pve-firewall.git
5 years ago: bypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips
Alexandre Derumier [Thu, 15 May 2014 11:46:11 +0000 (13:46 +0200)]
bypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips

we create an ipset PVEFW-venet0 for firewalled venet0 ips,
and only send these matching ips to PVEFW-VENET-IN|OUT

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: do not abort if security groups do not exist
Dietmar Maurer [Fri, 16 May 2014 04:24:07 +0000 (06:24 +0200)]
do not abort if security groups do not exist

Simply create an empty chain instead.

5 years ago: add ipset regression tests
Dietmar Maurer [Thu, 15 May 2014 10:53:48 +0000 (12:53 +0200)]
add ipset regression tests

5 years ago: fwtester: implement ipset testing
Dietmar Maurer [Thu, 15 May 2014 10:45:08 +0000 (12:45 +0200)]
fwtester: implement ipset testing

5 years ago: fix blacklist example
Dietmar Maurer [Thu, 15 May 2014 10:17:53 +0000 (12:17 +0200)]
fix blacklist example

5 years ago: add tests for unconfigured firewall (empty files)
Dietmar Maurer [Thu, 15 May 2014 09:49:37 +0000 (11:49 +0200)]
add tests for unconfigured firewall (empty files)

5 years ago: add group tests for container
Dietmar Maurer [Thu, 15 May 2014 09:15:29 +0000 (11:15 +0200)]
add group tests for container

5 years ago: fix security groups for VMs
Dietmar Maurer [Thu, 15 May 2014 09:01:35 +0000 (11:01 +0200)]
fix security groups for VMs

And add regression tests for those fixes.

5 years ago: add security group tests
Dietmar Maurer [Thu, 15 May 2014 08:27:35 +0000 (10:27 +0200)]
add security group tests

5 years ago: fwtester: add ability to run tests on several zones
Dietmar Maurer [Thu, 15 May 2014 08:22:20 +0000 (10:22 +0200)]
fwtester: add ability to run tests on several zones

5 years ago: correctly emit group rules for host
Dietmar Maurer [Thu, 15 May 2014 06:58:36 +0000 (08:58 +0200)]
correctly emit group rules for host

5 years ago: fwtester: improve rule_match
Dietmar Maurer [Thu, 15 May 2014 06:57:01 +0000 (08:57 +0200)]
fwtester: improve rule_match

Use Net::IP to test source/dest.

5 years ago: correctly use dest instead of source
Dietmar Maurer [Thu, 15 May 2014 05:18:20 +0000 (07:18 +0200)]
correctly use dest instead of source

5 years ago: allow GROUP rule without iface
Dietmar Maurer [Thu, 15 May 2014 05:15:58 +0000 (07:15 +0200)]
allow GROUP rule without iface

5 years ago: fwtester: set firewall=1 for test VM interfaces
Dietmar Maurer [Thu, 15 May 2014 04:52:23 +0000 (06:52 +0200)]
fwtester: set firewall=1 for test VM interfaces

5 years ago: only add tap rules for interface with firewall=1
Alexandre Derumier [Thu, 15 May 2014 04:45:06 +0000 (06:45 +0200)]
only add tap rules for interface with firewall=1

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: fwtester: simplify code with new bport zone
Dietmar Maurer [Thu, 15 May 2014 04:37:37 +0000 (06:37 +0200)]
fwtester: simplify code with new bport zone

5 years ago: improve error messages
Dietmar Maurer [Thu, 15 May 2014 04:05:20 +0000 (06:05 +0200)]
improve error messages

5 years ago: fwtester: add new zone 'nfwm' to simulate a non-firewalled VM
Dietmar Maurer [Wed, 14 May 2014 15:31:11 +0000 (17:31 +0200)]
fwtester: add new zone 'nfwm' to simulate a non-firewalled VM

5 years ago: fwtester: do not count ENTER/LEAVE
Dietmar Maurer [Wed, 14 May 2014 15:02:55 +0000 (17:02 +0200)]
fwtester: do not count ENTER/LEAVE

5 years ago: add README for fwtester.pl
Dietmar Maurer [Wed, 14 May 2014 13:32:55 +0000 (15:32 +0200)]
add README for fwtester.pl

5 years ago: fix interface in rules for host-in and host-out
Alexandre Derumier [Tue, 13 May 2014 10:32:08 +0000 (12:32 +0200)]
fix interface in rules for host-in and host-out

