X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=dd149ccb391415bea225fe1f460a7090a8bffb34;hp=ec6112afe914146d4b15e603cd2d1135fac919c3;hb=2d404ffc7fe2b2134dff553079c412a7a4096491;hpb=4e6112f95230d526c85f2ecc7176edb71a0b81e6 diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index ec6112a..dd149cc 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -6,6 +6,7 @@ use Data::Dumper; use Digest::SHA; use PVE::Tools; use PVE::QemuServer; +use File::Basename; use File::Path; use IO::File; use Net::IP; @@ -14,23 +15,497 @@ use PVE::Tools qw(run_command lock_file); use Data::Dumper; my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; +my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status"; + +my $default_log_level = 'info'; + +my $log_level_hash = { + debug => 7, + info => 6, + notice => 5, + warning => 4, + err => 3, + crit => 2, + alert => 1, + emerg => 0, +}; + +# imported/converted from: /usr/share/shorewall/macro.* +my $pve_fw_macros = { + 'Amanda' => [ + { action => 'PARAM', proto => 'udp', dport => '10080' }, + { action => 'PARAM', proto => 'tcp', dport => '10080' }, + ], + 'Auth' => [ + { action => 'PARAM', proto => 'tcp', dport => '113' }, + ], + 'BGP' => [ + { action => 'PARAM', proto => 'tcp', dport => '179' }, + ], + 'BitTorrent' => [ + { action => 'PARAM', proto => 'tcp', dport => '6881:6889' }, + { action => 'PARAM', proto => 'udp', dport => '6881' }, + ], + 'BitTorrent32' => [ + { action => 'PARAM', proto => 'tcp', dport => '6881:6999' }, + { action => 'PARAM', proto => 'udp', dport => '6881' }, + ], + 'CVS' => [ + { action => 'PARAM', proto => 'tcp', dport => '2401' }, + ], + 'Citrix' => [ + { action => 'PARAM', proto => 'tcp', dport => '1494' }, + { action => 'PARAM', proto => 'udp', dport => '1604' }, + { action => 'PARAM', proto => 'tcp', dport => '2598' }, + ], + 'DAAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '3689' }, + { action => 'PARAM', proto => 'udp', dport => '3689' }, + ], + 'DCC' => [ + { action => 'PARAM', proto => 'tcp', dport => '6277' }, + ], + 'DHCPfwd' => [ + { action => 'PARAM', proto => 'udp', dport => '67:68', sport => '67:68' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '67:68', sport => '67:68' }, + ], + 'DNS' => [ + { action => 'PARAM', proto => 'udp', dport => '53' }, + { action => 'PARAM', proto => 'tcp', dport => '53' }, + ], + 'Distcc' => [ + { action => 'PARAM', proto => 'tcp', dport => '3632' }, + ], + 'Edonkey' => [ + { action => 'PARAM', proto => 'tcp', dport => '4662' }, + { action => 'PARAM', proto => 'udp', dport => '4665' }, + ], + 'FTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '21' }, + ], + 'Finger' => [ + { action => 'PARAM', proto => 'tcp', dport => '79' }, + ], + 'GNUnet' => [ + { action => 'PARAM', proto => 'tcp', dport => '2086' }, + { action => 'PARAM', proto => 'udp', dport => '2086' }, + { action => 'PARAM', proto => 'tcp', dport => '1080' }, + { action => 'PARAM', proto => 'udp', dport => '1080' }, + ], + 'GRE' => [ + { action => 'PARAM', proto => '47' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' }, + ], + 'Git' => [ + { action => 'PARAM', proto => 'tcp', dport => '9418' }, + ], + 'Gnutella' => [ + { action => 'PARAM', proto => 'tcp', dport => '6346' }, + { action => 'PARAM', proto => 'udp', dport => '6346' }, + ], + 'HKP' => [ + { action => 'PARAM', proto => 'tcp', dport => '11371' }, + ], + 'HTTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '80' }, + ], + 'HTTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '443' }, + ], + 'ICPV2' => [ + { action => 'PARAM', proto => 'udp', dport => '3130' }, + ], + 'ICQ' => [ + { action => 'PARAM', proto => 'tcp', dport => '5190' }, + ], + 'IMAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '143' }, + ], + 'IMAPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '993' }, + ], + 'IPIP' => [ + { action => 'PARAM', proto => '94' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '94' }, + ], + 'IPP' => [ + { action => 'PARAM', proto => 'tcp', dport => '631' }, + ], + 'IPPbrd' => [ + { action => 'PARAM', proto => 'udp', dport => '631' }, + ], + 'IPPserver' => [ + { action => 'PARAM', source => 'SOURCE', dest => 'DEST', proto => 'tcp', dport => '631' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '631' }, + ], + 'IPsec' => [ + { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', proto => '50' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' }, + ], + 'IPsecah' => [ + { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', proto => '51' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '51' }, + ], + 'IPsecnat' => [ + { action => 'PARAM', proto => 'udp', dport => '500' }, + { action => 'PARAM', proto => 'udp', dport => '4500' }, + { action => 'PARAM', proto => '50' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '4500' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' }, + ], + 'IRC' => [ + { action => 'PARAM', proto => 'tcp', dport => '6667' }, + ], + 'JabberPlain' => [ + { action => 'PARAM', proto => 'tcp', dport => '5222' }, + ], + 'JabberSecure' => [ + { action => 'PARAM', proto => 'tcp', dport => '5223' }, + ], + 'Jabberd' => [ + { action => 'PARAM', proto => 'tcp', dport => '5269' }, + ], + 'Jetdirect' => [ + { action => 'PARAM', proto => 'tcp', dport => '9100' }, + ], + 'L2TP' => [ + { action => 'PARAM', proto => 'udp', dport => '1701' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1701' }, + ], + 'LDAP' => [ + { action => 'PARAM', proto => 'tcp', dport => '389' }, + ], + 'LDAPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '636' }, + ], + 'MSNP' => [ + { action => 'PARAM', proto => 'tcp', dport => '1863' }, + ], + 'MSSQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '1433' }, + ], + 'Mail' => [ + { action => 'PARAM', proto => 'tcp', dport => '25' }, + { action => 'PARAM', proto => 'tcp', dport => '465' }, + { action => 'PARAM', proto => 'tcp', dport => '587' }, + ], + 'Munin' => [ + { action => 'PARAM', proto => 'tcp', dport => '4949' }, + ], + 'MySQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '3306' }, + ], + 'NNTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '119' }, + ], + 'NNTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '563' }, + ], + 'NTP' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + ], + 'NTPbi' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '123' }, + ], + 'NTPbrd' => [ + { action => 'PARAM', proto => 'udp', dport => '123' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '123' }, + ], + 'OSPF' => [ + { action => 'PARAM', proto => '89' }, + ], + 'OpenVPN' => [ + { action => 'PARAM', proto => 'udp', dport => '1194' }, + ], + 'PCA' => [ + { action => 'PARAM', proto => 'udp', dport => '5632' }, + { action => 'PARAM', proto => 'tcp', dport => '5631' }, + ], + 'POP3' => [ + { action => 'PARAM', proto => 'tcp', dport => '110' }, + ], + 'POP3S' => [ + { action => 'PARAM', proto => 'tcp', dport => '995' }, + ], + 'PPtP' => [ + { action => 'PARAM', proto => '47' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' }, + { action => 'PARAM', proto => 'tcp', dport => '1723' }, + ], + 'Ping' => [ + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, + ], + 'PostgreSQL' => [ + { action => 'PARAM', proto => 'tcp', dport => '5432' }, + ], + 'Printer' => [ + { action => 'PARAM', proto => 'tcp', dport => '515' }, + ], + 'RDP' => [ + { action => 'PARAM', proto => 'tcp', dport => '3389' }, + ], + 'RIPbi' => [ + { action => 'PARAM', proto => 'udp', dport => '520' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '520' }, + ], + 'RNDC' => [ + { action => 'PARAM', proto => 'tcp', dport => '953' }, + ], + 'Razor' => [ + { action => 'ACCEPT', proto => 'tcp', dport => '2703' }, + ], + 'Rdate' => [ + { action => 'PARAM', proto => 'tcp', dport => '37' }, + ], + 'Rsync' => [ + { action => 'PARAM', proto => 'tcp', dport => '873' }, + ], + 'SANE' => [ + { action => 'PARAM', proto => 'tcp', dport => '6566' }, + ], + 'SMB' => [ + { action => 'PARAM', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', proto => 'tcp', dport => '135,139,445' }, + ], + 'SMBBI' => [ + { action => 'PARAM', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', proto => 'tcp', dport => '135,139,445' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '135,445' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '137:139' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1024:65535', sport => '137' }, + { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'tcp', dport => '135,139,445' }, + ], + 'SMBswat' => [ + { action => 'PARAM', proto => 'tcp', dport => '901' }, + ], + 'SMTP' => [ + { action => 'PARAM', proto => 'tcp', dport => '25' }, + ], + 'SMTPS' => [ + { action => 'PARAM', proto => 'tcp', dport => '465' }, + ], + 'SNMP' => [ + { action => 'PARAM', proto => 'udp', dport => '161:162' }, + { action => 'PARAM', proto => 'tcp', dport => '161' }, + ], + 'SPAMD' => [ + { action => 'PARAM', proto => 'tcp', dport => '783' }, + ], + 'SSH' => [ + { action => 'PARAM', proto => 'tcp', dport => '22' }, + ], + 'SVN' => [ + { action => 'PARAM', proto => 'tcp', dport => '3690' }, + ], + 'SixXS' => [ + { action => 'PARAM', proto => 'tcp', dport => '3874' }, + { action => 'PARAM', proto => 'udp', dport => '3740' }, + { action => 'PARAM', proto => '41' }, + { action => 