Thomas Lamprecht [Fri, 19 Apr 2019 05:11:22 +0000 (05:11 +0000)]
bump version to 3.0-20
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 19 Apr 2019 04:51:38 +0000 (04:51 +0000)]
fix reading host.fw through IPCC interface
IPCC has no knowledge of FUSE-based links, but we used
'local/host.fw' here, where local is always a link to
'nodes/<LOCAL-NODENAME>/'. This works only when using the common file
system interface provided by FUSE, but not if we're talking directly
with our memdb file store through IPCC.
So use a nodename based path here, to avoid getting just empty
strings for host.fw.
fixes commit 0dbef53046fade02efec143d3b7a0f4f9021b618
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Wed, 17 Apr 2019 14:44:16 +0000 (16:44 +0200)]
fix #2178: endless loop on ipv6 extension headers
Increment the header and decrement the payload size by the extension's size. The
length calculation is different for some extensions; in our case only
IPPROTO_FRAGMENT requires a different size calculation than the rest. In
addition, 'proto' is now set in the loop when advancing from an
extension header. It moves on to the next extension or protocol now
instead of looping on the same 'proto' while advancing the payload.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
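The extension-header walk that the #2178 fix describes, as an added example in Python (not the pvefw-logger C code from the project): each iteration advances the offset by the header's own size and takes the next 'proto' from the header's Next Header field, the fragment header is treated as a fixed 8 bytes, and a declared length that overruns the data we actually hold ends the walk instead of looping. The AH case and the constructed sample packet are this example's own additions, not from the commit.

```python
import struct
from typing import Optional, Tuple

# IPv6 protocol numbers (values from <netinet/in.h>)
IPPROTO_HOPOPTS = 0
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_AH = 51
IPPROTO_DSTOPTS = 60

# Extension headers this walker knows how to step over.
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS}
IPV6_HEADER_LEN = 40


def ext_header_len(proto: int, hdr_ext_len: int) -> int:
    """Size in bytes of one extension header, given its second byte.

    The fragment header is the odd one out: it is always 8 bytes and its
    second byte is reserved, not a length. AH (an addition beyond the commit
    above) counts in 32-bit words plus two; the generic option headers count
    in 8-octet units not including the first.
    """
    if proto == IPPROTO_FRAGMENT:
        return 8
    if proto == IPPROTO_AH:
        return (hdr_ext_len + 2) * 4
    return (hdr_ext_len + 1) * 8


def walk_ipv6(packet: bytes) -> Optional[Tuple[int, int]]:
    """Walk the extension header chain of an IPv6 packet.

    Returns (upper-layer protocol, byte offset of its header), or None if the
    packet is truncated or malformed. Every loop iteration both advances the
    offset by the header's size AND takes 'proto' from that header's Next
    Header field, so the loop cannot spin on the same 'proto' forever.
    """
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return None
    payload_len, proto = struct.unpack_from("!HB", packet, 4)
    offset = IPV6_HEADER_LEN
    # Never trust the declared payload length beyond what we actually hold.
    remaining = min(payload_len, len(packet) - IPV6_HEADER_LEN)
    while proto in EXT_HEADERS:
        if remaining < 2:
            return None            # cannot even read Next Header + length
        hlen = ext_header_len(proto, packet[offset + 1])
        if hlen > remaining:
            return None            # header claims more bytes than we have
        next_proto = packet[offset]
        offset += hlen
        remaining -= hlen
        proto = next_proto         # advance the protocol, not only the offset
    return proto, offset


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 | Hop-by-Hop (8 B) | Fragment (8 B) | 4 B payload."""
    src = bytes.fromhex("fe80000000000000000000000000000a")
    dst = bytes.fromhex("fe80000000000000000000000000000b")
    hopopts = bytes([IPPROTO_FRAGMENT, 0, 1, 4, 0, 0, 0, 0])          # next=44, len=0, PadN
    frag = bytes([IPPROTO_TCP, 0]) + struct.pack("!HI", 0, 0x1234)   # next=6, fixed 8 bytes
    body = hopopts + frag + b"\xde\xad\xbe\xef"
    base = struct.pack("!IHBB", 0x60000000, len(body), IPPROTO_HOPOPTS, 64) + src + dst
    return base + body


if __name__ == "__main__":
    print(walk_ipv6(build_sample_packet()))   # upper-layer proto and its offset
```

For the sample packet the walk ends at protocol 6 (TCP) at offset 56; cutting the packet short anywhere inside the chain yields None rather than a spin on the last header.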
Thomas Lamprecht [Wed, 17 Apr 2019 12:02:06 +0000 (12:02 +0000)]
remove useless unused Data::Dumper uses
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Apr 2019 11:50:27 +0000 (13:50 +0200)]
firewall: split and order modules
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:36 +0000 (15:28 +0200)]
use IPCC to read FW files if they are backed by pmxcfs
This allows us to profit from the IPCC pmxcfs restart mechanisms,
which will block this call for the grace period (~10 seconds) and
transparently try to reconnect to the IPCC interface of pmxcfs, if a
restart is detected.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:35 +0000 (15:28 +0200)]
remove a level of indirection on FW config parsing
The removed methods were only used by those we merged their code
into.
Opening the FH in the generic parser saves a bit of repetition too.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:34 +0000 (15:28 +0200)]
make verbose a global state
This is part of the project 'stop the parameter rabbit hole madness'
and tries to make reading the firewall code a little bit easier.
Here we remove passing $verbose from 44 method signatures, while it
was used in 4 of those methods; a ratio of 1/11 is simply not
acceptable for such a thing as a verbosity flag.
Remove it, and just make it a global variable with a setter for now.
Verbose is not modified in any API call, only in a Service
environment callable by CLI, so we are safe to do so.
If we decide to add some sort of firewall instance (i.e., a blessed
$self "object") with some state we could also move it there, but
making it global now doesn't hurt.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:30 +0000 (11:18 +0200)]
bump version to 3.0-19
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:21 +0000 (11:18 +0200)]
buildsys: no need to not pre-clean for source package
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 1 Apr 2019 11:57:41 +0000 (13:57 +0200)]
buildsys: correctly cleanup source tarball
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 21 Mar 2019 06:57:43 +0000 (07:57 +0100)]
allow to enable/disable and modify cluster wide log ratelimits
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Sun, 31 Mar 2019 13:43:40 +0000 (15:43 +0200)]
buildsys: add dsc target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 31 Mar 2019 13:24:42 +0000 (15:24 +0200)]
cleanup makefiles, set target dirs per makefile
be more consistent with the buildsystems of our other packages.
compared old to new with diffoscope, no real changes (besides
different SOURCE file, as base check commits differ)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 30 Mar 2019 16:36:16 +0000 (17:36 +0100)]
fix Razor macro
'ACCEPT' was plain wrong here and broken, and disables ALL firewalling
for a Container, at least when used in a Security Group.
fixes 857f62c833a604eb8399467a94d325c1994367eb
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reported-by: Tom Weber <pve@junkyard.4t2.com>
Mira Limbeck [Tue, 19 Mar 2019 13:27:31 +0000 (14:27 +0100)]
add 'log_nf_conntrack' option description
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Thomas Lamprecht [Tue, 19 Mar 2019 13:37:56 +0000 (14:37 +0100)]
followup: minor code style fix
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 19 Mar 2019 13:36:40 +0000 (14:36 +0100)]
followup: use default burst limit of 5
It does not hurt and can be used to see high frequency occurrences
of certain rules which hit.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Mon, 18 Mar 2019 16:05:53 +0000 (17:05 +0100)]
fix: #2123 Logging of user defined firewall rules
This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option allowing to specify the
log level for each rule individually.
The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.
For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Alexandre Derumier [Sun, 10 Mar 2019 07:25:07 +0000 (08:25 +0100)]
ebtables: test layer2_protocols in an external chain
We need the not matching DROP outside the main tapchain,
in a specific proto chain, and an ACCEPT in the main tap chain.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Sun, 10 Mar 2019 07:25:06 +0000 (08:25 +0100)]
ebtables: add arp filtering
This implements ARP filtering if ipfilter is enabled.
https://bugzilla.proxmox.com/show_bug.cgi?id=2125
There are other filters possible (ipv4, rarp);
I don't know if we need them.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Mon, 4 Mar 2019 09:27:42 +0000 (10:27 +0100)]
bump version to 3.0-18
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 22 Feb 2019 12:31:32 +0000 (13:31 +0100)]
d/control: bump version dependency to pve-doc-generator
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Thu, 21 Feb 2019 13:24:59 +0000 (14:24 +0100)]
1891 Add zsh command completion for pve-firewall
Adds the zsh command completion scripts for pve-firewall.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Alexandre Derumier [Wed, 20 Feb 2019 00:16:58 +0000 (01:16 +0100)]
daemon: cleanup '+' character at begin of line
This stray '+' was introduced by commit
151c209e05a9e15d5d7a9402391ca936e562a173; while it had no
effect, let's remove it nonetheless.
Alwin Antreich [Wed, 13 Feb 2019 11:27:58 +0000 (12:27 +0100)]
Fix uninitialized value $mark in bitwise operation
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
Alexandre Derumier [Tue, 5 Feb 2019 10:22:45 +0000 (11:22 +0100)]
log reject : add space after policy REJECT like drop
For log consistency and parsing, we already have a space after "policy DROP: "
but not after REJECT.
e.g.:
DROP
135 6 tap135i1-IN 05/Feb/2019:10:59:55 +0100 policy DROP: IN=.....
REJECT
232 6 tap232i1-IN 05/Feb/2019:10:59:28 +0100 policy REJECT:IN=....
Thomas Lamprecht [Mon, 4 Feb 2019 13:22:41 +0000 (14:22 +0100)]
followup: avoid long hash access, use own variable
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Fri, 1 Feb 2019 09:46:11 +0000 (10:46 +0100)]
Fix #1606 Add nf_conntrack_allow_invalid option
This adds the nf_conntrack_allow_invalid host firewall option to allow disabling
the dropping of invalid packets from the connection tracker's point of view.
This is needed for some rare setups with asymmetrical multi-path routing.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Wolfgang Bumiller [Fri, 25 Jan 2019 09:56:16 +0000 (10:56 +0100)]
buildsys: build a dbgsym package
don't forcefully strip debug components out of the firewall
logger...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Wed, 9 Jan 2019 15:54:29 +0000 (16:54 +0100)]
bump version to 3.0-17
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
David Limbeck [Wed, 9 Jan 2019 14:32:10 +0000 (15:32 +0100)]
log and ignore ENOBUFS in nfct_catch
nfct_catch sets ENOBUFS if not enough buffer space is available. Log
and continue operation instead of stopping. In addition, log possible
other errors set by nfct_catch.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
Wolfgang Bumiller [Wed, 9 Jan 2019 13:26:00 +0000 (14:26 +0100)]
fixup va_arg usage
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:52 +0000 (13:08 +0100)]
add log_nf_conntrack host firewall option
Add the log_nf_conntrack host firewall option to enable or disable logging
of connections. Restarts pvefw-logger if the option changes in the
config. The pvefw-logger is always restarted in the beginning to make
sure the current config is applied.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:51 +0000 (13:08 +0100)]
add conntrack logging via libnetfilter_conntrack
Add conntrack logging to pvefw-logger including timestamps (requires
/proc/sys/net/netfilter/nf_conntrack_timestamp to be 1).
This allows the tracking of sessions (start, end timestamps with
nf_conntrack_timestamp on [DESTROY] messages). The commit includes the
Build-Depends inclusion of libnetfilter-conntrack-dev and the
libnetfilter_conntrack library in the Makefile.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
Dominik Csapak [Fri, 30 Nov 2018 15:31:41 +0000 (16:31 +0100)]
fix #2004: do not allow backwards ranges
Ranges like 10:5 are allowed by us, but iptables throws an error
that is only visible in the syslog, and the firewall rules do not
get updated.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 30 Nov 2018 08:53:49 +0000 (09:53 +0100)]
fix #2005: only allow ascii port digits
Perl accepts non-ASCII digits for \d, like U+09EA,
which do not work with iptables.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
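Both port checks from the two commits above (#2004 backwards ranges, #2005 non-ASCII digits), as an added Python example rather than the project's Perl: Python's `\d` in a str pattern has the same Unicode behaviour as Perl's, so the lenient pattern reproduces the pitfall, while the strict parser accepts only ASCII digits, rejects ports above 65535, and refuses a range whose start is greater than its end, so a bad spec is reported at parse time instead of failing later inside iptables with an error visible only in syslog. The sample specs are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Lenient pattern mirroring the original check: \d in Perl (and in Python
# str regexes) also matches non-ASCII decimal digits such as U+09EA,
# which iptables rejects.
LOOSE_PORT_RANGE = re.compile(r"(\d+)(?::(\d+))?")
# ASCII-only digits: the #2005 fix.
STRICT_PORT_RANGE = re.compile(r"([0-9]{1,5})(?::([0-9]{1,5}))?")
MAX_PORT = 65535   # 16-bit port field


def loose_accepts(spec: str) -> bool:
    """Old behaviour: does the \\d-based pattern accept this spec?"""
    return LOOSE_PORT_RANGE.fullmatch(spec) is not None


def parse_port_range(spec: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) for 'N' or 'N:M', or None when the spec is invalid.

    Invalid means: non-ASCII or non-digit characters (#2005), a port above
    65535, or a backwards range such as 10:5 (#2004).
    """
    m = STRICT_PORT_RANGE.fullmatch(spec)
    if m is None:
        return None
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) is not None else start
    if start > MAX_PORT or end > MAX_PORT:
        return None
    if start > end:
        return None            # backwards range: iptables would reject it
    return start, end


def invalid_port_specs(specs: List[str]) -> List[str]:
    """Validate a rule's port list; return the offending specs (empty if all ok)."""
    return [s for s in specs if parse_port_range(s) is None]


if __name__ == "__main__":
    sample = ["22", "5:10", "10:5", "\u09ea\u09ea", "70000"]   # constructed input
    print(invalid_port_specs(sample))
```

Note that Python's `int()` also accepts Unicode decimal digits, so a `\d`-based check followed by a numeric conversion would still not catch U+09EA; the ASCII character class has to be in the pattern itself.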
Thomas Lamprecht [Fri, 30 Nov 2018 15:03:11 +0000 (16:03 +0100)]
bump version to 3.0-16
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Thu, 29 Nov 2018 13:29:03 +0000 (14:29 +0100)]
macro: fix return verification failure
Macros are strings, not integers.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Fri, 23 Nov 2018 13:05:23 +0000 (14:05 +0100)]
bump version to 3.0-15
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:46 +0000 (15:14 +0100)]
d/control: add missing Build-Depends
Found while building in a clean chroot.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:45 +0000 (15:14 +0100)]
Fix #1971: display firewall rule properties
This is the list of the properties that should get returned in the
pretty print format, too, not just in yaml/json output.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
Thomas Lamprecht [Tue, 4 Sep 2018 07:50:37 +0000 (09:50 +0200)]
d/rules: fix pvefw-logger service unit-name
debhelpers on stretch do not care about the wrong unit name, and the
name used is always the one from --name.
But buster cares, so fix it to the right one.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Fri, 24 Aug 2018 08:51:19 +0000 (10:51 +0200)]
bump version to 3.0-14
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Thu, 23 Aug 2018 14:04:50 +0000 (16:04 +0200)]
Fix #1841: ebtables: sort interfaces per guest
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Thu, 28 Jun 2018 12:47:25 +0000 (14:47 +0200)]
bump version to 3.0-13
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Thu, 28 Jun 2018 12:41:56 +0000 (14:41 +0200)]
ebtables: sort guest chains during rulecreation
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Thomas Lamprecht [Thu, 14 Jun 2018 10:08:52 +0000 (12:08 +0200)]
api: host, vm: explicit import raise_param_exc
We inherited the import from PVE::RESTHandler but may want to get rid
of it there. So explicitly import it here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 13 Jun 2018 11:26:28 +0000 (13:26 +0200)]
whitespace fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 12 Jun 2018 10:02:32 +0000 (12:02 +0200)]
bump version to 3.0-12
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 12 Jun 2018 10:00:10 +0000 (12:00 +0200)]
fixup active_chains distinction when deleting chains
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Wed, 6 Jun 2018 14:18:48 +0000 (16:18 +0200)]
fixup changelog UNRELEASED
Thomas Lamprecht [Wed, 6 Jun 2018 14:15:01 +0000 (16:15 +0200)]
bump version to 3.0-11
Stoiko Ivanov [Wed, 6 Jun 2018 09:56:05 +0000 (11:56 +0200)]
rename ebtables_enable to ebtables
and register ebtables option with the API
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Tue, 29 May 2018 13:14:43 +0000 (15:14 +0200)]
bump version to 3.0-10
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 29 May 2018 13:08:25 +0000 (15:08 +0200)]
typo fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Stoiko Ivanov [Sat, 26 May 2018 20:50:30 +0000 (22:50 +0200)]
Don't change external ebtables rules
* Fixes #1764
* Introduces ebtables_enable option to cluster config
* All ebtables chains not created by PVE are left in place
* get_ruleset_status optionally takes an additional argument (a regex indicating which chains should be left intact)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wolfgang Bumiller [Thu, 17 May 2018 12:41:40 +0000 (14:41 +0200)]
bump version to 3.0-9
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 17 May 2018 11:09:23 +0000 (13:09 +0200)]
fix PVEFW-FORWARD chain not being used
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Wed, 11 Apr 2018 12:26:15 +0000 (14:26 +0200)]
bump version to 3.0-8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 29 Mar 2018 07:48:28 +0000 (09:48 +0200)]
ebtables_get_chains: deal with empty chains
Since we don't have signatures in ebtables we need to also
see empty chains to not think we have to create them.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:31 +0000 (10:53 +0200)]
add ebtables dependency
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:30 +0000 (10:53 +0200)]
avoid double spaces in ruleset_addrule
ebtables doesn't have comment rules we could store the
digest in, so we need to match the ebtables-save output
instead.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 28 Mar 2018 08:53:29 +0000 (10:53 +0200)]
apply ebtables_ruleset
Needs ebtables-save && ebtables-restore; the ebtables Debian package doesn't include them.
ebtables-restore needs to restore the full ruleset (atomically),
so we can't update only 1 chain.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 28 Mar 2018 08:53:28 +0000 (10:53 +0200)]
compile ebtables rules
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -p IPv4 -j ACCEPT #filter mac in iptables for ipv4, so we can speedup rules with conntrack established
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -i tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s ! 36:97:15:91:19:3c -j DROP
-A tap110i0-OUT -p ARP -j ACCEPT
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -j ACCEPT
-A PVEFW-FWBR-OUT -i veth130.1 -j veth130.1-OUT
-A veth130.1-OUT -s ! 36:95:a9:ae:f5:ec -j DROP
-A veth130.1-OUT -j ACCEPT
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:27 +0000 (10:53 +0200)]
/etc/services can also define 'sctp' services
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:26 +0000 (10:53 +0200)]
add get_etc_ethertypes
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:25 +0000 (10:53 +0200)]
parse_protocol_file: support lines without end comments
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:24 +0000 (10:53 +0200)]
split parser out of get_etc_protocols
Into a reusable parse_protocol_file.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Mon, 12 Mar 2018 13:58:19 +0000 (14:58 +0100)]
bump version to 3.0-7
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Grünbichler [Mon, 12 Mar 2018 11:38:51 +0000 (12:38 +0100)]
multiport: add explaining comment
about ordering single port matches before multiport matches,
and improve readability by adding some blank lines after returns.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Wolfgang Bumiller [Mon, 12 Mar 2018 10:55:18 +0000 (11:55 +0100)]
fix and improve multiport handling
The multiport `--ports` parameter is an `OR` match on source
and destination ports, so we should not use it.
We also don't actually use the port count, so let the port
range parser simply return a boolean and use the counter
only for the internal check. This also fixes a regression
caused by the previous multiport check which caused a single
port range to be recognized as a multiport option while it
did not have to be one, causing entries such as the SMB
macro to be added with `--match multiport` mistakenly, which
refused to accept the source port option.
Additionally, we now allow the case with 1 multiport and 1
single port entry: In order for the iptables command to
accept this the single port entry must come first, otherwise
it'll be passed to the multiport matcher (because why
shouldn't it interpret a singular `--Xport` as an alias to
the plural version `--Xports`... *sigh*).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: 6a241ca745f7 ("check multiport limit in port ranges")
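The ordering and classification rules the commit above describes, as an added Python example (not the project's Perl): a single entry, even a single port:port range, stays a plain --sport/--dport and is never turned into a multiport match; only a list of two or more entries gets `--match multiport --sports/--dports`, emitted after the single-port options; `--ports` is never generated. The 15-port multiport limit (a range counting as two) is iptables' documented limit and the sample port lists are constructed, not the project's SMB macro.

```python
from typing import List, Optional

MULTIPORT_LIMIT = 15   # iptables multiport: up to 15 ports, a port:port range counts as two


def _port_count(ports: List[str]) -> int:
    """Count entries the way the multiport match does (a range is two ports)."""
    return sum(2 if ":" in p else 1 for p in ports)


def port_match_args(sports: Optional[List[str]] = None,
                    dports: Optional[List[str]] = None) -> List[str]:
    """Build the iptables port-match arguments for one rule.

    A single entry (one port or one port:port range) uses --sport/--dport.
    Two or more entries need '--match multiport --sports/--dports'. Single
    options are emitted first so that iptables does not hand the singular
    --Xport to the multiport matcher. '--ports' is never used: it is an OR
    over source and destination, which is not what a rule with both means.
    """
    single: List[str] = []
    multi: List[str] = []
    for name, ports in (("sport", sports or []), ("dport", dports or [])):
        if not ports:
            continue
        if len(ports) == 1:
            single += [f"--{name}", ports[0]]
        else:
            if _port_count(ports) > MULTIPORT_LIMIT:
                raise ValueError(f"too many ports for multiport in {name}: {ports}")
            multi += [f"--{name}s", ",".join(ports)]
    if multi:
        multi = ["--match", "multiport"] + multi
    return single + multi


if __name__ == "__main__":
    # Constructed sample: a single source range plus a destination port list.
    print(" ".join(port_match_args(sports=["1024:65535"], dports=["137:139", "445"])))
```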
Dietmar Maurer [Thu, 8 Mar 2018 12:53:54 +0000 (13:53 +0100)]
bump version to 3.0-6
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:56 +0000 (13:33 +0100)]
build: use git rev-parse for GITVERSION
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:55 +0000 (13:33 +0100)]
debian: remove duplicate dh_systemd_enable code
dh_systemd_enable already includes this snippet via the #DEBHELPER#
stanza, no need to duplicate it manually.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:54 +0000 (13:33 +0100)]
debian: drop preinst
The only actual code was for upgrading from PVE 3 to PVE 4.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:53 +0000 (13:33 +0100)]
debian: switch to compat 9
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:52 +0000 (13:33 +0100)]
debian: drop init scripts
and switch to plain dh_systemd_*
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:51 +0000 (13:33 +0100)]
fix #1319: don't fail postinst with masked service
by using "try-reload-or-restart" instead of "reload-or-restart"
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Wolfgang Bumiller [Thu, 8 Mar 2018 11:06:21 +0000 (12:06 +0100)]
check multiport limit in port ranges
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 7 Dec 2017 07:31:53 +0000 (08:31 +0100)]
bump version to 3.0-5
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 7 Dec 2017 07:30:01 +0000 (08:30 +0100)]
honor disabled flag on group rules again
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 16 Nov 2017 10:42:37 +0000 (11:42 +0100)]
bump version to 3.0-4
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Dominik Csapak [Wed, 15 Nov 2017 10:41:34 +0000 (11:41 +0100)]
sort ipsets so that the digest is consistent
Otherwise, editing an ipset randomly works (or not) due to
a wrong digest.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Tom Weber [Wed, 18 Oct 2017 20:24:10 +0000 (22:24 +0200)]
remove ruleset_generate_match, ruleset_generate_action
ruleset_generate_match and ruleset_generate_action are not used anymore.
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:09 +0000 (22:24 +0200)]
remove unused ruleset_generate_rule_insert
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:08 +0000 (22:24 +0200)]
cleanup parameters to ruleset_generate_rule
remove $actions and $goto - not used anymore
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:07 +0000 (22:24 +0200)]
rule_substitude_action, remove ruleset_generate_rule_old
Implement rule_substitude_action.
Eliminate use of ruleset_generate_rule_old and remove it.
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:06 +0000 (22:24 +0200)]
remove unused ruleset_generate_cmdstr
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:05 +0000 (22:24 +0200)]
implement ipt_rule_to_cmds, ruleset_add_ipt_cmd
ipt_rule_to_cmds converts a %rule to an array of iptables commands
ruleset_add_ipt_cmd adds such an iptables command to a chain
ruleset_generate_rule uses these now
ruleset_generate_rule_old is an interim workaround
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:04 +0000 (22:24 +0200)]
iptables address matching in own subroutine
Put generation of iptables source/destination address matching
in its own subroutine and use this in ruleset_generate_match.
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:03 +0000 (22:24 +0200)]
eliminate unused nbdport in pve_std_chains_conf
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:02 +0000 (22:24 +0200)]
make $pve_std_chains a copy of $pve_std_chains_conf
Create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persistent changes to
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (to be implemented later).
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:01 +0000 (22:24 +0200)]
convert string based rule definitions to hashes
Also extending %rule with log, logmsg, match, target.
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:24:00 +0000 (22:24 +0200)]
integrate logging into ruleset_addrule
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:23:59 +0000 (22:23 +0200)]
prepare code for more generic firewall logging
Making ruleset generation aware of a match and action
part in iptables rules.
The code will generate the same iptables rules as before! (except for
a few additional spaces between match and action).
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Tom Weber [Wed, 18 Oct 2017 20:23:58 +0000 (22:23 +0200)]
remove unused $rule_format
Signed-off-by: Tom Weber <pve@junkyard.4t2.com>
Philip Abernethy [Mon, 16 Oct 2017 08:59:23 +0000 (10:59 +0200)]
Use run_cli_handler instead of deprecated run_cli
Fabian Grünbichler [Tue, 17 Oct 2017 12:24:01 +0000 (14:24 +0200)]
pvefw-logger: fix typo
Fabian Grünbichler [Wed, 4 Oct 2017 09:05:33 +0000 (11:05 +0200)]
build: reformat debian/control
using wrap-and-sort -abt