--- /dev/null
+/*.build
+/*.buildinfo
+/*.changes
+/*.deb
+/*.dsc
+/*.tar*
+/pve-firewall-*/
PACKAGE=pve-firewall
-BUILDDIR ?= ${PACKAGE}-${DEB_VERSION_UPSTREAM}
+BUILDDIR ?= $(PACKAGE)-$(DEB_VERSION)
GITVERSION:=$(shell git rev-parse HEAD)
-DEB=${PACKAGE}_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
-DSC=${PACKAGE}_${DEB_VERSION_UPSTREAM_REVISION}.dsc
-DEB2=${PACKAGE}-dbgsym_${DEB_VERSION_UPSTREAM_REVISION}_${DEB_BUILD_ARCH}.deb
+DEB=$(PACKAGE)_$(DEB_VERSION)_$(DEB_HOST_ARCH).deb
+DSC=$(PACKAGE)_$(DEB_VERSION).dsc
+DEB2=$(PACKAGE)-dbgsym_$(DEB_VERSION)_$(DEB_HOST_ARCH).deb
DEBS=$(DEB) $(DEB2)
all: $(DEBS)
.PHONY: dinstall
-dinstall: deb
- dpkg -i $(DEBS)
+dinstall: $(DEB)
+ dpkg -i $<
-${BUILDDIR}:
- rm -rf ${BUILDDIR}
- rsync -a src/ debian ${BUILDDIR}
- echo "git clone git://git.proxmox.com/git/pve-firewall.git\\ngit checkout ${GITVERSION}" > ${BUILDDIR}/debian/SOURCE
+$(BUILDDIR):
+ rm -rf $(BUILDDIR)
+ rsync -a src/ debian $(BUILDDIR)
+ echo "git clone git://git.proxmox.com/git/pve-firewall.git\\ngit checkout $(GITVERSION)" > $(BUILDDIR)/debian/SOURCE
.PHONY: deb
deb: $(DEBS)
$(DEB2): $(DEB)
-$(DEB): ${BUILDDIR} check
- cd ${BUILDDIR}; dpkg-buildpackage -b -us -uc
- lintian ${DEBS}
+$(DEB): $(BUILDDIR)
+ cd $(BUILDDIR); dpkg-buildpackage -b -us -uc
+ lintian $(DEBS)
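Review bot: `$(DEB)` no longer lists `check` as a prerequisite (the old rule was `$(DEB): $(BUILDDIR) check`), so `make deb` now builds and lintian-checks the package without ever running `make -C test check`; if test gating is meant to happen elsewhere (sbuild, CI), a one-line comment above the rule should say so, otherwise restore `$(DEB): $(BUILDDIR) check`. The recipe line `cd $(BUILDDIR); dpkg-buildpackage -b -us -uc` also chains with `;`, so if the `cd` fails dpkg-buildpackage runs in the top-level directory; write `cd $(BUILDDIR) && dpkg-buildpackage -b -us -uc`.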
.PHONY: dsc
-dsc: ${DSC}
-${DSC}: ${BUILDDIR}
- cd ${BUILDDIR}; dpkg-buildpackage -S -us -uc -d
- lintian ${DSC}
+dsc:
+ rm -rf $(DSC) $(BUILDDIR)
+ $(MAKE) $(DSC)
+ lintian $(DSC)
+
+$(DSC): $(BUILDDIR)
+ cd $(BUILDDIR); dpkg-buildpackage -S -us -uc -d
+
+sbuild: $(DSC)
+ sbuild $(DSC)
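Review bot: The new `sbuild` target is a command, not a file, but unlike `dsc` it is not declared phony, so a stray file named `sbuild` in the checkout would make `make sbuild` a silent no-op. Add `.PHONY: sbuild` above it, matching the `.PHONY: dsc` line at the top of this hunk.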
-.PHONY: check
check:
make -C test check
clean:
make -C src clean
make -C test clean
- rm -rf *~ debian/*~ example/*~ *.deb *.changes *.buildinfo ${BUILDDIR} ${PACKAGE}*.tar.gz *.dsc
+ rm -rf *.deb *.dsc *.changes *.build *.buildinfo $(PACKAGE)-[0-9]*/ $(PACKAGE)*.tar*
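Review bot: The `.PHONY: check` declaration is removed at the top of this hunk while the `check:` target itself stays, so a file named `check` in the source root would make `make check` report "up to date" without running the tests; unless the declaration was moved to a `.PHONY` line outside this view, keep it. The recursive invocations `make -C test check` / `make -C src clean` / `make -C test clean` should also use `$(MAKE)` so that `-j`, `-n` and the jobserver propagate.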
.PHONY: upload
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
upload: $(DEBS)
- tar cf - $(DEBS) | ssh repoman@repo.proxmox.com -- upload --product pve --dist bullseye --arch ${DEB_BUILD_ARCH}
+ tar cf - $(DEBS) | ssh repoman@repo.proxmox.com -- upload --product pve --dist $(UPLOAD_DIST) --arch $(DEB_HOST_ARCH)
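Review bot: `UPLOAD_DIST` now defaults to `$(DEB_DISTRIBUTION)`, which presumably comes from the changelog via an include outside this view; when the top changelog entry is `UNRELEASED` (as the old entry in this very diff was) the recipe would run `upload --dist UNRELEASED` against the repository host. Guard the recipe with a first line such as `$(if $(filter UNRELEASED,$(UPLOAD_DIST)),$(error refusing to upload: changelog distribution is UNRELEASED))` so the mistake fails locally instead of at the repo.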
-pve-firewall (4.3-1) UNRELEASED; urgency=medium
+pve-firewall (5.0.7) bookworm; urgency=medium
- * allow entering IP address whith the host bits (those inside the mask) not
+ * also signal force-disable nftables if FW is completely disabled
+
+ -- Proxmox Support Team <support@proxmox.com> Tue, 30 Apr 2024 10:30:16 +0200
+
+pve-firewall (5.0.6) bookworm; urgency=medium
+
+ * add flag to signal the new nftables-based proxmox-firewall that it's
+ disabled without the need to parse the config
+
+ -- Proxmox Support Team <support@proxmox.com> Fri, 26 Apr 2024 17:19:50 +0200
+
+pve-firewall (5.0.5) bookworm; urgency=medium
+
+ * simulator: adapt to more flexible bridge naming scheme
+
+ -- Proxmox Support Team <support@proxmox.com> Tue, 23 Apr 2024 13:11:43 +0200
+
+pve-firewall (5.0.4) bookworm; urgency=medium
+
+ * fix #5335: stable sorting in cluster.fw
+
+ * add configuration option for new nftables firewall tech-preview
+
+ -- Proxmox Support Team <support@proxmox.com> Fri, 19 Apr 2024 20:04:09 +0200
+
+pve-firewall (5.0.3) bookworm; urgency=medium
+
+ * fix resolution of scoped aliases in ipsets
+
+ -- Proxmox Support Team <support@proxmox.com> Mon, 17 Jul 2023 10:39:28 +0200
+
+pve-firewall (5.0.2) bookworm; urgency=medium
+
+ * fix #4556: api: return scoped IPSets and aliases
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 21 Jun 2023 19:17:19 +0200
+
+pve-firewall (5.0.1) bookworm; urgency=medium
+
+ * fix #4556: support 'dc/' and 'guest/' prefix for aliases and ipsets
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 07 Jun 2023 16:06:10 +0200
+
+pve-firewall (5.0.0) bookworm; urgency=medium
+
+ * switch to native versioning scheme
+
+ * build for Proxmox VE 8 / Debian 12 Bookworm
+
+ -- Proxmox Support Team <support@proxmox.com> Mon, 22 May 2023 14:43:58 +0200
+
+pve-firewall (4.3-2) bullseye; urgency=medium
+
+ * fix variables declared in conditional statement
+
+ * fix #4730: add safeguards to prevent ICMP type misuse
+
+ -- Proxmox Support Team <support@proxmox.com> Tue, 16 May 2023 11:17:58 +0200
+
+pve-firewall (4.3-1) bullseye; urgency=medium
+
+ * allow entering IP address with the host bits (those inside the mask) not
being all zero non-zero, like 192.168.1.155/24 for example.
* api: firewall logger: add optional parameters `since` and `until` for
Section: admin
Priority: optional
Maintainer: Proxmox Support Team <support@proxmox.com>
-Build-Depends: debhelper (>= 12),
+Build-Depends: debhelper-compat (= 13),
+ libanyevent-perl,
libglib2.0-dev,
libnetfilter-conntrack-dev,
libnetfilter-log-dev,
libpve-common-perl (>= 7.3-2),
pve-cluster (>= 6.0-4),
pve-doc-generator (>= 5.3-3),
-Standards-Version: 4.5.1
+Standards-Version: 4.6.2
Package: pve-firewall
Architecture: any
libpve-access-control,
libpve-cluster-perl,
libpve-common-perl (>= 7.3-2),
- lsb-base,
pve-cluster (>= 6.1-6),
${misc:Depends},
${perl:Depends},
DESTDIR=
PREFIX= /usr
-BINDIR=${DESTDIR}/${PREFIX}/bin
-SBINDIR=${DESTDIR}/${PREFIX}/sbin
-MANDIR=${DESTDIR}/${PREFIX}/share/man
-DOCDIR=${DESTDIR}/${PREFIX}/share/doc/pve-firewall
-MAN1DIR=${MANDIR}/man1/
-MAN8DIR=${MANDIR}/man8/
-BASHCOMPLDIR=${DESTDIR}/${PREFIX}/share/bash-completion/completions
-ZSHCOMPLDIR=${DESTDIR}/${PREFIX}/share/zsh/vendor-completions
-
-export NOVIEW=1
-include /usr/share/pve-doc-generator/pve-doc-generator.mk
+BINDIR=$(DESTDIR)/$(PREFIX)/bin
+SBINDIR=$(DESTDIR)/$(PREFIX)/sbin
+MANDIR=$(DESTDIR)/$(PREFIX)/share/man
+DOCDIR=$(DESTDIR)/$(PREFIX)/share/doc/pve-firewall
+MAN1DIR=$(MANDIR)/man1/
+MAN8DIR=$(MANDIR)/man8/
+BASHCOMPLDIR=$(DESTDIR)/$(PREFIX)/share/bash-completion/completions
+ZSHCOMPLDIR=$(DESTDIR)/$(PREFIX)/share/zsh/vendor-completions
+
+-include /usr/share/pve-doc-generator/pve-doc-generator.mk
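Review bot: Switching to `-include` makes a missing pve-doc-generator silent: `make` then fails later with "No rule to make target 'pve-firewall.8'", which hides the real cause; presumably the intent is to let `make clean` work without the generator installed. Keep `-include` but add a parse-time hint, e.g. `ifeq ($(wildcard /usr/share/pve-doc-generator/pve-doc-generator.mk),)` / `$(warning pve-doc-generator not installed; man page targets unavailable)` / `endif`. The hunk also drops `export NOVIEW=1`; if the generator's makefile still honours `NOVIEW`, that changes what it does during the build and deserves a comment saying why.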
all: pve-firewall.8 pvefw-logger
.PHONY: install
install: pve-firewall pve-firewall.8 pve-firewall.bash-completion pve-firewall.zsh-completion pvefw-logger
make -C PVE install
- install -d -m 0755 ${SBINDIR}
- install -m 0755 pve-firewall ${SBINDIR}
- install -m 0755 pvefw-logger ${SBINDIR}
- install -d ${MAN8DIR}
- install -m 0644 pve-firewall.8 ${MAN8DIR}
- install -m 0644 -D pve-firewall.bash-completion ${BASHCOMPLDIR}/pve-firewall
- install -m 0644 -D pve-firewall.zsh-completion ${ZSHCOMPLDIR}/_pve-firewall
- install -d -m 0755 ${DESTDIR}/usr/lib/sysctl.d/
- install -m 0644 pve-firewall-sysctl.conf ${DESTDIR}/usr/lib/sysctl.d/pve-firewall.conf
+ install -d -m 0755 $(SBINDIR)
+ install -m 0755 pve-firewall $(SBINDIR)
+ install -m 0755 pvefw-logger $(SBINDIR)
+ install -d $(MAN8DIR)
+ install -m 0644 pve-firewall.8 $(MAN8DIR)
+ install -m 0644 -D pve-firewall.bash-completion $(BASHCOMPLDIR)/pve-firewall
+ install -m 0644 -D pve-firewall.zsh-completion $(ZSHCOMPLDIR)/_pve-firewall
+ install -d -m 0755 $(DESTDIR)/usr/lib/sysctl.d/
+ install -m 0644 pve-firewall-sysctl.conf $(DESTDIR)/usr/lib/sysctl.d/pve-firewall.conf
.PHONY: clean
clean:
make -C PVE clean
- make cleanup-docgen
- rm -rf pvefw-logger
- find . -name '*~' -exec rm {} ';'
+ rm -f *.xml.tmp *.1 *.5 *.8 *{synopsis,opts}.adoc docinfo.xml *~
+ rm -rf pvefw-logger
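Review bot: The new `clean` recipe relies on brace expansion in `*{synopsis,opts}.adoc`, but Make runs recipes with `/bin/sh`, which on Debian is dash and does no brace expansion; the pattern becomes a literal glob that matches nothing and `rm -f` silently ignores it, so the generated `*synopsis.adoc`/`*opts.adoc` files are left behind. Spell the globs out: `rm -f *.xml.tmp *.1 *.5 *.8 *synopsis.adoc *opts.adoc docinfo.xml *~`. The `make -C PVE clean` line above should be `$(MAKE) -C PVE clean`.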
.PHONY: distclean
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
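Review bot: The new `scope` return property is declared as a bare string with no description or value set, so API consumers cannot tell from the schema that it is always `dc` here and `dc` or `guest` in the guest-level variant. Make the contract explicit, e.g. `scope => { type => 'string', enum => ['dc', 'guest'], description => "Where the reference is defined: 'dc' for cluster-wide, 'guest' for the guest's own config." }`. The enclosing API definition begins outside this hunk.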
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
1;
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
- my $cidr = PVE::Firewall::clean_cidr($param->{cidr});
- if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
+ my $cidr = $param->{cidr};
+ if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
+ my $scope = $1 // "";
+ my $alias = $2;
# make sure alias exists (if $cidr is an alias)
- PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
+ PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
} else {
+ $cidr = PVE::Firewall::clean_cidr($cidr);
# normalize like config parser, otherwise duplicates might slip through
$cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
}
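Review bot: In the alias branch the value stored in `$cidr` is now the raw `$param->{cidr}`, so `clean_cidr` (which the old code applied to every input before matching) is no longer run for aliases, and since `resolve_alias` compares names with `lc`, `dc/Foo` and `dc/foo` both validate but remain distinct strings for whatever duplicate check follows outside this hunk. If that check compares strings, normalize here, e.g. `$cidr = $scope . lc($alias);` after the `resolve_alias` call, so the stored entry matches how the alias is looked up. The enclosing method starts before this hunk.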
DESTDIR=
PREFIX=/usr
-PERLDIR=${DESTDIR}/${PREFIX}/share/perl5
+PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
LIB_SOURCES= \
Aliases.pm \
.PHONY: install
install:
- install -d -m 0755 ${PERLDIR}/PVE/API2/Firewall
- for i in ${LIB_SOURCES}; do install -D -m 0644 $$i ${PERLDIR}/PVE/API2/Firewall/$$i; done
+ install -d -m 0755 $(PERLDIR)/PVE/API2/Firewall
+ for i in $(LIB_SOURCES); do install -D -m 0644 $$i $(PERLDIR)/PVE/API2/Firewall/$$i; done
.PHONY: clean
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return $res;
+ return [@$dc_refs, @$vm_refs];
}});
}
DESTDIR=
PREFIX=/usr
-PERLDIR=${DESTDIR}/${PREFIX}/share/perl5
+PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
all:
.PHONY: install
install:
- install -d -m 0755 ${PERLDIR}/PVE/API2
+ install -d -m 0755 $(PERLDIR)/PVE/API2
make -C Firewall install
.PHONY: clean
sub pve_verify_ip_or_cidr_or_alias {
my ($cidr, $noerr) = @_;
- return if $cidr =~ m/^(?:$ip_alias_pattern)$/;
+ return if $cidr =~ m@^(dc/|guest/)?(?:$ip_alias_pattern)$@;
return pve_verify_ip_or_cidr($cidr, $noerr);
}
}
};
+my $proto_is_icmp = sub {
+ my $proto = shift;
+ return $proto eq 'icmp' || $proto eq 'icmpv6' || $proto eq 'ipv6-icmp';
+};
+
sub init_firewall_macros {
$pve_fw_parsed_macros = {};
return;
}
- if ($str =~ m/^${ip_alias_pattern}$/) {
+ if ($str =~ m@^(dc/|guest/)?${ip_alias_pattern}$@) {
die "alias name too long\n" if length($str) > $max_alias_name_length;
return;
}
return $ipversion;
}
+# $dport must only be set to 1 if the parsed parameter is dport and the
+# protocol is one of the ICMP variants - ICMP type values used to be stored in
+# the dport parameter.
sub parse_port_name_number_or_range {
my ($str, $dport) = @_;
default => 0,
optional => 1
},
+ nftables => {
+ description => "Enable nftables based firewall (tech preview)",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
};
our $vm_option_properties = {
optional => 1,
},
'icmp-type' => {
- description => "Specify icmp-type. Only valid if proto equals 'icmp'.",
+ description => "Specify icmp-type. Only valid if proto equals 'icmp' or 'icmpv6'/'ipv6-icmp'.",
type => 'string', format => 'pve-fw-icmp-type-spec',
optional => 1,
},
if (my $value = $rule->{$name}) {
if ($value =~ m/^\+/) {
- if ($value =~ m/^\+(${ipset_name_pattern})$/) {
- &$add_error($name, "no such ipset '$1'")
- if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+ if ($value =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
+ &$add_error($name, "no such ipset '$2'")
+ if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2}));
} else {
&$add_error($name, "invalid ipset name '$value'");
}
- } elsif ($value =~ m/^${ip_alias_pattern}$/){
- my $alias = lc($value);
+ } elsif ($value =~ m@^(guest/|dc/)?(${ip_alias_pattern})$@){
+ my $scope = $1 // "";
+ my $alias = lc($2);
&$add_error($name, "no such alias '$value'")
if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}));
- my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
- $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+
+ my $e;
+ if ($scope ne 'dc/' && $fw_conf) {
+ $e = $fw_conf->{aliases}->{$alias};
+ }
+ if ($scope ne 'guest/' && !$e && $cluster_conf) {
+ $e = $cluster_conf->{aliases}->{$alias};
+ }
&$set_ip_version($e->{ipversion});
}
}
}
+ my $is_icmp = 0;
if ($rule->{proto}) {
eval { pve_fw_verify_protocol_spec($rule->{proto}); };
&$add_error('proto', $@) if $@;
&$set_ip_version(4) if $rule->{proto} eq 'icmp';
&$set_ip_version(6) if $rule->{proto} eq 'icmpv6';
&$set_ip_version(6) if $rule->{proto} eq 'ipv6-icmp';
+ $is_icmp = $proto_is_icmp->($rule->{proto});
}
if ($rule->{dport}) {
- eval { parse_port_name_number_or_range($rule->{dport}, 1); };
+ eval { parse_port_name_number_or_range($rule->{dport}, $is_icmp); };
&$add_error('dport', $@) if $@;
my $proto = $rule->{proto};
&$add_error('proto', "missing property - 'dport' requires this property")
if !$proto;
&$add_error('dport', "protocol '$proto' does not support ports")
- if !$PROTOCOLS_WITH_PORTS->{$proto} &&
- $proto ne 'icmp' && $proto ne 'icmpv6'; # special cases
+ if !$PROTOCOLS_WITH_PORTS->{$proto} && !$is_icmp; #special cases
}
if (my $icmp_type = $rule ->{'icmp-type'}) {
my $proto = $rule->{proto};
&$add_error('proto', "missing property - 'icmp-type' requires this property")
- if $proto ne 'icmp' && $proto ne 'icmpv6' && $proto ne 'ipv6-icmp';
+ if !$is_icmp;
&$add_error('icmp-type', "'icmp-type' cannot be specified together with 'dport'")
if $rule->{dport};
if ($proto eq 'icmp' && !$icmp_type_names->{$icmp_type}) {
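Review bot: In the ipset branch at the top of the hunk the regex now captures `(guest/|dc/)?` but the existence check still tests both configs regardless of `$1`, so `+dc/foo` validates when `foo` exists only in the guest config (and `+guest/foo` when it exists only cluster-wide), while the compile-time lookup later in this diff dies with "no such ipset" for that same rule. Mirror the alias branch below it: `my $ipset_scope = $1 // "";` and then `if !(($ipset_scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$2}) || ($ipset_scope ne 'guest/' && $cluster_conf->{ipset}->{$2}));`. The enclosing verification routine starts before and continues after this hunk.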
my $match;
if ($adr =~ m/^\+/) {
- if ($adr =~ m/^\+(${ipset_name_pattern})$/) {
- my $name = $1;
+ if ($adr =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
+ my $scope = $1 // "";
+ my $name = $2;
my $ipset_chain;
- if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
- } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ } elsif ($scope ne 'guest/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
} else {
die "no such ipset '$name'\n";
} else {
die "invalid security group name '$adr'\n";
}
- } elsif ($adr =~ m/^${ip_alias_pattern}$/){
- my $alias = lc($adr);
- my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
- $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ } elsif ($adr =~ m@^(dc/|guest/)?(${ip_alias_pattern})$@){
+ my $scope = $1 // "";
+ my $alias = lc($2);
+ my $e;
+ if ($scope ne 'dc/' && $fw_conf) {
+ $e = $fw_conf->{aliases}->{$alias};
+ }
+ if ($scope ne 'guest/' && !$e && $cluster_conf) {
+ $e = $cluster_conf->{aliases}->{$alias};
+ }
die "no such alias '$adr'\n" if !$e;
$match = "-${dir} $e->{cidr}";
} elsif ($adr =~ m/\-/){
if (my $proto = $rule->{proto}) {
push @match, "-p $proto";
+ my $is_icmp = $proto_is_icmp->($proto);
- my $multidport = defined($rule->{dport}) && parse_port_name_number_or_range($rule->{dport}, 1);
+ my $multidport = defined($rule->{dport}) && parse_port_name_number_or_range($rule->{dport}, $is_icmp);
my $multisport = defined($rule->{sport}) && parse_port_name_number_or_range($rule->{sport}, 0);
my $add_dport = sub {
return if !defined($rule->{'icmp-type'}) || $rule->{'icmp-type'} eq '';
die "'icmp-type' can only be set if 'icmp', 'icmpv6' or 'ipv6-icmp' is specified\n"
- if ($proto ne 'icmp') && ($proto ne 'icmpv6') && ($proto ne 'ipv6-icmp');
+ if !$is_icmp;
my $type = $proto eq 'icmp' ? 'icmp-type' : 'icmpv6-type';
push @match, "-m $proto --$type $rule->{'icmp-type'}";
$targetstr = $rule->{target};
} else {
my $action = (defined $rule->{action}) ? $rule->{action} : "";
- my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
- $targetstr = ($goto) ? "-g $action" : "-j $action";
+ $targetstr = $action eq 'PVEFW-SET-ACCEPT-MARK' ? "-g $action" : "-j $action";
}
my @iptcmds;
my $tapchain = "$iface-$direction";
my $ipfilter_name = compute_ipfilter_ipset_name($netid);
- my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
+ my $ipfilter_ipset;
+ $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
if ($options->{enable}) {
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack|nf_conntrack_allow_invalid|protection_synflood):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack|nf_conntrack_allow_invalid|protection_synflood|nftables):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
}
sub resolve_alias {
- my ($clusterfw_conf, $fw_conf, $cidr) = @_;
+ my ($clusterfw_conf, $fw_conf, $cidr, $scope) = @_;
+
+ # When we're on the cluster level, the cluster config only gets
+ # saved into fw_conf, so we need some extra handling here (to
+ # stay consistent)
+ my ($cluster_config, $local_config);
+ if (!$clusterfw_conf) {
+ ($cluster_config, $local_config) = ($fw_conf, undef);
+ } else {
+ ($cluster_config, $local_config) = ($clusterfw_conf, $fw_conf);
+ }
my $alias = lc($cidr);
- my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
- $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
+ my $e;
+ if ($scope ne 'dc/' && $local_config) {
+ $e = $local_config->{aliases}->{$alias};
+ }
+ if ($scope ne 'guest/' && !$e && $cluster_config) {
+ $e = $cluster_config->{aliases}->{$alias};
+ }
die "no such alias '$cidr'\n" if !$e;;
my ($line) = @_;
# we can add single line comments to the end of the line
- my $comment = decode('utf8', $1) if $line =~ s/\s*#\s*(.*?)\s*$//;
+ my $comment = $line =~ s/\s*#\s*(.*?)\s*$// ? decode('utf8', $1) : undef;
if ($line =~ m/^(\S+)\s(\S+)$/) {
my ($name, $cidr) = ($1, $2);
push @{$res->{$section}->{$group}}, $rule;
} elsif ($section eq 'ipset') {
# we can add single line comments to the end of the rule
- my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
+ my $comment = $line =~ s/#\s*(.*?)\s*$// ? decode('utf8', $1) : undef;
$line =~ m/^(\!)?\s*(\S+)\s*$/;
my $nomatch = $1;
}
eval {
- if ($cidr =~ m/^${ip_alias_pattern}$/) {
- resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
+ if ($cidr =~ m@^(dc/|guest/)?(${ip_alias_pattern}$)@) {
+ my $scope = $1 // "";
+ my $alias = $2;
+ resolve_alias($cluster_conf, $res, $alias, $scope); # make sure alias exists
} else {
$cidr = parse_ip_or_cidr($cidr);
}
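Review bot: The regex in this hunk places the `$` anchor inside the second capture group, `(${ip_alias_pattern}$)`, whereas every other scoped-alias match in this diff writes `(${ip_alias_pattern})$`; the behaviour is the same, but the inconsistency invites a copy-paste slip. Use the common form: `if ($cidr =~ m@^(dc/|guest/)?(${ip_alias_pattern})$@) {`.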
my $raw = '';
$raw .= "[ALIASES]\n\n";
- foreach my $k (keys %$aliases) {
+ foreach my $k (sort keys %$aliases) {
my $e = $aliases->{$k};
$raw .= "$e->{name} $e->{cidr}";
$raw .= " # " . encode('utf8', $e->{comment})
next if $entry->{errors}; # skip entries with errors
eval {
my ($cidr, $ver);
- if ($entry->{cidr} =~ m/^${ip_alias_pattern}$/) {
- ($cidr, $ver) = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
+ if ($entry->{cidr} =~ m@^(dc/|guest/)?(${ip_alias_pattern})$@) {
+ my $scope = $1 // "";
+ my $alias = $2;
+ ($cidr, $ver) = resolve_alias($clusterfw_conf, $fw_conf, $alias, $scope);
} else {
($cidr, $ver) = parse_ip_or_cidr($entry->{cidr});
}
ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
}
-sub init {
- my $cluster_conf = load_clusterfw_conf();
- my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
+sub is_nftables {
+ my ($cluster_conf, $host_conf) = @_;
- return if !$enable;
+ if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
+ return 0;
+ }
+
+ $cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
+ $host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
+
+ return $host_conf->{options}->{nftables};
+}
+
+my sub update_force_nftables_disable_flag {
+ my ($cluster_firewall_enabled, $is_nftables) = @_;
+
+ # This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
+ my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
+
+ if (!($cluster_firewall_enabled && $is_nftables)) {
+ if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
+ open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
+ or warn "failed to create flag file '$FORCE_NFT_DISABLE_FLAG_FILE' – $!\n";
+ }
+ } else {
+ unlink($FORCE_NFT_DISABLE_FLAG_FILE)
+ or $!{ENOENT} or warn "failed to unlink flag file '$FORCE_NFT_DISABLE_FLAG_FILE' - $!\n";
+ }
+}
+
+sub is_enabled_and_not_nftables {
+ my ($cluster_conf, $host_conf) = @_;
+
+ $cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
+ $host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
+
+ my $is_nftables = is_nftables($cluster_conf, $host_conf);
+
+ update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);
+
+ return $cluster_conf->{options}->{enable} && !$is_nftables;
+}
+
+sub init {
+ return if !is_enabled_and_not_nftables();
# load required modules here
}
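Review bot: `is_enabled_and_not_nftables` reads like a pure predicate but creates or removes `/run/proxmox-nftables-firewall-force-disable` on every call, so any caller that only wants the boolean also toggles state read by another daemon; add a comment above it such as `# side effect: keeps the proxmox-firewall force-disable flag file in sync with the current config`. `is_nftables` returns the raw option value, i.e. `undef` when unset, so `return $host_conf->{options}->{nftables} // 0;` would give callers a consistent result. The two `warn` messages use a Unicode en dash in one and a hyphen in the other; pick one.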
my $code = sub {
my $cluster_conf = load_clusterfw_conf();
- my $cluster_options = $cluster_conf->{options};
+ my $hostfw_conf = load_hostfw_conf($cluster_conf);
- if (!$cluster_options->{enable}) {
+ if (!is_enabled_and_not_nftables($cluster_conf, $hostfw_conf)) {
PVE::Firewall::remove_pvefw_chains();
return;
}
- my $hostfw_conf = load_hostfw_conf($cluster_conf);
-
my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);
apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
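Review bot: When `is_enabled_and_not_nftables` is false because nftables is selected, this loop tears down the legacy chains via `remove_pvefw_chains()` without confirming that anything has replaced them; `is_nftables` only tests that the proxmox-firewall binary is executable, not that its service is running, so a node with `nftables: 1` and the new daemon stopped is left with no firewall at all and nothing visible here logs that. At minimum log the transition, e.g. `warn "nftables firewall selected, removing legacy pve-firewall chains\n"` before the `remove_pvefw_chains()` call, and consider checking the daemon's service state before removing the chains. The enclosing update routine starts before this hunk.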
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+
+ my $res = [];
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => $scope,
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ push @$res, $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => $scope,
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ push @$res, $data;
+ }
+ }
+
+ return $res;
+}
+
1;
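Review bot: `collect_refs` dropped the `next if !$conf;` guard the old inline loops had, so a caller passing an undefined config (the guest-level API passes whatever `load_vmfw_conf` returns) silently autovivifies `$conf` instead of being handled explicitly; add `return [] if !$conf;` as the first statement. Both loops iterate `keys %{…}` unsorted, so the API's output order varies between calls; use `sort keys` in both `foreach` headers for a stable listing. There is also a doubled blank line after the signature.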
DESTDIR=
PREFIX=/usr
-PERLDIR=${DESTDIR}/${PREFIX}/share/perl5
+PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
SOURCES=Helpers.pm
.PHONY: install
-install: ${SOURCES}
- install -d -m 0755 ${PERLDIR}/PVE/Firewall
- for i in ${SOURCES}; do install -D -m 0644 $$i ${PERLDIR}/PVE/Firewall/$$i; done
+install: $(SOURCES)
+ install -d -m 0755 $(PERLDIR)/PVE/Firewall
+ for i in $(SOURCES); do install -D -m 0644 $$i $(PERLDIR)/PVE/Firewall/$$i; done
clean:
use File::Basename;
use Net::IP;
+use base 'Exporter';
+our @EXPORT_OK = qw(
+$bridge_name_pattern
+$bridge_interface_pattern
+);
+
# dynamically include PVE::QemuServer and PVE::LXC
# to avoid dependency problems
my $have_qemu_server;
my $NUMBER_RE = qr/0x[0-9a-fA-F]+|\d+/;
+our $bridge_name_pattern = '[a-zA-Z][a-zA-Z0-9]{0,9}';
+our $bridge_interface_pattern = "($bridge_name_pattern)/(\\S+)";
+
sub debug {
my $new_value = shift;
$debug = $new_value if defined($new_value);
$pkg->{physdev_in} = $target->{fwln} || die 'internal error';
$pkg->{physdev_out} = $target->{tapdev} || die 'internal error';
- } elsif ($route_state =~ m/^vmbr\d+$/) {
+ } elsif ($route_state =~ m/^$bridge_name_pattern$/) {
die "missing physdev_in - internal error?" if !$physdev_in;
$pkg->{physdev_in} = $physdev_in;
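Review bot: The `elsif` in this hunk now matches `$route_state` against `[a-zA-Z][a-zA-Z0-9]{0,9}`, which accepts any short alphanumeric word starting with a letter, including route-state names such as `host`, whereas the old `vmbr\d+` could not; whether an earlier branch of the chain claims those states first cannot be confirmed here because the if/elsif chain begins outside the hunk. If a state name can reach this branch, tighten the test or add a comment documenting why it is safe, e.g. `# only bridge names reach here; state keywords are handled by the branches above`.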
$from_info->{type} = 'host';
$start_state = 'host';
$pkg->{source} = $host_ip if !defined($pkg->{source});
- } elsif ($from =~ m|^(vmbr\d+)/(\S+)$|) {
- $from_info->{type} = 'bport';
- $from_info->{bridge} = $1;
- $from_info->{iface} = $2;
- $start_state = 'from-bport';
} elsif ($from eq 'outside') {
$from_info->{type} = 'bport';
$from_info->{bridge} = 'vmbr0';
$from_info = extract_vm_info($vmdata, $vmid, $netnum);
$start_state = 'fwbr-out';
$pkg->{mac_source} = $from_info->{macaddr};
+ } elsif ($from =~ m|^$bridge_interface_pattern$|) {
+ $from_info->{type} = 'bport';
+ $from_info->{bridge} = $1;
+ $from_info->{iface} = $2;
+ $start_state = 'from-bport';
} else {
die "unable to parse \"from => '$from'\"\n";
}
$target->{type} = 'host';
$target->{iface} = 'host';
$pkg->{dest} = $host_ip if !defined($pkg->{dest});
- } elsif ($to =~ m|^(vmbr\d+)/(\S+)$|) {
- $target->{type} = 'bport';
- $target->{bridge} = $1;
- $target->{iface} = $2;
} elsif ($to eq 'outside') {
$target->{type} = 'bport';
$target->{bridge} = 'vmbr0';
my $vmid = $1;
$target = extract_vm_info($vmdata, $vmid, 0);
$target->{iface} = $target->{tapdev};
+ } elsif ($to =~ m|^$bridge_interface_pattern$|) {
+ $target->{type} = 'bport';
+ $target->{bridge} = $1;
+ $target->{iface} = $2;
} else {
die "unable to parse \"to => '$to'\"\n";
}
DESTDIR=
PREFIX= /usr
-PERLDIR=${DESTDIR}/${PREFIX}/share/perl5
+PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
LIB_SOURCES= \
FirewallSimulator.pm \
.PHONY: install
install:
- install -d -m 0755 ${PERLDIR}/PVE
- for i in ${LIB_SOURCES}; do install -D -m 0644 $$i ${PERLDIR}/PVE/$$i; done
+ install -d -m 0755 $(PERLDIR)/PVE
+ for i in $(LIB_SOURCES); do install -D -m 0644 $$i $(PERLDIR)/PVE/$$i; done
make -C API2 install
make -C Service install
make -C Firewall install
DESTDIR=
PREFIX=/usr
-PERLDIR=${DESTDIR}/${PREFIX}/share/perl5
+PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
SOURCES=pve_firewall.pm
.PHONY: install
-install: ${SOURCES}
- install -d -m 0755 ${PERLDIR}/PVE/Service
- for i in ${SOURCES}; do install -D -m 0644 $$i ${PERLDIR}/PVE/Service/$$i; done
+install: $(SOURCES)
+ install -d -m 0755 $(PERLDIR)/PVE/Service
+ for i in $(SOURCES); do install -D -m 0644 $$i $(PERLDIR)/PVE/Service/$$i; done
clean:
use PVE::Firewall;
use PVE::FirewallSimulator;
+use PVE::FirewallSimulator qw($bridge_interface_pattern);
use base qw(PVE::Daemon);
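Review bot: The module is now loaded twice, once by the pre-existing `use PVE::FirewallSimulator;` and again by the added `use PVE::FirewallSimulator qw($bridge_interface_pattern);`; the second form alone both loads the module and imports the variable. Replace the pair with the single line `use PVE::FirewallSimulator qw($bridge_interface_pattern);`.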
from => {
description => "Source zone.",
type => 'string',
- pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
+ pattern => "(host|outside|vm\\d+|ct\\d+|$bridge_interface_pattern)",
optional => 1,
default => 'outside',
},
to => {
description => "Destination zone.",
type => 'string',
- pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
+ pattern => "(host|outside|vm\\d+|ct\\d+|$bridge_interface_pattern)",
optional => 1,
default => 'host',
},