pve-firewall.git
proxy host rule API calls to correct node
Dietmar Maurer [Thu, 26 Jun 2014 05:12:06 +0000 (07:12 +0200)]

bump version to 1.0-6
Dietmar Maurer [Thu, 12 Jun 2014 06:37:43 +0000 (08:37 +0200)]

add example for ipfilter ipset
Dietmar Maurer [Thu, 12 Jun 2014 06:36:05 +0000 (08:36 +0200)]

add regression tests for ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:32:11 +0000 (08:32 +0200)]

fwtester: add more networks (net1, net2) to vm100 to test ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:30:33 +0000 (08:30 +0200)]

implement negative ipset match
Dietmar Maurer [Thu, 12 Jun 2014 06:29:32 +0000 (08:29 +0200)]

To simulate ipfilter.

use separate ipfilter ipset on each interface
Dietmar Maurer [Thu, 12 Jun 2014 04:39:31 +0000 (06:39 +0200)]

add support for ipfilter ipset
Dietmar Maurer [Wed, 11 Jun 2014 07:59:21 +0000 (09:59 +0200)]

generate /etc/pve/firewall directory automatically
Dietmar Maurer [Wed, 4 Jun 2014 07:13:43 +0000 (09:13 +0200)]

avoid errors about undefined values
Dietmar Maurer [Wed, 4 Jun 2014 07:03:53 +0000 (09:03 +0200)]

bump version to 1.0-5
Dietmar Maurer [Wed, 4 Jun 2014 06:50:57 +0000 (08:50 +0200)]

remove ipsets when firewall disabled
Dietmar Maurer [Wed, 4 Jun 2014 06:40:15 +0000 (08:40 +0200)]

And improve status output

return empty ruleset if firewall disabled in cluster.fw
Dietmar Maurer [Wed, 4 Jun 2014 05:24:34 +0000 (07:24 +0200)]

bump version to 1.0-4
Dietmar Maurer [Wed, 4 Jun 2014 04:49:30 +0000 (06:49 +0200)]

depend on iptables and ipset
Dietmar Maurer [Wed, 4 Jun 2014 04:44:57 +0000 (06:44 +0200)]

change dh_installinit order
Dietmar Maurer [Wed, 4 Jun 2014 04:36:55 +0000 (06:36 +0200)]

improve error message
Dietmar Maurer [Mon, 2 Jun 2014 11:17:53 +0000 (13:17 +0200)]

generate warnings when we read the configuration file
Dietmar Maurer [Mon, 2 Jun 2014 11:14:42 +0000 (13:14 +0200)]

pass ipset errors to GUI
Dietmar Maurer [Fri, 30 May 2014 11:06:55 +0000 (13:06 +0200)]

skip non-existent aliases inside ipset configuration
Dietmar Maurer [Fri, 30 May 2014 10:40:25 +0000 (12:40 +0200)]

remove dead code from previous commit
Dietmar Maurer [Fri, 30 May 2014 10:26:40 +0000 (12:26 +0200)]

code cleanup - introduce new method resolve_alias
Dietmar Maurer [Fri, 30 May 2014 10:24:40 +0000 (12:24 +0200)]

another regression test
Dietmar Maurer [Fri, 30 May 2014 09:28:24 +0000 (11:28 +0200)]

cleanup: try to use more consistent method naming
Dietmar Maurer [Fri, 30 May 2014 09:21:30 +0000 (11:21 +0200)]

API: add ability to restrict ref list to specified type
Dietmar Maurer [Fri, 30 May 2014 07:37:49 +0000 (09:37 +0200)]

