X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=2270ad73eb159bb36699c3e9215c0d632c4cbab4;hp=f4f4377b64e3a9f67ca9b24bf2386bfeb510abdb;hb=30150dca3cfc435c08d84022b9c4214b603a6522;hpb=085fd492bf2bb317d50c7de1041958a7d4e78669

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f4f4377..2270ad7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -19,7 +19,8 @@ use PVE::Tools qw(run_command lock_file dir_glob_foreach);
 use Encode;
 
 my $hostfw_conf_filename = "/etc/pve/local/host.fw";
-my $clusterfw_conf_filename = "/etc/pve/firewall/cluster.fw";
+my $pvefw_conf_dir = "/etc/pve/firewall";
+my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
 
 # dynamically include PVE::QemuServer and PVE::OpenVZ
 # to avoid dependency problems
@@ -759,7 +760,10 @@ sub local_network {
     return $__local_network;
 }
 
-my $max_iptables_ipset_name_length = 27;
+# ipset names are limited to 31 characters, and we use '_swap' 
+# suffix for atomic update, for example PVEFW-${VMID}-${ipset_name}_swap
+
+my $max_iptables_ipset_name_length = 31 - length("_swap");
 
 sub compute_ipset_chain_name {
     my ($vmid, $ipset_name) = @_;
@@ -776,6 +780,12 @@ sub compute_ipset_chain_name {
     return "PVEFW-$id";
 }
 
+sub compute_ipfilter_ipset_name {
+    my ($iface) = @_;
+
+    return "ipfilter-$iface";
+}
+
 sub parse_address_list {
     my ($str) = @_;
 
@@ -1204,6 +1214,46 @@ sub copy_rule_data {
     return $rule;
 }
 
+sub rules_modify_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+	return {
+	    check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+	};
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+	return {
+	    check => ['perm', '/', [ 'Sys.Modify' ]],
+	};
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+	return {
+	    check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+	}
+    }
+
+    return undef;
+}
+
+sub rules_audit_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+	return {
+	    check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+	};
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+	return {
+	    check => ['perm', '/', [ 'Sys.Audit' ]],
+	};
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+	return {
+	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+	}
+    }
+
+    return undef;
+}
+
 # core functions
 my $bridge_firewall_enabled = 0;
 
@@ -1623,7 +1673,7 @@ sub ruleset_chain_add_input_filters {
 }
 
 sub ruleset_create_vm_chain {
-    my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+    my ($ruleset, $chain, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
 
     ruleset_create_chain($ruleset, $chain);
     my $accept = generate_nfqueue($options);
@@ -1642,6 +1692,9 @@ sub ruleset_create_vm_chain {
 	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
 	    ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
 	}
+	if ($ipfilter_ipset) {
+	    ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+	}
 	ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
     }
 }
@@ -1742,7 +1795,7 @@ sub generate_venet_rules_direction {
 
     my $chain = "venet0-$vmid-$direction";
 
-    ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+    ruleset_create_vm_chain($ruleset, $chain, $options, undef, undef, $direction);
 
     ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
 
@@ -1784,24 +1837,34 @@ sub generate_tap_rules_direction {
 
     my $tapchain = "$iface-$direction";
 
-    ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+    my $ipfilter_name = compute_ipfilter_ipset_name($netid);
+    my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name)
+	if $vmfw_conf->{ipset}->{$ipfilter_name};	
 
-    ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
+    # create chain with mac and ip filter
+    ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction);
 
-    ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
+    if ($options->{enable}) {
+	ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
 
-    # implement policy
-    my $policy;
+	ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
 
-    if ($direction eq 'OUT') {
-	$policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
-    } else {
+	# implement policy
+	my $policy;
+
+	if ($direction eq 'OUT') {
+	    $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+	} else {
 	$policy = $options->{policy_in} || 'DROP'; # allow nothing by default
-    }
+	}
 