'PARAM', proto => 'udp', dport => '5072,8374' }, + ], + 'Squid' => [ + { action => 'PARAM', proto => 'tcp', dport => '3128' }, + ], + 'Submission' => [ + { action => 'PARAM', proto => 'tcp', dport => '587' }, + ], + 'Syslog' => [ + { action => 'PARAM', proto => 'udp', dport => '514' }, + { action => 'PARAM', proto => 'tcp', dport => '514' }, + ], + 'TFTP' => [ + { action => 'PARAM', proto => 'udp', dport => '69' }, + ], + 'Telnet' => [ + { action => 'PARAM', proto => 'tcp', dport => '23' }, + ], + 'Telnets' => [ + { action => 'PARAM', proto => 'tcp', dport => '992' }, + ], + 'Time' => [ + { action => 'PARAM', proto => 'tcp', dport => '37' }, + ], + 'Trcrt' => [ + { action => 'PARAM', proto => 'udp', dport => '33434:33524' }, + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, + ], + 'VNC' => [ + { action => 'PARAM', proto => 'tcp', dport => '5900:5909' }, + ], + 'VNCL' => [ + { action => 'PARAM', proto => 'tcp', dport => '5500' }, + ], + 'Web' => [ + { action => 'PARAM', proto => 'tcp', dport => '80' }, + { action => 'PARAM', proto => 'tcp', dport => '443' }, + ], + 'Webcache' => [ + { action => 'PARAM', proto => 'tcp', dport => '8080' }, + ], + 'Webmin' => [ + { action => 'PARAM', proto => 'tcp', dport => '10000' }, + ], + 'Whois' => [ + { action => 'PARAM', proto => 'tcp', dport => '43' }, + ], +}; -my $macros; +my $pve_fw_parsed_macros; +my $pve_fw_preferred_macro_names = {}; + +my $pve_std_chains = { + 'PVEFW-SET-ACCEPT-MARK' => [ + "-j MARK --set-mark 1", + ], + 'PVEFW-DropBroadcast' => [ + # same as shorewall 'Broadcast' + # simply DROP BROADCAST/MULTICAST/ANYCAST + # we can use this to reduce logging + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', dsttype => 'MULTICAST' }, + { action => 'DROP', dsttype => 'ANYCAST' }, + { action => 'DROP', dest => '224.0.0.0/4' }, + ], + 'PVEFW-reject' => [ + # same as shorewall 'reject' + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', source => '224.0.0.0/4' }, + { action => 'DROP', proto => 'icmp' }, + "-p tcp -j REJECT --reject-with tcp-reset", + "-p udp -j REJECT --reject-with icmp-port-unreachable", + "-p icmp -j REJECT --reject-with icmp-host-unreachable", + "-j REJECT --reject-with icmp-host-prohibited", + ], + 'PVEFW-Drop' => [ + # same as shorewall 'Drop', which is equal to DROP, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'DROP', proto => 'udp', dport => '137:139'}, + { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-Reject' => [ + # same as shorewall 'Reject', which is equal to Reject, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, + { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-tcpflags' => [ + # same as shorewall tcpflags action. + # Packets arriving on this interface are checked for som illegal combinations of TCP flags + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", + "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + ], + 'PVEFW-smurfs' => [ + # same as shorewall smurfs action + # Filter packets for smurfs (packets with a broadcast address as the source). + "-s 0.0.0.0/32 -j RETURN", + "-m addrtype --src-type BROADCAST -g PVEFW-smurflog", + "-s 224.0.0.0/4 -g PVEFW-smurflog", + ], +}; + +# iptables -p icmp -h +my $icmp_type_names = { + any => 1, + 'echo-reply' => 1, + 'destination-unreachable' => 1, + 'network-unreachable' => 1, + 'host-unreachable' => 1, + 'protocol-unreachable' => 1, + 'port-unreachable' => 1, + 'fragmentation-needed' => 1, + 'source-route-failed' => 1, + 'network-unknown' => 1, + 'host-unknown' => 1, + 'network-prohibited' => 1, + 'host-prohibited' => 1, + 'TOS-network-unreachable' => 1, + 'TOS-host-unreachable' => 1, + 'communication-prohibited' => 1, + 'host-precedence-violation' => 1, + 'precedence-cutoff' => 1, + 'source-quench' => 1, + 'redirect' => 1, + 'network-redirect' => 1, + 'host-redirect' => 1, + 'TOS-network-redirect' => 1, + 'TOS-host-redirect' => 1, + 'echo-request' => 1, + 'router-advertisement' => 1, + 'router-solicitation' => 1, + 'time-exceeded' => 1, + 'ttl-zero-during-transit' => 1, + 'ttl-zero-during-reassembly' => 1, + 'parameter-problem' => 1, + 'ip-header-bad' => 1, + 'required-option-missing' => 1, + 'timestamp-request' => 1, + 'timestamp-reply' => 1, + 'address-mask-request' => 1, + 'address-mask-reply' => 1, +}; -# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.* sub get_firewall_macros { - return $macros if $macros; + return $pve_fw_parsed_macros if $pve_fw_parsed_macros; + + $pve_fw_parsed_macros = {}; - #foreach my $path () { - # if ($path =~ m|/macro\.