API fix: allow aliases in IPSets
Dietmar Maurer [Fri, 30 May 2014 07:31:25 +0000 (09:31 +0200)]

parser: verify group and ipset names
Dietmar Maurer [Fri, 30 May 2014 06:24:03 +0000 (08:24 +0200)]

implement API to get list of possible refs (aliases + ipsets)
Dietmar Maurer [Wed, 28 May 2014 11:52:42 +0000 (13:52 +0200)]

introduce ipset_name_pattern to avoid confusion
Dietmar Maurer [Wed, 28 May 2014 10:59:17 +0000 (12:59 +0200)]

limit alias/ipset name length to 64 characters
Dietmar Maurer [Wed, 28 May 2014 10:51:06 +0000 (12:51 +0200)]

add test for long ipset names
Dietmar Maurer [Wed, 28 May 2014 08:45:27 +0000 (10:45 +0200)]

fix ipset match - s/src/dst/
Dietmar Maurer [Wed, 28 May 2014 08:41:50 +0000 (10:41 +0200)]

implement VM ipsets, allow long ipset names
Dietmar Maurer [Wed, 28 May 2014 08:31:03 +0000 (10:31 +0200)]

If names are too long, we simply use the FNV digest instead of the name.

always pass cluster_conf to load_vmfw_conf
Dietmar Maurer [Wed, 28 May 2014 04:47:05 +0000 (06:47 +0200)]

implement ipsets for VM/CT
Dietmar Maurer [Tue, 27 May 2014 09:38:54 +0000 (11:38 +0200)]

do not print trace when debug is not set
Dietmar Maurer [Tue, 27 May 2014 09:31:09 +0000 (11:31 +0200)]

white space cleanup
Dietmar Maurer [Tue, 27 May 2014 06:03:09 +0000 (08:03 +0200)]

implement aliases at VM level
Dietmar Maurer [Tue, 27 May 2014 05:58:32 +0000 (07:58 +0200)]

add test for aliases inside vm firewall configuration
Dietmar Maurer [Tue, 27 May 2014 05:57:16 +0000 (07:57 +0200)]

fwtester.pl: add warnings to trace
Dietmar Maurer [Tue, 27 May 2014 04:58:13 +0000 (06:58 +0200)]

optimize blacklist : create a PVEFW-blacklist chain
Alexandre Derumier [Mon, 26 May 2014 08:44:55 +0000 (10:44 +0200)]

currently we check the ipset blacklist twice (1 for log and 1 for drop)

It's better to check ipset once, and go to a PVEFW-blacklist chain
where we do the log, and then the drop

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

fix comment
Dietmar Maurer [Mon, 26 May 2014 10:58:58 +0000 (12:58 +0200)]

skip disabled rules and rules with errors early
Dietmar Maurer [Mon, 26 May 2014 10:55:46 +0000 (12:55 +0200)]

ruleset_generate_vm_rules: skip rules with errors
Dietmar Maurer [Mon, 26 May 2014 10:46:27 +0000 (12:46 +0200)]

improve rule verification
Dietmar Maurer [Mon, 26 May 2014 10:45:41 +0000 (12:45 +0200)]

Also verify ipset/aliases.

pass $rule_env (cluster/host/vm/ct) to rule parser.
Dietmar Maurer [Mon, 26 May 2014 06:09:02 +0000 (08:09 +0200)]

So that we can correctly verify 'iface' parameter.

Also add new API classes for CTs (because we need to pass $rule_env).

improve error handling
Dietmar Maurer [Fri, 23 May 2014 09:32:33 +0000 (11:32 +0200)]

We now show syntax errors from firewall files with:

 # pve-firewall status

But we do not log such errors to syslog, because that would result
in the same warning on each update (10 seconds).

allow to read rule with errors
Dietmar Maurer [Fri, 23 May 2014 08:43:22 +0000 (10:43 +0200)]

And return error messages inside $rule->{errors}. The GUI can display
those errors so that the user can correct them.

close inotify handle before restart
Dietmar Maurer [Thu, 22 May 2014 07:50:59 +0000 (09:50 +0200)]

improve rules API
Dietmar Maurer [Wed, 21 May 2014 11:03:57 +0000 (13:03 +0200)]

Do not use the JSON schema 'requires' property, because that forbids
using '' to delete properties.

