pve-firewall.git
6 years ago - ipset : use only netgroup
Alexandre Derumier [Mon, 31 Mar 2014 13:56:39 +0000 (15:56 +0200)]
ipset : use only netgroup

only use hash:net for both IPs and networks.

allow comments and nomatch

delete ipset chains after iptables restore

also optimize hashsize

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - remove unnecessary iptables code
Dietmar Maurer [Mon, 31 Mar 2014 10:43:19 +0000 (12:43 +0200)]
remove unnecessary iptables code

6 years ago - avoid calls to iptables_rule_exist()
Dietmar Maurer [Mon, 31 Mar 2014 10:39:29 +0000 (12:39 +0200)]
avoid calls to iptables_rule_exist()

6 years ago - new method iptables_chain_digest() to compute digest
Dietmar Maurer [Mon, 31 Mar 2014 09:52:57 +0000 (11:52 +0200)]
new method iptables_chain_digest() to compute digest

Note: My previous commit introduced a bug, using ipset_chain_digest()
for the iptables ruleset - this is a fix for that.

6 years ago - s/rulset/ruleset/
Dietmar Maurer [Mon, 31 Mar 2014 09:39:41 +0000 (11:39 +0200)]
s/rulset/ruleset/

6 years ago - avoid calls to iptables_rule_exist
Dietmar Maurer [Mon, 31 Mar 2014 09:35:12 +0000 (11:35 +0200)]
avoid calls to iptables_rule_exist

We can return that info with iptables_get_chains().

6 years ago - allow options and rules section in cluster.fw
Dietmar Maurer [Mon, 31 Mar 2014 08:41:52 +0000 (10:41 +0200)]
allow options and rules section in cluster.fw

6 years ago - rename groups.fw to cluster.fw
Dietmar Maurer [Mon, 31 Mar 2014 07:59:03 +0000 (09:59 +0200)]
rename groups.fw to cluster.fw

Because we also want to have cluster wide rules/options.

6 years ago - cleanup ipset code
Dietmar Maurer [Fri, 28 Mar 2014 11:09:02 +0000 (12:09 +0100)]
cleanup ipset code

6 years ago - implement ipset ip/net groups
Alexandre Derumier [Thu, 27 Mar 2014 10:22:06 +0000 (11:22 +0100)]
implement ipset ip/net groups

This implements ipset groups of IPs or networks in groups.fw.

groups.fw
---------
[ipgroup ipgroup1]

192.168.0.1
192.168.0.2
192.168.0.3

[ipgroup ipgroup2]

192.168.0.3
192.168.0.4

[netgroup netgroup1]

192.168.0.0/24
10.0.0.0/8

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
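
Added example, not code from this commit or from pve-firewall: a Python parser for the groups.fw layout shown above that emits `ipset restore` input along the lines the later commit "ipset : use only netgroup" at the top of this page describes (hash:net for both ipgroup and netgroup entries, per-entry comments and nomatch, a hashsize sized to the entry count). The '!' nomatch prefix, '#' comments, the PVEFW- set-name prefix and the hashsize heuristic are assumptions of this example, not documented on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the groups.fw layout from the commit message above.
# Two conventions are assumptions of this example only: a leading '!' marks a
# nomatch entry and '#' starts a comment that becomes the ipset entry comment.
SAMPLE_GROUPS_FW = """\
[ipgroup ipgroup1]

192.168.0.1
192.168.0.2
192.168.0.3 # monitoring host

[ipgroup ipgroup2]

192.168.0.3
192.168.0.4

[netgroup netgroup1]

192.168.0.0/24
!192.168.0.254
10.0.0.0/8
"""

SECTION_RE = re.compile(r'^\[(ipgroup|netgroup)\s+([A-Za-z][A-Za-z0-9_-]*)\]$')


@dataclass
class Entry:
    net: str                  # normalized CIDR, e.g. '192.168.0.1/32'
    family: str               # 'inet' or 'inet6'
    nomatch: bool = False     # ipset 'nomatch': carve an exception out of a wider net
    comment: Optional[str] = None


def parse_groups_fw(text: str) -> Dict[str, List[Entry]]:
    """Parse [ipgroup NAME] / [netgroup NAME] sections into {name: [Entry]}.
    Every address goes through ipaddress.ip_network() so a malformed line is
    rejected here instead of being handed to 'ipset restore'."""
    groups: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition('#')
        body = body.strip()
        comment = comment.strip() or None
        if not body:
            continue
        m = SECTION_RE.match(body)
        if m:
            _kind, name = m.groups()      # both kinds become hash:net sets below
            if name in groups:
                raise ValueError(f"line {lineno}: duplicate group '{name}'")
            current = name
            groups[name] = []
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry outside of any group section")
        nomatch = body.startswith('!')
        addr = body[1:].strip() if nomatch else body
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address '{addr}': {exc}") from exc
        family = 'inet6' if net.version == 6 else 'inet'
        groups[current].append(Entry(str(net), family, nomatch, comment))
    return groups


def hashsize_for(count: int) -> int:
    """ipset wants a power-of-two hashsize; size it to the entry count
    (heuristic: at least 64 buckets, else the next power of two >= count)."""
    size = 64
    while size < count:
        size *= 2
    return size


def ipset_restore_lines(groups: Dict[str, List[Entry]], prefix: str = 'PVEFW-') -> List[str]:
    """'ipset restore' input: one hash:net set per group; the 'comment' create
    option enables per-entry comments. The set-name prefix is an assumption."""
    lines: List[str] = []
    for name, entries in groups.items():
        families = {e.family for e in entries} or {'inet'}
        if len(families) != 1:
            raise ValueError(f"group '{name}' mixes IPv4 and IPv6 entries")
        setname = f'{prefix}{name}'
        lines.append(f'create {setname} hash:net family {families.pop()} '
                     f'hashsize {hashsize_for(len(entries))} maxelem 65536 comment')
        for e in entries:
            line = f'add {setname} {e.net}'
            if e.nomatch:
                line += ' nomatch'
            if e.comment:
                line += ' comment "' + e.comment.replace('"', '') + '"'
            lines.append(line)
    return lines
```

Using hash:net for plain addresses costs nothing (they become /32 members) and is what makes nomatch usable inside an ipgroup. A set that iptables rules still reference cannot be destroyed, so a regenerated set has to be loaded and swapped in before the old one goes away; that is the ordering the "delete ipset chains after iptables restore" line in the top commit is about.
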
6 years ago - cleanup ips detection
Alexandre Derumier [Wed, 26 Mar 2014 12:26:54 +0000 (13:26 +0100)]
cleanup ips detection

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - ignore additional arguments when moveto is set
Dietmar Maurer [Tue, 25 Mar 2014 12:05:22 +0000 (13:05 +0100)]
ignore additional arguments when moveto is set

6 years ago - improve parameter verification
Dietmar Maurer [Tue, 25 Mar 2014 10:02:18 +0000 (11:02 +0100)]
improve parameter verification

6 years ago - cleanup_fw_rule: only copy defined rule properties
Dietmar Maurer [Tue, 25 Mar 2014 08:20:52 +0000 (09:20 +0100)]
cleanup_fw_rule: only copy defined rule properties

6 years ago - do not expand macros on load
Dietmar Maurer [Tue, 25 Mar 2014 07:55:26 +0000 (08:55 +0100)]
do not expand macros on load

Else we save expanded macros!

6 years ago - improve API
Dietmar Maurer [Tue, 25 Mar 2014 06:20:44 +0000 (07:20 +0100)]
improve API

6 years ago - add ips optimizations
Alexandre Derumier [Tue, 25 Mar 2014 04:15:28 +0000 (05:15 +0100)]
add ips optimizations

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - add optimize flag
Alexandre Derumier [Tue, 25 Mar 2014 04:15:27 +0000 (05:15 +0100)]
add optimize flag

this flag enables optimizations on rule processing

host.fw
-------
optimize:1

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - add ips feature v7
Alexandre Derumier [Tue, 25 Mar 2014 04:15:26 +0000 (05:15 +0100)]
add ips feature v7

This adds ips (like suricata) support through nfqueues.

The main idea is to replace -j ACCEPT with -j NFQUEUE, to pass packets to the ips

it's using --queue-bypass (only available in 3.10 kernel), so if the suricata daemon is down,
packets are not dropped.

tap-out chain
-------------
we goto PVEFW-SET-ACCEPT-MARK, which is always used when the connection is already established
 -m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK

tap-in chain
---------------
I replace -j ACCEPT with -j NFQUEUE when ips is enabled
and
-m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE

group-in rules now also use mark
---------------------------------
-A tap110i0-IN -j GROUP-group1-IN
   -A GROUP-group1-IN -j MARK --set-xmark 0x0/0xffffffff
   -A GROUP-group1-IN -p icmp -g PVEFW-SET-ACCEPT-MARK
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT|NFQUEUE

vmid.fw
-------
ips: 1

ips_queues: 0:3

One or more queues can be defined (if we want CPU load balancing, or a dedicated queue for a specific VM).
If not defined, default queue 0 is used.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
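
Added example, not code from this commit or from pve-firewall: a Python sketch of the ruleset shape described above, reading the ips / ips_queues options from a vmid.fw fragment and producing a tap-in chain with NFQUEUE in place of ACCEPT. The option parser, the choice of --queue-balance for a range versus --queue-num for a single queue, and the assumption that PVEFW-SET-ACCEPT-MARK sets mark 0x1 are this example's, not the project's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed vmid.fw fragment in the layout from the commit message above.
SAMPLE_VMID_FW = """\
[OPTIONS]
ips: 1
ips_queues: 0:3
"""

OPTION_RE = re.compile(r'^([a-z_]+)\s*:\s*(\S+)$')


def parse_options(text: str) -> Dict[str, str]:
    """Read 'key: value' lines; section headers and '#' comments are skipped."""
    opts: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not an option: {raw!r}')
        opts[m.group(1)] = m.group(2)
    return opts


def parse_queues(spec: Optional[str]) -> Tuple[int, int]:
    """'3' -> (3, 3), '0:3' -> (0, 3); the default queue 0 when unset."""
    if spec is None:
        return (0, 0)
    m = re.fullmatch(r'(\d+)(?::(\d+))?', spec)
    if not m:
        raise ValueError(f'bad ips_queues value: {spec!r}')
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not lo <= hi <= 65535:
        raise ValueError(f'bad queue range: {spec!r}')
    return (lo, hi)


def accept_target(opts: Dict[str, str]) -> str:
    """The target that takes the place of '-j ACCEPT' in the tap-in chain.

    --queue-balance LO:HI lets the kernel spread flows over several queues
    (one IPS worker per queue); --queue-num N binds a single queue.
    --queue-bypass turns the verdict into ACCEPT when nothing listens on the
    queue, so a stopped IPS fails open instead of dropping the VM's traffic.
    """
    if opts.get('ips', '0') != '1':
        return '-j ACCEPT'
    lo, hi = parse_queues(opts.get('ips_queues'))
    queue = f'--queue-num {lo}' if lo == hi else f'--queue-balance {lo}:{hi}'
    return f'-j NFQUEUE {queue} --queue-bypass'


def generate_vm_in_rules(iface: str, opts: Dict[str, str],
                         groups: Dict[str, List[str]]) -> List[str]:
    """iptables-restore lines for one VM interface's IN chain, following the
    commit message: established traffic goes straight to the IPS target; each
    security group chain clears the mark, lets its matches goto
    PVEFW-SET-ACCEPT-MARK (assumed here to set mark 0x1); the caller then
    hands marked packets to the IPS target instead of ACCEPT."""
    chain = f'{iface}-IN'
    target = accept_target(opts)
    rules = [f'-A {chain} -m conntrack --ctstate RELATED,ESTABLISHED {target}']
    for name, matches in groups.items():
        gchain = f'GROUP-{name}-IN'
        rules.append(f'-A {gchain} -j MARK --set-xmark 0x0/0xffffffff')
        for match in matches:
            rules.append(f'-A {gchain} {match} -g PVEFW-SET-ACCEPT-MARK')
        rules.append(f'-A {chain} -j {gchain}')
        rules.append(f'-A {chain} -m mark --mark 0x1 {target}')
    return rules
```

The operational caveat sits in --queue-bypass: it makes an IPS outage fail open, which is what the commit wants for availability, but it also means a crashed suricata silently stops inspecting. Monitoring the daemon, not the firewall rules, is what closes that gap.
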
6 years ago - code cleanup: use ruleset_generate_rule to generate dhcp rules
Dietmar Maurer [Fri, 21 Mar 2014 06:34:38 +0000 (07:34 +0100)]
code cleanup: use ruleset_generate_rule to generate dhcp rules

6 years ago - assume rule is enabled if {enable} is not defined
Dietmar Maurer [Fri, 21 Mar 2014 06:32:09 +0000 (07:32 +0100)]
assume rule is enabled if {enable} is not defined

6 years ago - dhcp out rule : use goto instead of jump
Alexandre Derumier [Fri, 21 Mar 2014 05:03:00 +0000 (06:03 +0100)]
dhcp out rule : use goto instead of jump

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - use enable instead of disable
Dietmar Maurer [Thu, 20 Mar 2014 10:49:30 +0000 (11:49 +0100)]
use enable instead of disable

This makes it easier to write the GUI.

6 years ago - implement nosmurfs option for host firewall
Dietmar Maurer [Thu, 20 Mar 2014 06:53:59 +0000 (07:53 +0100)]
implement nosmurfs option for host firewall

6 years ago - add tcpflags to host.fw example
Dietmar Maurer [Thu, 20 Mar 2014 06:48:58 +0000 (07:48 +0100)]
add tcpflags to host.fw example

6 years ago - implement option tcpflags for host firewall
Dietmar Maurer [Thu, 20 Mar 2014 06:42:56 +0000 (07:42 +0100)]
implement option tcpflags for host firewall

But we only add the check for incoming packets, assuming that the
host itself never generates invalid tcp flags.

6 years ago - generate_group_rules : fix check of security group
Alexandre Derumier [Wed, 19 Mar 2014 15:31:55 +0000 (16:31 +0100)]
generate_group_rules : fix check of security group

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - fix dhcp rule
Dietmar Maurer [Wed, 19 Mar 2014 11:30:28 +0000 (12:30 +0100)]
fix dhcp rule

As suggested by Alexandre.

6 years ago - allow to use utf8 encoded comments
Dietmar Maurer [Wed, 19 Mar 2014 11:16:16 +0000 (12:16 +0100)]
allow to use utf8 encoded comments

6 years ago - switch back to gnu99 std
Dietmar Maurer [Wed, 19 Mar 2014 08:15:24 +0000 (09:15 +0100)]
switch back to gnu99 std

So that we can compile with gcc 4.4

6 years ago - remove optimization which accepts unrelated traffic
Dietmar Maurer [Wed, 19 Mar 2014 08:11:17 +0000 (09:11 +0100)]
remove optimization which accepts unrelated traffic

Removing this also makes ips filtering easier.

6 years ago - start VM firewall API
Dietmar Maurer [Tue, 18 Mar 2014 11:06:53 +0000 (12:06 +0100)]
start VM firewall API

6 years ago - start host API
Dietmar Maurer [Tue, 18 Mar 2014 10:30:53 +0000 (11:30 +0100)]
start host API

6 years ago - improve security group API
Dietmar Maurer [Tue, 18 Mar 2014 09:36:46 +0000 (10:36 +0100)]
improve security group API

6 years ago - start API
Dietmar Maurer [Tue, 18 Mar 2014 07:03:26 +0000 (08:03 +0100)]
start API

6 years ago - new method load_security_groups()
Dietmar Maurer [Tue, 18 Mar 2014 06:05:06 +0000 (07:05 +0100)]
new method load_security_groups()

6 years ago - remove obsolete comment
Dietmar Maurer [Mon, 17 Mar 2014 09:56:17 +0000 (10:56 +0100)]
remove obsolete comment

6 years ago - avoid dependency problems
Dietmar Maurer [Mon, 17 Mar 2014 09:55:22 +0000 (10:55 +0100)]
avoid dependency problems

6 years ago - use signalfd instead of g_unix_signal_add
Dietmar Maurer [Mon, 17 Mar 2014 07:16:02 +0000 (08:16 +0100)]
use signalfd instead of g_unix_signal_add

Because g_unix_signal_add() creates an additional thread!

6 years ago - add option parser and print usage information
Dietmar Maurer [Mon, 17 Mar 2014 06:37:04 +0000 (07:37 +0100)]
add option parser and print usage information

We can now start in debug mode with 'pvefw-logger -d'. This runs
in the foreground and additionally prints messages to stdout.

6 years ago - add compile time test for log struct size
Dietmar Maurer [Sat, 15 Mar 2014 09:24:02 +0000 (10:24 +0100)]
add compile time test for log struct size

The STATIC_ASSERT macro declares an external function (which is never used).
The declaration fails if the expression evaluates to false, because that
would result in a negative array bound.

6 years ago - use gnu11 instead of gnu99 (newer)
Dietmar Maurer [Fri, 14 Mar 2014 17:53:28 +0000 (18:53 +0100)]
use gnu11 instead of gnu99 (newer)

6 years ago - improve Makefile clean target
Dietmar Maurer [Fri, 14 Mar 2014 13:22:30 +0000 (14:22 +0100)]
improve Makefile clean target

6 years ago - add missing init.d file for pvefw-logger
Dietmar Maurer [Fri, 14 Mar 2014 13:19:08 +0000 (14:19 +0100)]
add missing init.d file for pvefw-logger

6 years ago - really stop daemon on write error
Dietmar Maurer [Fri, 14 Mar 2014 13:05:55 +0000 (14:05 +0100)]
really stop daemon on write error

And a bunch of white-space cleanups.

6 years ago - additionally log status messages to syslog
Dietmar Maurer [Fri, 14 Mar 2014 12:59:22 +0000 (13:59 +0100)]
additionally log status messages to syslog

6 years ago - use phydev numbers if name lookup fails
Dietmar Maurer [Fri, 14 Mar 2014 12:33:01 +0000 (13:33 +0100)]
use phydev numbers if name lookup fails

6 years ago - improve log format
Dietmar Maurer [Fri, 14 Mar 2014 12:15:03 +0000 (13:15 +0100)]
improve log format

6 years ago - add simple nflog daemon
Dietmar Maurer [Thu, 13 Mar 2014 12:08:47 +0000 (13:08 +0100)]
add simple nflog daemon

6 years ago - fix 110.fw example
Alexandre Derumier [Tue, 11 Mar 2014 08:58:46 +0000 (09:58 +0100)]
fix 110.fw example

we can't parse [OPTIONS] if a comment is on the same line

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years ago - add ifupdown helper to setup MASQUERADE on veth device
Dietmar Maurer [Mon, 10 Mar 2014 11:49:02 +0000 (12:49 +0100)]
add ifupdown helper to setup MASQUERADE on veth device

6 years ago - avoid use of --physdev-is-bridged whenever possible
Dietmar Maurer [Mon, 10 Mar 2014 09:29:25 +0000 (10:29 +0100)]
avoid use of --physdev-is-bridged whenever possible

Option physdev-is-bridged only matches when both ports are bridged.
But we also want to check IN/OUT rules if only one port is bridged.

6 years ago - use correct mac for veth containers
Dietmar Maurer [Mon, 10 Mar 2014 09:15:09 +0000 (10:15 +0100)]
use correct mac for veth containers

6 years ago - add reminder that we should use ULOG
Dietmar Maurer [Mon, 10 Mar 2014 09:13:10 +0000 (10:13 +0100)]
add reminder that we should use ULOG

6 years ago - add documentation for masqueraded setup
Dietmar Maurer [Mon, 10 Mar 2014 09:12:03 +0000 (10:12 +0100)]
add documentation for masqueraded setup

6 years ago - do not use multiport for single port range
Dietmar Maurer [Fri, 7 Mar 2014 06:38:44 +0000 (07:38 +0100)]
do not use multiport for single port range

6 years ago - ifupdown.sh: correctly use ifup instead of ifconfig
Dietmar Maurer [Thu, 6 Mar 2014 17:00:53 +0000 (18:00 +0100)]
ifupdown.sh: correctly use ifup instead of ifconfig

6 years ago - ifupdown.sh: improve error handling
Dietmar Maurer [Thu, 6 Mar 2014 15:54:27 +0000 (16:54 +0100)]
ifupdown.sh: improve error handling

6 years ago - add ifupdown helper to create veth devices plugged into bridges
Dietmar Maurer [Thu, 6 Mar 2014 12:15:07 +0000 (13:15 +0100)]
add ifupdown helper to create veth devices plugged into bridges

6 years ago - update documentation
Dietmar Maurer [Thu, 6 Mar 2014 10:31:12 +0000 (11:31 +0100)]
update documentation

6 years ago - implement allow_bridge_route feature
Dietmar Maurer [Thu, 6 Mar 2014 08:46:12 +0000 (09:46 +0100)]
implement allow_bridge_route feature

6 years ago - use perl taint mode
Dietmar Maurer [Thu, 6 Mar 2014 07:22:00 +0000 (08:22 +0100)]
use perl taint mode

6 years ago - do not use perl -w
Dietmar Maurer [Thu, 6 Mar 2014 07:21:05 +0000 (08:21 +0100)]
do not use perl -w

6 years ago - use RETURN instead of ACCEPT to allow further processing
Dietmar Maurer [Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)]
use RETURN instead of ACCEPT to allow further processing

6 years ago - only update nf_conntrack_max if firewall is started
Dietmar Maurer [Thu, 6 Mar 2014 07:02:45 +0000 (08:02 +0100)]
only update nf_conntrack_max if firewall is started

6 years ago - plug venet0 chains into PVEFW-INPUT and PVEFW-OUTPUT
Dietmar Maurer [Wed, 5 Mar 2014 12:28:34 +0000 (13:28 +0100)]
plug venet0 chains into PVEFW-INPUT and PVEFW-OUTPUT

Container firewall should be fully functional now.

6 years ago - plug venet0 chains into PVEFW-FORWARD
Dietmar Maurer [Wed, 5 Mar 2014 11:49:57 +0000 (12:49 +0100)]
plug venet0 chains into PVEFW-FORWARD

We can now partly filter container traffic. Still need to add checks
in PVEFW-INPUT and PVEFW-OUTPUT chains.

6 years ago - add optimization as last step
Dietmar Maurer [Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)]
add optimization as last step

6 years ago - use parse_address_list to validate IP list
Dietmar Maurer [Wed, 5 Mar 2014 10:43:35 +0000 (11:43 +0100)]
use parse_address_list to validate IP list

6 years ago - generate chains for openvz venet
Dietmar Maurer [Wed, 5 Mar 2014 10:33:23 +0000 (11:33 +0100)]
generate chains for openvz venet

This is not fully functional, because we need to connect with upper level chains.

6 years ago - add veth chain to is_pvefw_chain()
Dietmar Maurer [Wed, 5 Mar 2014 09:49:16 +0000 (10:49 +0100)]
add veth chain to is_pvefw_chain()

6 years ago - start openvz support
Dietmar Maurer [Wed, 5 Mar 2014 09:43:32 +0000 (10:43 +0100)]
start openvz support

Seems we can reuse generate_tap_rules_direction for bridged devices.

6 years ago - use underscore instead of hyphen for fw options
Dietmar Maurer [Wed, 5 Mar 2014 08:01:44 +0000 (09:01 +0100)]
use underscore instead of hyphen for fw options

6 years ago - add nf_conntrack_max to example config
Dietmar Maurer [Wed, 5 Mar 2014 07:50:04 +0000 (08:50 +0100)]
add nf_conntrack_max to example config

6 years ago - implement nf_conntrack_max option
Dietmar Maurer [Wed, 5 Mar 2014 07:08:51 +0000 (08:08 +0100)]
implement nf_conntrack_max option

6 years ago - cleanup - avoid warning about undefined value
Dietmar Maurer [Wed, 5 Mar 2014 06:36:25 +0000 (07:36 +0100)]
cleanup - avoid warning about undefined value

6 years ago - cleanups - use better names
Dietmar Maurer [Wed, 5 Mar 2014 06:30:11 +0000 (07:30 +0100)]
cleanups - use better names

6 years ago - improve logging
Dietmar Maurer [Tue, 4 Mar 2014 11:54:52 +0000 (12:54 +0100)]
improve logging

Also log dropped inter-bridge traffic.

6 years ago - correctly init PVEFW-FORWARD chain
Dietmar Maurer [Tue, 4 Mar 2014 11:23:19 +0000 (12:23 +0100)]
correctly init PVEFW-FORWARD chain

We generate that chain by default, so the old code never triggered.

6 years ago - add $bridge-OUT chain to PVEFW-INPUT
Dietmar Maurer [Tue, 4 Mar 2014 10:48:22 +0000 (11:48 +0100)]
add $bridge-OUT chain to PVEFW-INPUT

6 years ago - clear mark when entering tapXZY-OUT chain
Dietmar Maurer [Tue, 4 Mar 2014 10:46:24 +0000 (11:46 +0100)]
clear mark when entering tapXZY-OUT chain

6 years ago - correctly implement policy for host firewall
Dietmar Maurer [Tue, 4 Mar 2014 10:00:35 +0000 (11:00 +0100)]
correctly implement policy for host firewall

6 years ago - factor out code to produce policy rules
Dietmar Maurer [Tue, 4 Mar 2014 09:45:27 +0000 (10:45 +0100)]
factor out code to produce policy rules

6 years ago - fix comment
Dietmar Maurer [Tue, 4 Mar 2014 09:23:07 +0000 (10:23 +0100)]
fix comment

6 years ago - remove unnecessary rule
Dietmar Maurer [Tue, 4 Mar 2014 09:19:02 +0000 (10:19 +0100)]
remove unnecessary rule

6 years ago - s/enablehostfw/enable_host_firewall/
Dietmar Maurer [Tue, 4 Mar 2014 09:09:59 +0000 (10:09 +0100)]
s/enablehostfw/enable_host_firewall/

6 years ago - make sure syncookies are enabled
Dietmar Maurer [Tue, 4 Mar 2014 08:56:34 +0000 (09:56 +0100)]
make sure syncookies are enabled

6 years ago - use PVE::ProcFSTools::write_proc_entry instead of system("echo ...")
Dietmar Maurer [Tue, 4 Mar 2014 08:27:26 +0000 (09:27 +0100)]
use PVE::ProcFSTools::write_proc_entry instead of system("echo ...")

6 years ago - cleanup ruleset_generate_rule()
Dietmar Maurer [Tue, 4 Mar 2014 08:19:08 +0000 (09:19 +0100)]
cleanup ruleset_generate_rule()

6 years ago - improve clean target
Dietmar Maurer [Tue, 4 Mar 2014 08:07:23 +0000 (09:07 +0100)]
improve clean target

delete emacs tmp files in all subdirs

6 years ago - remove stale file
Dietmar Maurer [Tue, 4 Mar 2014 08:04:37 +0000 (09:04 +0100)]
remove stale file

6 years ago - merge IN/OUT section into RULES section
Dietmar Maurer [Mon, 3 Mar 2014 14:19:38 +0000 (15:19 +0100)]
merge IN/OUT section into RULES section

6 years ago - assemble debian package
Dietmar Maurer [Mon, 3 Mar 2014 08:40:04 +0000 (09:40 +0100)]
assemble debian package

6 years ago - implement log_level_in and log_level_out options
Dietmar Maurer [Fri, 28 Feb 2014 11:47:34 +0000 (12:47 +0100)]
implement log_level_in and log_level_out options

6 years ago - implement log level options
Dietmar Maurer [Fri, 28 Feb 2014 11:25:18 +0000 (12:25 +0100)]
implement log level options

6 years ago - use a file to store firewall status persistently.
Dietmar Maurer [Fri, 28 Feb 2014 09:50:44 +0000 (10:50 +0100)]
use a file to store firewall status persistently.

Start/stop saves state into a file. So the firewall remembers that status
even if the host is rebooted.

Also added helpers to update firewall rules and get current status.

6 years ago - ignore source/destination port if no protocol specified
Dietmar Maurer [Fri, 28 Feb 2014 09:36:28 +0000 (10:36 +0100)]
ignore source/destination port if no protocol specified

6 years ago - use defined() to check for undefined value
Dietmar Maurer [Thu, 27 Feb 2014 11:54:11 +0000 (12:54 +0100)]
use defined() to check for undefined value

6 years ago - improve multiport rule generator
Dietmar Maurer [Thu, 27 Feb 2014 11:52:05 +0000 (12:52 +0100)]
improve multiport rule generator

It is not allowed to use --sports and --dports together!
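
Added example, not code from this commit or from pve-firewall: a Python port-match generator covering the three port rules this log records (ports are ignored when no protocol is given; a single port or single range gets the plain --sport/--dport option rather than multiport; --sports and --dports never share one multiport instance). The port-list syntax, the protocol list and the 15-port multiport limit check are this example's own.

```python
import re
from typing import List, Optional

PORT_PROTOCOLS = ('tcp', 'udp', 'sctp', 'udplite')   # protocols whose rules may carry port matches
MULTIPORT_MAX = 15                                  # xt_multiport limit; a LO:HI range counts as two


def parse_port_list(spec: Optional[str]) -> List[str]:
    """'80' -> ['80']; '8000:8080' -> ['8000:8080']; '22,80,443' -> three items.
    Each item must be a port or a LO:HI range inside 1..65535."""
    if not spec:
        return []
    items: List[str] = []
    for item in spec.split(','):
        item = item.strip()
        m = re.fullmatch(r'(\d+)(?::(\d+))?', item)
        if not m:
            raise ValueError(f'bad port spec: {item!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f'port out of range: {item!r}')
        items.append(item)
    return items


def port_matches(proto: Optional[str], sport: Optional[str], dport: Optional[str]) -> str:
    """Protocol/port part of an iptables rule.

    - no protocol: the ports are ignored (iptables rejects --dport without -p)
    - ports on a protocol without ports (icmp, ...) is a configuration error
    - one port or one LO:HI range uses the plain --sport/--dport option
    - several items use multiport, one '-m multiport' instance per direction,
      because a single instance accepts only one of --sports/--dports/--ports
    """
    if proto is None:
        return ''
    parts = [f'-p {proto}']
    sports, dports = parse_port_list(sport), parse_port_list(dport)
    if (sports or dports) and proto not in PORT_PROTOCOLS:
        raise ValueError(f'protocol {proto!r} has no ports')
    for flag, items in (('sport', sports), ('dport', dports)):
        if not items:
            continue
        if len(items) == 1:
            parts.append(f'--{flag} {items[0]}')
            continue
        if sum(2 if ':' in i else 1 for i in items) > MULTIPORT_MAX:
            raise ValueError(f'too many ports for multiport: {",".join(items)}')
        parts.append(f'-m multiport --{flag}s {",".join(items)}')
    return ' '.join(parts)
```

Silently dropping ports when the protocol is missing is what the "ignore source/destination port" commit does; a generator that instead raised would catch rules that were meant to be narrower than they are, which is the safer default when the config is written by hand.
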

6 years ago - fix Ping macro
Dietmar Maurer [Thu, 27 Feb 2014 11:40:37 +0000 (12:40 +0100)]
fix Ping macro