git.proxmox.com Git - pve-firewall.git/log
Dietmar Maurer [Tue, 14 Oct 2014 14:30:01 +0000 (16:30 +0200)]
bump version to 1.0-9
Dietmar Maurer [Tue, 14 Oct 2014 14:28:44 +0000 (16:28 +0200)]
fix max ipset name length
Dietmar Maurer [Mon, 8 Sep 2014 11:06:39 +0000 (13:06 +0200)]
make dependency to cman/clvm optional
Dietmar Maurer [Mon, 8 Sep 2014 10:25:13 +0000 (12:25 +0200)]
do not start daemons during installation
Dietmar Maurer [Mon, 8 Sep 2014 10:17:02 +0000 (12:17 +0200)]
bump version to 1.0-8
Dietmar Maurer [Mon, 21 Jul 2014 08:48:00 +0000 (10:48 +0200)]
Firewall/IPSet: implement permission
Factor out common code into PVE/Firewall.
Dietmar Maurer [Mon, 21 Jul 2014 08:24:09 +0000 (10:24 +0200)]
Firewall/Rules: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:54:42 +0000 (09:54 +0200)]
Firewall/Groups: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:52:01 +0000 (09:52 +0200)]
Firewall/VM: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:40:34 +0000 (09:40 +0200)]
Firewall/Host: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:33:18 +0000 (09:33 +0200)]
Firewall/Cluster: add permissions
Dietmar Maurer [Thu, 26 Jun 2014 07:07:27 +0000 (09:07 +0200)]
generate MAC and IP filter rules if firewall is enabled on NIC
Only omit rules if firewall is disabled. Also remove ipfilter for
venet, because that is not required (kernel does that job for us).
Dietmar Maurer [Thu, 26 Jun 2014 05:13:16 +0000 (07:13 +0200)]
bump version to 1.0-7
Dietmar Maurer [Thu, 26 Jun 2014 05:12:06 +0000 (07:12 +0200)]
proxy host rule API calls to correct node
Dietmar Maurer [Thu, 12 Jun 2014 06:37:43 +0000 (08:37 +0200)]
bump version to 1.0-6
Dietmar Maurer [Thu, 12 Jun 2014 06:36:05 +0000 (08:36 +0200)]
add example for ipfilter ipset
Dietmar Maurer [Thu, 12 Jun 2014 06:32:11 +0000 (08:32 +0200)]
add regression tests for ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:30:33 +0000 (08:30 +0200)]
fwtester: add more networks (net1, net2) to vm100 to test ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:29:32 +0000 (08:29 +0200)]
implement negative ipset match
To simulate ipfilter.
Dietmar Maurer [Thu, 12 Jun 2014 04:39:31 +0000 (06:39 +0200)]
use separate ipfilter ipset on each interface
Dietmar Maurer [Wed, 11 Jun 2014 07:59:21 +0000 (09:59 +0200)]
add support for ipfilter ipset
Dietmar Maurer [Wed, 4 Jun 2014 07:13:43 +0000 (09:13 +0200)]
generate /etc/pve/firewall directory automatically
Dietmar Maurer [Wed, 4 Jun 2014 07:03:53 +0000 (09:03 +0200)]
avoid errors about undefined values
Dietmar Maurer [Wed, 4 Jun 2014 06:50:57 +0000 (08:50 +0200)]
bump version to 1.0-5
Dietmar Maurer [Wed, 4 Jun 2014 06:40:15 +0000 (08:40 +0200)]
remove ipsets when firewall disabled
And improve status output
Dietmar Maurer [Wed, 4 Jun 2014 05:24:34 +0000 (07:24 +0200)]
return empty ruleset if firewall disabled in cluster.fw
Dietmar Maurer [Wed, 4 Jun 2014 04:49:30 +0000 (06:49 +0200)]
bump version to 1.0-4
Dietmar Maurer [Wed, 4 Jun 2014 04:44:57 +0000 (06:44 +0200)]
depend on iptables and ipset
Dietmar Maurer [Wed, 4 Jun 2014 04:36:55 +0000 (06:36 +0200)]
change dh_installinit order
Dietmar Maurer [Mon, 2 Jun 2014 11:17:53 +0000 (13:17 +0200)]
improve error message
Dietmar Maurer [Mon, 2 Jun 2014 11:14:42 +0000 (13:14 +0200)]
generate warnings when we read the configuration file
Dietmar Maurer [Fri, 30 May 2014 11:06:55 +0000 (13:06 +0200)]
pass ipset errors to GUI
Dietmar Maurer [Fri, 30 May 2014 10:40:25 +0000 (12:40 +0200)]
skip non-existent aliases inside ipset configuration
Dietmar Maurer [Fri, 30 May 2014 10:26:40 +0000 (12:26 +0200)]
remove dead code from previous commit
Dietmar Maurer [Fri, 30 May 2014 10:24:40 +0000 (12:24 +0200)]
code cleanup - introduce new method resolve_alias
Dietmar Maurer [Fri, 30 May 2014 09:28:24 +0000 (11:28 +0200)]
another regression test
Dietmar Maurer [Fri, 30 May 2014 09:21:30 +0000 (11:21 +0200)]
cleanup: try to use more consistent method naming
Dietmar Maurer [Fri, 30 May 2014 07:37:49 +0000 (09:37 +0200)]
API: add ability to restrict ref list to specified type
Dietmar Maurer [Fri, 30 May 2014 07:31:25 +0000 (09:31 +0200)]
API fix: allow aliases in IPSets
Dietmar Maurer [Fri, 30 May 2014 06:24:03 +0000 (08:24 +0200)]
parser: verify group and ipset names
Dietmar Maurer [Wed, 28 May 2014 11:52:42 +0000 (13:52 +0200)]
implement API to get list of possible refs (aliases + ipsets)
Dietmar Maurer [Wed, 28 May 2014 10:59:17 +0000 (12:59 +0200)]
introduce ipset_name_pattern to avoid confusion
Dietmar Maurer [Wed, 28 May 2014 10:51:06 +0000 (12:51 +0200)]
limit alias/ipset name length to 64 characters
Dietmar Maurer [Wed, 28 May 2014 08:45:27 +0000 (10:45 +0200)]
add test for long ipset names
Dietmar Maurer [Wed, 28 May 2014 08:41:50 +0000 (10:41 +0200)]
fix ipset match - s/src/dst/
Dietmar Maurer [Wed, 28 May 2014 08:31:03 +0000 (10:31 +0200)]
implement VM ipsets, allow long ipset names
If names are too long, we simply use the FNV digest instead of the name.
