X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=2eb8a0ec55dec82d60c835e44f476d0d1a33478e;hp=44068249992b7a78b9b6acbb31ce3d1a0ea575f9;hb=9c7e08582e838e283333e9d49d59737d5e877628;hpb=e7b3571121372860f43ab905757c1b7e78bad19d diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4406824..2eb8a0e 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -13,6 +13,7 @@ use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file); +use Encode; # dynamically include PVE::QemuServer and PVE::OpenVZ # to avoid dependency problems @@ -654,6 +655,84 @@ sub cleanup_fw_rule { return $r; } +my $rule_properties = { + pos => { + description => "Update rule at position .", + type => 'integer', + minimum => 0, + optional => 1, + }, + digest => { + type => 'string', + optional => 1, + }, + type => { + type => 'string', + optional => 1, + enum => ['in', 'out', 'group'], + }, + action => { + type => 'string', + optional => 1, + }, + source => { + type => 'string', + optional => 1, + }, + dest => { + type => 'string', + optional => 1, + }, + proto => { + type => 'string', + optional => 1, + }, + enable => { + type => 'boolean', + optional => 1, + }, + sport => { + type => 'string', + optional => 1, + }, + dport => { + type => 'string', + optional => 1, + }, + comment => { + type => 'string', + optional => 1, + }, +}; + +sub add_rule_properties { + my ($properties) = @_; + + foreach my $k (keys %$rule_properties) { + $properties->{$k} = $rule_properties->{$k}; + } + + return $properties; +} + +sub copy_rule_data { + my ($rule, $param) = @_; + + foreach my $k (keys %$rule_properties) { + if (defined(my $v = $param->{$k})) { + if ($v eq '' || $v eq '-') { + delete $rule->{$k}; + } else { + $rule->{$k} = $v; + } + } else { + delete $rule->{$k}; + } + } + return $rule; +} + +# core functions my $bridge_firewall_enabled = 0; sub enable_bridge_firewall { @@ -699,7 +778,7 @@ sub iptables_get_chains { return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/; - return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT|IPS)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; return undef; @@ -764,7 +843,7 @@ sub iptables_rule_exist { sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto) = @_; - return if $rule->{disable}; + return if defined($rule->{enable}) && !$rule->{enable}; my @cmd = (); @@ -836,6 +915,7 @@ sub ruleset_generate_rule { ruleset_addrule($ruleset, $chain, $cmdstr); } } + sub ruleset_generate_rule_insert { my ($ruleset, $chain, $rule, $actions, $goto) = @_; @@ -962,13 +1042,20 @@ sub ruleset_create_vm_chain { my ($ruleset, $chain, $options, $macaddr, $direction) = @_; ruleset_create_chain($ruleset, $chain); + my $accept = generate_nfqueue($options); if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); } if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { - ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK', + proto => 'udp', sport => 68, dport => 67 }); + } else { + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT', + proto => 'udp', sport => 67, dport => 68 }); + } } if ($options->{tcpflags}) { @@ -976,44 +1063,96 @@ sub ruleset_create_vm_chain { } ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + if($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK"); + }else{ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + } if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); } ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark } + + } sub ruleset_generate_vm_rules { - my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_; + my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction, $options) = @_; my $lc_direction = lc($direction); foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; - next if $rule->{disable}; + next if !$rule->{enable}; if ($rule->{type} eq 'group') { my $group_chain = "GROUP-$rule->{action}-$direction"; if(!ruleset_chain_exist($ruleset, $group_chain)){ generate_group_rules($ruleset, $groups_conf, $rule->{action}); } ruleset_addrule($ruleset, $chain, "-j $group_chain"); - ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN") - if $direction eq 'OUT'; + if ($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN"); + }else{ + my $accept = generate_nfqueue($options); + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept"); + } + } else { next if $rule->{type} ne $lc_direction; if ($direction eq 'OUT') { ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + my $accept = generate_nfqueue($options); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }); } } } } +sub generate_nfqueue { + my ($options) = @_; + + my $action = ""; + if($options->{ips}){ + $action = "NFQUEUE"; + if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) { + if(defined($3) && defined($1)) { + $action .= " --queue-balance $1:$3"; + }elsif (defined($1)) { + $action .= " --queue-num $1"; + } + } + $action .