X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=44068249992b7a78b9b6acbb31ce3d1a0ea575f9;hp=5e73d2b64f75b18627189944c4ea62ce87735b22;hb=e7b3571121372860f43ab905757c1b7e78bad19d;hpb=41524a582adfae94f2ed7ea4c0d099c1940854a5 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 5e73d2b..4406824 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -4,16 +4,34 @@ use warnings; use strict; use Data::Dumper; use Digest::SHA; +use PVE::INotify; +use PVE::Cluster; +use PVE::ProcFSTools; use PVE::Tools; -use PVE::QemuServer; use File::Basename; use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file); +# dynamically include PVE::QemuServer and PVE::OpenVZ +# to avoid dependency problems +my $have_qemu_server; +eval { + require PVE::QemuServer; + $have_qemu_server = 1; +}; + +my $have_pve_manager; +eval { + require PVE::OpenVZ; + $have_pve_manager = 1; +}; + use Data::Dumper; +my $nodename = PVE::INotify::nodename(); + my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status"; @@ -617,14 +635,36 @@ sub parse_port_name_number_or_range { return ($nbports); } +# helper function for API +sub cleanup_fw_rule { + my ($rule, $digest, $pos) = @_; + + my $r = {}; + + foreach my $k (keys %$rule) { + next if $k eq 'nbdport'; + next if $k eq 'nbsport'; + my $v = $rule->{$k}; + next if !defined($v); + $r->{$k} = $v; + $r->{digest} = $digest; + $r->{pos} = $pos; + } + + return $r; +} + my $bridge_firewall_enabled = 0; sub enable_bridge_firewall { return if $bridge_firewall_enabled; # only once - system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"); - system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables"); + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1"); + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1"); + + # make sure syncookies are enabled (which is default on newer 3.X kernels anyways) + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1"); $bridge_firewall_enabled = 1; } @@ -654,6 +694,11 @@ sub iptables_get_chains { return 1 if $name =~ m/^PVEFW-\S+$/; return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/; + + return 1 if $name =~ m/^veth\d+.\d+-(:?IN|OUT)$/; # fixme: dev name is configurable + + return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/; + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; @@ -716,13 +761,16 @@ sub iptables_rule_exist { return 1; } -sub ruleset_generate_rule { +sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto) = @_; return if $rule->{disable}; my @cmd = (); + push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in}; + push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out}; + push @cmd, "-m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1; push @cmd, "-s $rule->{source}" if $rule->{source}; push @cmd, "-m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; @@ -778,16 +826,29 @@ sub ruleset_generate_rule { push @cmd, $goto ? "-g $action" : "-j $action"; } - if (scalar(@cmd)) { - my $cmdstr = join(' ', @cmd); + return scalar(@cmd) ? join(' ', @cmd) : undef; +} + +sub ruleset_generate_rule { + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { ruleset_addrule($ruleset, $chain, $cmdstr); } } +sub ruleset_generate_rule_insert { + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $rule, $actions, $goto)) { + ruleset_insertrule($ruleset, $chain, $cmdstr); + } +} sub ruleset_create_chain { my ($ruleset, $chain) = @_; die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28; + die "chain name may not contain collons\n" if $chain =~ m/:/; # because of log format die "chain '$chain' already exists\n" if $ruleset->{$chain}; @@ -816,69 +877,119 @@ sub ruleset_insertrule { unshift @{$ruleset->{$chain}}, "-A $chain $rule"; } +sub get_log_rule_base { + my ($chain, $vmid, $msg, $loglevel) = @_; + + die "internal error - no log level" if !defined($loglevel); + + $vmid = 0 if !defined($vmid); + + # Note: we use special format for prefix to pass further + # info to log daemon (VMID, LOGVELEL and CHAIN) + + return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\""; +} + +sub ruleset_addlog { + my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_; + + return if !defined($loglevel); + + my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel); + + $logrule = "$rule $logrule" if defined($rule); + + ruleset_addrule($ruleset, $chain, $logrule) +} + sub generate_bridge_chains { - my ($ruleset, $bridge) = @_; + my ($ruleset, $hostfw_conf, $bridge, $routing_table) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ - ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - } + my $options = $hostfw_conf->{options} || {}; + + die "error: detected direct route to bridge '$bridge'\n" + if !$options->{allow_bridge_route} && $routing_table->{$bridge}; if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-in -j $bridge-FW"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-in -j $bridge-OUT"); + ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT"); } if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { ruleset_create_chain($ruleset, "$bridge-IN"); - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN"); ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); # accept traffic to unmanaged bridge ports - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT "); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT "); } } -sub generate_tap_rules_direction { - my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; +sub ruleset_add_chain_policy { + my ($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action) = @_; - my $lc_direction = lc($direction); + if ($policy eq 'ACCEPT') { - my $rules = $vmfw_conf->{rules}; + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' }, + { ACCEPT => $accept_action}); - my $options = $vmfw_conf->{options}; - my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); + } elsif ($policy eq 'DROP') { - my $tapchain = "$iface-$direction"; + ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); + + ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); + + ruleset_addrule($ruleset, $chain, "-j DROP"); + } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); - ruleset_create_chain($ruleset, $tapchain); + ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); + + ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); + } else { + # should not happen + die "internal error: unknown policy '$policy'"; + } +} + +sub ruleset_create_vm_chain { + my ($ruleset, $chain, $options, $macaddr, $direction) = @_; + + ruleset_create_chain($ruleset, $chain); if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); } if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT"); } if ($options->{tcpflags}) { - ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags"); + ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); } - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr) && - !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + if ($direction eq 'OUT') { + if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { + ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); + } + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark } +} + +sub ruleset_generate_vm_rules { + my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_; + + my $lc_direction = lc($direction); foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; @@ -888,68 +999,114 @@ sub generate_tap_rules_direction { if(!ruleset_chain_exist($ruleset, $group_chain)){ generate_group_rules($ruleset, $groups_conf, $rule->{action}); } - ruleset_addrule($ruleset, $tapchain, "-j $group_chain"); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") + ruleset_addrule($ruleset, $chain, "-j $group_chain"); + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN") if $direction eq 'OUT'; } else { next if $rule->{type} ne $lc_direction; if ($direction eq 'OUT') { - ruleset_generate_rule($ruleset, $tapchain, $rule, + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } } } +} + +sub generate_venet_rules_direction { + my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; + + parse_address_list($ip); # make sure we have a valid $ip list + + my $lc_direction = lc($direction); + + my $rules = $vmfw_conf->{rules}; + + my $options = $vmfw_conf->{options}; + my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); + + my $chain = "venet0-$vmid-$direction"; + + ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction); + + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $chain, 'venet', $direction); # implement policy my $policy; if ($direction eq 'OUT') { - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - if ($policy eq 'ACCEPT') { - if ($direction eq 'OUT') { - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); - } else { - ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); - } - } elsif ($policy eq 'DROP') { + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action); - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); + # plug into FORWARD, INPUT and OUTPUT chain + if ($direction eq 'OUT') { + ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", { + action => $chain, + source => $ip, + iface_in => 'venet0'}); + + ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", { + action => $chain, + source => $ip, + iface_in => 'venet0'}); + } else { + ruleset_generate_rule($ruleset, "PVEFW-FORWARD", { + action => $chain, + dest => $ip, + iface_out => 'venet0'}); + + ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", { + action => $chain, + dest => $ip, + iface_out => 'venet0'}); + } +} - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level $loglevel") - if defined($loglevel); +sub generate_tap_rules_direction { + my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_; - ruleset_addrule($ruleset, $tapchain, "-j DROP"); - } elsif ($policy eq 'REJECT') { - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); + my $lc_direction = lc($direction); + + my $rules = $vmfw_conf->{rules}; + + my $options = $vmfw_conf->{options}; + my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); + + my $tapchain = "$iface-$direction"; - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level $loglevel") - if defined($loglevel); + ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction); - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction); + + # implement policy + my $policy; + + if ($direction eq 'OUT') { + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default } else { - # should not happen - die "internal error: unknown policy '$policy'"; + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action); + # plug the tap chain to bridge chain - my $physdevdirection = $direction eq 'IN' ? "out" : "in"; - my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain"; - ruleset_insertrule($ruleset, "$bridge-$direction", $rule); - - if ($direction eq 'OUT'){ - # add tap->host rules - my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain"; - ruleset_addrule($ruleset, "PVEFW-INPUT", $rule); + if ($direction eq 'IN') { + ruleset_insertrule($ruleset, "$bridge-IN", + "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); + } else { + ruleset_insertrule($ruleset, "$bridge-OUT", + "-m physdev --physdev-in $iface -j $tapchain"); } } -sub enablehostfw { +sub enable_host_firewall { my ($ruleset, $hostfw_conf, $groups_conf) = @_; # fixme: allow security groups @@ -967,19 +1124,20 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync + # we use RETURN because we need to check also tap rules + my $accept_action = 'RETURN'; + foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); } - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement input policy + my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default + ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); # host outbound firewall $chain = "PVEFW-HOST-OUT"; @@ -991,19 +1149,20 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT"); - ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync + # we use RETURN because we may want to check other thigs later + $accept_action = 'RETURN'; + foreach my $rule (@$rules) { next if $rule->{type} ne 'out'; - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); } - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement output policy + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default + ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); @@ -1014,7 +1173,7 @@ sub generate_group_rules { die "no such security group '$group'\n" if !$groups_conf->{$group}; - my $rules = $groups_conf->{$group}->{rules}; + my $rules = $groups_conf->{rules}->{$group}; my $chain = "GROUP-${group}-IN"; @@ -1101,8 +1260,6 @@ sub parse_fw_rule { if ($need_iface) { $iface = undef if $iface && $iface eq '-'; - die "unknown interface '$iface'\n" - if defined($iface) && !$valid_netdev_names->{$iface}; } $proto = undef if $proto && $proto eq '-'; @@ -1198,7 +1355,7 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); } else { @@ -1216,15 +1373,18 @@ sub parse_hostfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) { + $opt = lc($1); + $value = int($2); } else { chomp $line; die "can't parse option '$line'\n" @@ -1240,7 +1400,11 @@ sub parse_vm_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1278,6 +1442,8 @@ sub parse_vm_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1288,7 +1454,11 @@ sub parse_host_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1326,6 +1496,8 @@ sub parse_host_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1335,9 +1507,13 @@ sub parse_group_fw_rules { my $section; my $group; - my $res = { rules => [] }; + my $res = { rules => {} }; + + my $digest = Digest::SHA->new('sha1'); while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1361,9 +1537,11 @@ sub parse_group_fw_rules { next; } - push @{$res->{$group}->{$section}}, @$rules; + push @{$res->{$section}->{$group}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1382,35 +1560,63 @@ sub run_locked { sub read_local_vm_config { my $openvz = {}; - my $qemu = {}; - my $list = PVE::QemuServer::config_list(); + my $vmdata = { openvz => $openvz, qemu => $qemu }; - foreach my $vmid (keys %$list) { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; + my $vmlist = PVE::Cluster::get_vmlist(); + return $vmdata if !$vmlist || !$vmlist->{ids}; + my $ids = $vmlist->{ids}; + + foreach my $vmid (keys %$ids) { + next if !$vmid; # skip VE0 + my $d = $ids->{$vmid}; + next if !$d->{node} || $d->{node} ne $nodename; + next if !$d->{type}; + if ($d->{type} eq 'openvz') { + if ($have_pve_manager) { + my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $openvz->{$vmid} = $conf; + } + } + } elsif ($d->{type} eq 'qemu') { + if ($have_qemu_server) { + my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $qemu->{$vmid} = $conf; + } + } } } - my $vmdata = { openvz => $openvz, qemu => $qemu }; - return $vmdata; }; -sub read_vm_firewall_rules { +sub load_vmfw_conf { + my ($vmid) = @_; + + my $vmfw_conf = {}; + + my $filename = "/etc/pve/firewall/$vmid.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $vmfw_conf = parse_vm_fw_rules($filename, $fh); + } + + return $vmfw_conf; +} + +sub read_vm_firewall_configs { my ($vmdata) = @_; - my $rules = {}; - foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/firewall/$vmid.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - next if !$fh; + my $vmfw_configs = {}; - $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); + foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { + my $vmfw_conf = load_vmfw_conf($vmid); + next if !$vmfw_conf->{options}; # skip if file does not exists + $vmfw_configs->{$vmid} = $vmfw_conf; } - return $rules; + return $vmfw_configs; } sub get_option_log_level { @@ -1436,25 +1642,17 @@ sub generate_std_chains { my $loglevel = get_option_log_level($options, 'smurf_log_level'); # same as shorewall smurflog. - if (defined($loglevel)) { - $pve_std_chains-> {'PVEFW-smurflog'} = [ - "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", - "-j DROP", - ]; - } else { - $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ]; - } + my $chain = 'PVEFW-smurflog'; + + push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; + push @{$pve_std_chains->{$chain}}, "-j DROP"; # same as shorewall logflags action. $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); - if (defined($loglevel)) { - $pve_std_chains-> {'PVEFW-logflags'} = [ - "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", - "-j DROP", - ]; - } else { - $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ]; - } + $chain = 'PVEFW-logflags'; + # fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG) + push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; + push @{$pve_std_chains->{$chain}}, "-j DROP"; foreach my $chain (keys %$pve_std_chains) { ruleset_create_chain($ruleset, $chain); @@ -1492,9 +1690,35 @@ sub read_pvefw_status { return $status; } -sub compile { - my $vmdata = read_local_vm_config(); - my $rules = read_vm_firewall_rules($vmdata); +# fixme: move to pve-common PVE::ProcFSTools +sub read_proc_net_route { + my $filename = "/proc/net/route"; + + my $res = {}; + + my $fh = IO::File->new ($filename, "r"); + return $res if !