pve-firewall.git
6 years agoAPI fix: allow aliases in IPSets
Dietmar Maurer [Fri, 30 May 2014 07:31:25 +0000 (09:31 +0200)]
API fix: allow aliases in IPSets

6 years agoparser: verify group and ipset names
Dietmar Maurer [Fri, 30 May 2014 06:24:03 +0000 (08:24 +0200)]
parser: verify group and ipset names

6 years agoimplement API to get list of possible refs (aliases + ipsets)
Dietmar Maurer [Wed, 28 May 2014 11:52:42 +0000 (13:52 +0200)]
implement API to get list of possible refs (aliases + ipsets)

6 years agointroduce ipset_name_pattern to avoid confusion
Dietmar Maurer [Wed, 28 May 2014 10:59:17 +0000 (12:59 +0200)]
introduce ipset_name_pattern to avoid confusion

6 years agolimit alias/ipset name length to 64 characters
Dietmar Maurer [Wed, 28 May 2014 10:51:06 +0000 (12:51 +0200)]
limit alias/ipset name length to 64 characters

6 years agoadd test for long ipset names
Dietmar Maurer [Wed, 28 May 2014 08:45:27 +0000 (10:45 +0200)]
add test for long ipset names

6 years agofix ipset match - s/src/dst/
Dietmar Maurer [Wed, 28 May 2014 08:41:50 +0000 (10:41 +0200)]
fix ipset match - s/src/dst/

6 years agoimplement VM ipsets, allow long ipset names
Dietmar Maurer [Wed, 28 May 2014 08:31:03 +0000 (10:31 +0200)]
implement VM ipsets, allow long ipset names

If names are to long, We simply use the FNV digest instead of the name.

6 years agoalways pass cluster_conf to load_vmfw_conf
Dietmar Maurer [Wed, 28 May 2014 04:47:05 +0000 (06:47 +0200)]
always pass cluster_conf to load_vmfw_conf

6 years agoimplement ipsets for VM/CT
Dietmar Maurer [Tue, 27 May 2014 09:38:54 +0000 (11:38 +0200)]
implement ipsets for VM/CT

6 years agodo not print trace when debug is not set
Dietmar Maurer [Tue, 27 May 2014 09:31:09 +0000 (11:31 +0200)]
do not print trace when debug is not set

6 years agowhite space cleanup
Dietmar Maurer [Tue, 27 May 2014 06:03:09 +0000 (08:03 +0200)]
white space cleanup

6 years agoimplement aliases at VM level
Dietmar Maurer [Tue, 27 May 2014 05:58:32 +0000 (07:58 +0200)]
implement aliases at VM level

6 years agoadd test for aliases inside vm firewall configuration
Dietmar Maurer [Tue, 27 May 2014 05:57:16 +0000 (07:57 +0200)]
add test for aliases inside vm firewall configuration

6 years agofwtester.pl: add warnings to trace
Dietmar Maurer [Tue, 27 May 2014 04:58:13 +0000 (06:58 +0200)]
fwtester.pl: add warnings to trace

6 years agooptimize blacklist : create a PVEFW-blacklist chain
Alexandre Derumier [Mon, 26 May 2014 08:44:55 +0000 (10:44 +0200)]
optimize blacklist : create a PVEFW-blacklist chain

currently we check the ipset blacklist twice (1 for log and 1 for drop)

It's better to check ipset once, and go to a PVEFW-blacklist chain
where we do the log, and then the drop

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agofix comment
Dietmar Maurer [Mon, 26 May 2014 10:58:58 +0000 (12:58 +0200)]
fix comment

6 years agoskip diabled rules and rules with errors early
Dietmar Maurer [Mon, 26 May 2014 10:55:46 +0000 (12:55 +0200)]
skip diabled rules and rules with errors early

6 years agoruleset_generate_vm_rules: skip rules with errors
Dietmar Maurer [Mon, 26 May 2014 10:46:27 +0000 (12:46 +0200)]
ruleset_generate_vm_rules: skip rules with errors

6 years agoimprove rule verification
Dietmar Maurer [Mon, 26 May 2014 10:45:41 +0000 (12:45 +0200)]
improve rule verification

Also verify ipset/aliases.