-    my $accept = generate_nfqueue($options);
-    my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
-    ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
+	my $accept = generate_nfqueue($options);
+	my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
+	ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action);
+    } else {
+	my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : 'ACCEPT';
+	ruleset_add_chain_policy($ruleset, $tapchain, $vmid, 'ACCEPT', $loglevel, $accept_action);
+    }
 
     # plug the tap chain to bridge chain
     if ($direction eq 'IN') {
@@ -2401,7 +2464,7 @@ sub load_vmfw_conf {
 
     my $vmfw_conf = {};
 
-    $dir = "/etc/pve/firewall" if !defined($dir);
+    $dir = $pvefw_conf_dir if !defined($dir);
 
     my $filename = "$dir/$vmid.fw";
     if (my $fh = IO::File->new($filename, O_RDONLY)) {
@@ -2521,21 +2584,23 @@ sub save_vmfw_conf {
     my $raw = '';
 
     my $options = $vmfw_conf->{options};
-    $raw .= &$format_options($options) if scalar(keys %$options);
+    $raw .= &$format_options($options) if $options && scalar(keys %$options);
 
     my $aliases = $vmfw_conf->{aliases};
-    $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+    $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
 
-    $raw .= &$format_ipsets($vmfw_conf);
+    $raw .= &$format_ipsets($vmfw_conf) if $vmfw_conf->{ipset};
 
     my $rules = $vmfw_conf->{rules} || [];
-    if (scalar(@$rules)) {
+    if ($rules && scalar(@$rules)) {
 	$raw .= "[RULES]\n\n";
 	$raw .= &$format_rules($rules, 1);
 	$raw .= "\n";
     }
 
-    my $filename = "/etc/pve/firewall/$vmid.fw";
+    mkdir $pvefw_conf_dir;
+
+    my $filename = "$pvefw_conf_dir/$vmid.fw";
     PVE::Tools::file_set_contents($filename, $raw);
 }
 
@@ -2685,33 +2750,36 @@ sub save_clusterfw_conf {
     my $raw = '';
 
     my $options = $cluster_conf->{options};
-    $raw .= &$format_options($options) if scalar(keys %$options);
+    $raw .= &$format_options($options) if $options && scalar(keys %$options);
 
     my $aliases = $cluster_conf->{aliases};
-    $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+    $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
 
-    $raw .= &$format_ipsets($cluster_conf);
+    $raw .= &$format_ipsets($cluster_conf) if $cluster_conf->{ipset};
  
     my $rules = $cluster_conf->{rules};
-    if (scalar(@$rules)) {
+    if ($rules && scalar(@$rules)) {
 	$raw .= "[RULES]\n\n";
 	$raw .= &$format_rules($rules, 1);
 	$raw .= "\n";
     }
 
-    foreach my $group (sort keys %{$cluster_conf->{groups}}) {
-	my $rules = $cluster_conf->{groups}->{$group};
-	if (my $comment = $cluster_conf->{group_comments}->{$group}) {
-	    my $utf8comment = encode('utf8', $comment);
-	    $raw .= "[group $group] # $utf8comment\n\n";
-	} else {
-	    $raw .= "[group $group]\n\n";
-	}
+    if ($cluster_conf->{groups}) {
+	foreach my $group (sort keys %{$cluster_conf->{groups}}) {
+	    my $rules = $cluster_conf->{groups}->{$group};
+	    if (my $comment = $cluster_conf->{group_comments}->{$group}) {
+		my $utf8comment = encode('utf8', $comment);
+		$raw .= "[group $group] # $utf8comment\n\n";
+	    } else {
+		$raw .= "[group $group]\n\n";
+	    }
 
-	$raw .= &$format_rules($rules, 0);
-	$raw .= "\n";
+	    $raw .= &$format_rules($rules, 0);
+	    $raw .= "\n";
+	}
     }
 
+    mkdir $pvefw_conf_dir;
     PVE::Tools::file_set_contents($clusterfw_conf_filename, $raw);
 }
 
