X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=0f8ab646679afa52b43ecc943db8569c34d4631b;hp=7a68642c42cf2ce66c82f2efec382aae01911a9d;hb=c98c037d48f2731f03017b70ac8b2e9c8ff7a6b4;hpb=72f63fde6e68abfa9b1b4e35d63f4788086d2c1c diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 7a68642..0f8ab64 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -4,9 +4,12 @@ use warnings; use strict; use Data::Dumper; use Digest::SHA; +use PVE::INotify; +use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools; use PVE::QemuServer; +use PVE::OpenVZ; # dependeny problem?! use File::Basename; use File::Path; use IO::File; @@ -15,6 +18,8 @@ use PVE::Tools qw(run_command lock_file); use Data::Dumper; +my $nodename = PVE::INotify::nodename(); + my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status"; @@ -658,6 +663,11 @@ sub iptables_get_chains { return 1 if $name =~ m/^PVEFW-\S+$/; return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/; + + return 1 if $name =~ m/^veth\d+.\d+-(:?IN|OUT)$/; # fixme: dev name is configurable + + return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; @@ -720,13 +730,16 @@ sub iptables_rule_exist { return 1; } -sub ruleset_generate_rule { +sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto) = @_; return if $rule->{disable}; my @cmd = (); + push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in}; + push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out}; + push @cmd, "-m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; push @cmd, "-s $rule->{source}" if $rule->{source}; push @cmd, "-m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; @@ -782,11 +795,23 @@ sub ruleset_generate_rule { push @cmd, $goto ? "-g $action" : "-j $action"; } - if (scalar(@cmd)) { - my $cmdstr = join(' ', @cmd); + return scalar(@cmd) ? join(' ', @cmd) : undef; +} + +sub ruleset_generate_rule { + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { ruleset_addrule($ruleset, $chain, $cmdstr); } } +sub ruleset_generate_rule_insert { + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { + ruleset_insertrule($ruleset, $chain, $cmdstr); + } +} sub ruleset_create_chain { my ($ruleset, $chain) = @_; @@ -823,28 +848,16 @@ sub ruleset_insertrule { sub generate_bridge_chains { my ($ruleset, $hostfw_conf, $bridge) = @_; - my $options = $hostfw_conf->{options} || {}; - - # fixme: what log level should we use here? - my $loglevel = get_option_log_level($options, "log_level_out"); - if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); - ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); } if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { @@ -885,41 +898,38 @@ sub ruleset_add_chain_policy { } } -sub generate_tap_rules_direction { - my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; - - my $lc_direction = lc($direction); - - my $rules = $vmfw_conf->{rules}; - - my $options = $vmfw_conf->{options}; - my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); - - my $tapchain = "$iface-$direction"; +sub ruleset_create_vm_chain { + my ($ruleset, $chain, $options, $macaddr, $direction) = @_; - ruleset_create_chain($ruleset, $tapchain); + ruleset_create_chain($ruleset, $chain); if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); } if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT"); } if ($options->{tcpflags}) { - ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags"); + ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); } - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); } - ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark } +} + +sub ruleset_generate_vm_rules { + my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_; + + my $lc_direction = lc($direction); foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; @@ -929,19 +939,90 @@ sub generate_tap_rules_direction { if(!ruleset_chain_exist($ruleset, $group_chain)){ generate_group_rules($ruleset, $groups_conf, $rule->{action}); } - ruleset_addrule($ruleset, $tapchain, "-j $group_chain"); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") + ruleset_addrule($ruleset, $chain, "-j $group_chain"); + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN") if $direction eq 'OUT'; } else { next if $rule->{type} ne $lc_direction; if ($direction eq 'OUT') { - ruleset_generate_rule($ruleset, $tapchain, $rule, + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } } } +} + +sub generate_venet_rules_direction { + my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; + + parse_address_list($ip); # make sure we have a valid $ip list + + my $lc_direction = lc($direction); + + my $rules = $vmfw_conf->{rules}; + + my $options = $vmfw_conf->{options}; + my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); + + my $chain = "venet0-$vmid-$direction"; + + ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction); + + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $chain, 'venet', $direction); + + # implement policy + my $policy; + + if ($direction