X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=44068249992b7a78b9b6acbb31ce3d1a0ea575f9;hp=760a20857be8d546b0d0c06e309b463c7c7345dd;hb=e7b3571121372860f43ab905757c1b7e78bad19d;hpb=46b40c26d64f196c1d7343b2093473b3f2f01d39 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 760a208..4406824 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -8,17 +8,27 @@ use PVE::INotify; use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools; -use PVE::QemuServer; -use PVE::OpenVZ; # dependeny problem?! use File::Basename; use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file); -use Data::Dumper; +# dynamically include PVE::QemuServer and PVE::OpenVZ +# to avoid dependency problems +my $have_qemu_server; +eval { + require PVE::QemuServer; + $have_qemu_server = 1; +}; -# fixme: use ULOG instead of LOG? +my $have_pve_manager; +eval { + require PVE::OpenVZ; + $have_pve_manager = 1; +}; + +use Data::Dumper; my $nodename = PVE::INotify::nodename(); @@ -625,6 +635,25 @@ sub parse_port_name_number_or_range { return ($nbports); } +# helper function for API +sub cleanup_fw_rule { + my ($rule, $digest, $pos) = @_; + + my $r = {}; + + foreach my $k (keys %$rule) { + next if $k eq 'nbdport'; + next if $k eq 'nbsport'; + my $v = $rule->{$k}; + next if !defined($v); + $r->{$k} = $v; + $r->{digest} = $digest; + $r->{pos} = $pos; + } + + return $r; +} + my $bridge_firewall_enabled = 0; sub enable_bridge_firewall { @@ -819,6 +848,7 @@ sub ruleset_create_chain { my ($ruleset, $chain) = @_; die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28; + die "chain name may not contain collons\n" if $chain =~ m/:/; # because of log format die "chain '$chain' already exists\n" if $ruleset->{$chain}; @@ -847,6 +877,31 @@ sub ruleset_insertrule { unshift @{$ruleset->{$chain}}, "-A $chain $rule"; } +sub get_log_rule_base { + my ($chain, $vmid, $msg, $loglevel) = @_; + + die "internal error - no log level" if !defined($loglevel); + + $vmid = 0 if !defined($vmid); + + # Note: we use special format for prefix to pass further + # info to log daemon (VMID, LOGVELEL and CHAIN) + + return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\""; +} + +sub ruleset_addlog { + my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_; + + return if !defined($loglevel); + + my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel); + + $logrule = "$rule $logrule" if defined($rule); + + ruleset_addrule($ruleset, $chain, $logrule) +} + sub generate_bridge_chains { my ($ruleset, $hostfw_conf, $bridge, $routing_table) = @_; @@ -857,27 +912,27 @@ sub generate_bridge_chains { if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-in -j $bridge-FW"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); - ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-in -j $bridge-OUT"); + ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT"); } if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { ruleset_create_chain($ruleset, "$bridge-IN"); - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN"); ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); # accept traffic to unmanaged bridge ports - ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT "); + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT "); } } sub ruleset_add_chain_policy { - my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_; + my ($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action) = @_; if ($policy eq 'ACCEPT') { @@ -888,15 +943,13 @@ sub ruleset_add_chain_policy { ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel") - if defined($loglevel); + ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); ruleset_addrule($ruleset, $chain, "-j DROP"); } elsif ($policy eq 'REJECT') { ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel") - if defined($loglevel); + ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); } else { @@ -989,7 +1042,7 @@ sub generate_venet_rules_direction { } my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; - ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); + ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action); # plug into FORWARD, INPUT and OUTPUT chain if ($direction eq 'OUT') { @@ -1016,7 +1069,7 @@ sub generate_venet_rules_direction { } sub generate_tap_rules_direction { - my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; + my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $bridge, $direction) = @_; my $lc_direction = lc($direction); @@ -1041,12 +1094,16 @@ sub generate_tap_rules_direction { } my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; - ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action); + ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain - my $physdevdirection = $direction eq 'IN' ? "out" : "in"; - my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain"; - ruleset_insertrule($ruleset, "$bridge-$direction", $rule); + if ($direction eq 'IN') { + ruleset_insertrule($ruleset, "$bridge-IN", + "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); + } else { + ruleset_insertrule($ruleset, "$bridge-OUT", + "-m physdev --physdev-in $iface -j $tapchain"); + } } sub enable_host_firewall { @@ -1080,7 +1137,7 @@ sub enable_host_firewall { # implement input policy my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default - ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); + ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); # host outbound firewall $chain = "PVEFW-HOST-OUT"; @@ -1105,7 +1162,7 @@ sub enable_host_firewall { # implement output policy $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default - ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); + ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); @@ -1116,7 +1173,7 @@ sub generate_group_rules { die "no such security group '$group'\n" if !