Dietmar Maurer [Tue, 6 May 2014 09:18:25 +0000 (11:18 +0200)]
set RELEASE to 3.2
Dietmar Maurer [Tue, 6 May 2014 09:12:21 +0000 (11:12 +0200)]
remove allow_bridge_route setting
Not needed for new network model with additional bridge.
Dietmar Maurer [Thu, 24 Apr 2014 12:31:13 +0000 (14:31 +0200)]
firewall group API: change 'name' to 'group'
Alexandre Derumier [Tue, 22 Apr 2014 08:44:59 +0000 (10:44 +0200)]
add global ipset blacklist
this is a predefined ipset == blacklist,
which block ips at the begin of PVE-FORWARD.
(usefull in case of ddos attack)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 22 Apr 2014 10:43:54 +0000 (12:43 +0200)]
generate_ipset: skip undefined ipsets
I introduced that bug when I changed die to warn.
Dietmar Maurer [Tue, 22 Apr 2014 10:37:03 +0000 (12:37 +0200)]
rename save_rules to save_ipset
Dietmar Maurer [Tue, 22 Apr 2014 10:33:05 +0000 (12:33 +0200)]
alias API: implement rename
Dietmar Maurer [Tue, 22 Apr 2014 09:45:52 +0000 (11:45 +0200)]
start API for aliases
Allow comments for aliases.
Dietmar Maurer [Tue, 22 Apr 2014 07:37:53 +0000 (09:37 +0200)]
correctly save aliases
Dietmar Maurer [Tue, 22 Apr 2014 07:08:05 +0000 (09:08 +0200)]
ruleset_generate_vm_rules: use 'warn' instead of 'die'
We want to be able to update our rules, even if somebody defined
a wrong rule for his VM.
Dietmar Maurer [Tue, 22 Apr 2014 07:02:04 +0000 (09:02 +0200)]
ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue()
Dietmar Maurer [Tue, 22 Apr 2014 06:59:02 +0000 (08:59 +0200)]
generate_nfqueue: code cleanup
Dietmar Maurer [Tue, 22 Apr 2014 06:53:48 +0000 (08:53 +0200)]
ruleset_generate_rule: update all or nothing
And use 'warn' instead of 'die' if alias does not exists.
Alexandre Derumier [Tue, 22 Apr 2014 06:17:00 +0000 (08:17 +0200)]
update update_nf_conntrack_max && nf_conntrack_tcp_timeout_established after modules load
/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
and
/proc/sys/net/nf_conntrack_max
are empty by default, because conntrack module is not loaded, until we have apply iptables rules
So, we just need to update them after iptables commit (which load the conntrack modules)
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 22 Apr 2014 06:32:44 +0000 (08:32 +0200)]
code cleanup
Define $ip_alias_name to make it easier to read the code.
Alexandre Derumier [Tue, 22 Apr 2014 05:38:07 +0000 (07:38 +0200)]
iptables_get_chains : allow bridgevlan vmbrXvY
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 22 Apr 2014 03:57:15 +0000 (05:57 +0200)]
optimize : accept from physical interfaces on bridges
They are a lot of chance that a packet is coming/going from/to external network.
Currently, we need to check all tap chains before accept the packet from eth|bond interface.
This can have a big performance impact (mainly for drop|reject, as we don't have an established connection).
So It could be a problem in case of a ddos attack for example.
without optimize
----------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
with optimize
------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-OUT -m physdev --physdev-in ethX --physdev-is-bridged -g PVEFW-SET-ACCEPT-MARK
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-IN -m physdev --physdev-out ethX --physdev-is-bridged -j ACCEPT
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Sat, 19 Apr 2014 07:00:03 +0000 (09:00 +0200)]
add aliases feature
this allow to defined ip et network aliases,
which can be used in vm/group rules and also ipset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 18 Apr 2014 08:50:15 +0000 (10:50 +0200)]
add README and example to debian package
Dietmar Maurer [Fri, 18 Apr 2014 08:43:30 +0000 (10:43 +0200)]
fix README
Dietmar Maurer [Fri, 18 Apr 2014 08:28:13 +0000 (10:28 +0200)]
only allow tcpflafgs and nosmurfs in host.fw
Dietmar Maurer [Fri, 18 Apr 2014 06:11:49 +0000 (08:11 +0200)]
enable cluster wide rules
Dietmar Maurer [Fri, 18 Apr 2014 05:44:32 +0000 (07:44 +0200)]
add remaining options to VM API
Dietmar Maurer [Fri, 18 Apr 2014 05:23:20 +0000 (07:23 +0200)]
add options and log API for VMs
Alexandre Derumier [Thu, 17 Apr 2014 04:42:50 +0000 (06:42 +0200)]
bugfix : ruleset_generate_cmdstr : use -d for destination
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 15 Apr 2014 10:28:05 +0000 (12:28 +0200)]
complete options API for host.fw
Dietmar Maurer [Tue, 15 Apr 2014 09:03:17 +0000 (11:03 +0200)]
add API for firewall log
Dietmar Maurer [Tue, 15 Apr 2014 08:38:40 +0000 (10:38 +0200)]
correctly initialize std chains
Else those chains grow if called from a daemon.