6 years agopass $rule_env (cluster/host/vm/ct) to rule parser.
Dietmar Maurer [Mon, 26 May 2014 06:09:02 +0000 (08:09 +0200)]
pass $rule_env (cluster/host/vm/ct) to rule parser.

So that we can correctly verify 'iface' parameter.

Also add new API classes for CTs (because we need to pass $rule_env).

6 years agoimprove error handling
Dietmar Maurer [Fri, 23 May 2014 09:32:33 +0000 (11:32 +0200)]
improve error handling

We now show syntax errors from firewall files with:

 # pve-firewall status

But we do not log such errors to syslog, because that would result
in same warning on each update (10 seconds).

6 years agoallow to read rule with errors
Dietmar Maurer [Fri, 23 May 2014 08:43:22 +0000 (10:43 +0200)]
allow to read rule with errors

And return error messages inside $rule->{errors}. The GUI can display
those errors so that the user can correct them.

6 years agoclose inotify handle before restart
Dietmar Maurer [Thu, 22 May 2014 07:50:59 +0000 (09:50 +0200)]
close inotify handle before restart

6 years agoimprove rules API
Dietmar Maurer [Wed, 21 May 2014 11:03:57 +0000 (13:03 +0200)]
improve rules API

Do not use JSON schema 'requires' property, because that forbids to
use '' to delete properties.

It is now possible to update/delete individual rule properties like:

  pvesh set nodes/lola/openvz/104/firewall/rules/0 -proto udp
  pvesh set nodes/lola/openvz/104/firewall/rules/1 -delete dport

6 years agofix API: property sport/dport requires protocol
Dietmar Maurer [Wed, 21 May 2014 08:29:06 +0000 (10:29 +0200)]
fix API: property sport/dport requires protocol

6 years agofix test/test-errors3 - protect rule generation with eval
Dietmar Maurer [Wed, 21 May 2014 08:12:18 +0000 (10:12 +0200)]
fix test/test-errors3 - protect rule generation with eval

6 years agoadd new test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 07:35:23 +0000 (09:35 +0200)]
add new test case to show serious bug

6 years agoallow igmp traffic
Dietmar Maurer [Wed, 21 May 2014 07:17:14 +0000 (09:17 +0200)]
allow igmp traffic

6 years agoadd another test case
Dietmar Maurer [Wed, 21 May 2014 06:59:57 +0000 (08:59 +0200)]
add another test case

6 years agofix for test case test/test-errors1
Dietmar Maurer [Wed, 21 May 2014 06:56:52 +0000 (08:56 +0200)]
fix for test case test/test-errors1

6 years agoadd test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 06:39:33 +0000 (08:39 +0200)]
add test case to show serious bug

6 years agouse GET instead of POST for command that do not change state.
Dietmar Maurer [Wed, 21 May 2014 06:27:55 +0000 (08:27 +0200)]
use GET instead of POST for command that do not change state.

6 years agoadd new localnet command
Dietmar Maurer [Wed, 21 May 2014 06:24:07 +0000 (08:24 +0200)]
add new localnet command

Print information about local network (IP/NETWORK/NODENAME).

6 years agorename cluster_network to local_network, introduce local_network alias
Dietmar Maurer [Wed, 21 May 2014 05:43:50 +0000 (07:43 +0200)]
rename cluster_network to local_network, introduce local_network alias

So that the user can overwrite it.

6 years agoadd tests for management ipset
Dietmar Maurer [Wed, 21 May 2014 04:48:23 +0000 (06:48 +0200)]
add tests for management ipset

6 years agoIntroduce new management ipset
Dietmar Maurer [Wed, 21 May 2014 04:33:55 +0000 (06:33 +0200)]
Introduce new management ipset

The uses can setup a 'management' IPSet to make sure he has access to the GUI
from those IPs.

6 years agodo not use ctstate in corosync rule
Dietmar Maurer [Wed, 21 May 2014 04:00:11 +0000 (06:00 +0200)]
do not use ctstate in corosync rule

That is not necessary, because we only reach that rule if ctstate is NEW.