@@ -2733,10 +2801,10 @@ sub save_hostfw_conf {
     my $raw = '';
 
     my $options = $hostfw_conf->{options};
-    $raw .= &$format_options($options) if scalar(keys %$options);
+    $raw .= &$format_options($options) if $options && scalar(keys %$options);
 
     my $rules = $hostfw_conf->{rules};
-    if (scalar(@$rules)) {
+    if ($rules && scalar(@$rules)) {
 	$raw .= "[RULES]\n\n";
 	$raw .= &$format_rules($rules, 1);
 	$raw .= "\n";
@@ -2834,7 +2902,6 @@ sub compile {
 	    my $conf = $vmdata->{qemu}->{$vmid};
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
 	    return if !$vmfw_conf;
-	    return if !$vmfw_conf->{options}->{enable};
 
 	    generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
 
@@ -2861,32 +2928,34 @@ sub compile {
 
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
 	    return if !$vmfw_conf;
-	    return if !$vmfw_conf->{options}->{enable};
 
 	    generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
 
-	    if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
-		my $ip = $conf->{ip_address}->{value};
-		$ip =~ s/\s+/,/g;
-		parse_address_list($ip); # make sure we have a valid $ip list
+	    if ($vmfw_conf->{options}->{enable}) {
+		if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
+		    my $ip = $conf->{ip_address}->{value};
+		    $ip =~ s/\s+/,/g;
+		    parse_address_list($ip); # make sure we have a valid $ip list
 
-		my @ips = split(',', $ip);
+		    my @ips = split(',', $ip);
 
-		foreach my $singleip (@ips) {
-		    my $venet0ipset = {};
-		    $venet0ipset->{cidr} = $singleip;
-		    push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
-		}
+		    foreach my $singleip (@ips) {
+			my $venet0ipset = {};
+			$venet0ipset->{cidr} = $singleip;
+			push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
+		    }
 
-		generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
-		generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+		    generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
+		    generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+		}
 	    }
 
 	    if ($conf->{netif} && $conf->{netif}->{value}) {
 		my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
 		foreach my $netid (keys %$netif) {
 		    my $d = $netif->{$netid};
-
+		    my $bridge = $d->{bridge};
+		    next if !$bridge || $bridge !~ m/^vmbr\d+(v(\d+))?f$/; # firewall enabled ?
 		    my $macaddr = $d->{mac};
 		    my $iface = $d->{host_ifname};
 		    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
@@ -2971,8 +3040,9 @@ sub get_ruleset_cmdlist {
     }
 
     foreach my $h (qw(INPUT OUTPUT FORWARD)) {
-	if (!$hooks->{$h}) {
-	    $cmdlist .= "-A $h -j PVEFW-$h\n";
+	my $chain = "PVEFW-$h";
+	if ($ruleset->{$chain} && !$hooks->{$h}) {
+	    $cmdlist .= "-A $h -j $chain\n";
 	}
     }
 
@@ -3172,6 +3242,17 @@ sub remove_pvefw_chains {
     $cmdlist .= "COMMIT\n";
 
     iptables_restore_cmdlist($cmdlist);
+
+    my $ipset_chains = ipset_get_chains();
+
+    $cmdlist = "";
+ 
+    foreach my $chain (keys %$ipset_chains) {
+       $cmdlist .= "flush $chain\n";
+       $cmdlist .= "destroy $chain\n";
+    }
+
+    ipset_restore_cmdlist($cmdlist) if $cmdlist; 
 }
 
 sub init {
@@ -3190,11 +3271,7 @@ sub update {
 	my $cluster_conf = load_clusterfw_conf();
 	my $cluster_options = $cluster_conf->{options};
 
-	my $enable = $cluster_options->{enable};
-
-	die "Firewall is disabled - cannot start\n" if !$enable;
-
-	if (!$enable) {
+	if (!$cluster_options->{enable}) {
 	    PVE::Firewall::remove_pvefw_chains();
 	    return;
 	}