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: add tests for host interface match
Dietmar Maurer [Wed, 14 May 2014 12:48:21 +0000 (14:48 +0200)]
add tests for host interface match

5 years ago: fwtester: support dev regex with -i and -o
Dietmar Maurer [Wed, 14 May 2014 12:12:48 +0000 (14:12 +0200)]
fwtester: support dev regex with -i and -o

5 years ago: fwtester: fix emulation - correctly set phydev_in
Dietmar Maurer [Wed, 14 May 2014 11:55:59 +0000 (13:55 +0200)]
fwtester: fix emulation - correctly set phydev_in

5 years ago: fwtester: add counters for debugging
Dietmar Maurer [Wed, 14 May 2014 11:44:02 +0000 (13:44 +0200)]
fwtester: add counters for debugging

5 years ago: fwtester: do not set packet default values
Dietmar Maurer [Wed, 14 May 2014 11:20:53 +0000 (13:20 +0200)]
fwtester: do not set packet default values

5 years ago: move blacklist inside ruleset_chain_add_input_filters
Alexandre Derumier [Wed, 14 May 2014 06:42:16 +0000 (08:42 +0200)]
move blacklist inside ruleset_chain_add_input_filters

It makes sense to only add it for the IN direction, and like this, non-firewalled VMs (tap|veth for now, not matching fwln+) will never check the blacklist rule.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: remove optimize option
Alexandre Derumier [Wed, 14 May 2014 06:05:26 +0000 (08:05 +0200)]
remove optimize option

The new model is already optimized; no need for tricks now.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: fwtester: implement some useful command line options
Dietmar Maurer [Wed, 14 May 2014 10:14:32 +0000 (12:14 +0200)]
fwtester: implement some useful command line options

5 years ago: fwtester: implement new 'outside' zone
Dietmar Maurer [Wed, 14 May 2014 09:38:49 +0000 (11:38 +0200)]
fwtester: implement new 'outside' zone

To simulate traffic from/to the outside world (vmbr0/eth0).

5 years ago: fwtester: improve kernel simulation
Dietmar Maurer [Wed, 14 May 2014 08:58:50 +0000 (10:58 +0200)]
fwtester: improve kernel simulation

5 years ago: delete trailing whitespace cleanup
Dietmar Maurer [Wed, 14 May 2014 05:21:19 +0000 (07:21 +0200)]
delete trailing whitespace cleanup

5 years ago: allow multiple spaces in venet0 ip list
Alexandre Derumier [Wed, 14 May 2014 03:35:09 +0000 (05:35 +0200)]
allow multiple spaces in venet0 ip list

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: rename link+ to fwln+
Alexandre Derumier [Wed, 14 May 2014 03:26:55 +0000 (05:26 +0200)]
rename link+ to fwln+

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: bugfix: allow multiple venet0 ips in 1 container
Alexandre Derumier [Tue, 13 May 2014 08:19:04 +0000 (10:19 +0200)]
bugfix: allow multiple venet0 ips in 1 container

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: insert PVEFW-IPS after vm rules generation v2
Alexandre Derumier [Mon, 12 May 2014 13:19:16 +0000 (15:19 +0200)]
insert PVEFW-IPS after vm rules generation v2

or it never matches it

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: add Makefile targets for regression tests
Dietmar Maurer [Tue, 13 May 2014 12:18:08 +0000 (14:18 +0200)]
add Makefile targets for regression tests

Always run tests before assembling a Debian package.

5 years ago: add regression test infrastructure
Dietmar Maurer [Tue, 13 May 2014 12:09:49 +0000 (14:09 +0200)]
add regression test infrastructure

5 years ago: allow reading config from test directory
Dietmar Maurer [Tue, 13 May 2014 11:49:31 +0000 (13:49 +0200)]
allow reading config from test directory

I will use that for regression tests.

5 years ago: use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains
Dietmar Maurer [Mon, 12 May 2014 11:33:19 +0000 (13:33 +0200)]
use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: move nosmurfs, tcpflags and conntrack established outside tap chains
Dietmar Maurer [Mon, 12 May 2014 11:33:18 +0000 (13:33 +0200)]
move nosmurfs, tcpflags and conntrack established outside tap chains

These should be done fast.

conntrack established can be done in PVE-FORWARD now.

smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't
make sense to test them in the OUT direction).