(\S+)$|) { - # $macros->{$1} = 1; - # } - #} + foreach my $k (keys %$pve_fw_macros) { + my $name = lc($k); - $macros = {}; # fixme: implemet me + my $macro = $pve_fw_macros->{$k}; + $pve_fw_preferred_macro_names->{$name} = $k; + $pve_fw_parsed_macros->{$name} = $macro; + } - return $macros; + return $pve_fw_parsed_macros; } my $etc_services; @@ -56,6 +531,7 @@ sub get_etc_services { if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) { $services->{byid}->{$2}->{name} = $1; + $services->{byid}->{$2}->{port} = $2; $services->{byid}->{$2}->{$3} = 1; $services->{byname}->{$1} = $services->{byid}->{$2}; } @@ -63,8 +539,8 @@ sub get_etc_services { close($fh); - $etc_services = $services; - + $etc_services = $services; + return $etc_services; } @@ -124,13 +600,17 @@ sub parse_port_name_number_or_range { my $nbports = 0; foreach my $item (split(/,/, $str)) { my $portlist = ""; + my $oldpon = undef; + $nbports++; foreach my $pon (split(':', $item, 2)) { + $pon = $services->{byname}->{$pon}->{port} if $services->{byname}->{$pon}->{port}; if ($pon =~ m/^\d+$/){ - die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536; + die "invalid port '$pon'\n" if $pon < 0 && $pon > 65535; + die "port '$pon' must be bigger than port '$oldpon' \n" if $oldpon && ($pon < $oldpon); + $oldpon = $pon; }else{ die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon}; } - $nbports++; } } @@ -174,7 +654,7 @@ sub iptables_get_chains { return 1 if $name =~ m/^PVEFW-\S+$/; return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/; - return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; return undef; @@ -237,24 +717,66 @@ sub iptables_rule_exist { } sub ruleset_generate_rule { - my ($ruleset, $chain, $rule, $goto) = @_; + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + return if $rule->{disable}; my $cmd = ''; $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; $cmd .= " -s $rule->{source}" if $rule->{source}; $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; - $cmd .= " -d $rule->{dest}" if $rule->{destination}; - $cmd .= " -p $rule->{proto}" if $rule->{proto}; - $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1; - $cmd .= " --dport $rule->{dport}" if $rule->{dport}; - $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1; - $cmd .= " --sport $rule->{sport}" if $rule->{sport}; + $cmd .= " -d $rule->{dest}" if $rule->{dest}; + + if ($rule->{proto}) { + $cmd .= " -p $rule->{proto}"; + + my $multiport = 0; + $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1); + $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1); + + $cmd .= " --match multiport" if $multiport; + + die "multiport: option '--sports' cannot be used together with '--dports'\n" + if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); + + if ($rule->{dport}) { + if ($rule->{proto} && $rule->{proto} eq 'icmp') { + # Note: we use dport to store --icmp-type + die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}}); + $cmd .= " -m icmp --icmp-type $rule->{dport}"; + } else { + if ($rule->{nbdport} && $rule->{nbdport} > 1) { + if ($multiport == 2) { + $cmd .= " --ports $rule->{dport}"; + } else { + $cmd .= " --dports $rule->{dport}"; + } + } else { + $cmd .= " --dport $rule->{dport}"; + } + } + } + + if ($rule->{sport}) { + if ($rule->{nbsport} && $rule->{nbsport} > 1) { + $cmd .= " --sports $rule->{sport}" if $multiport != 2; + } else { + $cmd .= " --sport $rule->{sport}"; + } + } + } elsif ($rule->{dport} || $rule->{sport}) { + warn "ignoring destination port '$rule->{dport}' - no protocol specified\n" if $rule->{dport}; + warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport}; + } + + $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; if (my $action = $rule->{action}) { + $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; $cmd .= $goto ? " -g $action" : " -j $action"; - }; + } ruleset_addrule($ruleset, $chain, $cmd) if $cmd; } @@ -294,71 +816,114 @@ sub ruleset_insertrule { sub generate_bridge_chains { my ($ruleset, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN"); - } - - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT"); - } - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); } - if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { - ruleset_create_chain($ruleset, "$bridge-IN"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN"); - ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT"); + if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { + ruleset_create_chain($ruleset, "$bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + } + + if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { + ruleset_create_chain($ruleset, "$bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); + # accept traffic to unmanaged