } - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN"); } - if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { - ruleset_create_chain($ruleset, "$bridge-IN"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN"); - ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT"); + if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { + ruleset_create_chain($ruleset, "$bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + } + + if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { + ruleset_create_chain($ruleset, "$bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); + # accept traffic to unmanaged bridge ports + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT "); } } sub generate_tap_rules_direction { - my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; + my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; + + my $rules = $vmfw_conf->{lc($direction)}; + my $options = $vmfw_conf->{options}; my $tapchain = "$iface-$direction"; ruleset_create_chain($ruleset, $tapchain); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags"); + } + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr)) { + if ($direction eq 'OUT' && defined($macaddr) && + !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); } @@ -682,17 +884,46 @@ sub generate_tap_rules_direction { generate_group_rules($ruleset, $group_rules, $2); } ruleset_generate_rule($ruleset, $tapchain, $rule); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN") + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") if $direction eq 'OUT'; } else { - $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; - ruleset_generate_rule($ruleset, $tapchain, $rule); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $tapchain, $rule, + { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); + } else { + ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); + } } } } - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); - ruleset_addrule($ruleset, $tapchain, "-j DROP"); + # implement policy + my $policy; + + if ($direction eq 'OUT') { + $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + } else { + $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default + } + + if ($policy eq 'ACCEPT') { + if ($direction eq 'OUT') { + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); + } else { + ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); + } + } elsif ($policy eq 'DROP') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); + ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); + ruleset_addrule($ruleset, $tapchain, "-j DROP"); + } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); + ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4"); + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); + } else { + # should not happen + die "internal error: unknown policy '$policy'"; + } # plug the tap chain to bridge chain my $physdevdirection = $direction eq 'IN' ? "out" : "in"; @@ -725,8 +956,7 @@ sub enablehostfw { if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } @@ -747,14 +977,13 @@ sub enablehostfw { if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4"); ruleset_addrule($ruleset, $chain, "-j DROP"); - + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); } @@ -765,14 +994,14 @@ sub generate_group_rules { my $rules = $group_rules->{$group}; die "no such security group '$group'\n" if !$rules; - + my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } } @@ -783,11 +1012,10 @@ sub generate_group_rules { if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { - # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to - # check also other tap rules (and group rules can be set on any bridge, - # so we can't go to VMBRXX-IN) - $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to + # check also other tap rules later + ruleset_generate_rule($ruleset, $chain, $rule, + { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }); } } } @@ -806,7 +1034,11 @@ sub parse_fw_rule { my ($action, $iface, $source, $dest, $proto, $dport, $sport); - $line =~ s/#.*$//; + # we can add single line comments to the end of the rule + my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + + # we can disable a rule when prefixed with '|' + my $disable = 1 if $line =~ s/^\|//; my @data = split(/\s+/, $line); my $expected_elements = $need_iface ? 7 : 6; @@ -841,12 +1073,12 @@ sub parse_fw_rule { if ($need_iface) { $iface = undef if $iface && $iface eq '-'; - die "unknown interface '$iface'\n" + die "unknown interface '$iface'\n" if defined($iface) && !$valid_netdev_names->{$iface}; } $proto = undef if $proto && $proto eq '-'; - die "unknown protokol '$proto'\n" if $proto && + die "unknown protokol '$proto'\n" if $proto && !