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
      -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: remove dead code
Dietmar Maurer [Mon, 12 May 2014 11:33:17 +0000 (13:33 +0200)]
remove dead code

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: add PVEFW-VENET-IN && PVEFW-VENET-OUT chains
Dietmar Maurer [Mon, 12 May 2014 11:33:16 +0000 (13:33 +0200)]
add PVEFW-VENET-IN && PVEFW-VENET-OUT chains

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: remove bridge chains
Dietmar Maurer [Mon, 12 May 2014 11:33:15 +0000 (13:33 +0200)]
remove bridge chains

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: use hex digest to avoid url encoding problems
Dietmar Maurer [Mon, 12 May 2014 11:33:14 +0000 (13:33 +0200)]
use hex digest to avoid url encoding problems

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: avoid error about undefined array
Dietmar Maurer [Mon, 12 May 2014 11:33:13 +0000 (13:33 +0200)]
avoid error about undefined array

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: set RELEASE to 3.2
Dietmar Maurer [Tue, 6 May 2014 09:18:25 +0000 (11:18 +0200)]
set RELEASE to 3.2

5 years ago: remove allow_bridge_route setting
Dietmar Maurer [Tue, 6 May 2014 09:12:21 +0000 (11:12 +0200)]
remove allow_bridge_route setting

Not needed for new network model with additional bridge.

5 years ago: firewall group API: change 'name' to 'group'
Dietmar Maurer [Thu, 24 Apr 2014 12:31:13 +0000 (14:31 +0200)]
firewall group API: change 'name' to 'group'

5 years ago: add global ipset blacklist
Alexandre Derumier [Tue, 22 Apr 2014 08:44:59 +0000 (10:44 +0200)]
add global ipset blacklist

This is a predefined ipset == blacklist,

which blocks ips at the beginning of PVE-FORWARD.

(useful in case of a ddos attack)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: generate_ipset: skip undefined ipsets
Dietmar Maurer [Tue, 22 Apr 2014 10:43:54 +0000 (12:43 +0200)]
generate_ipset: skip undefined ipsets

I introduced that bug when I changed die to warn.

5 years ago: rename save_rules to save_ipset
Dietmar Maurer [Tue, 22 Apr 2014 10:37:03 +0000 (12:37 +0200)]
rename save_rules to save_ipset

5 years ago: alias API: implement rename
Dietmar Maurer [Tue, 22 Apr 2014 10:33:05 +0000 (12:33 +0200)]
alias API: implement rename

5 years ago: start API for aliases
Dietmar Maurer [Tue, 22 Apr 2014 09:45:52 +0000 (11:45 +0200)]
start API for aliases

Allow comments for aliases.

5 years ago: correctly save aliases
Dietmar Maurer [Tue, 22 Apr 2014 07:37:53 +0000 (09:37 +0200)]
correctly save aliases

5 years ago: ruleset_generate_vm_rules: use 'warn' instead of 'die'
Dietmar Maurer [Tue, 22 Apr 2014 07:08:05 +0000 (09:08 +0200)]
ruleset_generate_vm_rules: use 'warn' instead of 'die'

We want to be able to update our rules, even if somebody defined
a wrong rule for his VM.

5 years ago: ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue()
Dietmar Maurer [Tue, 22 Apr 2014 07:02:04 +0000 (09:02 +0200)]
ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue()

5 years ago: generate_nfqueue: code cleanup
Dietmar Maurer [Tue, 22 Apr 2014 06:59:02 +0000 (08:59 +0200)]
generate_nfqueue: code cleanup

5 years ago: ruleset_generate_rule: update all or nothing
Dietmar Maurer [Tue, 22 Apr 2014 06:53:48 +0000 (08:53 +0200)]
ruleset_generate_rule: update all or nothing

And use 'warn' instead of 'die' if alias does not exist.

5 years ago: update update_nf_conntrack_max && nf_conntrack_tcp_timeout_established after modules load
Alexandre Derumier [Tue, 22 Apr 2014 06:17:00 +0000 (08:17 +0200)]
update update_nf_conntrack_max && nf_conntrack_tcp_timeout_established after modules load

/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
and
/proc/sys/net/nf_conntrack_max

are empty by default, because the conntrack module is not loaded until we have applied iptables rules.

So, we just need to update them after the iptables commit (which loads the conntrack modules).