bridge ports + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT "); } } sub generate_tap_rules_direction { - my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_; + my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; + + my $rules = $vmfw_conf->{lc($direction)}; + my $options = $vmfw_conf->{options}; my $tapchain = "$iface-$direction"; ruleset_create_chain($ruleset, $tapchain); - ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP"); - ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT"); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags"); + } + + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr)) { + if ($direction eq 'OUT' && defined($macaddr) && + !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); } if ($rules) { foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; + # we go to $bridge-IN if accept in out rules if($rule->{action} =~ m/^(GROUP-(\S+))$/){ $rule->{action} .= "-$direction"; # generate empty group rule if don't exist if(!ruleset_chain_exist($ruleset, $rule->{action})){ - generate_group_rules($ruleset, $2); + generate_group_rules($ruleset, $group_rules, $2); } ruleset_generate_rule($ruleset, $tapchain, $rule); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN"); + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") + if $direction eq 'OUT'; } else { - # we go to vmbr-IN if accept in out rules - $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; - ruleset_generate_rule($ruleset, $tapchain, $rule); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $tapchain, $rule, + { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); + } else { + ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); + } } } } - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); - ruleset_addrule($ruleset, $tapchain, "-j DROP"); + # implement policy + my $policy; + + if ($direction eq 'OUT') { + $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + } else { + $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default + } + + if ($policy eq 'ACCEPT') { + if ($direction eq 'OUT') { + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); + } else { + ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); + } + } elsif ($policy eq 'DROP') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); + ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); + ruleset_addrule($ruleset, $tapchain, "-j DROP"); + } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); + ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4"); + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); + } else { + # should not happen + die "internal error: unknown policy '$policy'"; + } # plug the tap chain to bridge chain my $physdevdirection = $direction eq 'IN' ? "out" : "in"; @@ -373,30 +938,25 @@ sub generate_tap_rules_direction { } sub enablehostfw { - my ($ruleset) = @_; + my ($ruleset, $rules, $group_rules) = @_; - my $filename = "/etc/pve/local/host.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; - - my $rules = parse_fw_rules($filename, $fh); + # fixme: allow security groups # host inbound firewall my $chain = "PVEFW-HOST-IN"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } @@ -407,36 +967,33 @@ sub enablehostfw { $chain = "PVEFW-HOST-OUT"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4"); ruleset_addrule($ruleset, $chain, "-j DROP"); - + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); } sub generate_group_rules { - my ($ruleset, $group) = @_; + my ($ruleset, $group_rules, $group) = @_; - my $filename = "/etc/pve/firewall/groups.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - return if !$fh; + my $rules = $group_rules->{$group}; - my $rules = parse_fw_rules($filename, $fh, $group); + die "no such security group '$group'\n" if !$rules; my $chain = "GROUP-${group}-IN"; @@ -444,7 +1001,7 @@ sub generate_group_rules { if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } } @@ -455,118 +1012,325 @@ sub generate_group_rules { if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { - # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to - # check also other tap rules (and group rules can be set on any bridge, - # so we can't go to VMBRXX-IN) - $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to + # check also other tap rules later + ruleset_generate_rule($ruleset, $chain, $rule, + { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }); } } } -sub parse_fw_rules { - my ($filename, $fh, $group) = @_; - - my $section; - my $securitygroup; - my $securitygroupexist; +my $MAX_NETS = 32; +my $valid_netdev_names = {}; +for (my $i = 0; $i < $MAX_NETS; $i++) { + $valid_netdev_names->{"net$i"} = 1; +} - my $res = { in => [], out => [] }; +sub parse_fw_rule { + my ($line, $need_iface, $allow_groups) = @_; my $macros = get_firewall_macros(); my $protocols = get_etc_protocols(); - + + my ($action, $iface, $source, $dest, $proto, $dport, $sport); + + # we can add single line comments to the end of the rule + my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + + # we can disable a rule when prefixed with '|' + my $disable = 1 if $line =~ s/^\|//; + + my @data = split(/\s+/, $line); + my $expected_elements = $need_iface ? 