Dietmar Maurer [Wed, 28 May 2014 04:47:05 +0000 (06:47 +0200)]
always pass cluster_conf to load_vmfw_conf
Dietmar Maurer [Tue, 27 May 2014 09:38:54 +0000 (11:38 +0200)]
implement ipsets for VM/CT
Dietmar Maurer [Tue, 27 May 2014 09:31:09 +0000 (11:31 +0200)]
do not print trace when debug is not set
Dietmar Maurer [Tue, 27 May 2014 06:03:09 +0000 (08:03 +0200)]
white space cleanup
Dietmar Maurer [Tue, 27 May 2014 05:58:32 +0000 (07:58 +0200)]
implement aliases at VM level
Dietmar Maurer [Tue, 27 May 2014 05:57:16 +0000 (07:57 +0200)]
add test for aliases inside vm firewall configuration
Dietmar Maurer [Tue, 27 May 2014 04:58:13 +0000 (06:58 +0200)]
fwtester.pl: add warnings to trace
Alexandre Derumier [Mon, 26 May 2014 08:44:55 +0000 (10:44 +0200)]
optimize blacklist: create a PVEFW-blacklist chain
Currently we check the ipset blacklist twice (1 for log and 1 for drop).
It's better to check the ipset once, and go to a PVEFW-blacklist chain
where we do the log, and then the drop.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Mon, 26 May 2014 10:58:58 +0000 (12:58 +0200)]
fix comment
Dietmar Maurer [Mon, 26 May 2014 10:55:46 +0000 (12:55 +0200)]
skip disabled rules and rules with errors early
Dietmar Maurer [Mon, 26 May 2014 10:46:27 +0000 (12:46 +0200)]
ruleset_generate_vm_rules: skip rules with errors
Dietmar Maurer [Mon, 26 May 2014 10:45:41 +0000 (12:45 +0200)]
improve rule verification
Also verify ipset/aliases.
Dietmar Maurer [Mon, 26 May 2014 06:09:02 +0000 (08:09 +0200)]
pass $rule_env (cluster/host/vm/ct) to rule parser.
So that we can correctly verify the 'iface' parameter.
Also add new API classes for CTs (because we need to pass $rule_env).
Dietmar Maurer [Fri, 23 May 2014 09:32:33 +0000 (11:32 +0200)]
improve error handling
We now show syntax errors from firewall files with:
# pve-firewall status
But we do not log such errors to syslog, because that would result
in the same warning on each update (10 seconds).
Dietmar Maurer [Fri, 23 May 2014 08:43:22 +0000 (10:43 +0200)]
allow reading rules with errors
And return error messages inside $rule->{errors}. The GUI can display
those errors so that the user can correct them.
Dietmar Maurer [Thu, 22 May 2014 07:50:59 +0000 (09:50 +0200)]
close inotify handle before restart
Dietmar Maurer [Wed, 21 May 2014 11:03:57 +0000 (13:03 +0200)]
improve rules API
Do not use the JSON schema 'requires' property, because that forbids
using '' to delete properties.
It is now possible to update/delete individual rule properties like:
pvesh set nodes/lola/openvz/104/firewall/rules/0 -proto udp
pvesh set nodes/lola/openvz/104/firewall/rules/1 -delete dport
Dietmar Maurer [Wed, 21 May 2014 08:29:06 +0000 (10:29 +0200)]
fix API: property sport/dport requires protocol
Dietmar Maurer [Wed, 21 May 2014 08:12:18 +0000 (10:12 +0200)]
fix test/test-errors3 - protect rule generation with eval
Dietmar Maurer [Wed, 21 May 2014 07:35:23 +0000 (09:35 +0200)]
add new test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 07:17:14 +0000 (09:17 +0200)]
allow igmp traffic
Dietmar Maurer [Wed, 21 May 2014 06:59:57 +0000 (08:59 +0200)]
add another test case
Dietmar Maurer [Wed, 21 May 2014 06:56:52 +0000 (08:56 +0200)]
fix for test case test/test-errors1
Dietmar Maurer [Wed, 21 May 2014 06:39:33 +0000 (08:39 +0200)]
add test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 06:27:55 +0000 (08:27 +0200)]
use GET instead of POST for commands that do not change state.