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: code cleanup
Dietmar Maurer [Tue, 22 Apr 2014 06:32:44 +0000 (08:32 +0200)]
code cleanup

Define $ip_alias_name to make it easier to read the code.

5 years ago: iptables_get_chains: allow bridgevlan vmbrXvY
Alexandre Derumier [Tue, 22 Apr 2014 05:38:07 +0000 (07:38 +0200)]
iptables_get_chains: allow bridgevlan vmbrXvY

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: optimize: accept from physical interfaces on bridges
Alexandre Derumier [Tue, 22 Apr 2014 03:57:15 +0000 (05:57 +0200)]
optimize: accept from physical interfaces on bridges

There is a good chance that a packet is coming/going from/to the external network.

Currently, we need to check all tap chains before accepting the packet from the eth|bond interface.

This can have a big performance impact (mainly for drop|reject, as we don't have an established connection).
So it could be a problem in case of a ddos attack, for example.

without optimize
----------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT

   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT

-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN

   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN

-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT

with optimize
-------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT

   -A vmbr1-OUT -m physdev --physdev-in ethX --physdev-is-bridged -g PVEFW-SET-ACCEPT-MARK
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT

-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
   -A vmbr1-IN -m physdev --physdev-out ethX --physdev-is-bridged -j ACCEPT
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN

-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: add aliases feature
Alexandre Derumier [Sat, 19 Apr 2014 07:00:03 +0000 (09:00 +0200)]
add aliases feature

This allows defining ip and network aliases,

which can be used in vm/group rules and also ipsets.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: add README and example to debian package
Dietmar Maurer [Fri, 18 Apr 2014 08:50:15 +0000 (10:50 +0200)]
add README and example to debian package

5 years ago: fix README
Dietmar Maurer [Fri, 18 Apr 2014 08:43:30 +0000 (10:43 +0200)]
fix README

5 years ago: only allow tcpflags and nosmurfs in host.fw
Dietmar Maurer [Fri, 18 Apr 2014 08:28:13 +0000 (10:28 +0200)]
only allow tcpflags and nosmurfs in host.fw

5 years ago: enable cluster wide rules
Dietmar Maurer [Fri, 18 Apr 2014 06:11:49 +0000 (08:11 +0200)]
enable cluster wide rules

5 years ago: add remaining options to VM API
Dietmar Maurer [Fri, 18 Apr 2014 05:44:32 +0000 (07:44 +0200)]
add remaining options to VM API

5 years ago: add options and log API for VMs
Dietmar Maurer [Fri, 18 Apr 2014 05:23:20 +0000 (07:23 +0200)]
add options and log API for VMs

5 years ago: bugfix: ruleset_generate_cmdstr: use -d for destination
Alexandre Derumier [Thu, 17 Apr 2014 04:42:50 +0000 (06:42 +0200)]
bugfix: ruleset_generate_cmdstr: use -d for destination

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: complete options API for host.fw
Dietmar Maurer [Tue, 15 Apr 2014 10:28:05 +0000 (12:28 +0200)]
complete options API for host.fw

5 years ago: add API for firewall log
Dietmar Maurer [Tue, 15 Apr 2014 09:03:17 +0000 (11:03 +0200)]
add API for firewall log

5 years ago: correctly initialize std chains
Dietmar Maurer [Tue, 15 Apr 2014 08:38:40 +0000 (10:38 +0200)]
correctly initialize std chains

Else those chains grow if called from a daemon.

5 years ago: do not set persistent state if firewall is disabled
Dietmar Maurer [Tue, 15 Apr 2014 07:04:42 +0000 (09:04 +0200)]
do not set persistent state if firewall is disabled

Else we have to manually restart the service after enable is set.

5 years ago: disable firewall by default
Dietmar Maurer [Tue, 15 Apr 2014 06:15:53 +0000 (08:15 +0200)]
disable firewall by default

5 years ago: add init script to start firewall
Dietmar Maurer [Tue, 15 Apr 2014 06:12:27 +0000 (08:12 +0200)]
add init script to start firewall

5 years ago: ips: allow --queue-bypass only for kernel 3.10
Alexandre Derumier [Tue, 15 Apr 2014 05:25:21 +0000 (07:25 +0200)]
ips: allow --queue-bypass only for kernel 3.10

This doesn't exist in the 2.6.32 kernel.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: stop firewall inside update if firewall is disabled in cluster.fw
Dietmar Maurer [Tue, 15 Apr 2014 05:29:50 +0000 (07:29 +0200)]
stop firewall inside update if firewall is disabled in cluster.fw

And some code cleanups.

