X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=d62fb113a329d809ccc39bb377a2d03f7bb11114;hp=0f2bc117dee14390f9d3c761805f68d67ba58dac;hb=b47ecc889a8db369a6324feebffabbe49d5516e6;hpb=782c4cde6b9e07130531b486f33d43234a2805ae diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 0f2bc11..d62fb11 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -8,17 +8,28 @@ use PVE::INotify; use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools; -use PVE::QemuServer; -use PVE::OpenVZ; # dependeny problem?! use File::Basename; use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file); +use Encode; + +# dynamically include PVE::QemuServer and PVE::OpenVZ +# to avoid dependency problems +my $have_qemu_server; +eval { + require PVE::QemuServer; + $have_qemu_server = 1; +}; -use Data::Dumper; +my $have_pve_manager; +eval { + require PVE::OpenVZ; + $have_pve_manager = 1; +}; -# fixme: remove loglevel settings? NFLOG does not have --loglevel +use Data::Dumper; my $nodename = PVE::INotify::nodename(); @@ -625,6 +636,25 @@ sub parse_port_name_number_or_range { return ($nbports); } +# helper function for API +sub cleanup_fw_rule { + my ($rule, $digest, $pos) = @_; + + my $r = {}; + + foreach my $k (keys %$rule) { + next if $k eq 'nbdport'; + next if $k eq 'nbsport'; + my $v = $rule->{$k}; + next if !defined($v); + $r->{$k} = $v; + $r->{digest} = $digest; + $r->{pos} = $pos; + } + + return $r; +} + my $bridge_firewall_enabled = 0; sub enable_bridge_firewall { @@ -735,7 +765,7 @@ sub iptables_rule_exist { sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto) = @_; - return if $rule->{disable}; + return if defined($rule->{enable}) && !$rule->{enable}; my @cmd = (); @@ -807,6 +837,7 @@ sub ruleset_generate_rule { ruleset_addrule($ruleset, $chain, $cmdstr); } } + sub ruleset_generate_rule_insert { my ($ruleset, $chain, $rule, $actions, $goto) = @_; @@ -933,13 +964,20 @@ sub ruleset_create_vm_chain { my ($ruleset, $chain, $options, $macaddr, $direction) = @_; ruleset_create_chain($ruleset, $chain); + my $accept = generate_nfqueue($options); if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); } if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { - ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK', + proto => 'udp', sport => 68, dport => 67 }); + } else { + ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT', + proto => 'udp', sport => 67, dport => 68 }); + } } if ($options->{tcpflags}) { @@ -947,44 +985,77 @@ sub ruleset_create_vm_chain { } ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + if($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK"); + }else{ + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + } if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); } ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark } + + } sub ruleset_generate_vm_rules { - my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction) = @_; + my ($ruleset, $rules, $groups_conf, $chain, $netid, $direction, $options) = @_; my $lc_direction = lc($direction); foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; - next if $rule->{disable}; + next if !$rule->{enable}; if ($rule->{type} eq 'group') { my $group_chain = "GROUP-$rule->{action}-$direction"; if(!ruleset_chain_exist($ruleset, $group_chain)){ generate_group_rules($ruleset, $groups_conf, $rule->{action}); } ruleset_addrule($ruleset, $chain, "-j $group_chain"); - ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN") - if $direction eq 'OUT'; + if ($direction eq 'OUT'){ + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j RETURN"); + }else{ + my $accept = generate_nfqueue($options); + ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $accept"); + } + } else { next if $rule->{type} ne $lc_direction; if ($direction eq 'OUT') { ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } else { - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + my $accept = generate_nfqueue($options); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }); } } } } +sub generate_nfqueue { + my ($options) = @_; + + my $action = ""; + if($options->{ips}){ + $action = "NFQUEUE"; + if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) { + if(defined($3) && defined($1)) { + $action .= " --queue-balance $1:$3"; + }elsif (defined($1)) { + $action .= " --queue-num $1"; + } + } + $action .= " --queue-bypass"; + }else{ + $action = "ACCEPT"; + } + + return $action; +} + sub generate_venet_rules_direction { my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_; @@ -1012,7 +1083,8 @@ sub generate_venet_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action); # plug into FORWARD, INPUT and OUTPUT chain @@ -1053,7 +1125,7 @@ sub generate_tap_rules_direction { ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction); - ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction); + ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction, $options); # implement policy my $policy; @@ -1064,7 +1136,8 @@ sub generate_tap_rules_direction { $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } - my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; + my $accept = generate_nfqueue($options); + my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept; ruleset_add_chain_policy($ruleset, $tapchain, $vmid, $policy, $loglevel, $accept_action); # plug the tap chain to bridge chain @@ -1091,6 +1164,14 @@ sub enable_host_firewall { my $loglevel = get_option_log_level($options, "log_level_in"); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); + } + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); @@ -1141,18 +1222,18 @@ sub enable_host_firewall { sub generate_group_rules { my ($ruleset, $groups_conf, $group) = @_; + die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group}; - die "no such security group '$group'\n" if !