6 years agostart alias support for VMs
Dietmar Maurer [Tue, 20 May 2014 09:56:06 +0000 (11:56 +0200)]
start alias support for VMs

implement config parser/writer and API. iptables functionatity is missing.

6 years agoimprove documentation
Dietmar Maurer [Tue, 20 May 2014 08:54:51 +0000 (10:54 +0200)]
improve documentation

6 years agodo not log simulate warnings to syslog
Dietmar Maurer [Tue, 20 May 2014 08:50:25 +0000 (10:50 +0200)]
do not log simulate warnings to syslog

6 years agoadd simulate command for easy testing
Dietmar Maurer [Tue, 20 May 2014 08:36:58 +0000 (10:36 +0200)]
add simulate command for easy testing

6 years agomove test code to FirewallSimulator.pm
Dietmar Maurer [Tue, 20 May 2014 07:46:35 +0000 (09:46 +0200)]
move test code to FirewallSimulator.pm

6 years agoadd tests for corosync multicast addrtype rules
Dietmar Maurer [Tue, 20 May 2014 06:24:31 +0000 (08:24 +0200)]
add tests for corosync multicast addrtype rules

6 years agodo not enable VM firewall by default
Dietmar Maurer [Tue, 20 May 2014 05:52:46 +0000 (07:52 +0200)]
do not enable VM firewall by default

Else we get different behavior with empty vs. non-existinf <VMID>.fw

6 years agoadd tests for default rules
Dietmar Maurer [Tue, 20 May 2014 05:38:25 +0000 (07:38 +0200)]
add tests for default rules

6 years agofwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2
Dietmar Maurer [Tue, 20 May 2014 05:36:44 +0000 (07:36 +0200)]
fwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2

So that we can add test for default rules

6 years agoallow tests without cluster.fw and host.fw configuration
Dietmar Maurer [Tue, 20 May 2014 05:35:54 +0000 (07:35 +0200)]
allow tests without cluster.fw and host.fw configuration

6 years agoalso allow VNC and SPICE traffic inside cluster_network
Dietmar Maurer [Tue, 20 May 2014 05:34:35 +0000 (07:34 +0200)]
also allow VNC and SPICE traffic inside cluster_network

6 years agodo not use -s for outgoing corosync rules
Dietmar Maurer [Tue, 20 May 2014 04:56:37 +0000 (06:56 +0200)]
do not use -s for outgoing corosync rules

6 years agoimplement setter for cluster_network
Dietmar Maurer [Tue, 20 May 2014 04:53:37 +0000 (06:53 +0200)]
implement setter for cluster_network

So that we can set values for testing.

6 years agofix regression test for previous commits
Dietmar Maurer [Tue, 20 May 2014 04:33:33 +0000 (06:33 +0200)]
fix regression test for previous commits

6 years agouse $accept_action for standard rules
Dietmar Maurer [Tue, 20 May 2014 04:15:41 +0000 (06:15 +0200)]
use $accept_action for standard rules

6 years agoadd standard rules after user rules
Dietmar Maurer [Tue, 20 May 2014 04:12:55 +0000 (06:12 +0200)]
add standard rules after user rules

Ao that the users can overwrite behavior.

6 years agofix corosync rules (restrict to cluster network)
Dietmar Maurer [Tue, 20 May 2014 04:07:50 +0000 (06:07 +0200)]
fix corosync rules (restrict to cluster network)

6 years agoremove wrong corosync rules using port 9000
Dietmar Maurer [Tue, 20 May 2014 03:55:58 +0000 (05:55 +0200)]
remove wrong corosync rules using port 9000

6 years agoallow API/SSH/SPICE/VNC traffic on local cluster network by default
Dietmar Maurer [Mon, 19 May 2014 12:18:40 +0000 (14:18 +0200)]
allow API/SSH/SPICE/VNC traffic on local cluster network by default

6 years agoremove unused options
Dietmar Maurer [Mon, 19 May 2014 09:33:11 +0000 (11:33 +0200)]
remove unused options

6 years agoadd init function
Dietmar Maurer [Mon, 19 May 2014 09:10:58 +0000 (11:10 +0200)]
add init function

6 years agodo not restart pvefw-logger with debian triggers
Dietmar Maurer [Mon, 19 May 2014 08:58:21 +0000 (10:58 +0200)]
do not restart pvefw-logger with debian triggers

That is not necessary.