5 years ago: implement API for cluster.fw policy_in and policy_out options
Dietmar Maurer [Mon, 14 Apr 2014 10:51:16 +0000 (12:51 +0200)]
implement API for cluster.fw policy_in and policy_out options

5 years ago: move host policy setting to cluster.fw
Dietmar Maurer [Mon, 14 Apr 2014 10:21:38 +0000 (12:21 +0200)]
move host policy setting to cluster.fw

Because we also have cluster wide rules

5 years ago: remove option dhcp for host.fw
Dietmar Maurer [Mon, 14 Apr 2014 10:06:45 +0000 (12:06 +0200)]
remove option dhcp for host.fw

5 years ago: add tunable nf_conntrack_tcp_timeout_established value
Alexandre Derumier [Mon, 14 Apr 2014 07:59:47 +0000 (09:59 +0200)]
add tunable nf_conntrack_tcp_timeout_established value

The default nf_conntrack_tcp_timeout_established value is 5 days.

This is really huge, in case of a ddos attack for example.

From:
https://dev.openwrt.org/ticket/12976

the minimum value should be

"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
5 years ago: copy_xxx_with_digest: do not copy undefined values
Dietmar Maurer [Fri, 11 Apr 2014 10:52:48 +0000 (12:52 +0200)]
copy_xxx_with_digest: do not copy undefined values

5 years ago: improve concurrent update handling
Dietmar Maurer [Fri, 11 Apr 2014 09:32:32 +0000 (11:32 +0200)]
improve concurrent update handling

Compute digest per section.

5 years ago: correctly encode section comments as utf8
Dietmar Maurer [Thu, 10 Apr 2014 10:28:50 +0000 (12:28 +0200)]
correctly encode section comments as utf8

5 years ago: support comments on ipset sections
Dietmar Maurer [Thu, 10 Apr 2014 10:08:48 +0000 (12:08 +0200)]
support comments on ipset sections

Also implement concurrent change prevention for ipset API.

5 years ago: rules API: protect against concurrent updates
Dietmar Maurer [Thu, 10 Apr 2014 08:44:56 +0000 (10:44 +0200)]
rules API: protect against concurrent updates

5 years ago: security group API: protect against concurrent updates
Dietmar Maurer [Thu, 10 Apr 2014 08:38:48 +0000 (10:38 +0200)]
security group API: protect against concurrent updates

5 years ago: define standard option pve-config-digest
Dietmar Maurer [Thu, 10 Apr 2014 07:01:28 +0000 (09:01 +0200)]
define standard option pve-config-digest

5 years ago: support comments on group sections
Dietmar Maurer [Wed, 9 Apr 2014 10:53:12 +0000 (12:53 +0200)]
support comments on group sections

5 years ago: correctly save security group rules
Dietmar Maurer [Wed, 9 Apr 2014 07:48:42 +0000 (09:48 +0200)]
correctly save security group rules

5 years ago: complete security group API
Dietmar Maurer [Wed, 9 Apr 2014 06:53:58 +0000 (08:53 +0200)]
complete security group API

5 years ago: define standard option for security group names
Dietmar Maurer [Wed, 9 Apr 2014 06:05:51 +0000 (08:05 +0200)]
define standard option for security group names

5 years ago: correctly verify ipset name
Dietmar Maurer [Wed, 9 Apr 2014 05:34:06 +0000 (07:34 +0200)]
correctly verify ipset name

5 years ago: IPSet: implement rename API
Dietmar Maurer [Wed, 9 Apr 2014 05:15:14 +0000 (07:15 +0200)]
IPSet: implement rename API

5 years ago: add newline to error message
Dietmar Maurer [Wed, 9 Apr 2014 05:02:01 +0000 (07:02 +0200)]
add newline to error message

5 years ago: ipset: implement create/delete API
Dietmar Maurer [Tue, 8 Apr 2014 10:50:47 +0000 (12:50 +0200)]
ipset: implement create/delete API

5 years ago: ipset API: add get/update methods
Dietmar Maurer [Tue, 8 Apr 2014 09:18:03 +0000 (11:18 +0200)]
ipset API: add get/update methods