X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=d5d4950b6aaa4be45c796d37c084dc599452976c;hp=1438125b4c31e298b37a9699502253d4698b6034;hb=b22130d3fd198a3d5ad9113f87c4ae3cf68c0303;hpb=e74a87f5ce727e5e3e87869d6bd5f578eaef6a29 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 1438125..d5d4950 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -52,8 +52,18 @@ PVE::JSONSchema::register_standard_option('ipset-name', { description => "IP set name.", type => 'string', pattern => '[A-Za-z][A-Za-z0-9\-\_]+', - minLength => 2, - maxLength => 20, + minLength => 2, + maxLength => 20, +}); + +my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+'; + +PVE::JSONSchema::register_standard_option('pve-security-group-name', { + description => "Security Group name.", + type => 'string', + pattern => $security_group_pattern, + minLength => 2, + maxLength => 20, }); my $feature_ipset_nomatch = 0; @@ -774,6 +784,52 @@ sub pve_fw_verify_protocol_spec { # helper function for API +sub copy_opject_with_digest { + my ($object) = @_; + + my $sha = Digest::SHA->new('sha1'); + + my $res = {}; + foreach my $k (sort keys %$object) { + my $v = $object->{$k}; + next if !defined($v); + $res->{$k} = $v; + $sha->add($k, ':', $v, "\n"); + } + + my $digest = $sha->b64digest; + + $res->{digest} = $digest; + + return wantarray ? ($res, $digest) : $res; +} + +sub copy_list_with_digest { + my ($list) = @_; + + my $sha = Digest::SHA->new('sha1'); + + my $res = []; + foreach my $entry (@$list) { + my $data = {}; + foreach my $k (sort keys %$entry) { + my $v = $entry->{$k}; + next if !defined($v); + $data->{$k} = $v; + $sha->add($k, ':', $v, "\n"); + } + push @$res, $data; + } + + my $digest = $sha->b64digest; + + foreach my $entry (@$res) { + $entry->{digest} = $digest; + } + + return wantarray ? ($res, $digest) : $res; +} + my $rule_properties = { pos => { description => "Update rule at position .", @@ -781,21 +837,19 @@ my $rule_properties = { minimum => 0, optional => 1, }, - digest => { - type => 'string', - optional => 1, - maxLength => 27, - minLength => 27, - }, + digest => get_standard_option('pve-config-digest'), type => { type => 'string', optional => 1, enum => ['in', 'out', 'group'], }, action => { + description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.", type => 'string', optional => 1, - enum => ['ACCEPT', 'DROP', 'REJECT'], + pattern => $security_group_pattern, + maxLength => 20, + minLength => 2, }, macro => { type => 'string', @@ -833,23 +887,6 @@ my $rule_properties = { }, }; -sub cleanup_fw_rule { - my ($rule, $digest, $pos) = @_; - - my $r = {}; - - foreach my $k (keys %$rule) { - next if !$rule_properties->{$k}; - my $v = $rule->{$k}; - next if !defined($v); - $r->{$k} = $v; - $r->{digest} = $digest; - $r->{pos} = $pos; - } - - return $r; -} - sub add_rule_properties { my ($properties) = @_; @@ -942,7 +979,7 @@ sub verify_rule { raise_param_exc({ type => "security groups not allowed"}) if !$allow_groups; raise_param_exc({ action => "invalid characters in security group name"}) - if $rule->{action} !~ m/^[A-Za-z0-9_\-]+$/; + if $rule->{action} !~ m/^${security_group_pattern}$/; } else { raise_param_exc({ type => "unknown rule type '$type'"}); } @@ -1466,7 +1503,7 @@ sub generate_nfqueue { $action .= " --queue-num $1"; } } - $action .= " --queue-bypass"; + $action .