$groups_conf->{$group}; - - my $rules = $groups_conf->{$group}->{rules}; + my $rules = $groups_conf->{rules}->{$group}; my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); + ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; - ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); } $chain = "GROUP-${group}-OUT"; @@ -1184,10 +1265,12 @@ sub parse_fw_rule { my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport); # we can add single line comments to the end of the rule - my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; # we can disable a rule when prefixed with '|' - my $disable = 1 if $line =~ s/^\|//; + my $enable = 1; + + $enable = 0 if $line =~ s/^\|//; my @data = split(/\s+/, $line); my $expected_elements = $need_iface ? 8 : 7; @@ -1254,7 +1337,7 @@ sub parse_fw_rule { my $param = { type => $type, - disable => $disable, + enable => $enable, comment => $comment, action => $action, iface => $iface, @@ -1320,7 +1403,7 @@ sub parse_vmfw_option { my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; - if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags|ips):\s*(0|1)\s*$/i) { $opt = lc($1); $value = int($2); } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { @@ -1329,6 +1412,9 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); + } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) { + $opt = lc($1); + $value = $2; } else { chomp $line; die "can't parse option '$line'\n" @@ -1371,7 +1457,11 @@ sub parse_vm_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1409,6 +1499,8 @@ sub parse_vm_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1419,7 +1511,11 @@ sub parse_host_fw_rules { my $section; + my $digest = Digest::SHA->new('sha1'); + while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1457,6 +1553,8 @@ sub parse_host_fw_rules { push @{$res->{$section}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1466,9 +1564,13 @@ sub parse_group_fw_rules { my $section; my $group; - my $res = { rules => [] }; + my $res = { rules => {} }; + + my $digest = Digest::SHA->new('sha1'); while (defined(my $line = <$fh>)) { + $digest->add($line); + next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1492,9 +1594,11 @@ sub parse_group_fw_rules { next; } - push @{$res->{$group}->{$section}}, @$rules; + push @{$res->{$section}->{$group}}, @$rules; } + $res->{digest} = $digest->b64digest; + return $res; } @@ -1527,31 +1631,46 @@ sub read_local_vm_config { next if !$d->{node} || $d->{node} ne $nodename; next if !$d->{type}; if ($d->{type} eq 'openvz') { - my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $openvz->{$vmid} = $conf; + if ($have_pve_manager) { + my $cfspath = PVE::OpenVZ::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $openvz->{$vmid} = $conf; + } } } elsif ($d->{type} eq 'qemu') { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; + if ($have_qemu_server) { + my $cfspath = PVE::QemuServer::cfs_config_path($vmid); + if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { + $qemu->{$vmid} = $conf; + } } } } - + return $vmdata; }; +sub load_vmfw_conf { + my ($vmid) = @_; + + my $vmfw_conf = {}; + + my $filename = "/etc/pve/firewall/$vmid.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $vmfw_conf = parse_vm_fw_rules($filename, $fh); + } + + return $vmfw_conf; +} + sub read_vm_firewall_configs { my ($vmdata) = @_; my $vmfw_configs = {}; foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/firewall/$vmid.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - next if !$fh; - - $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh); + my $vmfw_conf = load_vmfw_conf($vmid); + next if !$vmfw_conf->{options}; # skip if file does not exists + $vmfw_configs->{$vmid} = $vmfw_conf; } return $vmfw_configs; @@ -1656,11 +1775,7 @@ sub read_proc_net_route { return $res; } -sub compile { - my $vmdata = read_local_vm_config(); - my $vmfw_configs = read_vm_firewall_configs($vmdata); - - my $routing_table = read_proc_net_route(); +sub load_security_groups { my $groups_conf = {}; my $filename = "/etc/pve/firewall/groups.fw"; @@ -1668,6 +1783,27 @@ sub compile { $groups_conf = parse_group_fw_rules($filename, $fh); } + return $groups_conf; +} + +sub load_hostfw_conf { + + my $hostfw_conf = {}; + my $filename = "/etc/pve/local/host.fw"; + if (my $fh = IO::File->new($filename, O_RDONLY)) { + $hostfw_conf = parse_host_fw_rules($filename, $fh); + } + return $hostfw_conf; +} + +sub compile { + my $vmdata = read_local_vm_config(); + my $vmfw_configs = read_vm_firewall_configs($vmdata); + + my $routing_table = read_proc_net_route(); + + my $groups_conf = load_security_groups(); + my $ruleset = {}; ruleset_create_chain($ruleset, "PVEFW-INPUT"); @@ -1675,14 +1811,8 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - my $hostfw_options = {}; - my $hostfw_conf = {}; - - $filename = "/etc/pve/local/host.fw"; - if (my $fh = IO::File->new($filename, O_RDONLY)) { - $hostfw_conf = parse_host_fw_rules($filename, $fh); - $hostfw_options = $hostfw_conf->{options}; - } + my $hostfw_conf = load_hostfw_conf(); + my $hostfw_options = $hostfw_conf->{options} || {}; generate_std_chains($ruleset, $hostfw_options); @@ -1754,9 +1884,6 @@ sub compile { } } - # fixme: this is an optimization? if so, we should also drop INVALID packages? - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - # fixme: what log level should we use here? my $loglevel = get_option_log_level($hostfw_options, "log_level_out");