Dietmar Maurer [Wed, 21 May 2014 06:24:07 +0000 (08:24 +0200)]
add new localnet command
Print information about local network (IP/NETWORK/NODENAME).
Dietmar Maurer [Wed, 21 May 2014 05:43:50 +0000 (07:43 +0200)]
rename cluster_network to local_network, introduce local_network alias
So that the user can overwrite it.
Dietmar Maurer [Wed, 21 May 2014 04:48:23 +0000 (06:48 +0200)]
add tests for management ipset
Dietmar Maurer [Wed, 21 May 2014 04:33:55 +0000 (06:33 +0200)]
Introduce new management ipset
The user can set up a 'management' IPSet to make sure he has access to the GUI
from those IPs.
Dietmar Maurer [Wed, 21 May 2014 04:00:11 +0000 (06:00 +0200)]
do not use ctstate in corosync rule
That is not necessary, because we only reach that rule if ctstate is NEW.
Dietmar Maurer [Tue, 20 May 2014 09:56:06 +0000 (11:56 +0200)]
start alias support for VMs
Implement config parser/writer and API. iptables functionality is missing.
Dietmar Maurer [Tue, 20 May 2014 08:54:51 +0000 (10:54 +0200)]
improve documentation
Dietmar Maurer [Tue, 20 May 2014 08:50:25 +0000 (10:50 +0200)]
do not log simulate warnings to syslog
Dietmar Maurer [Tue, 20 May 2014 08:36:58 +0000 (10:36 +0200)]
add simulate command for easy testing
Dietmar Maurer [Tue, 20 May 2014 07:46:35 +0000 (09:46 +0200)]
move test code to FirewallSimulator.pm
Dietmar Maurer [Tue, 20 May 2014 06:24:31 +0000 (08:24 +0200)]
add tests for corosync multicast addrtype rules
Dietmar Maurer [Tue, 20 May 2014 05:52:46 +0000 (07:52 +0200)]
do not enable VM firewall by default
Else we get different behavior with empty vs. non-existing <VMID>.fw
Dietmar Maurer [Tue, 20 May 2014 05:38:25 +0000 (07:38 +0200)]
add tests for default rules
Dietmar Maurer [Tue, 20 May 2014 05:36:44 +0000 (07:36 +0200)]
fwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2
So that we can add test for default rules
Dietmar Maurer [Tue, 20 May 2014 05:35:54 +0000 (07:35 +0200)]
allow tests without cluster.fw and host.fw configuration
Dietmar Maurer [Tue, 20 May 2014 05:34:35 +0000 (07:34 +0200)]
also allow VNC and SPICE traffic inside cluster_network
Dietmar Maurer [Tue, 20 May 2014 04:56:37 +0000 (06:56 +0200)]
do not use -s for outgoing corosync rules
Dietmar Maurer [Tue, 20 May 2014 04:53:37 +0000 (06:53 +0200)]
implement setter for cluster_network
So that we can set values for testing.
Dietmar Maurer [Tue, 20 May 2014 04:33:33 +0000 (06:33 +0200)]
fix regression test for previous commits
Dietmar Maurer [Tue, 20 May 2014 04:15:41 +0000 (06:15 +0200)]
use $accept_action for standard rules
Dietmar Maurer [Tue, 20 May 2014 04:12:55 +0000 (06:12 +0200)]
add standard rules after user rules
So that the users can overwrite behavior.
Dietmar Maurer [Tue, 20 May 2014 04:07:50 +0000 (06:07 +0200)]
fix corosync rules (restrict to cluster network)
Dietmar Maurer [Tue, 20 May 2014 03:55:58 +0000 (05:55 +0200)]
remove wrong corosync rules using port 9000
Dietmar Maurer [Mon, 19 May 2014 12:18:40 +0000 (14:18 +0200)]
allow API/SSH/SPICE/VNC traffic on local cluster network by default
Dietmar Maurer [Mon, 19 May 2014 09:33:11 +0000 (11:33 +0200)]
remove unused options
Dietmar Maurer [Mon, 19 May 2014 09:10:58 +0000 (11:10 +0200)]
add init function
Dietmar Maurer [Mon, 19 May 2014 08:58:21 +0000 (10:58 +0200)]
do not restart pvefw-logger with debian triggers
That is not necessary.
Dietmar Maurer [Mon, 19 May 2014 07:20:18 +0000 (09:20 +0200)]
avoid logs by default
Log files can grow really large, so we want to avoid them by default.
Dietmar Maurer [Mon, 19 May 2014 07:14:36 +0000 (09:14 +0200)]
remove unused parameters