Dietmar Maurer [Tue, 15 Apr 2014 07:04:42 +0000 (09:04 +0200)]
do not set persistent state if firewall is disabled
Else we have to manually restart the service after enable is set.
Dietmar Maurer [Tue, 15 Apr 2014 06:15:53 +0000 (08:15 +0200)]
disable firewall by default
Dietmar Maurer [Tue, 15 Apr 2014 06:12:27 +0000 (08:12 +0200)]
add init script to start firewall
Alexandre Derumier [Tue, 15 Apr 2014 05:25:21 +0000 (07:25 +0200)]
ips : allow --queue-bypass only for kernel 3.10
This don't exist in 2.6.32 kernel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 15 Apr 2014 05:29:50 +0000 (07:29 +0200)]
stop firewall inside update if firewall is disabled in cluster.fw
And some code cleanups.
Dietmar Maurer [Mon, 14 Apr 2014 10:51:16 +0000 (12:51 +0200)]
implement API for cluster.fw policy_in and policy_out options
Dietmar Maurer [Mon, 14 Apr 2014 10:21:38 +0000 (12:21 +0200)]
move host policy setting to cluster.fw
Because we also have cluster wide rules
Dietmar Maurer [Mon, 14 Apr 2014 10:06:45 +0000 (12:06 +0200)]
remove option dhcp for host.fw
Alexandre Derumier [Mon, 14 Apr 2014 07:59:47 +0000 (09:59 +0200)]
add tunnable nf_conntrack_tcp_timeout_established value
default nf_conntrack_tcp_timeout_established value is 5 days.
This is really huge, in case of a ddos attack for example
from:
https://dev.openwrt.org/ticket/12976
minimum value should be
"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 11 Apr 2014 10:52:48 +0000 (12:52 +0200)]
copy_xxx_with_digest: do not copy undefined values
Dietmar Maurer [Fri, 11 Apr 2014 09:32:32 +0000 (11:32 +0200)]
improve concurrent update handling
compute digest per section.
Dietmar Maurer [Thu, 10 Apr 2014 10:28:50 +0000 (12:28 +0200)]
correctly encode section comments as utf8
Dietmar Maurer [Thu, 10 Apr 2014 10:08:48 +0000 (12:08 +0200)]
support comments on ipset sections
Also implement concurrenty change prevention for ipset API.
Dietmar Maurer [Thu, 10 Apr 2014 08:44:56 +0000 (10:44 +0200)]
rules API: protect against concurrent updates
Dietmar Maurer [Thu, 10 Apr 2014 08:38:48 +0000 (10:38 +0200)]
security group API: protect against concurrent updates
Dietmar Maurer [Thu, 10 Apr 2014 07:01:28 +0000 (09:01 +0200)]
define standard option pve-config-digest
Dietmar Maurer [Wed, 9 Apr 2014 10:53:12 +0000 (12:53 +0200)]
support comments on group sections
Dietmar Maurer [Wed, 9 Apr 2014 07:48:42 +0000 (09:48 +0200)]
correctly save security group rules
Dietmar Maurer [Wed, 9 Apr 2014 06:53:58 +0000 (08:53 +0200)]
complete security group API
Dietmar Maurer [Wed, 9 Apr 2014 06:05:51 +0000 (08:05 +0200)]
define standard option for security group names
Dietmar Maurer [Wed, 9 Apr 2014 05:34:06 +0000 (07:34 +0200)]
correctly verify ipset name
Dietmar Maurer [Wed, 9 Apr 2014 05:15:14 +0000 (07:15 +0200)]
IPSet: implement rename API
Dietmar Maurer [Wed, 9 Apr 2014 05:02:01 +0000 (07:02 +0200)]
add newline to error message
Dietmar Maurer [Tue, 8 Apr 2014 10:50:47 +0000 (12:50 +0200)]
ipset: implement create/delete API
Dietmar Maurer [Tue, 8 Apr 2014 09:18:03 +0000 (11:18 +0200)]
ipset API: add get/update methods
Dietmar Maurer [Tue, 8 Apr 2014 05:21:58 +0000 (07:21 +0200)]
fix ipset ref test in parse_address_list
Dietmar Maurer [Mon, 7 Apr 2014 11:27:42 +0000 (13:27 +0200)]
improve ipset updates
Remove duplicates, remove stale _swap chains, better cidr parser
Dietmar Maurer [Mon, 7 Apr 2014 10:44:22 +0000 (12:44 +0200)]
ipset: implement delete API, improve parameter verification
Dietmar Maurer [Mon, 7 Apr 2014 10:31:45 +0000 (12:31 +0200)]
start API for IPSet
Dietmar Maurer [Mon, 7 Apr 2014 09:02:14 +0000 (11:02 +0200)]
ipset: only save ip/network once
We do not allow duplicate entries.