It is now possible to update/delete individual rule properties like:

  pvesh set nodes/lola/openvz/104/firewall/rules/0 -proto udp
  pvesh set nodes/lola/openvz/104/firewall/rules/1 -delete dport

fix API: property sport/dport requires protocol
Dietmar Maurer [Wed, 21 May 2014 08:29:06 +0000 (10:29 +0200)]

fix test/test-errors3 - protect rule generation with eval
Dietmar Maurer [Wed, 21 May 2014 08:12:18 +0000 (10:12 +0200)]

add new test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 07:35:23 +0000 (09:35 +0200)]

allow igmp traffic
Dietmar Maurer [Wed, 21 May 2014 07:17:14 +0000 (09:17 +0200)]

add another test case
Dietmar Maurer [Wed, 21 May 2014 06:59:57 +0000 (08:59 +0200)]

fix for test case test/test-errors1
Dietmar Maurer [Wed, 21 May 2014 06:56:52 +0000 (08:56 +0200)]

add test case to show serious bug
Dietmar Maurer [Wed, 21 May 2014 06:39:33 +0000 (08:39 +0200)]

use GET instead of POST for commands that do not change state.
Dietmar Maurer [Wed, 21 May 2014 06:27:55 +0000 (08:27 +0200)]

add new localnet command
Dietmar Maurer [Wed, 21 May 2014 06:24:07 +0000 (08:24 +0200)]

Print information about local network (IP/NETWORK/NODENAME).

rename cluster_network to local_network, introduce local_network alias
Dietmar Maurer [Wed, 21 May 2014 05:43:50 +0000 (07:43 +0200)]

So that the user can overwrite it.

add tests for management ipset
Dietmar Maurer [Wed, 21 May 2014 04:48:23 +0000 (06:48 +0200)]

Introduce new management ipset
Dietmar Maurer [Wed, 21 May 2014 04:33:55 +0000 (06:33 +0200)]

The user can set up a 'management' IPSet to make sure he has access to the GUI
from those IPs.

do not use ctstate in corosync rule
Dietmar Maurer [Wed, 21 May 2014 04:00:11 +0000 (06:00 +0200)]

That is not necessary, because we only reach that rule if ctstate is NEW.

start alias support for VMs
Dietmar Maurer [Tue, 20 May 2014 09:56:06 +0000 (11:56 +0200)]

implement config parser/writer and API. iptables functionality is missing.

improve documentation
Dietmar Maurer [Tue, 20 May 2014 08:54:51 +0000 (10:54 +0200)]

do not log simulate warnings to syslog
Dietmar Maurer [Tue, 20 May 2014 08:50:25 +0000 (10:50 +0200)]

add simulate command for easy testing
Dietmar Maurer [Tue, 20 May 2014 08:36:58 +0000 (10:36 +0200)]

move test code to FirewallSimulator.pm
Dietmar Maurer [Tue, 20 May 2014 07:46:35 +0000 (09:46 +0200)]

add tests for corosync multicast addrtype rules
Dietmar Maurer [Tue, 20 May 2014 06:24:31 +0000 (08:24 +0200)]

do not enable VM firewall by default
Dietmar Maurer [Tue, 20 May 2014 05:52:46 +0000 (07:52 +0200)]

Else we get different behavior with empty vs. non-existing <VMID>.fw

add tests for default rules
Dietmar Maurer [Tue, 20 May 2014 05:38:25 +0000 (07:38 +0200)]

fwtester: set cluster network to 172.16.1.0/24, host_ip to 172.16.1.2
Dietmar Maurer [Tue, 20 May 2014 05:36:44 +0000 (07:36 +0200)]

So that we can add tests for default rules.

allow tests without cluster.fw and host.fw configuration
Dietmar Maurer [Tue, 20 May 2014 05:35:54 +0000 (07:35 +0200)]

also allow VNC and SPICE traffic inside cluster_network
Dietmar Maurer [Tue, 20 May 2014 05:34:35 +0000 (07:34 +0200)]

do not use -s for outgoing corosync rules
Dietmar Maurer [Tue, 20 May 2014 04:56:37 +0000 (06:56 +0200)]

implement setter for cluster_network
Dietmar Maurer [Tue, 20 May 2014 04:53:37 +0000 (06:53 +0200)]