= " --queue-bypass"; + }else{ + $action = "ACCEPT"; + } + + return $action; +} + +sub ruleset_generate_vm_ipsrules { + my ($ruleset, $options, $direction, $iface, $bridge) = @_; + + if ($options->{ips} && $direction eq 'IN') { + my $nfqueue = generate_nfqueue($options); + + if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { + ruleset_create_chain($ruleset, "PVEFW-IPS"); + } + + if (!ruleset_chain_exist($ruleset, "$bridge-IPS")) { + ruleset_create_chain($ruleset, "$bridge-IPS"); + ruleset_insertrule($ruleset, "PVEFW-IPS", "-o $bridge -m physdev --physdev-is-out -j $bridge-IPS"); + } + + ruleset_addrule($ruleset, "$bridge-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); + } +} + sub generate_venet_rules_direction { my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; @@ -1041,7 +1180,8 @@ sub generate_venet_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action); # plug into FORWARD, INPUT and OUTPUT chain @@ -1082,7 +1222,9 @@ sub generate_tap_rules_direction { ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction); - ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction); + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction, $options); + + ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface, $bridge); # implement policy my $policy; @@ -1093,7 +1235,8 @@ sub generate_tap_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain @@ -1120,6 +1263,14 @@ sub enable_host_firewall { my $loglevel = get_option_log_level($options, "log_level_in"); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); + } + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); @@ -1170,18 +1321,18 @@ sub enable_host_firewall { sub generate_group_rules { my ($ruleset, $groups_conf, $group) = @_; - - die "no such security group '$group'\n" if !$groups_conf->{$group}; + die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group}; my $rules = $groups_conf->{rules}->{$group}; my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } $chain = "GROUP-${group}-OUT"; @@ -1213,10 +1364,12 @@ sub parse_fw_rule { my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport); # we can add single line comments to the end of the rule - my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; # we can disable a rule when prefixed with '|' - my $disable = 1 if $line =~ s/^\|//; + my $enable = 1; + + $enable = 0 if $line =~ s/^\|//; my @data = split(/\s+/, $line); my $expected_elements = $need_iface ? 8 : 7; @@ -1283,7 +1436,7 @@ sub parse_fw_rule { my $param = { type => $type, - disable => $disable, + enable => $enable, comment => $comment, action => $action, iface => $iface, @@ -1349,7 +1502,7 @@ sub parse_vmfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags|ips):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { @@ -1358,6 +1511,9 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) { + $opt = lc($1); + $value = $2; } else { chomp $line; die "can't parse option '$line'\n" @@ -1373,7 +1529,7 @@ sub parse_hostfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { @@ -1729,6 +1885,40 @@ sub load_security_groups { return $groups_conf; } +sub save_security_groups { + my ($groups_conf) = @_; + + my $raw = ''; + my $filename = "/etc/pve/firewall/groups.fw"; + + foreach my $group (sort keys %{$groups_conf->{rules}}) { + my $rules = $groups_conf->{rules}->{$group}; + $raw .= "[group $group]\n\n"; + + foreach my $rule (@$rules) { + if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + $raw .= '|' if defined($rule->{enable}) && !$rule->{enable}; + $raw .= uc($rule->{type}); + $raw .= " " . $rule->{action}; + $raw .= " " . ($rule->{source} || '-'); + $raw .= " " . ($rule->{dest} || '-'); + $raw .= " " . ($rule->{proto} || '-'); + $raw .= " " . ($rule->{dport} || '-'); + $raw .= " " . ($rule->{sport} || '-'); + $raw .= " # " . encode('utf8', $rule->{comment}) + if $rule->{comment} && $rule->{comment} !~ m/^\s*$/; + $raw .= "\n"; + } else { + die "implement me '$rule->{type}'"; + } + } + + $raw .= "\n"; + } + + PVE::Tools::file_set_contents($filename, $raw); +} + sub load_hostfw_conf { my $hostfw_conf = {}; @@ -1763,6 +1953,8 @@ sub compile { enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; + my $ips_enable = undef; + # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; @@ -1770,6 +1962,8 @@ sub compile { next if !$vmfw_conf; next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); + $ips_enable = 1 if $vmfw_conf->{options}->{ips}; + foreach my $netid (keys %$conf) { next if $netid !~ m/^net(\d+)$/; my $net = PVE::QemuServer::parse_net($conf->{$netid}); @@ -1799,6 +1993,8 @@ sub compile { next if !$vmfw_conf; next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); + $ips_enable = 1 if $vmfw_conf->{options}->{ips}; + if ($conf->{ip_address} && $conf->{ip_address}->{value}) { my $ip = $conf->{ip_address}->{value}; generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN'); @@ -1827,8 +2023,12 @@ sub compile { } } - # fixme: this is an optimization? if so, we should also drop INVALID packages? - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + if($hostfw_options->{optimize}){ + + my $accept = $ips_enable ? "PVEFW-IPS" : "ACCEPT"; + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP"); + } # fixme: what log level should we use here? my $loglevel = get_option_log_level($hostfw_options, "log_level_out");