Dietmar Maurer [Mon, 7 Apr 2014 08:41:35 +0000 (10:41 +0200)]
correctly save ipset data
Dietmar Maurer [Mon, 7 Apr 2014 06:32:29 +0000 (08:32 +0200)]
allow icmp port names
Dietmar Maurer [Mon, 7 Apr 2014 05:12:57 +0000 (07:12 +0200)]
verify macro parameters when updating a rule using API
Dietmar Maurer [Fri, 4 Apr 2014 11:22:12 +0000 (13:22 +0200)]
fix port parser
And correctly verify rules on updates on API.
Dietmar Maurer [Fri, 4 Apr 2014 07:33:26 +0000 (09:33 +0200)]
add macro descriptions (and API to read them)
Dietmar Maurer [Thu, 3 Apr 2014 11:28:50 +0000 (13:28 +0200)]
implement delete parameter for rule update API
Dietmar Maurer [Thu, 3 Apr 2014 09:48:48 +0000 (11:48 +0200)]
rule type and action are required parameters
Dietmar Maurer [Thu, 3 Apr 2014 07:33:20 +0000 (09:33 +0200)]
simplify check for iprange
We already parsed the address, so we can do a simpler check.
Dietmar Maurer [Thu, 3 Apr 2014 07:29:56 +0000 (09:29 +0200)]
parse_address_list: add check for ipset references.
Dietmar Maurer [Thu, 3 Apr 2014 07:25:28 +0000 (09:25 +0200)]
parse_address_list: only allow one ip range
The previous check did not work if the range is the first entry in the list,
for example:
IN ACCEPT net0 10.0.0.1-10.0.0.10,10.0.0.12
Dietmar Maurer [Thu, 3 Apr 2014 07:11:33 +0000 (09:11 +0200)]
ipset: check kernel version
And white space cleanups.
Alexandre Derumier [Tue, 1 Apr 2014 14:06:14 +0000 (16:06 +0200)]
rename netgroup to ipset
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 1 Apr 2014 14:06:13 +0000 (16:06 +0200)]
prefix ipset chains with PVEFW-
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 1 Apr 2014 14:06:12 +0000 (16:06 +0200)]
implemented ipset rules in iptables
I'm reusing shorewall syntax, +mynetgroup
also fixing iprange and iplist
vmid.fw
-------
IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
cluster.fw
----------
IN ACCEPT 10.0.0.1
IN ACCEPT 10.0.0.1-10.0.0.10
IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
IN ACCEPT +mynetgroup
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Wed, 2 Apr 2014 10:51:30 +0000 (12:51 +0200)]
really save options
Dietmar Maurer [Wed, 2 Apr 2014 08:24:05 +0000 (10:24 +0200)]
implement rules API for <vmid>.fw
Dietmar Maurer [Wed, 2 Apr 2014 08:11:33 +0000 (10:11 +0200)]
implement rules API for host.fw
Dietmar Maurer [Wed, 2 Apr 2014 05:56:11 +0000 (07:56 +0200)]
implement generic rule API class
So that we can reuse the code.
Dietmar Maurer [Tue, 1 Apr 2014 09:20:47 +0000 (11:20 +0200)]
implement option API for cluster.fw
Dietmar Maurer [Tue, 1 Apr 2014 08:25:25 +0000 (10:25 +0200)]
start cluster wide firewall API
Dietmar Maurer [Tue, 1 Apr 2014 06:28:46 +0000 (08:28 +0200)]
delete trailing white space from 'ipset save' output.
Also improve verbose output.
Dietmar Maurer [Tue, 1 Apr 2014 05:39:13 +0000 (07:39 +0200)]
avoid multiple calls to ipset_get_chains()
and some white space cleanups.
