Thomas Lamprecht [Thu, 11 Apr 2019 13:28:34 +0000 (15:28 +0200)]
make verbose a global state
This is part of the project 'stop the parameter rabbit hole madness'
and tries to make reading the firewall code a little bit easier.
Here we remove passing $verbose from 44 method signatures, while it
was used in 4 of those methods, a ration of 1/11 is simply not
acceptable for such a thing as a verbosity flag..
Remove it, and just make it a global variable with a setter for now.
Verbose is not modified in any API call, only in a Service
environment callablle by CLI, so we are save to do so.
If we decide to add some sort of firewall instance (i.e., a blessed
$self "object") with some state we could also move it there, but
making it global now doesn't hurt.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 31 Mar 2019 13:24:42 +0000 (15:24 +0200)]
cleanup makefiles, set target dirs per makefile
be more consistent with the buildsystems of our other packages.
compared old to new with diffoscope, no real changes (besides
different SOURCE file, as base check commits differ)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Mon, 18 Mar 2019 16:05:53 +0000 (17:05 +0100)]
fix: #2123 Logging of user defined firewall rules
This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option allow to specify the
log level for each rule individually.
The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.
For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Christian Ebner [Fri, 1 Feb 2019 09:46:11 +0000 (10:46 +0100)]
Fix #1606 Add nf_conntrack_allow_invalid option
This adds the nf_conntrack_allow_invalid host firewall option to allow to disable
the dropping of invalid packets from the connection tracker point of view.
This is needed for some rare setups with asymmetrical multi-path routing.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
David Limbeck [Wed, 9 Jan 2019 14:32:10 +0000 (15:32 +0100)]
log and ignore ENOBUFS in nfct_catch
nfct_catch sets ENOBUFS if not enough buffer space is available. log
and continue operation instead of stopping. in addition log possible
other errors set by nfct_catch
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:52 +0000 (13:08 +0100)]
add log_nf_conntrack host firewall option
add log_nf_conntrack host firewall option to enable or disable logging
of connections. restarts pvefw-logger if the option changes in the
config. the pvefw-logger is always restarted in the beginning to make
sure the current config is applied.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:51 +0000 (13:08 +0100)]
add conntrack logging via libnetfilter_conntrack
add conntrack logging to pvefw-logger including timestamps (requires
/proc/sys/net/netfilter/nf_conntrack_timestamp to be 1).
this allows the tracking of sessions (start, end timestamps with
nf_conntrack_timestamp on [DESTROY] messages). commit includes
Build-Depends inclusion of libnetfilter-conntrack-dev and
libnetfilter_conntrack library in the Makefile.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
debhelpers on stretch do not care about the wrong uinit name, and the
name used is always the one from --name.
But buster cares, so fix it to the right one.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Sat, 26 May 2018 20:50:30 +0000 (22:50 +0200)]
Don't change external ebtables rules
* Fixes #1764
* Introduces ebtables_enable option to cluster config
* All ebtables chains not created by PVE are left in place
* get_ruleset_status optionally takes an additional argument
(a regex indicating which chains should be left intact)
Since we don't have signatures in ebtables we need to also
see empty chains to not think we have to create them.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
ebtables doesn't have comment rules we could store the
digest in, so we need to match the ebtables-save output
instead.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
need ebtables-save && ebtables-restore, ebtables debian package don't include them.
ebtables-restore need to restore the full ruleset (atomicaly),
so we can't update only 1 chain
Signed-off-by: Alexandre Derumier <aderumier at odiso.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -p IPv4 -j ACCEPT #filter mac in iptables for ipv4, so we can speedup rules with conntrack established
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -i tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s ! 36:97:15:91:19:3c -j DROP
-A tap110i0-OUT -p ARP -j ACCEPT
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -j ACCEPT
-A PVEFW-FWBR-OUT -i veth130.1 -j veth130.1-OUT
-A veth130.1-OUT -s ! 36:95:a9:ae:f5:ec -j DROP
-A veth130.1-OUT -j ACCEPT
Signed-off-by: Alexandre Derumier <aderumier at odiso.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parse_protocol_file: support lines without end comments
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The multiport `--ports` parameter is an `OR` match on source
and destination ports, so we should not use it.
We also don't actually use the port count, so let the port
range parser simply return a boolean and use the counter
only for the internal check. This also fixes a regression
caused by the previous multiport check which caused a single
port range to be recognized as a multiport option while it
did not have to be one, causing entries such as the SMB
macro to be added with `--match multiport` mistakenly, which
refused to accept the source port option.
Additionally, we now allow the case with 1 multiport and 1
single port entry: In order for the iptables command to
accept this the single port entry must come first, otherwise
it'll be passed to the multiport matcher (because why
shouldn't it interpret a singular `--Xport` as an alias to
the plural version `--Xports`... *sigh*).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Fixes: 6a241ca745f7 ("check multiport limit in port ranges")
Tom Weber [Wed, 18 Oct 2017 20:24:05 +0000 (22:24 +0200)]
implement ipt_rule_to_cmds, ruleset_add_ipt_cmd
ipt_rule_to_cmds converts a %rule to an array of iptables commands
ruleset_add_ipt_cmd adds such an iptables command to a chain
ruleset_generate_rule uses these now
ruleset_generate_rule_old is an interim workaround
Tom Weber [Wed, 18 Oct 2017 20:24:02 +0000 (22:24 +0200)]
make $pve_std_chains a copy of $pve_std_chains_conf
create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persitant changes to the
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (later to implement).
Tom Weber [Wed, 18 Oct 2017 20:23:59 +0000 (22:23 +0200)]
prepare code for more generic firewall logging
making ruleset generation aware of a match and action
part in iptable rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).