X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=a0374ff7eada0714cef0626570fac0e824142562;hp=e0e7a67da806e9fc88023874882bf3ec03f4bc00;hb=954f24b10939dd0812bc6741c083ba4f586f934a;hpb=12cc9946363b9667f6bb2625f88090e205b47de3 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index e0e7a67..a0374ff 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -4,9 +4,12 @@ use warnings; use strict; use Data::Dumper; use Digest::SHA; +use PVE::INotify; +use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools; use PVE::QemuServer; +use PVE::OpenVZ; # dependeny problem?! use File::Basename; use File::Path; use IO::File; @@ -15,6 +18,8 @@ use PVE::Tools qw(run_command lock_file); use Data::Dumper; +my $nodename = PVE::INotify::nodename(); + my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; my $pve_fw_status_filename = "/var/lib/pve-firewall/pvefw.status"; @@ -658,6 +663,9 @@ sub iptables_get_chains { return 1 if $name =~ m/^PVEFW-\S+$/; return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/; + + return 1 if $name =~ m/^veth\d+.\d+-(:?IN|OUT)$/; # fixme: dev name is configurable + return 1 if $name =~ m/^vmbr\d+-(:?FW|IN|OUT)$/; return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/; @@ -821,19 +829,24 @@ sub ruleset_insertrule { } sub generate_bridge_chains { - my ($ruleset, $bridge) = @_; + my ($ruleset, $hostfw_conf, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ - ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - } + my $options = $hostfw_conf->{options} || {}; + + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($options, "log_level_out"); if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { ruleset_create_chain($ruleset, "$bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing + # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j PVEFW-Drop"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { @@ -942,9 +955,9 @@ sub generate_tap_rules_direction { my $policy; if ($direction eq 'OUT') { - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; @@ -986,7 +999,7 @@ sub enable_host_firewall { } # implement input policy - my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); # host outbound firewall @@ -1011,7 +1024,7 @@ sub enable_host_firewall { } # implement output policy - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); @@ -1207,7 +1220,7 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); } else { @@ -1231,9 +1244,12 @@ sub parse_hostfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) { + $opt = lc($1); + $value = int($2); } else { chomp $line; die "can't parse option '$line'\n" @@ -1391,35 +1407,48 @@ sub run_locked { sub read_local_vm_config { my $openvz = {}; - my $qemu = {}; - my $list = PVE::QemuServer::config_list(); + my $vmdata = { openvz => $openvz, qemu => $qemu }; - foreach my $vmid (keys %$list) { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; + my $vmlist = PVE::Cluster::get_vmlist(); + return $vmdata if !$vmlist || !$vmlist->{ids}; + my $ids = $vmlist->{ids}; + + foreach my $vmid (keys %$ids) { + next if !$vmid; # skip VE0 + my $d = $ids->{$vmid}; + next if !$d->{node} || $d->{node} ne $nodename; + next if !$d->{type}; + if ($d->{type} eq 'openvz') { + my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $openvz->{$vmid} = $conf; + } + } elsif ($d->{type} eq 'qemu') { + my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $qemu->{$vmid} = $conf; + } } } - - my $vmdata = { openvz => $openvz, qemu => $qemu }; - + return $vmdata; }; -sub read_vm_firewall_rules { +sub read_vm_firewall_configs { my ($vmdata) = @_; - my $rules = {}; + my $vmfw_configs = {}; + foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { my $filename = "/etc/pve/firewall/$vmid.fw"; my $fh = IO::File->new($filename, O_RDONLY); next if !$fh; - $rules->{$vmid} = parse_vm_fw_rules($filename, $fh); + $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh); } - return $rules; + return $vmfw_configs; } sub get_option_log_level { @@ -1447,7 +1476,7 @@ sub generate_std_chains { # same as shorewall smurflog. if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-smurflog'} = [ - "-j LOG --log-prefix \"smurfs-dropped\" --log-level $loglevel", + "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel", "-j DROP", ]; } else { @@ -1458,7 +1487,7 @@ sub generate_std_chains { $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); if (defined($loglevel)) { $pve_std_chains-> {'PVEFW-logflags'} = [ - "-j LOG --log-prefix \"logflags-dropped:\" --log-level $loglevel --log-ip-options", + "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options", "-j DROP", ]; } else { @@ -1503,7 +1532,7 @@ sub read_pvefw_status { sub compile { my $vmdata = read_local_vm_config(); - my $rules = read_vm_firewall_rules($vmdata); + my $vmfw_configs = read_vm_firewall_configs($vmdata); my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; @@ -1511,16 +1540,16 @@ sub compile { $groups_conf = parse_group_fw_rules($filename, $fh); } - #print Dumper($rules); - my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT"); ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); + ruleset_create_chain($ruleset, "PVEFW-FORWARD"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); my $hostfw_options = {}; - my $hostfw_conf; + my $hostfw_conf = {}; $filename = "/etc/pve/local/host.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { @@ -1530,15 +1559,14 @@ sub compile { generate_std_chains($ruleset, $hostfw_options); - my $hostfw_enable = $hostfw_conf && - !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); + my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable; # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; - my $vmfw_conf = $rules->{$vmid}; + my $vmfw_conf = $vmfw_configs->{$vmid}; next if !$vmfw_conf; next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); @@ -1553,7 +1581,7 @@ sub compile { $bridge .= "v$net->{tag}" if $net->{tag}; - generate_bridge_chains($ruleset, $bridge); + generate_bridge_chains($ruleset, $hostfw_conf, $bridge); my $macaddr = $net->{macaddr}; generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); @@ -1561,7 +1589,38 @@ sub compile { } } - return $ruleset; + # generate firewall rules for OpenVZ containers + foreach my $vmid (keys %{$vmdata->{openvz}}) { + my $conf = $vmdata->{openvz}->{$vmid}; + + my $vmfw_conf = $vmfw_configs->{$vmid}; + next if !$vmfw_conf; + next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0); + + if ($conf->{ip_address} && $conf->{ip_address}->{value}) { + my $ip = $conf->{ip_address}->{value}; + die "implement me"; + } + + if ($conf->{netif} && $conf->{netif}->{value}) { + my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value}); + print Dumper($netif); + foreach my $netid (keys %$netif) { + my $d = $netif->{$netid}; + my $bridge = $d->{bridge}; + if (!$bridge) { + warn "no bridge device for CT $vmid iface '$netid'\n"; + next; # fixme? + } + my $macaddr = $d->{host_mac}; + my $iface = $d->{host_ifname}; + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN'); + generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT'); + } + } + } + + return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; } sub get_ruleset_status { @@ -1712,13 +1771,39 @@ sub apply_ruleset { die "unable to apply firewall changes\n" if $errors; } +sub update_nf_conntrack_max { + my ($hostfw_conf) = @_; + + my $max = 65536; # reasonable default + + my $options = $hostfw_conf->{options} || {}; + + if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) { + $max = $options->{nf_conntrack_max}; + $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192 + } + + my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max"; + my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize"; + + my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max); + + if ($current != $max) { + my $hashsize = int($max/4); + PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize); + PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max); + } +} + sub update { my ($start, $verbose) = @_; my $code = sub { my $status = read_pvefw_status(); - my $ruleset = PVE::Firewall::compile(); + my ($ruleset, $hostfw_conf) = PVE::Firewall::compile(); + + update_nf_conntrack_max($hostfw_conf); if ($start || $status eq 'active') {