Alexandre Derumier [Mon, 31 Mar 2014 13:56:39 +0000 (15:56 +0200)]
ipset : use only netgroup
only use hash:net for both ips and network.
allow comments and nomatch
delete ipset chains after iptables restore
also optimize hashsize
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Mon, 31 Mar 2014 10:43:19 +0000 (12:43 +0200)]
remove unneccessary iptables code
Dietmar Maurer [Mon, 31 Mar 2014 10:39:29 +0000 (12:39 +0200)]
avoid calls to iptables_rule_exist()
Dietmar Maurer [Mon, 31 Mar 2014 09:52:57 +0000 (11:52 +0200)]
new method iptables_chain_digest() to compute digest
Note: My previous commit introcuded a bug, using ipset_chain_digest()
for the iptables ruleset - this is a fix for that.
Dietmar Maurer [Mon, 31 Mar 2014 09:39:41 +0000 (11:39 +0200)]
s/rulset/ruleset/
Dietmar Maurer [Mon, 31 Mar 2014 09:35:12 +0000 (11:35 +0200)]
avoid calls to iptables_rule_exist
We can return that info with iptables_get_chains().
Dietmar Maurer [Mon, 31 Mar 2014 08:41:52 +0000 (10:41 +0200)]
allow options and rules section in cluster.fw
Dietmar Maurer [Mon, 31 Mar 2014 07:59:03 +0000 (09:59 +0200)]
rename groups.fw to cluster.fw
Because we also want to have cluster wide rules/options.
Dietmar Maurer [Fri, 28 Mar 2014 11:09:02 +0000 (12:09 +0100)]
cleanup ipset code
Alexandre Derumier [Thu, 27 Mar 2014 10:22:06 +0000 (11:22 +0100)]
implement ipset ip/net groups
This implement ipset groups of ips or network in groups.fw.
groups.fw
---------
[ipgroup ipgroup1]
192.168.0.1
192.168.0.2
192.168.0.3
[ipgroup ipgroup2]
192.168.0.3
192.168.0.4
[netgroup netgroup1]
192.168.0.0/24
10.0.0.0/8
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Wed, 26 Mar 2014 12:26:54 +0000 (13:26 +0100)]
cleanup ips detection
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Tue, 25 Mar 2014 12:05:22 +0000 (13:05 +0100)]
ignor eadditional arguments when moveto is set
Dietmar Maurer [Tue, 25 Mar 2014 10:02:18 +0000 (11:02 +0100)]
improve parameter verification
Dietmar Maurer [Tue, 25 Mar 2014 08:20:52 +0000 (09:20 +0100)]
cleanup_fw_rule: only copy defined rule properties
Dietmar Maurer [Tue, 25 Mar 2014 07:55:26 +0000 (08:55 +0100)]
do not expand macros on load
Else we save expanded macros!
Dietmar Maurer [Tue, 25 Mar 2014 06:20:44 +0000 (07:20 +0100)]
improve API
Alexandre Derumier [Tue, 25 Mar 2014 04:15:28 +0000 (05:15 +0100)]
add ips optimizations
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 25 Mar 2014 04:15:27 +0000 (05:15 +0100)]
add optimize flag
this flag enble optimizations on rules processing
host.fw
-------
optimize:1
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Tue, 25 Mar 2014 04:15:26 +0000 (05:15 +0100)]
add ips feature v7
This add ips (like suricata) support through nfqueues.
The main idea is to replace -j ACCEPT with -J NFQUEUE , to pass packets to ips
it's using --queue-bypass (only available in 3.10 kernel), so it's suricata daemon is down,
packets are not dropped.
tap-out chain,
-------------
we goto PVEFW-SET-ACCEPT-MARK is always use when connection is already established
-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK
tap-in chain
---------------
I replace -j ACCEPT by -j NFQUEUE when ips is enabled
and
-m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE
group-in rules now use also mark
---------------------------------
-A tap110i0-IN -j GROUP-group1-IN
-A GROUP-group1-IN -j MARK --set-xmark 0x0/0xffffffff
-A GROUP-group1-IN -p icmp -g PVEFW-SET-ACCEPT-MARK
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT|NFQUEUE
vmid.fw
-------
ips: 1
ips_queues: 0:3
1 or more queues can be defined (if we want cpu loadbalancing, or dedicated queue for a specific vm).
If not defined, default queue 0 is used.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 21 Mar 2014 06:34:38 +0000 (07:34 +0100)]
code cleanup: use ruleset_generate_rule to generate dhcp rules