(defined($protocols->{byname}->{$proto}) || defined($protocols->{byid}->{$proto})); @@ -861,10 +1093,12 @@ sub parse_fw_rule { $nbsource = parse_address_list($source) if $source; $nbdest = parse_address_list($dest) if $dest; - + my $rules = []; my $param = { + disable => $disable, + comment => $comment, action => $action, iface => $iface, source => $source, @@ -879,19 +1113,33 @@ sub parse_fw_rule { if ($macro) { foreach my $templ (@$macro) { my $rule = {}; + my $param_used = {}; foreach my $k (keys %$templ) { my $v = $templ->{$k}; if ($v eq 'PARAM') { $v = $param->{$k}; + $param_used->{$k} = 1; } elsif ($v eq 'DEST') { $v = $param->{dest}; + $param_used->{dest} = 1; } elsif ($v eq 'SOURCE') { $v = $param->{source}; + $param_used->{source} = 1; } die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); $rule->{$k} = $v; } + foreach my $k (keys %$param) { + next if !defined($param->{$k}); + next if $param_used->{$k}; + if (defined($rule->{$k})) { + die "parameter '$k' already define in macro (value = '$rule->{$k}')\n" + if $rule->{$k} ne $param->{$k}; + } else { + $rule->{$k} = $param->{$k}; + } + } push @$rules, $rule; } } else { @@ -899,19 +1147,62 @@ sub parse_fw_rule { } foreach my $rule (@$rules) { - $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) + $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) if defined($rule->{dport}); - $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) + $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) if defined($rule->{sport}); } return $rules; } +sub parse_vmfw_option { + my ($line) = @_; + + my ($opt, $value); + + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); + } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + $opt = lc($1); + $value = uc($3); + } else { + chomp $line; + die "can't parse option '$line'\n" + } + + return ($opt, $value); +} + +sub parse_hostfw_option { + my ($line) = @_; + + my ($opt, $value); + + my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; + + if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); + } elsif ($line =~ m/^(tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { + $opt = lc($1); + $value = $2 ? lc($3) : ''; + } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + $opt = lc($1); + $value = uc($3); + } else { + chomp $line; + die "can't parse option '$line'\n" + } + + return ($opt, $value); +} + sub parse_vm_fw_rules { my ($filename, $fh) = @_; - my $res = { in => [], out => [] }; + my $res = { in => [], out => [], options => {}}; my $section; @@ -922,8 +1213,9 @@ sub parse_vm_fw_rules { my $linenr = $fh->input_line_number(); my $prefix = "$filename (line $linenr)"; - if ($line =~ m/^\[(in|out)\]\s*$/i) { + if ($line =~ m/^\[(\S+)\]\s*$/i) { $section = lc($1); + warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section}; next; } if (!$section) { @@ -931,6 +1223,17 @@ sub parse_vm_fw_rules { next; } + next if !$res->{$section}; # skip undefined section + + if ($section eq 'options') { + eval { + my ($opt, $value) = parse_vmfw_option($line); + $res->{options}->{$opt} = $value; + }; + warn "$prefix: $@" if $@; + next; + } + my $rules; eval { $rules = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { @@ -947,7 +1250,7 @@ sub parse_vm_fw_rules { sub parse_host_fw_rules { my ($filename, $fh) = @_; - my $res = { in => [], out => [] }; + my $res = { in => [], out => [], options => {}}; my $section; @@ -958,8 +1261,9 @@ sub parse_host_fw_rules { my $linenr = $fh->input_line_number(); my $prefix = "$filename (line $linenr)"; - if ($line =~ m/^\[(in|out)\]\s*$/i) { + if ($line =~ m/^\[(\S+)\]\s*$/i) { $section = lc($1); + warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section}; next; } if (!$section) { @@ -967,6 +1271,18 @@ sub parse_host_fw_rules { next; } + next if !$res->{$section}; # skip undefined section + + if ($section eq 'options') { + eval { + print "PARSE:$line\n"; + my ($opt, $value) = parse_hostfw_option($line); + $res->{options}->{$opt} = $value; + }; + warn "$prefix: $@" if $@; + next; + } + my $rules; eval { $rules = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { @@ -987,7 +1303,7 @@ sub parse_group_fw_rules { my $group; my $res = { in => [], out => [] }; - + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1064,10 +1380,89 @@ sub read_vm_firewall_rules { return $rules; } +sub get_option_log_level { + my ($options, $k) = @_; + + my $v = $options->{$k}; + return $v = $default_log_level if !defined($v); + + return undef if $v eq '' || $v eq 'nolog'; + + $v = $log_level_hash->{$v} if defined($log_level_hash->{$v}); + + return $v if ($v >= 0) && ($v <= 7); + + warn "unknown log level ($k = '$v')\n"; + + return undef; +} + +sub generate_std_chains { + my ($ruleset, $options) = @_; + + my $loglevel = get_option_log_level($options, 'smurf_log_level'); + + # same as shorewall