So that we can set values for testing.

fix regression test for previous commits
Dietmar Maurer [Tue, 20 May 2014 04:33:33 +0000 (06:33 +0200)]

use $accept_action for standard rules
Dietmar Maurer [Tue, 20 May 2014 04:15:41 +0000 (06:15 +0200)]

add standard rules after user rules
Dietmar Maurer [Tue, 20 May 2014 04:12:55 +0000 (06:12 +0200)]

So that the users can overwrite behavior.

fix corosync rules (restrict to cluster network)
Dietmar Maurer [Tue, 20 May 2014 04:07:50 +0000 (06:07 +0200)]

remove wrong corosync rules using port 9000
Dietmar Maurer [Tue, 20 May 2014 03:55:58 +0000 (05:55 +0200)]

allow API/SSH/SPICE/VNC traffic on local cluster network by default
Dietmar Maurer [Mon, 19 May 2014 12:18:40 +0000 (14:18 +0200)]

remove unused options
Dietmar Maurer [Mon, 19 May 2014 09:33:11 +0000 (11:33 +0200)]

add init function
Dietmar Maurer [Mon, 19 May 2014 09:10:58 +0000 (11:10 +0200)]

do not restart pvefw-logger with debian triggers
Dietmar Maurer [Mon, 19 May 2014 08:58:21 +0000 (10:58 +0200)]

That is not necessary.

avoid logs by default
Dietmar Maurer [Mon, 19 May 2014 07:20:18 +0000 (09:20 +0200)]

Log files can grow really large, so we want to avoid them by default.

remove unused parameters
Dietmar Maurer [Mon, 19 May 2014 07:14:36 +0000 (09:14 +0200)]

bidirectional macros cleanups
Alexandre Derumier [Mon, 19 May 2014 05:40:08 +0000 (07:40 +0200)]

remove reverse direction rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

change rule format: use named parameters
Dietmar Maurer [Mon, 19 May 2014 05:53:00 +0000 (07:53 +0200)]

include manual page
Dietmar Maurer [Fri, 16 May 2014 08:32:01 +0000 (10:32 +0200)]

cleanup firewall service implementation
Dietmar Maurer [Fri, 16 May 2014 08:14:33 +0000 (10:14 +0200)]

We now run a separate server called 'pve-firewall' (renamed from 'pvefw'),
so the service and the management tool use the same name:

 # service pve-firewall start

is the same as

 # pve-firewall start

Also removed the read_pvefw_status/save_pvefw_status code.

bypass PVEFW-VENET-IN|OUT for unfirewalled venet0 ips
Alexandre Derumier [Thu, 15 May 2014 11:46:11 +0000 (13:46 +0200)]

we create an ipset PVEFW-venet0 for firewalled venet0 ips,
and only send these matching ips to PVEFW-VENET-IN|OUT

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

do not abort if security group does not exist
Dietmar Maurer [Fri, 16 May 2014 04:24:07 +0000 (06:24 +0200)]

Simply create an empty chain instead.

add ipset regression tests
Dietmar Maurer [Thu, 15 May 2014 10:53:48 +0000 (12:53 +0200)]

fwtester: implement ipset testing
Dietmar Maurer [Thu, 15 May 2014 10:45:08 +0000 (12:45 +0200)]

fix blacklist example
Dietmar Maurer [Thu, 15 May 2014 10:17:53 +0000 (12:17 +0200)]

add tests for unconfigured firewall (empty files)
Dietmar Maurer [Thu, 15 May 2014 09:49:37 +0000 (11:49 +0200)]

add group tests for container
Dietmar Maurer [Thu, 15 May 2014 09:15:29 +0000 (11:15 +0200)]

fix security groups for VMs
Dietmar Maurer [Thu, 15 May 2014 09:01:35 +0000 (11:01 +0200)]

And add regression tests for those fixes.

add security group tests
Dietmar Maurer [Thu, 15 May 2014 08:27:35 +0000 (10:27 +0200)]