= " --queue-bypass" if $feature_ipset_nomatch; #need kernel 3.10 }else{ $action = "ACCEPT"; } @@ -1595,6 +1632,7 @@ sub enable_host_firewall { # fixme: allow security groups my $options = $hostfw_conf->{options}; + my $cluster_options = $cluster_conf->{options}; my $rules = $hostfw_conf->{rules}; # host inbound firewall @@ -1627,7 +1665,7 @@ sub enable_host_firewall { } # implement input policy - my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default + my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); # host outbound firewall @@ -1652,7 +1690,7 @@ sub enable_host_firewall { } # implement output policy - $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default + $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); @@ -1740,7 +1778,7 @@ sub parse_fw_rule { die "wrong number of rule elements\n" if scalar(@data) != 3; die "groups disabled\n" if !$allow_groups; - die "invalid characters in group name\n" if $action !~ m/^[A-Za-z0-9_\-]+$/; + die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/; } else { die "unknown rule type '$type'\n"; } @@ -1813,16 +1851,13 @@ sub parse_hostfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { - $opt = lc($1); - $value = uc($3); - } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) { + } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) { $opt = lc($1); $value = int($2); } else { @@ -1841,6 +1876,9 @@ sub parse_clusterfw_option { if ($line =~ m/^(enable):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + $opt = lc($1); + $value = uc($3); } else { chomp $line; die "can't parse option '$line'\n" @@ -1856,11 +1894,7 @@ sub parse_vm_fw_rules { my $section; - my $digest = Digest::SHA->new('sha1'); - while (defined(my $line = <$fh>)) { - $digest->add($line); - next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1898,8 +1932,6 @@ sub parse_vm_fw_rules { push @{$res->{$section}}, $rule; } - $res->{digest} = $digest->b64digest; - return $res; } @@ -1910,11 +1942,7 @@ sub parse_host_fw_rules { my $section; - my $digest = Digest::SHA->new('sha1'); - while (defined(my $line = <$fh>)) { - $digest->add($line); - next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1952,8 +1980,6 @@ sub parse_host_fw_rules { push @{$res->{$section}}, $rule; } -$res->{digest} = $digest->b64digest; - return $res; } @@ -1963,13 +1989,16 @@ sub parse_cluster_fw_rules { my $section; my $group; - my $res = { rules => [], options => {}, groups => {}, ipset => {} }; - - my $digest = Digest::SHA->new('sha1'); + my $res = { + rules => [], + options => {}, + groups => {}, + group_comments => {}, + ipset => {} , + ipset_comments => {}, + }; while (defined(my $line = <$fh>)) { - $digest->add($line); - next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1981,10 +2010,13 @@ sub parse_cluster_fw_rules { next; } - if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) { + if ($line =~ m/^\[group\s+(\S+)\]\s*(?:#\s*(.*?)\s*)?$/i) { $section = 'groups'; $group = lc($1); + my $comment = $2; $res->{$section}->{$group} = []; + $res->{group_comments}->{$group} = decode('utf8', $comment) + if $comment; next; } @@ -1993,10 +2025,13 @@ sub parse_cluster_fw_rules { next; } - if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) { + if ($line =~ m/^\[ipset\s+(\S+)\]\s*(?:#\s*(.*?)\s*)?$/i) { $section = 'ipset'; $group = lc($1); + my $comment = $2; $res->{$section}->{$group} = []; + $res->{ipset_comments}->{$group} = decode('utf8', $comment) + if $comment; next; } @@ -2051,7 +2086,6 @@ sub parse_cluster_fw_rules { } } - $res->{digest} = $digest->b64digest; return $res; } @@ -2122,7 +2156,7 @@ my $format_rules = sub { my $raw = ''; foreach my $rule (@$rules) { - if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + if ($rule->{type} eq 'in' || $rule->{type} eq 'out' || $rule->{type} eq 'group') { $raw .= '|' if defined($rule->{enable}) && !$rule->{enable}; $raw .= uc($rule->{type}); if ($rule->{macro}) { @@ -2131,16 +2165,20 @@ my $format_rules = sub { $raw .= " " . $rule->{action}; } $raw .= " " . ($rule->{iface} || '-') if $need_iface; - $raw .= " " . ($rule->{source} || '-'); - $raw .= " " . ($rule->{dest} || '-'); - $raw .= " " . ($rule->{proto} || '-'); - $raw .