pve-firewall.git
5 years ago - Dietmar Maurer [Thu, 22 May 2014 07:50:59 +0000 (09:50 +0200)]
close inotify handle before restart

5 years ago - Dietmar Maurer [Wed, 21 May 2014 11:03:57 +0000 (13:03 +0200)]
improve rules API

Do not use the JSON schema 'requires' property, because that forbids using
'' to delete properties.

It is now possible to update/delete individual rule properties like:

  pvesh set nodes/lola/openvz/104/firewall/rules/0 -proto udp
  pvesh set nodes/lola/openvz/104/firewall/rules/1 -delete dport

5 years ago - Dietmar Maurer [Wed, 21 May 2014 08:29:06 +0000 (10:29 +0200)]
fix API: property sport/dport requires protocol

5 years ago - Dietmar Maurer [Wed, 21 May 2014 08:12:18 +0000 (10:12 +0200)]
fix test/test-errors3 - protect rule generation with eval

5 years ago - Dietmar Maurer [Wed, 21 May 2014 07:35:23 +0000 (09:35 +0200)]
add new test case to show serious bug

5 years ago - Dietmar Maurer [Wed, 21 May 2014 07:17:14 +0000 (09:17 +0200)]
allow igmp traffic

5 years ago - Dietmar Maurer [Wed, 21 May 2014 06:59:57 +0000 (08:59 +0200)]
add another test case

5 years ago - Dietmar Maurer [Wed, 21 May 2014 06:56:52 +0000 (08:56 +0200)]
fix for test case test/test-errors1

5 years ago - Dietmar Maurer [Wed, 21 May 2014 06:39:33 +0000 (08:39 +0200)]
add test case to show serious bug

5 years ago - Dietmar Maurer [Wed, 21 May 2014 06:27:55 +0000 (08:27 +0200)]
use GET instead of POST for commands that do not change state.

5 years ago - Dietmar Maurer [Wed, 21 May 2014 06:24:07 +0000 (08:24 +0200)]
add new localnet command

Print information about local network (IP/NETWORK/NODENAME).

5 years ago - Dietmar Maurer [Wed, 21 May 2014 05:43:50 +0000 (07:43 +0200)]
rename cluster_network to local_network, introduce local_network alias

So that the user can overwrite it.

5 years ago - Dietmar Maurer [Wed, 21 May 2014 04:48:23 +0000 (06:48 +0200)]
add tests for management ipset

5 years ago - Dietmar Maurer [Wed, 21 May 2014 04:33:55 +0000 (06:33 +0200)]
Introduce new management ipset

The user can set up a 'management' IPSet to make sure he has access to the GUI
from those IPs.

5 years ago - Dietmar Maurer [Wed, 21 May 2014 04:00:11 +0000 (06:00 +0200)]
do not use ctstate in corosync rule

That is not necessary, because we only reach that rule if ctstate is NEW.

5 years ago - Dietmar Maurer [Tue, 20 May 2014 09:56:06 +0000 (11:56 +0200)]
start alias support for VMs

Implement config parser/writer and API. iptables functionality is missing.

5 years ago - Dietmar Maurer [Tue, 20 May 2014 08:54:51 +0000 (10:54 +0200)]
improve documentation

5 years ago - Dietmar Maurer [Tue, 20 May 2014 08:50:25 +0000 (10:50 +0200)]
do not log simulate warnings to syslog

5 years ago - Dietmar Maurer [Tue, 20 May 2014 08:36:58 +0000 (10:36 +0200)]
add simulate command for easy testing

5 years ago - Dietmar Maurer [Tue, 20 May 2014 07:46:35 +0000 (09:46 +0200)]
move test code to FirewallSimulator.pm

5 years ago - Dietmar Maurer [Tue, 20 May 2014 06:24:31 +0000 (08:24 +0200)]
add tests for corosync multicast addrtype rules

5 years ago - Dietmar Maurer [Tue, 20 May 2014 05:52:46 +0000 (07:52 +0200)]
do not enable VM firewall by default

Else we get different behavior with empty vs. non-existing <VMID>.fw

5 years ago - Dietmar Maurer [Tue, 20 May 2014 05:38:25 +0000 (07:38 +0200)]
add tests for default rules

5 years ago - Dietmar Maurer [Tue, 20 May 2014 05:36:44 +0000 (07:36 +0200)]
fwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2

So that we can add tests for default rules

5 years ago - Dietmar Maurer [Tue, 20 May 2014 05:35:54 +0000 (07:35 +0200)]
allow tests without cluster.fw and host.fw configuration

5 years ago - Dietmar Maurer [Tue, 20 May 2014 05:34:35 +0000 (07:34 +0200)]
also allow VNC and SPICE traffic inside cluster_network

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:56:37 +0000 (06:56 +0200)]
do not use -s for outgoing corosync rules

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:53:37 +0000 (06:53 +0200)]
implement setter for cluster_network

So that we can set values for testing.

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:33:33 +0000 (06:33 +0200)]
fix regression test for previous commits

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:15:41 +0000 (06:15 +0200)]
use $accept_action for standard rules

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:12:55 +0000 (06:12 +0200)]
add standard rules after user rules

So that the users can overwrite behavior.

5 years ago - Dietmar Maurer [Tue, 20 May 2014 04:07:50 +0000 (06:07 +0200)]
fix corosync rules (restrict to cluster network)

5 years ago - Dietmar Maurer [Tue, 20 May 2014 03:55:58 +0000 (05:55 +0200)]
remove wrong corosync rules using port 9000

5 years ago - Dietmar Maurer [Mon, 19 May 2014 12:18:40 +0000 (14:18 +0200)]
allow API/SSH/SPICE/VNC traffic on local cluster network by default

5 years ago - Dietmar Maurer [Mon, 19 May 2014 09:33:11 +0000 (11:33 +0200)]
remove unused options

5 years ago - Dietmar Maurer [Mon, 19 May 2014 09:10:58 +0000 (11:10 +0200)]
add init function

5 years ago - Dietmar Maurer [Mon, 19 May 2014 08:58:21 +0000 (10:58 +0200)]
do not restart pvefw-logger with debian triggers

That is not necessary.

5 years ago - Dietmar Maurer [Mon, 19 May 2014 07:20:18 +0000 (09:20 +0200)]
avoid logs by default

Log files can grow really large, so we want to avoid them by default.

5 years ago - Dietmar Maurer [Mon, 19 May 2014 07:14:36 +0000 (09:14 +0200)]
remove unused parameters

5 years ago - Alexandre Derumier [Mon, 19 May 2014 05:40:08 +0000 (07:40 +0200)]
bidirectional macro cleanups

remove reverse direction rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 19 May 2014 05:53:00 +0000 (07:53 +0200)]
change rule format: use named parameters

5 years ago - Dietmar Maurer [Fri, 16 May 2014 08:32:01 +0000 (10:32 +0200)]
include manual page

5 years ago - Dietmar Maurer [Fri, 16 May 2014 08:14:33 +0000 (10:14 +0200)]
cleanup firewall service implementation

We now run a separate server called 'pve-firewall' (renamed 'pvefw').
So the service and the management tool use the same name:

 # service pve-firewall start

is the same as

 # pve-firewall start

Also removed the read_pvefw_status/save_pvefw_status code.

5 years ago - Alexandre Derumier [Thu, 15 May 2014 11:46:11 +0000 (13:46 +0200)]
bypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips

We create an ipset PVEFW-venet0 for firewalled venet0 IPs,
and only send matching IPs to PVEFW-VENET-IN|OUT.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Fri, 16 May 2014 04:24:07 +0000 (06:24 +0200)]
do not abort if security group does not exist

Simply create an empty chain instead.

5 years ago - Dietmar Maurer [Thu, 15 May 2014 10:53:48 +0000 (12:53 +0200)]
add ipset regression tests

5 years ago - Dietmar Maurer [Thu, 15 May 2014 10:45:08 +0000 (12:45 +0200)]
fwtester: implement ipset testing

5 years ago - Dietmar Maurer [Thu, 15 May 2014 10:17:53 +0000 (12:17 +0200)]
fix blacklist example

5 years ago - Dietmar Maurer [Thu, 15 May 2014 09:49:37 +0000 (11:49 +0200)]
add tests for unconfigured firewall (empty files)

5 years ago - Dietmar Maurer [Thu, 15 May 2014 09:15:29 +0000 (11:15 +0200)]
add group tests for container

5 years ago - Dietmar Maurer [Thu, 15 May 2014 09:01:35 +0000 (11:01 +0200)]
fix security groups for VMs

And add regression tests for those fixes.

5 years ago - Dietmar Maurer [Thu, 15 May 2014 08:27:35 +0000 (10:27 +0200)]
add security group tests

5 years ago - Dietmar Maurer [Thu, 15 May 2014 08:22:20 +0000 (10:22 +0200)]
fwtester: add ability to run tests on several zones

5 years ago - Dietmar Maurer [Thu, 15 May 2014 06:58:36 +0000 (08:58 +0200)]
correctly emit group rules for host

5 years ago - Dietmar Maurer [Thu, 15 May 2014 06:57:01 +0000 (08:57 +0200)]
fwtester: improve rule_match

Use Net::IP to test source/dest.

5 years ago - Dietmar Maurer [Thu, 15 May 2014 05:18:20 +0000 (07:18 +0200)]
correctly use dest instead of source

5 years ago - Dietmar Maurer [Thu, 15 May 2014 05:15:58 +0000 (07:15 +0200)]
allow GROUP rule without iface

5 years ago - Dietmar Maurer [Thu, 15 May 2014 04:52:23 +0000 (06:52 +0200)]
fwtester: set firewall=1 for test VM interfaces

5 years ago - Alexandre Derumier [Thu, 15 May 2014 04:45:06 +0000 (06:45 +0200)]
only add tap rules for interface with firewall=1

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Thu, 15 May 2014 04:37:37 +0000 (06:37 +0200)]
fwtester: simplify code with new bport zone

5 years ago - Dietmar Maurer [Thu, 15 May 2014 04:05:20 +0000 (06:05 +0200)]
improve error messages

5 years ago - Dietmar Maurer [Wed, 14 May 2014 15:31:11 +0000 (17:31 +0200)]
fwtester: add new zone 'nfwm' to simulate a non-firewalled VM

5 years ago - Dietmar Maurer [Wed, 14 May 2014 15:02:55 +0000 (17:02 +0200)]
fwtester: do not count ENTER/LEAVE

5 years ago - Dietmar Maurer [Wed, 14 May 2014 13:32:55 +0000 (15:32 +0200)]
add README for fwtester.pl

5 years ago - Alexandre Derumier [Tue, 13 May 2014 10:32:08 +0000 (12:32 +0200)]
fix interface in rules for host-in and host-out

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Wed, 14 May 2014 12:48:21 +0000 (14:48 +0200)]
add tests for host interface match

5 years ago - Dietmar Maurer [Wed, 14 May 2014 12:12:48 +0000 (14:12 +0200)]
fwtester: support dev regex with -i and -o

5 years ago - Dietmar Maurer [Wed, 14 May 2014 11:55:59 +0000 (13:55 +0200)]
fwtester: fix emulation - correctly set phydev_in

5 years ago - Dietmar Maurer [Wed, 14 May 2014 11:44:02 +0000 (13:44 +0200)]
fwtester: add counters for debugging

5 years ago - Dietmar Maurer [Wed, 14 May 2014 11:20:53 +0000 (13:20 +0200)]
fwtester: do not set packet default values

5 years ago - Alexandre Derumier [Wed, 14 May 2014 06:42:16 +0000 (08:42 +0200)]
move blacklist inside ruleset_chain_add_input_filters

It makes sense to only add it for the IN direction, and like this
non-firewalled VMs (tap|veth for now, not matching fwln+) will never check the blacklist rule.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Alexandre Derumier [Wed, 14 May 2014 06:05:26 +0000 (08:05 +0200)]
remove optimize option

The new model is already optimized, no need for tricks now.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Wed, 14 May 2014 10:14:32 +0000 (12:14 +0200)]
fwtester: implement some useful command line options

5 years ago - Dietmar Maurer [Wed, 14 May 2014 09:38:49 +0000 (11:38 +0200)]
fwtester: implement new 'outside' zone

To simulate traffic from/to the outside world (vmbr0/eth0).

5 years ago - Dietmar Maurer [Wed, 14 May 2014 08:58:50 +0000 (10:58 +0200)]
fwtester: improve kernel simulation

5 years ago - Dietmar Maurer [Wed, 14 May 2014 05:21:19 +0000 (07:21 +0200)]
delete trailing whitespace cleanup

5 years ago - Alexandre Derumier [Wed, 14 May 2014 03:35:09 +0000 (05:35 +0200)]
allow multiple spaces in venet0 ip list

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Alexandre Derumier [Wed, 14 May 2014 03:26:55 +0000 (05:26 +0200)]
rename link+ to fwln+

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Alexandre Derumier [Tue, 13 May 2014 08:19:04 +0000 (10:19 +0200)]
bugfix: allow multiple venet0 IPs in 1 container

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Alexandre Derumier [Mon, 12 May 2014 13:19:16 +0000 (15:19 +0200)]
insert PVEFW-IPS after vm rules generation v2

or it never matches it

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Tue, 13 May 2014 12:18:08 +0000 (14:18 +0200)]
add Makefile targets for regression tests

Always run tests before assembling a Debian package.

5 years ago - Dietmar Maurer [Tue, 13 May 2014 12:09:49 +0000 (14:09 +0200)]
add regression test infrastructure

5 years ago - Dietmar Maurer [Tue, 13 May 2014 11:49:31 +0000 (13:49 +0200)]
allow to read config from test directory

I will use that for regression tests.

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:19 +0000 (13:33 +0200)]
use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:18 +0000 (13:33 +0200)]
move nosmurfs, tcpflags and conntrack established outside tap chains

These should be done fast.

conntrack established can be done in PVE-FORWARD now.

smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't
make sense to test them in the OUT direction).

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
      -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
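
The chain walk quoted in the commit message above, as an added example that is not pve-firewall's own code: a small Python model of the PVEFW-FORWARD layout (using the listing's link+ naming, renamed fwln+ in a later commit) that returns the verdict and the chains a packet visits, so the ordering point can be checked: established, related and non-fwbr traffic is decided before any per-VM chain is reached. The tap123i0 and veth0.0 port names come from the listing; the fwbr0/link0/eth0 interface names, and treating PVEFW-tcpflags and PVEFW-smurfs as pass-through checks, are assumptions.

```python
# Added example (not part of pve-firewall): a model of the PVEFW-FORWARD
# chain layout quoted in the commit message, used to check rule ordering.
from dataclasses import dataclass


def iface_match(pattern: str, name: str) -> bool:
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass
class Packet:
    in_iface: str           # -i : routing-level input interface (fwbr0, eth0, ...)
    ctstate: str            # NEW, ESTABLISHED, RELATED or INVALID
    physdev_in: str = ""    # bridge port the frame came in on
    physdev_out: str = ""   # bridge port the frame leaves on
    proto: str = "tcp"
    bridged: bool = True    # --physdev-is-bridged


# Constructed sample: bridge ports that have per-VM chains (from the listing)
FW_PORTS = ("tap123i0", "veth0.0")


def pvefw_forward(pkt: Packet, fw_ports=FW_PORTS):
    """Walk the layout top to bottom; return (verdict, chains visited).

    PVEFW-tcpflags and PVEFW-smurfs are recorded as visited but assumed to
    return (their own DROP rules are not modelled); the point is ordering.
    """
    trace = ["PVEFW-FORWARD"]
    if not iface_match("fwbr+", pkt.in_iface):
        return "ACCEPT", trace           # ! -i fwbr+ -j ACCEPT
    if pkt.ctstate == "INVALID":
        return "DROP", trace             # --ctstate INVALID -j DROP
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT", trace           # accepted before any per-VM chain
    if iface_match("link+", pkt.physdev_in):
        trace.append("PVEFW-FWBR-IN")
        if pkt.proto == "tcp":
            trace.append("PVEFW-tcpflags")
        if pkt.ctstate in ("INVALID", "NEW"):
            trace.append("PVEFW-smurfs")
        for port in fw_ports:            # --physdev-out <port> --physdev-is-bridged
            if pkt.bridged and pkt.physdev_out == port:
                trace.append(f"{port}-IN")
                return "VM-CHAIN", trace
        return "RETURN", trace           # no per-VM chain matched: falls through
    if pkt.bridged and iface_match("link+", pkt.physdev_out):
        trace.append("PVEFW-FWBR-OUT")
        for port in fw_ports:            # --physdev-in <port>
            if pkt.physdev_in == port:
                trace.append(f"{port}-OUT")
                return "VM-CHAIN", trace
        return "RETURN", trace
    return "RETURN", trace
```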

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:17 +0000 (13:33 +0200)]
remove dead code

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:16 +0000 (13:33 +0200)]
add PVEFW-VENET-IN && PVEFW-VENET-OUT chains

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:15 +0000 (13:33 +0200)]
remove bridge chains

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
      -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
      -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:14 +0000 (13:33 +0200)]
use hex digest to avoid url encoding problems

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Mon, 12 May 2014 11:33:13 +0000 (13:33 +0200)]
avoid error about undefined array

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Tue, 6 May 2014 09:18:25 +0000 (11:18 +0200)]
set RELEASE to 3.2

5 years ago - Dietmar Maurer [Tue, 6 May 2014 09:12:21 +0000 (11:12 +0200)]
remove allow_bridge_route setting

Not needed for new network model with additional bridge.

5 years ago - Dietmar Maurer [Thu, 24 Apr 2014 12:31:13 +0000 (14:31 +0200)]
firewall group API: change 'name' to 'group'

5 years ago - Alexandre Derumier [Tue, 22 Apr 2014 08:44:59 +0000 (10:44 +0200)]
add global ipset blacklist

This is a predefined ipset == blacklist, which blocks IPs at the beginning
of PVE-FORWARD.

(Useful in case of a DDoS attack.)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 10:43:54 +0000 (12:43 +0200)]
generate_ipset: skip undefined ipsets

I introduced that bug when I changed die to warn.

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 10:37:03 +0000 (12:37 +0200)]
rename save_rules to save_ipset

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 10:33:05 +0000 (12:33 +0200)]
alias API: implement rename

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 09:45:52 +0000 (11:45 +0200)]
start API for aliases

Allow comments for aliases.

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 07:37:53 +0000 (09:37 +0200)]
correctly save aliases

5 years ago - Dietmar Maurer [Tue, 22 Apr 2014 07:08:05 +0000 (09:08 +0200)]
ruleset_generate_vm_rules: use 'warn' instead of 'die'

We want to be able to update our rules, even if somebody defined
a wrong rule for his VM.