7 : 6; + + die "wrong number of rule elements\n" if scalar(@data) > $expected_elements; + + if ($need_iface) { + ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data + } else { + ($action, $source, $dest, $proto, $dport, $sport) = @data; + } + + die "incomplete rule\n" if !$action; + + my $macro; + my $macro_name; + + if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { + # OK + } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) { + # OK + } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + ($macro_name, $action) = ($1, $2); + my $lc_macro_name = lc($macro_name); + my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name}; + $macro_name = $preferred_name if $preferred_name; + $macro = $macros->{$lc_macro_name}; + die "unknown macro '$macro_name'\n" if !$macro; + } else { + die "unknown action '$action'\n"; + } + + if ($need_iface) { + $iface = undef if $iface && $iface eq '-'; + die "unknown interface '$iface'\n" + if defined($iface) && !$valid_netdev_names->{$iface}; + } + + $proto = undef if $proto && $proto eq '-'; + die "unknown protokol '$proto'\n" if $proto && + !(defined($protocols->{byname}->{$proto}) || + defined($protocols->{byid}->{$proto})); + + $source = undef if $source && $source eq '-'; + $dest = undef if $dest && $dest eq '-'; + + $dport = undef if $dport && $dport eq '-'; + $sport = undef if $sport && $sport eq '-'; + + my $nbsource = undef; + my $nbdest = undef; + + $nbsource = parse_address_list($source) if $source; + $nbdest = parse_address_list($dest) if $dest; + + my $rules = []; + + my $param = { + disable => $disable, + comment => $comment, + action => $action, + iface => $iface, + source => $source, + dest => $dest, + nbsource => $nbsource, + nbdest => $nbdest, + proto => $proto, + dport => $dport, + sport => $sport, + }; + + if ($macro) { + foreach my $templ (@$macro) { + my $rule = {}; + my $param_used = {}; + foreach my $k (keys %$templ) { + my $v = $templ->{$k}; + if ($v eq 'PARAM') { + $v = $param->{$k}; + $param_used->{$k} = 1; + } elsif ($v eq 'DEST') { + $v = $param->{dest}; + $param_used->{dest} = 1; + } elsif ($v eq 'SOURCE') { + $v = $param->{source}; + $param_used->{source} = 1; + } + + die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); + $rule->{$k} = $v; + } + foreach my $k (keys %$param) { + next if !defined($param->{$k}); + next if $param_used->{$k}; + if (defined($rule->{$k})) { + die "parameter '$k' already define in macro (value = '$rule->{$k}')\n" + if $rule->{$k} ne $param->{$k}; + } else { + $rule->{$k} = $param->{$k}; + } + } + push @$rules, $rule; + } + } else { + push @$rules, $param; + } + + foreach my $rule (@$rules) { + $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) + if defined($rule->{dport}); + $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) + if defined($rule->{sport}); + } + + return $rules; +} + +sub parse_vmfw_option { + my ($line) = @_; + + my ($opt, $value); + + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); + } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + $opt = lc($1); + $value = uc($3); + } else { + chomp $line; + die "can't parse option '$line'\n" + } + + return ($opt, $value); +} + +sub parse_hostfw_option { + my ($line) = @_; + + my ($opt, $value); + + my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; + + if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); + } elsif ($line =~ m/^(tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { + $opt = lc($1); + $value = $2 ? lc($3) : ''; + } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + $opt = lc($1); + $value = uc($3); + } else { + chomp $line; + die "can't parse option '$line'\n" + } + + return ($opt, $value); +} + +sub parse_vm_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [], options => {}}; + + my $section; + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; - if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) { + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(\S+)\]\s*$/i) { $section = lc($1); - $securitygroup = lc($3) if $3; - $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group; + warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section}; + next; + } + if (!