6 years agoavoid logs by default
Dietmar Maurer [Mon, 19 May 2014 07:20:18 +0000 (09:20 +0200)]
avoid logs by default

Log files can grow really large, so we want to avoid them by default.

6 years agoremove unused parameters
Dietmar Maurer [Mon, 19 May 2014 07:14:36 +0000 (09:14 +0200)]
remove unused parameters

6 years agobirectionnal macros cleanups
Alexandre Derumier [Mon, 19 May 2014 05:40:08 +0000 (07:40 +0200)]
birectionnal macros cleanups

remove reverse direction rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agochange rule format: use named parameters
Dietmar Maurer [Mon, 19 May 2014 05:53:00 +0000 (07:53 +0200)]
change rule format: use named parameters

6 years agoinclude manual page
Dietmar Maurer [Fri, 16 May 2014 08:32:01 +0000 (10:32 +0200)]
include manual page

6 years agocleanup firewall service implementation
Dietmar Maurer [Fri, 16 May 2014 08:14:33 +0000 (10:14 +0200)]
cleanup firewall service implementation

We now run a separate server called 'pve-firewall' (renamed 'pvefw').
So service and management tool use the same name:

 # service pve-firewall start

is the same as

 # pve-firewall start

Also removed the read_pvefw_status/save_pvefw_status code.

6 years agobypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips
Alexandre Derumier [Thu, 15 May 2014 11:46:11 +0000 (13:46 +0200)]
bypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips

we create an ipset PVEFW-venet0 for firewalled venet0 ips,
and only send this matching ips to PVEFW-VENET-IN|OUT

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agodo not abort if security groups does not exists
Dietmar Maurer [Fri, 16 May 2014 04:24:07 +0000 (06:24 +0200)]
do not abort if security groups does not exists

Simply create an empty chain instead.

6 years agoadd ipset regression tests
Dietmar Maurer [Thu, 15 May 2014 10:53:48 +0000 (12:53 +0200)]
add ipset regression tests

6 years agofwtester: implement ipset testing
Dietmar Maurer [Thu, 15 May 2014 10:45:08 +0000 (12:45 +0200)]
fwtester: implement ipset testing

6 years agofix blacklist example
Dietmar Maurer [Thu, 15 May 2014 10:17:53 +0000 (12:17 +0200)]
fix blacklist example

6 years agoadd tests for unconfigured firewall (empty files)
Dietmar Maurer [Thu, 15 May 2014 09:49:37 +0000 (11:49 +0200)]
add tests for unconfigured firewall (empty files)

6 years agoadd group tests for container
Dietmar Maurer [Thu, 15 May 2014 09:15:29 +0000 (11:15 +0200)]
add group tests for container

6 years agofix security groups for VMs
Dietmar Maurer [Thu, 15 May 2014 09:01:35 +0000 (11:01 +0200)]
fix security groups for VMs

And add resgression tests for those fixes.

6 years agoadd security group tests
Dietmar Maurer [Thu, 15 May 2014 08:27:35 +0000 (10:27 +0200)]
add security group tests

6 years agofwtester: add ability to run tests on several zones
Dietmar Maurer [Thu, 15 May 2014 08:22:20 +0000 (10:22 +0200)]
fwtester: add ability to run tests on several zones

6 years agocorrectly emit group rules for host
Dietmar Maurer [Thu, 15 May 2014 06:58:36 +0000 (08:58 +0200)]
correctly emit group rules for host

6 years agofwtester: improve rule_match
Dietmar Maurer [Thu, 15 May 2014 06:57:01 +0000 (08:57 +0200)]
fwtester: improve rule_match

Use Net::IP to test source/dest.