smurflog. + if (defined($loglevel)) { + $pve_std_chains-> {'PVEFW-smurflog'} = [ + "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", + "-j DROP", + ]; + } else { + $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ]; + } + + # same as shorewall logflags action. + $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); + if (defined($loglevel)) { + $pve_std_chains-> {'PVEFW-logflags'} = [ + "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", + "-j DROP", + ]; + } else { + $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ]; + } + + foreach my $chain (keys %$pve_std_chains) { + ruleset_create_chain($ruleset, $chain); + foreach my $rule (@{$pve_std_chains->{$chain}}) { + if (ref($rule)) { + ruleset_generate_rule($ruleset, $chain, $rule); + } else { + ruleset_addrule($ruleset, $chain, $rule); + } + } + } +} + +sub save_pvefw_status { + my ($status) = @_; + + die "unknown status '$status' - internal error" + if $status !~ m/^(stopped|active)$/; + + mkdir dirname($pve_fw_status_filename); + PVE::Tools::file_set_contents($pve_fw_status_filename, $status); +} + +sub read_pvefw_status { + + my $status = 'unknown'; + + return 'stopped' if ! -f $pve_fw_status_filename; + + eval { + $status = PVE::Tools::file_get_contents($pve_fw_status_filename); + }; + warn $@ if $@; + + return $status; +} + sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); - + my $group_rules = {}; my $filename = "/etc/pve/firewall/groups.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { @@ -1078,23 +1473,31 @@ sub compile { my $ruleset = {}; - # setup host firewall rules ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK"); - ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1"); + my $host_options = {}; + my $host_rules; $filename = "/etc/pve/local/host.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { - my $host_rules = parse_host_fw_rules($filename, $fh); - enablehostfw($ruleset, $host_rules, $group_rules); + $host_rules = parse_host_fw_rules($filename, $fh); + $host_options = $host_rules->{options}; } - # generate firewall rules for QEMU VMs + generate_std_chains($ruleset, $host_options); + + my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0)); + + enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable; + + # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; - next if !$rules->{$vmid}; + my $vmfw_conf = $rules->{$vmid}; + next if !$vmfw_conf; + next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); foreach my $netid (keys %$conf) { next if $netid !~ m/^net(\d+)$/; @@ -1107,16 +1510,19 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; + generate_bridge_chains($ruleset, $bridge); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); } } - # allow traffic from lo (ourself) - ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); + if ($hotsfw_enable) { + # allow traffic from lo (ourself) + ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); + } return $ruleset; } @@ -1159,7 +1565,7 @@ sub get_ruleset_status { $statushash->{$chain}->{sig} = $sig; print "delete $chain ($sig)\n" if $verbose; } - } + } return $statushash; } @@ -1177,11 +1583,9 @@ sub print_sig_rule { return "-A $chain -m comment --comment \"PVESIG:$sig\"\n"; } -sub apply_ruleset { +sub get_rulset_cmdlist { my ($ruleset, $verbose) = @_; - enable_bridge_firewall(); - my $cmdlist = "*filter\n"; # we pass this to iptables-restore; my $statushash = get_ruleset_status($ruleset, $verbose); @@ -1234,17 +1638,30 @@ sub apply_ruleset { } foreach my $chain (keys %$statushash) { next if $statushash->{$chain}->{action} ne 'delete'; + next if $chain eq 'PVEFW-INPUT'; + next if $chain eq 'PVEFW-OUTPUT'; + next if $chain eq 'PVEFW-FORWARD'; $cmdlist .= "-X $chain\n"; } $cmdlist .= "COMMIT\n"; + return $cmdlist; +} + +sub apply_ruleset { + my ($ruleset, $verbose) = @_; + + enable_bridge_firewall(); + + my $cmdlist = get_rulset_cmdlist($ruleset, $verbose); + print $cmdlist if $verbose; iptables_restore_cmdlist($cmdlist); - # test: re-read status and check if everything is up to date - $statushash = get_ruleset_status($ruleset); + # test: re-read status and check if everything is up to date + my $statushash = get_ruleset_status($ruleset); my $errors; foreach my $chain (sort keys %$ruleset) { @@ -1258,4 +1675,26 @@ sub apply_ruleset { die "unable to apply firewall changes\n" if $errors; } +sub update { + my ($start, $verbose) = @_; + + my $code = sub { + my $status = read_pvefw_status(); + + my $ruleset = PVE::Firewall::compile(); + + if ($start || $status eq 'active') { + + save_pvefw_status('active') if ($status ne 'active'); + + PVE::Firewall::apply_ruleset($ruleset, $verbose); + } else { + print "Firewall not active (status = $status)\n" if $verbose; + } + }; + + run_locked($code); +} + + 1;