$section) { + warn "$prefix: skip line - no section"; next; } - next if !$section; - next if $group && $securitygroup ne $group; - my ($action, $iface, $source, $dest, $proto, $dport, $sport) = - split(/\s+/, $line); + next if !$res->{$section}; # skip undefined section - if (!$action) { - warn "skip incomplete line\n"; + if ($section eq 'options') { + eval { + my ($opt, $value) = parse_vmfw_option($line); + $res->{options}->{$opt} = $value; + }; + warn "$prefix: $@" if $@; next; } - my $service; - if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) { - # OK - } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - ($service, $action) = ($1, $2); - if (!$macros->{$service}) { - warn "unknown service '$service'\n"; - next; - } - } else { - warn "unknown action '$action'\n"; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; + if (my $err = $@) { + warn "$prefix: $err"; next; } - $iface = undef if $iface && $iface eq '-'; - if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) { - warn "unknown interface '$iface'\n"; + push @{$res->{$section}}, @$rules; + } + + return $res; +} + +sub parse_host_fw_rules { + my ($filename, $fh) = @_; + + my $res = { in => [], out => [], options => {}}; + + my $section; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; + + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(\S+)\]\s*$/i) { + $section = lc($1); + warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section}; next; } - - $proto = undef if $proto && $proto eq '-'; - if ($proto && !(defined($protocols->{byname}->{$proto}) || - defined($protocols->{byid}->{$proto}))) { - warn "unknown protokol '$proto'\n"; + if (!$section) { + warn "$prefix: skip line - no section"; next; } - $source = undef if $source && $source eq '-'; - $dest = undef if $dest && $dest eq '-'; + next if !$res->{$section}; # skip undefined section - $dport = undef if $dport && $dport eq '-'; - $sport = undef if $sport && $sport eq '-'; - my $nbdport = undef; - my $nbsport = undef; - my $nbsource = undef; - my $nbdest = undef; + if ($section eq 'options') { + eval { + print "PARSE:$line\n"; + my ($opt, $value) = parse_hostfw_option($line); + $res->{options}->{$opt} = $value; + }; + warn "$prefix: $@" if $@; + next; + } - eval { - $nbsource = parse_address_list($source) if $source; - $nbdest = parse_address_list($dest) if $dest; - $nbdport = parse_port_name_number_or_range($dport) if $dport; - $nbsport = parse_port_name_number_or_range($sport) if $sport; - }; + my $rules; + eval { $rules = parse_fw_rule($line, 1, 1); }; if (my $err = $@) { - warn $err; + warn "$prefix: $err"; next; - } + push @{$res->{$section}}, @$rules; + } - my $rule = { - action => $action, - service => $service, - iface => $iface, - source => $source, - dest => $dest, - nbsource => $nbsource, - nbdest => $nbdest, - proto => $proto, - dport => $dport, - sport => $sport, - nbdport => $nbdport, - nbsport => $nbsport, + return $res; +} + +sub parse_group_fw_rules { + my ($filename, $fh) = @_; - }; + my $section; + my $group; - push @{$res->{$section}}, $rule; + my $res = { in => [], out => [] }; + + while (defined(my $line = <$fh>)) { + next if $line =~ m/^#/; + next if $line =~ m/^\s*$/; + + my $linenr = $fh->input_line_number(); + my $prefix = "$filename (line $linenr)"; + + if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) { + $section = lc($1); + $group = lc($2); + next; + } + if (!$section || !$group) { + warn "$prefix: skip line - no section"; + next; + } + + my $rules; + eval { $rules = parse_fw_rule($line, 0, 0); }; + if (my $err = $@) { + warn "$prefix: $err"; + next; + } + + push @{$res->{$group}->{$section}}, @$rules; } - die "security group $group don't exist" if $group && !$securitygroupexist; return $res; } @@ -610,33 +1374,130 @@ sub read_vm_firewall_rules { my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; - $rules->{$vmid} = parse_fw_rules($filename, $fh); + $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); } return $rules; } +sub get_option_log_level { + my ($options, $k) = @_; + + my $v = $options->{$k}; + return $v = $default_log_level if !defined($v); + + return undef if $v eq '' || $v eq 'nolog'; + + $v = $log_level_hash->{$v} if defined($log_level_hash->{$v}); + + return $v if ($v >= 0) && ($v <= 7); + + warn "unknown log level ($k = '$v')\n"; + + return undef; +} + +sub generate_std_chains { + my ($ruleset, $options) = @_; + + my $loglevel = get_option_log_level($options, 'smurf_log_level'); + + # same as shorewall smurflog. + if (defined($loglevel)) { + $pve_std_chains-> {'PVEFW-smurflog'} = [ + "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", + "-j DROP", + ]; + } else { + $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ]; + } + + # same as shorewall logflags action. + $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); + if (defined($loglevel)) { + $pve_std_chains-> {'PVEFW-logflags'} = [ + "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", + "-j DROP", + ]; + } else { + $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ]; + } + + foreach my $chain (keys %$pve_std_chains) { + ruleset_create_chain($ruleset, $chain); + foreach my $rule (@{$pve_std_chains->{$chain}}) { + if (ref($rule)) { + ruleset_generate_rule($ruleset, $chain, $rule); + } else { + ruleset_addrule($ruleset, $chain, $rule); + } + } + } +} + +sub save_pvefw_status { + my ($status) = @_; + + die "unknown status '$status' - internal error" + if $status !~ m/^(stopped|active)$/; + + mkdir dirname($pve_fw_status_filename); + PVE::Tools::file_set_contents($pve_fw_status_filename, $status); +} + +sub read_pvefw_status { + + my $status = 'unknown'; + + return 'stopped' if ! -f $pve_fw_status_filename; + + eval { + $status = PVE::Tools::file_get_contents($pve_fw_status_filename); + }; + warn $@ if $@; + + return $status; +} + sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); + my $group_rules = {}; + my $filename = "/etc/pve/firewall/groups.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $group_rules = parse_group_fw_rules($filename, $fh); + } + #print Dumper($rules); my $ruleset = {}; - # setup host firewall rules ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK"); - ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1"); + my $host_options = {}; + my $host_rules; + + $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $host_rules = parse_host_fw_rules($filename, $fh); + $host_options = $host_rules->{options}; + } - enablehostfw($ruleset); + generate_std_chains($ruleset, $host_options); - # generate firewall rules for QEMU VMs + my $hotsfw_enable = $host_rules && !(defined($host_options->{enable}) && ($host_options->{enable} == 0)); + + enablehostfw($ruleset, $host_rules, $group_rules) if $hotsfw_enable; + + # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; - next if !$rules->{$vmid}; + my $vmfw_conf = $rules->{$vmid}; + next if !$vmfw_conf; + next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); foreach my $netid (keys %$conf) { next if $netid !~ m/^net(\d+)$/; @@ -649,13 +1510,20 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; + generate_bridge_chains($ruleset, $bridge); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); } } + + if ($hotsfw_enable) { + # allow traffic from lo (ourself) + ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); + } + return $ruleset; } @@ -697,7 +1565,7 @@ sub get_ruleset_status { $statushash->{$chain}->{sig} = $sig; print "delete $chain ($sig)\n" if $verbose; } - } + } return $statushash; } @@ -715,11 +1583,9 @@ sub print_sig_rule { return "-A $chain -m comment --comment \"PVESIG:$sig\"\n"; } -sub apply_ruleset { +sub get_rulset_cmdlist { my ($ruleset, $verbose) = @_; - enable_bridge_firewall(); - my $cmdlist = "*filter\n"; # we pass this to iptables-restore; my $statushash = get_ruleset_status($ruleset, $verbose); @@ -772,17 +1638,30 @@ sub apply_ruleset { } foreach my $chain (keys %$statushash) { next if $statushash->{$chain}->{action} ne 'delete'; + next if $chain eq 'PVEFW-INPUT'; + next if $chain eq 'PVEFW-OUTPUT'; + next if $chain eq 'PVEFW-FORWARD'; $cmdlist .= "-X $chain\n"; } $cmdlist .= "COMMIT\n"; + return $cmdlist; +} + +sub apply_ruleset { + my ($ruleset, $verbose) = @_; + + enable_bridge_firewall(); + + my $cmdlist = get_rulset_cmdlist($ruleset, $verbose); + print $cmdlist if $verbose; iptables_restore_cmdlist($cmdlist); - # test: re-read status and check if everything is up to date - $statushash = get_ruleset_status($ruleset); + # test: re-read status and check if everything is up to date + my $statushash = get_ruleset_status($ruleset); my $errors; foreach my $chain (sort keys %$ruleset) { @@ -796,4 +1675,26 @@ sub apply_ruleset { die "unable to apply firewall changes\n" if $errors; } +sub update { + my ($start, $verbose) = @_; + + my $code = sub { + my $status = read_pvefw_status(); + + my $ruleset = PVE::Firewall::compile(); + + if ($start || $status eq 'active') { + + save_pvefw_status('active') if ($status ne 'active'); + + PVE::Firewall::apply_ruleset($ruleset, $verbose); + } else { + print "Firewall not active (status = $status)\n" if $verbose; + } + }; + + run_locked($code); +} + + 1;