6 years agocorrectly use dest instead of source
Dietmar Maurer [Thu, 15 May 2014 05:18:20 +0000 (07:18 +0200)]
correctly use dest instead of source

6 years agoallow GROUP rule without iface
Dietmar Maurer [Thu, 15 May 2014 05:15:58 +0000 (07:15 +0200)]
allow GROUP rule without iface

6 years agofwtester: set firewall=1 for test VM interfaces
Dietmar Maurer [Thu, 15 May 2014 04:52:23 +0000 (06:52 +0200)]
fwtester: set firewall=1 for test VM interfaces

6 years agoonly add tap rules for interface with firewall=1
Alexandre Derumier [Thu, 15 May 2014 04:45:06 +0000 (06:45 +0200)]
only add tap rules for interface with firewall=1

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agofwtester: simplify code with ne bport zone
Dietmar Maurer [Thu, 15 May 2014 04:37:37 +0000 (06:37 +0200)]
fwtester: simplify code with ne bport zone

6 years agoimprove error messages
Dietmar Maurer [Thu, 15 May 2014 04:05:20 +0000 (06:05 +0200)]
improve error messages

6 years agofwtester: add new zone 'nfwm' to simulate a non-firewalled VM
Dietmar Maurer [Wed, 14 May 2014 15:31:11 +0000 (17:31 +0200)]
fwtester: add new zone 'nfwm' to simulate a non-firewalled VM

6 years agofwtester: do not count ENTER/LEAVE
Dietmar Maurer [Wed, 14 May 2014 15:02:55 +0000 (17:02 +0200)]
fwtester: do not count ENTER/LEAVE

6 years agoadd README for fwtester.pl
Dietmar Maurer [Wed, 14 May 2014 13:32:55 +0000 (15:32 +0200)]
add README for fwtester.pl

6 years agofix interface in rules for host-in and host-out
Alexandre Derumier [Tue, 13 May 2014 10:32:08 +0000 (12:32 +0200)]
fix interface in rules for host-in and host-out

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agoadd tests for host interface match
Dietmar Maurer [Wed, 14 May 2014 12:48:21 +0000 (14:48 +0200)]
add tests for host interface match

6 years agofwtester: support dev regex with -i and -o
Dietmar Maurer [Wed, 14 May 2014 12:12:48 +0000 (14:12 +0200)]
fwtester: support dev regex with -i and -o

6 years agofwtester: fix emulation - correctly set phydev_in
Dietmar Maurer [Wed, 14 May 2014 11:55:59 +0000 (13:55 +0200)]
fwtester: fix emulation - correctly set phydev_in

6 years agofwtester: add counters for debugging
Dietmar Maurer [Wed, 14 May 2014 11:44:02 +0000 (13:44 +0200)]
fwtester: add counters for debugging

6 years agofwtester: do not set packet default values
Dietmar Maurer [Wed, 14 May 2014 11:20:53 +0000 (13:20 +0200)]
fwtester: do not set packet default values

6 years agomove blacklist inside ruleset_chain_add_input_filters
Alexandre Derumier [Wed, 14 May 2014 06:42:16 +0000 (08:42 +0200)]
move blacklist inside ruleset_chain_add_input_filters

make sense to only add it for IN direction and

like this, non-firewalled vms (tap|veth for now, not matching fwln+) will never check the blacklist rule

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agoremove optimize option
Alexandre Derumier [Wed, 14 May 2014 06:05:26 +0000 (08:05 +0200)]
remove optimize option

new model is already optimized, no need to have tricks now

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
6 years agofwtester: implement some useful command line option
Dietmar Maurer [Wed, 14 May 2014 10:14:32 +0000 (12:14 +0200)]
fwtester: implement some useful command line option

6 years agofwtester: implement new 'outside' zone
Dietmar Maurer [Wed, 14 May 2014 09:38:49 +0000 (11:38 +0200)]
fwtester: implement new 'outside' zone

To simulate traffic from/to outside world (vmbr0/eth0)

6 years agofwtester: improve kernel simulation
Dietmar Maurer [Wed, 14 May 2014 08:58:50 +0000 (10:58 +0200)]
fwtester: improve kernel simulation

6 years agodelete trailing whitespace cleanup
Dietmar Maurer [Wed, 14 May 2014 05:21:19 +0000 (07:21 +0200)]
delete trailing whitespace cleanup

6 years agoallow multiple spaces in venet0 ip list
Alexandre Derumier [Wed, 14 May 2014 03:35:09 +0000 (05:35 +0200)]
allow multiple spaces in venet0 ip list

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>