= " " . ($rule->{dport} || '-'); - $raw .= " " . ($rule->{sport} || '-'); + + if ($rule->{type} ne 'group') { + $raw .= " " . ($rule->{source} || '-'); + $raw .= " " . ($rule->{dest} || '-'); + $raw .= " " . ($rule->{proto} || '-'); + $raw .= " " . ($rule->{dport} || '-'); + $raw .= " " . ($rule->{sport} || '-'); + } + $raw .= " # " . encode('utf8', $rule->{comment}) if $rule->{comment} && $rule->{comment} !~ m/^\s*$/; $raw .= "\n"; } else { - die "implement me '$rule->{type}'"; + die "unknown rule type '$rule->{type}'"; } } @@ -2383,7 +2421,12 @@ sub save_clusterfw_conf { $raw .= &$format_options($options) if scalar(keys %$options); foreach my $ipset (sort keys %{$cluster_conf->{ipset}}) { - $raw .= "[IPSET $ipset]\n\n"; + if (my $comment = $cluster_conf->{ipset_comments}->{$ipset}) { + my $utf8comment = encode('utf8', $comment); + $raw .= "[IPSET $ipset] # $utf8comment\n\n"; + } else { + $raw .= "[IPSET $ipset]\n\n"; + } my $options = $cluster_conf->{ipset}->{$ipset}; $raw .= &$format_ipset($options); $raw .= "\n"; @@ -2398,7 +2441,13 @@ sub save_clusterfw_conf { foreach my $group (sort keys %{$cluster_conf->{groups}}) { my $rules = $cluster_conf->{groups}->{$group}; - $raw .= "[group $group]\n\n"; + if (my $comment = $cluster_conf->{group_comments}->{$group}) { + my $utf8comment = encode('utf8', $comment); + $raw .= "[group $group] # $utf8comment\n\n"; + } else { + $raw .= "[group $group]\n\n"; + } + $raw .= &$format_rules($rules, 0); $raw .= "\n"; } @@ -2434,12 +2483,16 @@ sub save_hostfw_conf { } sub compile { + my ($cluster_conf, $hostfw_conf) = @_; + + $cluster_conf = load_clusterfw_conf() if !$cluster_conf; + $hostfw_conf = load_hostfw_conf() if !$hostfw_conf; + my $vmdata = read_local_vm_config(); my $vmfw_configs = read_vm_firewall_configs($vmdata); my $routing_table = read_proc_net_route(); - my $cluster_conf = load_clusterfw_conf(); my $ipset_ruleset = {}; generate_ipset_chains($ipset_ruleset, $cluster_conf); @@ -2451,7 +2504,6 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - my $hostfw_conf = load_hostfw_conf(); my $hostfw_options = $hostfw_conf->{options} || {}; generate_std_chains($ruleset, $hostfw_options); @@ -2547,7 +2599,7 @@ sub compile { ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP"); - return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset; + return ($ruleset, $ipset_ruleset); } sub get_ruleset_status { @@ -2716,6 +2768,8 @@ sub apply_ruleset { update_nf_conntrack_max($hostfw_conf); + update_nf_conntrack_tcp_timeout_established($hostfw_conf); + my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) = get_ipset_cmdlist($ipset_ruleset, undef, $verbose); @@ -2780,6 +2834,16 @@ sub update_nf_conntrack_max { } } +sub update_nf_conntrack_tcp_timeout_established { + my ($hostfw_conf) = @_; + + my $options = $hostfw_conf->{options} || {}; + + my $value = defined($options->{nf_conntrack_tcp_timeout_established}) ? $options->{nf_conntrack_tcp_timeout_established} : 432000; + + PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value); +} + sub remove_pvefw_chains { my ($chash, $hooks) = iptables_get_chains(); @@ -2807,9 +2871,25 @@ sub update { my ($start, $verbose) = @_; my $code = sub { + + my $cluster_conf = load_clusterfw_conf(); + my $cluster_options = $cluster_conf->{options}; + + my $enable = $cluster_options->{enable}; + my $status = read_pvefw_status(); - my ($ruleset, $hostfw_conf, $ipset_ruleset) = compile(); + die "Firewall is disabled - cannot start\n" if !$enable && $start; + + if (!$enable) { + PVE::Firewall::remove_pvefw_chains(); + print "Firewall disabled\n" if $verbose; + return; + } + + my $hostfw_conf = load_hostfw_conf(); + + my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf); if ($start || $status eq 'active') {