$groups_conf->{$group}; - my $rules = $groups_conf->{$group}->{rules}; + my $rules = $groups_conf->{rules}->{$group}; my $chain = "GROUP-${group}-IN"; @@ -1343,7 +1400,11 @@ sub parse_vm_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1381,6 +1442,8 @@ sub parse_vm_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1391,7 +1454,11 @@ sub parse_host_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1429,6 +1496,8 @@ sub parse_host_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1438,9 +1507,13 @@ sub parse_group_fw_rules { my $section; my $group; - my $res = { rules => [] }; + my $res = { rules => {} }; + + my $digest = Digest::SHA->new('sha1'); while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1464,9 +1537,11 @@ sub parse_group_fw_rules { next; } - push @{$res->{$group}->{$section}}, @$rules; + push @{$res->{$section}->{$group}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1499,31 +1574,46 @@ sub read_local_vm_config { next if !$d->{node} || $d->{node} ne $nodename; next if !$d->{type}; if ($d->{type} eq 'openvz') { - my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $openvz->{$vmid} = $conf; + if ($have_pve_manager) { + my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $openvz->{$vmid} = $conf; + } } } elsif ($d->{type} eq 'qemu') { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; + if ($have_qemu_server) { + my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $qemu->{$vmid} = $conf; + } } } } - + return $vmdata; }; +sub load_vmfw_conf { + my ($vmid) = @_; + + my $vmfw_conf = {}; + + my $filename = "/etc/pve/firewall/$vmid.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $vmfw_conf = parse_vm_fw_rules($filename, $fh); + } + + return $vmfw_conf; +} + sub read_vm_firewall_configs { my ($vmdata) = @_; my $vmfw_configs = {}; foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/firewall/$vmid.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - next if !$fh; - - $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh); + my $vmfw_conf = load_vmfw_conf($vmid); + next if !$vmfw_conf->{options}; # skip if file does not exists + $vmfw_configs->{$vmid} = $vmfw_conf; } return $vmfw_configs; @@ -1552,25 +1642,17 @@ sub generate_std_chains { my $loglevel = get_option_log_level($options, 'smurf_log_level'); # same as shorewall smurflog. - if (defined($loglevel)) { - $pve_std_chains-> {'PVEFW-smurflog'} = [ - "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel", - "-j DROP", - ]; - } else { - $pve_std_chains-> {'PVEFW-smurflog'} = [ "-j DROP" ]; - } + my $chain = 'PVEFW-smurflog'; + + push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; + push @{$pve_std_chains->{$chain}}, "-j DROP"; # same as shorewall logflags action. $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); - if (defined($loglevel)) { - $pve_std_chains-> {'PVEFW-logflags'} = [ - "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options", - "-j DROP", - ]; - } else { - $pve_std_chains-> {'PVEFW-logflags'} = [ "-j DROP" ]; - } + $chain = 'PVEFW-logflags'; + # fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG) + push @{$pve_std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; + push @{$pve_std_chains->{$chain}}, "-j DROP"; foreach my $chain (keys %$pve_std_chains) { ruleset_create_chain($ruleset, $chain); @@ -1636,11 +1718,7 @@ sub read_proc_net_route { return $res; } -sub compile { - my $vmdata = read_local_vm_config(); - my $vmfw_configs = read_vm_firewall_configs($vmdata); - - my $routing_table = read_proc_net_route(); +sub load_security_groups { my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; @@ -1648,6 +1726,27 @@ sub compile { $groups_conf = parse_group_fw_rules($filename, $fh); } + return $groups_conf; +} + +sub load_hostfw_conf { + + my $hostfw_conf = {}; + my $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $hostfw_conf = parse_host_fw_rules($filename, $fh); + } + return $hostfw_conf; +} + +sub compile { + my $vmdata = read_local_vm_config(); + my $vmfw_configs = read_vm_firewall_configs($vmdata); + + my $routing_table = read_proc_net_route(); + + my $groups_conf = load_security_groups(); + my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT"); @@ -1655,14 +1754,8 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - my $hostfw_options = {}; - my $hostfw_conf = {}; - - $filename = "/etc/pve/local/host.fw"; - if (my $fh = IO::File->new($filename, O_RDONLY)) { - $hostfw_conf = parse_host_fw_rules($filename, $fh); - $hostfw_options = $hostfw_conf->{options}; - } + my $hostfw_conf = load_hostfw_conf(); + my $hostfw_options = $hostfw_conf->{options} || {}; generate_std_chains($ruleset, $hostfw_options); @@ -1691,8 +1784,10 @@ sub compile { generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table); my $macaddr = $net->{macaddr}; - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'OUT'); } } @@ -1722,10 +1817,12 @@ sub compile { generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table); - my $macaddr = $d->{host_mac}; + my $macaddr = $d->{mac}; my $iface = $d->{host_ifname}; - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); - generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, + $vmfw_conf, $vmid, $bridge, 'OUT'); } } } @@ -1744,8 +1841,8 @@ sub compile { # disable interbridge routing ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-o vmbr+"); + ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-i vmbr+"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");