$fh; + + my $int_to_quad = sub { + return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0); + }; + + while (defined(my $line = <$fh>)) { + next if $line =~/^Iface\s+Destination/; # skip head + my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8]; + push @{$res->{$iface}}, { + dest => &$int_to_quad(hex($dest)), + gateway => &$int_to_quad(hex($gateway)), + mask => &$int_to_quad(hex($mask)), + metric => $metric, + mtu => $mtu, + }; + } + + return $res; +} + +sub load_security_groups { my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; @@ -1502,34 +1726,47 @@ sub compile { $groups_conf = parse_group_fw_rules($filename, $fh); } - #print Dumper($rules); + return $groups_conf; +} + +sub load_hostfw_conf { + + my $hostfw_conf = {}; + my $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $hostfw_conf = parse_host_fw_rules($filename, $fh); + } + return $hostfw_conf; +} + +sub compile { + my $vmdata = read_local_vm_config(); + my $vmfw_configs = read_vm_firewall_configs($vmdata); + + my $routing_table = read_proc_net_route(); + + my $groups_conf = load_security_groups(); my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); - ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - my $hostfw_options = {}; - my $hostfw_conf; + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - $filename = "/etc/pve/local/host.fw"; - if (my $fh = IO::File->new($filename, O_RDONLY)) { - $hostfw_conf = parse_host_fw_rules($filename, $fh); - $hostfw_options = $hostfw_conf->{options}; - } + my $hostfw_conf = load_hostfw_conf(); + my $hostfw_options = $hostfw_conf->{options} || {}; generate_std_chains($ruleset, $hostfw_options); - my $hostfw_enable = $hostfw_conf && - !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); + my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); - enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; + enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; - my $vmfw_conf = $rules->{$vmid}; + my $vmfw_conf = $vmfw_configs->{$vmid}; next if !$vmfw_conf; next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); @@ -1544,20 +1781,72 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; - generate_bridge_chains($ruleset, $bridge); + generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'OUT'); } } - if ($hostfw_enable) { - # allow traffic from lo (ourself) - ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); + # generate firewall rules for OpenVZ containers + foreach my $vmid (keys %{$vmdata->{openvz}}) { + my $conf = $vmdata->{openvz}->{$vmid}; + + my $vmfw_conf = $vmfw_configs->{$vmid}; + next if !$vmfw_conf; + next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); + + if ($conf->{ip_address} && $conf->{ip_address}->{value}) { + my $ip = $conf->{ip_address}->{value}; + generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN'); + generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'OUT'); + } + + if ($conf->{netif} && $conf->{netif}->{value}) { + my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value}); + foreach my $netid (keys %$netif) { + my $d = $netif->{$netid}; + my $bridge = $d->{bridge}; + if (!$bridge) { + warn "no bridge device for CT $vmid iface '$netid'\n"; + next; # fixme? + } + + generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table); + + my $macaddr = $d->{mac}; + my $iface = $d->{host_ifname}; + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'OUT'); + } + } } - return $ruleset; + # fixme: this is an optimization? if so, we should also drop INVALID packages? + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); + + # fixme: should we really block inter-bridge traffic? + + # always allow traffic from containers? + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN"); + + # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop"); + ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-o vmbr+"); + ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-i vmbr+"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP"); + + return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; } sub get_ruleset_status { @@ -1683,10 +1972,12 @@ sub get_rulset_cmdlist { } sub apply_ruleset { - my ($ruleset, $verbose) = @_; + my ($ruleset, $hostfw_conf, $verbose) = @_; enable_bridge_firewall(); + update_nf_conntrack_max($hostfw_conf); + my $cmdlist = get_rulset_cmdlist($ruleset, $verbose); print $cmdlist if $verbose; @@ -1708,19 +1999,43 @@ sub apply_ruleset { die "unable to apply firewall changes\n" if $errors; } +sub update_nf_conntrack_max { + my ($hostfw_conf) = @_; + + my $max = 65536; # reasonable default + + my $options = $hostfw_conf->{options} || {}; + + if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) { + $max = $options->{nf_conntrack_max}; + $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192 + } + + my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max"; + my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize"; + + my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max); + + if ($current != $max) { + my $hashsize = int($max/4); + PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize); + PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max); + } +} + sub update { my ($start, $verbose) = @_; my $code = sub { my $status = read_pvefw_status(); - my $ruleset = PVE::Firewall::compile(); + my ($ruleset, $hostfw_conf) = PVE::Firewall::compile(); if ($start || $status eq 'active') { save_pvefw_status('active') if ($status ne 'active'); - PVE::Firewall::apply_ruleset($ruleset, $verbose); + apply_ruleset($ruleset, $hostfw_conf, $verbose); } else { print "Firewall not active (status = $status)\n" if $verbose; }