X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=440d12b98252aa6a0580b906627ab95a64545cf5;hp=3a4f2f41bc352ac7ead9227e44fb898a1e7374ec;hb=2f3d8d7615139301d55ceaacad06a2b18b0420dc;hpb=5f0a912c4f27d3ebd743920a029c7f6cad2fdd64 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 3a4f2f4..440d12b 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -627,6 +627,9 @@ sub enable_bridge_firewall { PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1"); PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1"); + # make sure syncookies are enabled (which is default on newer 3.X kernels anyways) + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1"); + $bridge_firewall_enabled = 1; } @@ -818,24 +821,30 @@ sub ruleset_insertrule { } sub generate_bridge_chains { - my ($ruleset, $bridge) = @_; + my ($ruleset, $hostfw_conf, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ - ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - } + my $options = $hostfw_conf->{options}; + + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($options, "log_level_out"); if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing + # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); } if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { @@ -847,6 +856,35 @@ sub generate_bridge_chains { } } +sub ruleset_add_chain_policy { + my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_; + + if ($policy eq 'ACCEPT') { + + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' }, + { ACCEPT => $accept_action}); + + } elsif ($policy eq 'DROP') { + + ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); + + ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel") + if defined($loglevel); + + ruleset_addrule($ruleset, $chain, "-j DROP"); + } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); + + ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel") + if defined($loglevel); + + ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); + } else { + # should not happen + die "internal error: unknown policy '$policy'"; + } +} + sub generate_tap_rules_direction { my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_; @@ -876,9 +914,11 @@ sub generate_tap_rules_direction { ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr) && - !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + if ($direction eq 'OUT') { + if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); + } + ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark } foreach my $rule (@$rules) { @@ -909,48 +949,19 @@ sub generate_tap_rules_direction { if ($direction eq 'OUT') { $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default + $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default } - if ($policy eq 'ACCEPT') { - if ($direction eq 'OUT') { - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); - } else { - ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); - } - } elsif ($policy eq 'DROP') { - - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); - - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $tapchain, "-j DROP"); - } elsif ($policy eq 'REJECT') { - ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); - - ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); - } else { - # should not happen - die "internal error: unknown policy '$policy'"; - } + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain my $physdevdirection = $direction eq 'IN' ? "out" : "in"; my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain"; ruleset_insertrule($ruleset, "$bridge-$direction", $rule); - - if ($direction eq 'OUT'){ - # add tap->host rules - my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain"; - ruleset_addrule($ruleset, "PVEFW-INPUT", $rule); - } } -sub enablehostfw { +sub enable_host_firewall { my ($ruleset, $hostfw_conf, $groups_conf) = @_; # fixme: allow security groups @@ -971,16 +982,17 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync + # we use RETURN because we need to check also tap rules + my $accept_action = 'RETURN'; + foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); } - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement input policy + my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); # host outbound firewall $chain = "PVEFW-HOST-OUT"; @@ -995,16 +1007,17 @@ sub enablehostfw { ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync + # we use RETURN because we may want to check other thigs later + $accept_action = 'RETURN'; + foreach my $rule (@$rules) { next if $rule->{type} ne 'out'; - # we use RETURN because we need to check also tap rules - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }); } - ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level $loglevel") - if defined($loglevel); - - ruleset_addrule($ruleset, $chain, "-j DROP"); + # implement output policy + $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); @@ -1439,7 +1452,7 @@ sub generate_std_chains { # same as shorewall smurflog. if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-smurflog'} = [ - "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", + "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel", "-j DROP", ]; } else { @@ -1450,7 +1463,7 @@ sub generate_std_chains { $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-logflags'} = [ - "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", + "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options", "-j DROP", ]; } else { @@ -1509,7 +1522,9 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); my $hostfw_options = {}; my $hostfw_conf; @@ -1525,7 +1540,7 @@ sub compile { my $hostfw_enable = $hostfw_conf && !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); - enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; + enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { @@ -1545,7 +1560,7 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; - generate_bridge_chains($ruleset, $bridge); + generate_bridge_chains($ruleset, $hostfw_conf, $bridge); my $macaddr = $net->{macaddr}; generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); @@ -1553,11 +1568,6 @@ sub compile { } } - if ($hostfw_enable) { - # allow traffic from lo (ourself) - ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT"); - } - return $ruleset; }