eq 'OUT') { + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default + } else { + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default + } + + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); + + # plug into FORWARD, INPUT and OUTPUT chain + if ($direction eq 'OUT') { + ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", { + action => $chain, + source => $ip, + iface_in => 'venet0'}); + + ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", { + action => $chain, + source => $ip, + iface_in => 'venet0'}); + } else { + ruleset_generate_rule($ruleset, "PVEFW-FORWARD", { + action => $chain, + dest => $ip, + iface_out => 'venet0'}); + + ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", { + action => $chain, + dest => $ip, + iface_out => 'venet0'}); + } +} + +sub generate_tap_rules_direction { + my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; + + my $lc_direction = lc($direction); + + my $rules = $vmfw_conf->{rules}; + + my $options = $vmfw_conf->{options}; + my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); + + my $tapchain = "$iface-$direction"; + + ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction); + + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction); # implement policy my $policy; @@ -1115,8 +1196,6 @@ sub parse_fw_rule { if ($need_iface) { $iface = undef if $iface && $iface eq '-'; - die "unknown interface '$iface'\n" - if defined($iface) && !$valid_netdev_names->{$iface}; } $proto = undef if $proto && $proto eq '-'; @@ -1399,26 +1478,39 @@ sub run_locked { sub read_local_vm_config { my $openvz = {}; - my $qemu = {}; - my $list = PVE::QemuServer::config_list(); + my $vmdata = { openvz => $openvz, qemu => $qemu }; - foreach my $vmid (keys %$list) { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; + my $vmlist = PVE::Cluster::get_vmlist(); + return $vmdata if !$vmlist || !$vmlist->{ids}; + my $ids = $vmlist->{ids}; + + foreach my $vmid (keys %$ids) { + next if !$vmid; # skip VE0 + my $d = $ids->{$vmid}; + next if !$d->{node} || $d->{node} ne $nodename; + next if !$d->{type}; + if ($d->{type} eq 'openvz') { + my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $openvz->{$vmid} = $conf; + } + } elsif ($d->{type} eq 'qemu') { + my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $qemu->{$vmid} = $conf; + } } } - - my $vmdata = { openvz => $openvz, qemu => $qemu }; - + return $vmdata; }; sub read_vm_firewall_configs { my ($vmdata) = @_; my $vmfw_configs = {}; + foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { my $filename = "/etc/pve/firewall/$vmid.fw"; my $fh = IO::File->new($filename, O_RDONLY); @@ -1519,15 +1611,12 @@ sub compile { $groups_conf = parse_group_fw_rules($filename, $fh); } - #print Dumper($rules); - my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); my $hostfw_options = {}; my $hostfw_conf = {}; @@ -1570,6 +1659,56 @@ sub compile { } } + # generate firewall rules for OpenVZ containers + foreach my $vmid (keys %{$vmdata->{openvz}}) { + my $conf = $vmdata->{openvz}->{$vmid}; + + my $vmfw_conf = $vmfw_configs->{$vmid}; + next if !$vmfw_conf; + next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); + + if ($conf->{ip_address} && $conf->{ip_address}->{value}) { + my $ip = $conf->{ip_address}->{value}; + generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN'); + generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'OUT'); + } + + if ($conf->{netif} && $conf->{netif}->{value}) { + my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value}); + foreach my $netid (keys %$netif) { + my $d = $netif->{$netid}; + my $bridge = $d->{bridge}; + if (!$bridge) { + warn "no bridge device for CT $vmid iface '$netid'\n"; + next; # fixme? + } + my $macaddr = $d->{host_mac}; + my $iface = $d->{host_ifname}; + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + } + } + } + + # fixme: this is an optimization? if so, we should also drop INVALID packages? + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); + + # fixme: should we really block inter-bridge traffic? + + # always allow traffic from containers? + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN"); + + # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP"); + return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; } @@ -1696,10 +1835,12 @@ sub get_rulset_cmdlist { } sub apply_ruleset { - my ($ruleset, $verbose) = @_; + my ($ruleset, $hostfw_conf, $verbose) = @_; enable_bridge_firewall(); + update_nf_conntrack_max($hostfw_conf); + my $cmdlist = get_rulset_cmdlist($ruleset, $verbose); print $cmdlist if $verbose; @@ -1753,13 +1894,11 @@ sub update { my ($ruleset, $hostfw_conf) = PVE::Firewall::compile(); - update_nf_conntrack_max($hostfw_conf); - if ($start || $status eq 'active') { save_pvefw_status('active') if ($status ne 'active'); - PVE::Firewall::apply_ruleset($ruleset, $verbose); + apply_ruleset($ruleset, $hostfw_conf, $verbose); } else { print "Firewall not active (status = $status)\n" if $verbose; }