git.proxmox.com Git - pve-firewall.git/log
Dominik Csapak [Mon, 29 Feb 2016 11:36:19 +0000 (12:36 +0100)]
fix 901: encode unicode characters in sha digest
if we do not do this, Digest::SHA->add croaks when it detects
wide symbols
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
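The croak described in the commit above, as an added example (not pve-firewall code): Digest::SHA refuses character strings that contain code points above 0xFF, so anything that may carry user-supplied text (a rule comment, an alias name) has to be encoded to UTF-8 octets before it is hashed. The input string and the `digest_lines` helper are constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example (not pve-firewall code): Digest::SHA->add croaks once a
# string contains a character above 0xFF, so hash UTF-8 *bytes* instead.
use strict;
use warnings;
use Digest::SHA;
use Encode qw(encode_utf8);

# Constructed input: a rule comment as Perl holds it after decoding,
# i.e. a character string, not a byte string.
my $comment = "allow B\x{fc}ro subnet \x{263a}";   # "Büro" + U+263A

# 1. Feeding the character string directly: add() croaks with
#    "Wide character in subroutine entry" because U+263A has no single-byte form.
my $err;
{
    my $sha = Digest::SHA->new('sha1');
    eval { $sha->add($comment); 1 } or $err = $@;
}
print "direct add: ", ($err ? "croaked: $err" : "ok\n");

# 2. Encode to UTF-8 octets first. For pure-ASCII input this also makes the
#    digest independent of whether the caller passed characters or bytes.
sub digest_lines {
    my (@lines) = @_;
    my $sha = Digest::SHA->new('sha1');
    $sha->add(encode_utf8($_), "\n") for @lines;
    return $sha->hexdigest;
}

print "encoded add: ", digest_lines("IN ACCEPT -source 10.0.0.0/8 # $comment",
                                    "OUT ACCEPT"), "\n";
```

Note that a Latin-1 character such as `ü` alone does not trigger the croak, because Perl can downgrade it to a single byte; the failure only shows up once a rule contains something outside that range, which is why it surfaces as an intermittent bug rather than a consistent one.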
Dietmar Maurer [Sat, 27 Feb 2016 09:25:12 +0000 (10:25 +0100)]
bump version to 2.0-19
Wolfgang Bumiller [Thu, 25 Feb 2016 12:07:02 +0000 (13:07 +0100)]
Add radv option to VM options.
By default firewalled VMs should not be allowed to send
router advertisement packets.
Dietmar Maurer [Fri, 19 Feb 2016 09:01:40 +0000 (10:01 +0100)]
bump version to 2.0-18
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:33 +0000 (09:43 +0100)]
Add router-solicitation to NeighborDiscovery macro
to be more consistent with the host-wide NDP option.
This macro is now mostly useful to disable NDP on VMs.
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:32 +0000 (09:43 +0100)]
Add ndp option to host and VM firewall options
It is enabled by default.
Dietmar Maurer [Mon, 8 Feb 2016 13:09:58 +0000 (14:09 +0100)]
bump version to 2.0-17
Fabian Grünbichler [Mon, 8 Feb 2016 08:14:03 +0000 (09:14 +0100)]
Don't leave empty FW config files behind
Unlink FW config files instead of setting their content
to nothing.
Dietmar Maurer [Tue, 26 Jan 2016 15:54:41 +0000 (16:54 +0100)]
pvefw-logger.c: remove unused var
Dietmar Maurer [Tue, 26 Jan 2016 15:52:44 +0000 (16:52 +0100)]
bump version to 2.0-16
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:04 +0000 (12:03 +0100)]
logger: basic ipv6 support
Support for:
* IPv6 main header
* ICMPv6:
- echo request/reply
- NDP
- redirects
* destination unreachable message
* packet too big message
* time exceeded message
* parameter problem messages:
- erroneous header
- bad next-header
- bad ipv6 option
* extension headers:
- routing
- fragmentation
- skipping over: hopopts, destopts and mobile home
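The header walk the commit above lists, as an added example written in Perl rather than taken from pvefw-logger.c: to log a dropped IPv6 packet you have to follow the next-header chain through hop-by-hop, destination-options, routing, mobility and fragment headers until you reach ICMPv6, TCP or UDP, checking the remaining length before every read. The sample packet, the `parse_ipv6` and `fmt6` helpers and the output format are constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example (not the C code of pvefw-logger): walking the IPv6 extension
# header chain to reach the transport header, with bounds checks at every step.
use strict;
use warnings;

use constant {
    IPPROTO_HOPOPTS => 0,  IPPROTO_TCP      => 6,  IPPROTO_UDP    => 17,
    IPPROTO_ROUTING => 43, IPPROTO_FRAGMENT => 44, IPPROTO_ICMPV6 => 58,
    IPPROTO_DSTOPTS => 60, IPPROTO_MH       => 135,
};
my %skip_name = (0 => 'hopopts', 60 => 'destopts', 135 => 'mobility');

sub fmt6 { join ':', map { sprintf '%x', $_ } unpack 'n8', $_[0] }

# Returns a hashref (src, dst, ext, proto, and icmp_type/icmp_code or
# sport/dport) or undef if the packet is not IPv6 or is truncated.
sub parse_ipv6 {
    my ($pkt) = @_;
    return undef if length($pkt) < 40;
    my ($vtcfl, $plen, $nh, $hlim, $src, $dst) = unpack 'N n C C a16 a16', $pkt;
    return undef if ($vtcfl >> 28) != 6;
    my %r   = (src => fmt6($src), dst => fmt6($dst), ext => []);
    my $off = 40;

    while (1) {
        if ($nh == IPPROTO_FRAGMENT) {
            # fixed 8 octets: next, reserved, offset(13)/res(2)/M(1), id
            return undef if length($pkt) < $off + 8;
            my ($next, $offflags, $id) = unpack "x$off C x n N", $pkt;
            my ($frag_off, $more) = ($offflags >> 3, $offflags & 1);
            push @{ $r{ext} }, "frag(off=$frag_off,more=$more,id=$id)";
            if ($frag_off != 0) {      # non-first fragment: no transport header
                @r{qw(proto fragmented)} = ($next, 1);
                return \%r;
            }
            ($nh, $off) = ($next, $off + 8);
        } elsif (exists $skip_name{$nh} || $nh == IPPROTO_ROUTING) {
            # "next header, hdr ext len", len in 8-octet units excluding the first 8
            return undef if length($pkt) < $off + 2;
            my ($next, $len) = unpack "x$off C C", $pkt;
            my $hlen = ($len + 1) * 8;
            return undef if length($pkt) < $off + $hlen;
            if ($nh == IPPROTO_ROUTING) {
                my ($type, $segs) = unpack 'x' . ($off + 2) . ' C C', $pkt;
                push @{ $r{ext} }, "routing(type=$type,segs=$segs)";
            } else {
                push @{ $r{ext} }, $skip_name{$nh};
            }
            ($nh, $off) = ($next, $off + $hlen);
        } else {
            last;                      # upper-layer protocol reached
        }
    }

    $r{proto} = $nh;
    if ($nh == IPPROTO_ICMPV6) {
        return undef if length($pkt) < $off + 4;
        @r{qw(icmp_type icmp_code)} = unpack "x$off C C", $pkt;
    } elsif ($nh == IPPROTO_TCP || $nh == IPPROTO_UDP) {
        return undef if length($pkt) < $off + 4;
        @r{qw(sport dport)} = unpack "x$off n n", $pkt;
    }
    return \%r;
}

# Constructed sample: IPv6 | Hop-by-Hop (PadN) | Fragment (first) | ICMPv6 echo request
my $icmp = pack('C C n n n', 128, 0, 0, 0x1234, 1) . 'ping';     # type,code,csum,id,seq
my $frag = pack 'C C n N', IPPROTO_ICMPV6, 0, 0, 0xdeadbeef;       # offset 0, M=0
my $hbh  = pack('C C C C', IPPROTO_FRAGMENT, 0, 1, 4) . "\0" x 4;  # len 0 => 8 octets
my $payload = $hbh . $frag . $icmp;
my $pkt = pack('N n C C a16 a16', 6 << 28, length $payload, IPPROTO_HOPOPTS, 64,
               pack('n8', 0xfe80, 0, 0, 0, 0, 0, 0, 1),
               pack('n8', 0xff02, 0, 0, 0, 0, 0, 0, 1)) . $payload;

my $p = parse_ipv6($pkt) or die "not IPv6 or truncated\n";
printf "SRC=%s DST=%s PROTO=%d EXT=%s\n",
    $p->{src}, $p->{dst}, $p->{proto}, join(',', @{ $p->{ext} });
printf "ICMPv6 TYPE=%d CODE=%d\n", $p->{icmp_type}, $p->{icmp_code}
    if defined $p->{icmp_type};

# A packet cut inside the fragment header is rejected, not read past its end.
print 'truncated: ', (defined parse_ipv6(substr $pkt, 0, 50) ? 'parsed' : 'rejected'), "\n";
```

The two things worth carrying over to the C implementation are visible here: the fragment header has a fixed size and must not be treated like the other "next header, hdr ext len" headers, and a non-first fragment carries no transport header at all, so the logger can only report the protocol number and fragment offset for it.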
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:03 +0000 (12:03 +0100)]
factor out IPPROTO switch for reuse
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:02 +0000 (12:03 +0100)]
add DHCPv6 macro
Wolfgang Bumiller [Tue, 26 Jan 2016 11:03:01 +0000 (12:03 +0100)]
add dhcpv6 support to the dhcp option
Wolfgang Bumiller [Tue, 26 Jan 2016 09:22:51 +0000 (10:22 +0100)]
make LEPRINT* macros safe to use with if/else pairs
Dietmar Maurer [Thu, 7 Jan 2016 15:36:18 +0000 (16:36 +0100)]
set RELEASE=4.1
Dietmar Maurer [Thu, 7 Jan 2016 15:34:09 +0000 (16:34 +0100)]
bump version to 2.0-15
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:35 +0000 (14:11 +0100)]
use $security_group_name_pattern in iptables_get_chains
Fixes #859
Wolfgang Bumiller [Thu, 7 Jan 2016 13:11:34 +0000 (14:11 +0100)]
fix some regular expressions mixups
Replacing some (:?...) with (?:...) which makes more sense
here.
Dietmar Maurer [Fri, 27 Nov 2015 09:53:21 +0000 (10:53 +0100)]
bump version to 2.0-14
Dietmar Maurer [Fri, 27 Nov 2015 09:50:42 +0000 (10:50 +0100)]
pve-firewall.service: WantedBy=multi-user.target
Instead of network-online.target, which is a very special systemd target
which is not always pulled.
Dietmar Maurer [Tue, 24 Nov 2015 06:45:55 +0000 (07:45 +0100)]
fix typo: s/stemd-modules-load.service/systemd-modules-load.service/
Dietmar Maurer [Fri, 23 Oct 2015 11:22:17 +0000 (13:22 +0200)]
bump version to 2.0-13
Wolfgang Bumiller [Fri, 23 Oct 2015 09:35:29 +0000 (11:35 +0200)]
allow numeric icmp types
Wolfgang Bumiller [Thu, 22 Oct 2015 13:43:38 +0000 (15:43 +0200)]
make clean fix
Dietmar Maurer [Thu, 24 Sep 2015 10:15:41 +0000 (12:15 +0200)]
bump version to 2.0-12
Dietmar Maurer [Thu, 24 Sep 2015 10:13:10 +0000 (12:13 +0200)]
use service class to generate pod and bash-completion files
Dietmar Maurer [Thu, 24 Sep 2015 08:40:24 +0000 (10:40 +0200)]
convert pve-firewall into a PVE::Service class
Dietmar Maurer [Wed, 16 Sep 2015 09:25:24 +0000 (11:25 +0200)]
add better inline documentation
Dietmar Maurer [Tue, 8 Sep 2015 05:54:52 +0000 (07:54 +0200)]
bump version to 2.0-11
Dietmar Maurer [Tue, 8 Sep 2015 05:49:10 +0000 (07:49 +0200)]
iptables_get_chains: fix veth device name
Dietmar Maurer [Tue, 25 Aug 2015 04:48:10 +0000 (06:48 +0200)]
bump version to 2.0-10
Alen Grizonic [Mon, 24 Aug 2015 09:32:37 +0000 (11:32 +0200)]
subroutine for cloning vm's firewall config file
Dietmar Maurer [Wed, 19 Aug 2015 13:43:15 +0000 (15:43 +0200)]
bump version to 2.0-9
Alen Grizonic [Wed, 19 Aug 2015 08:34:12 +0000 (10:34 +0200)]
firewall remove config file subroutine added
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Wed, 12 Aug 2015 10:02:53 +0000 (12:02 +0200)]
bump version to 2.0-8
Dietmar Maurer [Wed, 12 Aug 2015 09:59:18 +0000 (11:59 +0200)]
adopt regression tests for lxc containers
Removed OpenVZ venet code.
Alen Grizonic [Tue, 11 Aug 2015 12:50:53 +0000 (14:50 +0200)]
removed firewall code for openVZ
[PATCH 2/2] changed to [PATCH] with the following fix:
Subroutine verify_rule (re)fixed to correctly check only for "net\d+" interface device names
Dietmar Maurer [Mon, 10 Aug 2015 07:21:35 +0000 (09:21 +0200)]
bump version to 2.0-7
Alen Grizonic [Fri, 7 Aug 2015 14:18:34 +0000 (16:18 +0200)]
added firewall code for lxc
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Tue, 4 Aug 2015 09:15:11 +0000 (11:15 +0200)]
bump version to 2.0-6
Alen Grizonic [Tue, 4 Aug 2015 08:55:24 +0000 (10:55 +0200)]
firewall ipversion comparison fix
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:05 +0000 (08:46 +0200)]
local_network: ipv6 support + correctness
Net::IP->overlaps returns more than just true or false, as
it tests both directions; we need IP_B_IN_A_OVERLAP in our
test.
Removed return on mask eq '0.0.0.0' as this doesn't exist in
the $ipv4_mask_hash_localnet.
Wolfgang Bumiller [Tue, 28 Jul 2015 06:46:04 +0000 (08:46 +0200)]
fix ipv6 address normalization
inet_ntop only takes an address, not a CIDR notation. Since
the normalized address should just be a compressed
lower-case address, Net::IP::ip_compress_address should be
sufficient.
inet_ntop didn't succeed before, the result of which was
that ipsets weren't generated at all for ipv6 address ranges.
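Both Net::IP pitfalls from the two commits above, as one added example (not pve-firewall code): part (a) shows why a boolean test on `overlaps()` matches too much and what the correct containment check looks like; part (b) shows that `inet_pton` rejects an address with a prefix attached, and normalizes the address with `ip_compress_address` instead. The `net_contains` and `normalize_ipv6` helpers, the test cases and the explicit `lc` are this example's own choices; the commit text only says the normalized form should be compressed and lower-case.

```perl
#!/usr/bin/perl
# Added example (not pve-firewall code): the two Net::IP pitfalls from the
# local_network and IPv6 normalization commits above.
use strict;
use warnings;
use Net::IP qw(:PROC);
use Socket qw(inet_pton AF_INET6);

# (a) overlaps() returns a code, not a boolean:
#      0 $IP_NO_OVERLAP      1 $IP_PARTIAL_OVERLAP   -1 $IP_A_IN_B_OVERLAP
#     -2 $IP_B_IN_A_OVERLAP -3 $IP_IDENTICAL
#     All but 0 are true, so `if ($net->overlaps($ip))` also fires when $ip
#     merely *contains* $net or only partially overlaps it.
sub net_contains {
    my ($net_str, $ip_str) = @_;
    my $net = Net::IP->new($net_str) or die Net::IP::Error();
    my $ip  = Net::IP->new($ip_str)  or die Net::IP::Error();
    my $res = $net->overlaps($ip);       # A = $net, B = $ip
    return ($res == $Net::IP::IP_B_IN_A_OVERLAP
         || $res == $Net::IP::IP_IDENTICAL) ? 1 : 0;
}

# Constructed cases; the last column is the containment answer we expect.
for my $case (
    ['10.0.0.0/8',  '10.1.2.3/32',             1],   # inside
    ['10.0.0.0/8',  '10.0.0.0/8',              1],   # identical
    ['10.1.0.0/16', '10.0.0.0/8',              0],   # A inside B, not B inside A
    ['10.1.0.0/16', '10.1.255.0 - 10.2.0.255', 0],   # partial overlap (range syntax)
    ['fd00::/8',    'fd12:3456::1/128',        1],
    ['fd00::/8',    '2001:db8::1/128',         0],
) {
    my ($net, $ip, $want) = @$case;
    my $code = Net::IP->new($net)->overlaps(Net::IP->new($ip));
    my $got  = net_contains($net, $ip);
    printf "%-12s %-26s code=%2d naive=%d correct=%d%s\n", $net, $ip, $code,
        ($code ? 1 : 0), $got, ($got == $want ? '' : ' MISMATCH');
}

# (b) inet_pton()/inet_ntop() take a bare address. Handed "addr/prefix" they
#     fail, which is why the ipsets for IPv6 ranges were never generated.
#     Normalizing means: strip the prefix, lower-case, compress, re-attach.
sub normalize_ipv6 {
    my ($cidr) = @_;
    my ($addr, $prefix) = split m{/}, $cidr, 2;
    my $compressed = ip_compress_address(lc $addr, 6);
    return defined $prefix ? "$compressed/$prefix" : $compressed;
}

for my $in ('2001:DB8:0000:0000:0000:0000:0000:0001/64', 'FE80::0001', '2001:db8::/32') {
    my $pton = defined inet_pton(AF_INET6, $in) ? 'ok' : 'undef';
    printf "%-42s inet_pton(as given)=%-5s normalized=%s\n", $in, $pton, normalize_ipv6($in);
}
```

The practical consequence of (a) for a firewall is direction: a local-network check that accepts `$IP_A_IN_B_OVERLAP` treats a /8 supplied by the user as "inside" a /16 on the host, which silently widens what the rule matches. On Debian, Net::IP is packaged as libnet-ip-perl.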
Dietmar Maurer [Mon, 27 Jul 2015 11:21:24 +0000 (13:21 +0200)]
bump version to 2.0-5
Wolfgang Bumiller [Mon, 6 Jul 2015 08:10:45 +0000 (10:10 +0200)]
ipv6 neighbor discovery and solicitation macros
Wolfgang Bumiller [Mon, 6 Jul 2015 08:07:49 +0000 (10:07 +0200)]
Add ipv6 macros to the macro list
Additionally there's now a way to specify ipv6-only or
ipv4-only macros.
Wolfgang Bumiller [Fri, 3 Jul 2015 08:17:21 +0000 (10:17 +0200)]
ip6tables accepts both spellings of the word neighbor
Alen Grizonic [Tue, 14 Jul 2015 12:04:57 +0000 (14:04 +0200)]
firewall - Ceph macro added
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Sat, 27 Jun 2015 14:34:40 +0000 (16:34 +0200)]
fix path for DOCDIR
Dietmar Maurer [Sat, 27 Jun 2015 14:26:48 +0000 (16:26 +0200)]
bump version to 2.0-4
Dietmar Maurer [Sat, 27 Jun 2015 14:25:44 +0000 (16:25 +0200)]
correctly install manual pages
Dietmar Maurer [Sat, 27 Jun 2015 14:24:58 +0000 (16:24 +0200)]
fix lintian warning command-with-path-in-maintainer-script
Alen Grizonic [Thu, 25 Jun 2015 09:36:42 +0000 (11:36 +0200)]
firewall instant API call apply
Alen Grizonic [Wed, 24 Jun 2015 11:46:09 +0000 (13:46 +0200)]
firewall_module_duplicate
removed duplicated line of Data::Dumper use
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Alen Grizonic [Thu, 25 Jun 2015 08:06:27 +0000 (10:06 +0200)]
firewall autodisable
firewall enable parameter type changed from boolean to integer so it can store
the timestamp of the firewall enable call to avoid an admin remote lockout
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
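The lockout guard behind the commit above, as an added example (not pve-firewall code): once `enable` is an integer instead of a boolean, the value can be `0`, `1`, or the epoch time of the enable call, and a value above 1 can be treated as a temporary enable that expires unless an admin who can still reach the host confirms it. The grace period of 60 seconds, the `firewall_active`, `enable_with_timeout` and `confirm_enable` helpers and the two timelines are assumptions made for this illustration; the page does not state the real window or where the revert happens.

```perl
#!/usr/bin/perl
# Added example (not pve-firewall code): modelling an `enable` option that is
# an integer rather than a boolean, so it can carry the time of the enable
# call and expire unless the admin confirms it.
use strict;
use warnings;

# Assumption for this example only: a value > 1 is the Unix time of the
# enable call, and the firewall counts as active for GRACE seconds after it
# unless the admin confirms by storing a plain 1.
use constant GRACE => 60;

sub firewall_active {
    my ($enable, $now) = @_;
    return 0 if !$enable;                        # undef or 0: disabled
    return 1 if $enable == 1;                    # confirmed, stays on
    return ($now - $enable) <= GRACE ? 1 : 0;    # timed enable
}

# Enable call: store the timestamp instead of 1 (type => 'integer' in the schema)
sub enable_with_timeout { my ($opts, $now) = @_; $opts->{enable} = $now; }

# Confirmation from an admin who still has access: make it permanent
sub confirm_enable {
    my ($opts) = @_;
    $opts->{enable} = 1 if $opts->{enable} && $opts->{enable} > 1;
}

my $t0 = 1_456_747_200;   # constructed "now" for the enable call

# Scenario A: rules lock the admin out, nobody confirms -> expires on its own
my %a;
enable_with_timeout(\%a, $t0);
printf "A: t+%3ds active=%d\n", $_, firewall_active($a{enable}, $t0 + $_)
    for (0, 30, 61, 600);

# Scenario B: admin confirms within the window -> stays enabled
my %b;
enable_with_timeout(\%b, $t0);
confirm_enable(\%b) if firewall_active($b{enable}, $t0 + 20);
printf "B: t+%3ds active=%d\n", $_, firewall_active($b{enable}, $t0 + $_)
    for (0, 600);
```

The schema side of this change is what makes the trick work: a boolean option would normalize any timestamp back to 1 on write, so the field must be declared as a non-negative integer and every reader must distinguish `1` from "greater than 1" rather than testing for truth.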
Dietmar Maurer [Mon, 1 Jun 2015 10:33:27 +0000 (12:33 +0200)]
bump version to 2.0-3
Dietmar Maurer [Mon, 1 Jun 2015 10:32:17 +0000 (12:32 +0200)]
use noawait triggers for pve-api-updates
Dietmar Maurer [Tue, 5 May 2015 13:10:42 +0000 (15:10 +0200)]
bump version to 2.0-2
Dietmar Maurer [Tue, 5 May 2015 13:09:48 +0000 (15:09 +0200)]
trigger pve-api-updates event
Dietmar Maurer [Wed, 18 Mar 2015 05:08:53 +0000 (06:08 +0100)]
allow admins to delete security groups
Dietmar Maurer [Mon, 16 Mar 2015 05:30:43 +0000 (06:30 +0100)]
always use local_network alias if specified by user
Dietmar Maurer [Sun, 15 Mar 2015 09:11:00 +0000 (10:11 +0100)]
correctly emit ipv6 rules for host firewall
Dietmar Maurer [Wed, 4 Mar 2015 05:51:08 +0000 (06:51 +0100)]
add PIDFile option for systemd services
Dietmar Maurer [Tue, 3 Mar 2015 12:37:40 +0000 (13:37 +0100)]
install systemd service files
Dietmar Maurer [Mon, 2 Mar 2015 05:27:19 +0000 (06:27 +0100)]
implement permission for Alias class.
Dietmar Maurer [Mon, 2 Mar 2015 09:14:29 +0000 (10:14 +0100)]
do not use triggers
This makes problems on jessie, complaining about a cyclic dependency loop.
Dietmar Maurer [Fri, 27 Feb 2015 12:07:39 +0000 (13:07 +0100)]
fix path to ipset binary
Dietmar Maurer [Fri, 27 Feb 2015 12:05:07 +0000 (13:05 +0100)]
remove cman dependency
depending on pve-cluster should be enough.
Dietmar Maurer [Fri, 27 Feb 2015 11:27:52 +0000 (12:27 +0100)]
recompile for debian jessie, bump version to 2.0-1
Dietmar Maurer [Mon, 9 Feb 2015 08:32:53 +0000 (09:32 +0100)]
bump version to 1.0-18
Dietmar Maurer [Mon, 9 Feb 2015 08:31:18 +0000 (09:31 +0100)]
fix alias lookup
Dietmar Maurer [Thu, 15 Jan 2015 05:55:38 +0000 (06:55 +0100)]
bump version to 1.0-17
Dietmar Maurer [Thu, 15 Jan 2015 05:53:45 +0000 (06:53 +0100)]
add preinst script
Older versions of the pve-firewall daemon do not restart
with HUP, so we need to do a stop/start.
Dietmar Maurer [Thu, 15 Jan 2015 05:44:58 +0000 (06:44 +0100)]
fix call to register_restart_command (set $use_hup to true)
Dietmar Maurer [Wed, 31 Dec 2014 16:40:51 +0000 (17:40 +0100)]
remove class parameter from register_XXX_command
Dietmar Maurer [Wed, 31 Dec 2014 16:18:53 +0000 (17:18 +0100)]
simplify code (error log is done inside Daemon.pm)
Dietmar Maurer [Wed, 31 Dec 2014 11:34:17 +0000 (12:34 +0100)]
improve logging
Dietmar Maurer [Thu, 18 Dec 2014 12:48:24 +0000 (13:48 +0100)]
fix arguments for register_restart_command
Dietmar Maurer [Thu, 18 Dec 2014 08:45:18 +0000 (09:45 +0100)]
bump version to 1.0-16
Dietmar Maurer [Tue, 16 Dec 2014 11:15:43 +0000 (12:15 +0100)]
use Daemon class from pve-common
Dietmar Maurer [Fri, 12 Dec 2014 05:33:58 +0000 (06:33 +0100)]
bump version to 1.0-15
Alexandre Derumier [Thu, 11 Dec 2014 13:25:42 +0000 (14:25 +0100)]
firewall update : load cluster conf for host rules
Currently we can't use ipsets defined in cluster in host rules
host.fw
----------
[OPTIONS]
log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug
[RULES]
IN ACCEPT -source +whitelist
in sub update {
my $hostfw_conf = load_hostfw_conf();
}
$VAR1 = {
'options' => {
'enable' => 1,
'log_level_in' => 'debug',
'tcp_flags_log_level' => 'debug',
'log_level_out' => 'debug',
'tcpflags' => 1,
'smurf_log_level' => 'debug'
},
'ipset' => {},
'rules' => [
{
'source' => '+whitelist',
'enable' => 1,
'errors' => {
'source' => 'no such ipset \'whitelist\''
},
'action' => 'ACCEPT',
'type' => 'in'
}
]
};
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Dietmar Maurer [Fri, 5 Dec 2014 12:42:07 +0000 (13:42 +0100)]
bump version to 1.0-14
Dietmar Maurer [Sat, 29 Nov 2014 07:40:46 +0000 (08:40 +0100)]
do not use ipset list chains
Instead, we directly use -v4 and -v6 names inside iptables rules.
So we can safely remove the preinst script.
Dietmar Maurer [Fri, 28 Nov 2014 11:46:25 +0000 (12:46 +0100)]
bump version to 1.0-13
Dietmar Maurer [Fri, 28 Nov 2014 11:43:31 +0000 (12:43 +0100)]
fix ipset remove order
Dietmar Maurer [Fri, 28 Nov 2014 10:39:47 +0000 (11:39 +0100)]
add debian/dirs file to install /var/lib/pve-firewall
Dietmar Maurer [Fri, 28 Nov 2014 08:00:13 +0000 (09:00 +0100)]
bump version to 1.0-12
Dietmar Maurer [Fri, 28 Nov 2014 07:56:21 +0000 (08:56 +0100)]
add preinst script
We need to clear ipset from older installation, because sets cannot be
swapped if their type does not match.
Dietmar Maurer [Fri, 28 Nov 2014 07:04:26 +0000 (08:04 +0100)]
bump version to 1.0-11
Dietmar Maurer [Fri, 28 Nov 2014 07:01:52 +0000 (08:01 +0100)]
verify_rule: correctly set ipversion for aliases
Dietmar Maurer [Fri, 28 Nov 2014 06:09:37 +0000 (07:09 +0100)]
save restore commands into files (debug help)
To make it easier to debug restore errors.
Dietmar Maurer [Wed, 26 Nov 2014 06:04:21 +0000 (07:04 +0100)]
bump version to 1.0-10
Dietmar Maurer [Wed, 26 Nov 2014 06:03:14 +0000 (07:03 +0100)]
pve-firewall compile: improve output format
Dietmar Maurer [Mon, 17 Nov 2014 11:41:03 +0000 (12:41 +0100)]
API2::Firewall::IPSet: fix alias check for ipv6 addresses
Dietmar Maurer [Mon, 10 Nov 2014 11:50:29 +0000 (12:50 +0100)]
get_ipset_cmdlist: avoid restore problems due to wrong order
Dietmar Maurer [Mon, 10 Nov 2014 11:49:00 +0000 (12:49 +0100)]
improve error messages
Dietmar Maurer [Mon, 10 Nov 2014 11:47:31 +0000 (12:47 +0100)]
do not emit smurfs chain for ipv6
Dietmar Maurer [Mon, 10 Nov 2014 11:45:02 +0000 (12:45 +0100)]
ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead