pve-firewall.git
[3 years ago] bump version to 1.0-24 stable-3
Dietmar Maurer [Wed, 9 Mar 2016 11:13:32 +0000 (12:13 +0100)]
bump version to 1.0-24

[3 years ago] ipv6: fix ipv6 address normalization
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:16 +0000 (12:20 +0100)]
ipv6: fix ipv6 address normalization

inet_ntop only takes an address, not a CIDR notation. Since
the normalized address should just be a compressed
lower-case address, Net::IP::ip_compress_address should be
sufficient.

inet_ntop didn't succeed before, the result of which was
that ipsets weren't generated at all for ipv6 address ranges.

[3 years ago] cleanup after old change
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:18 +0000 (12:20 +0100)]
cleanup after old change

get_ipset_cmdlist() had a delete parameter in one commit,
removed in the one after that (dd7a13fddc) and this call
was not updated accordingly with the second patch.

[3 years ago] ndp: use PVEFW-SET-ACCEPT-MARK and move rules further down
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:17 +0000 (12:20 +0100)]
ndp: use PVEFW-SET-ACCEPT-MARK and move rules further down

On host level: moved NDP to after connection tracking and
switched to RETURN instead of ACCEPT.

On VM level:
The output direction now uses the accept-mark like the dhcp
option does, too.
Also moved NDP rules below the macfilter & ipset rules.

[3 years ago] Add radv option to VM options.
Wolfgang Bumiller [Thu, 25 Feb 2016 12:07:02 +0000 (13:07 +0100)]
Add radv option to VM options.

By default firewalled VMs should not be allowed to send
router advertisement packets.

[3 years ago] only allow icmp names in the destination port field
Wolfgang Bumiller [Tue, 1 Mar 2016 11:20:15 +0000 (12:20 +0100)]
only allow icmp names in the destination port field

We generate ICMP rules from the destination port field,
so allowing them in the source port field only confuses
people.

[3 years ago] fix 901: encode unicode characters in sha digest
Dominik Csapak [Mon, 29 Feb 2016 11:36:19 +0000 (12:36 +0100)]
fix 901: encode unicode characters in sha digest

if we do not do this, Digest::SHA->add croaks when it detects
wide symbols

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[3 years ago] bump version to 1.0-23
Dietmar Maurer [Fri, 19 Feb 2016 09:24:35 +0000 (10:24 +0100)]
bump version to 1.0-23

[3 years ago] Add router-solicitation to NeighborDiscovery macro
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:33 +0000 (09:43 +0100)]
Add router-solicitation to NeighborDiscovery macro

to be more consistent with the host-wide NDP option.
This macro is now mostly useful to disable NDP on VMs.

[3 years ago] Add ndp option to host and VM firewall options
Wolfgang Bumiller [Fri, 19 Feb 2016 08:43:32 +0000 (09:43 +0100)]
Add ndp option to host and VM firewall options

It is enabled by default.

[3 years ago] firewall ipversion comparison fix
Alen Grizonic [Tue, 16 Feb 2016 12:09:01 +0000 (13:09 +0100)]
firewall ipversion comparison fix

Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
[3 years ago] update changelog
Dietmar Maurer [Tue, 16 Feb 2016 11:25:06 +0000 (12:25 +0100)]
update changelog

[3 years ago] Add ipv6 macros to the macro list
Wolfgang Bumiller [Tue, 16 Feb 2016 11:18:55 +0000 (12:18 +0100)]
Add ipv6 macros to the macro list

Additionally there's now a way to specify ipv6-only or
ipv4-only macros.

[3 years ago] bump version to 1.0-22
Dietmar Maurer [Tue, 16 Feb 2016 10:30:18 +0000 (11:30 +0100)]
bump version to 1.0-22

[3 years ago] allow numeric icmp types
Wolfgang Bumiller [Tue, 16 Feb 2016 10:20:37 +0000 (11:20 +0100)]
allow numeric icmp types

[3 years ago] ip6tables accepts both spellings of the word neighbor
Wolfgang Bumiller [Tue, 16 Feb 2016 10:20:36 +0000 (11:20 +0100)]
ip6tables accepts both spellings of the word neighbor

[3 years ago] add DHCPv6 macro
Wolfgang Bumiller [Tue, 16 Feb 2016 10:20:35 +0000 (11:20 +0100)]
add DHCPv6 macro

[3 years ago] ipv6 neighbor discovery and solicitation macros
Wolfgang Bumiller [Tue, 16 Feb 2016 10:20:34 +0000 (11:20 +0100)]
ipv6 neighbor discovery and solicitation macros

[4 years ago] bump version to 1.0-21
Dietmar Maurer [Wed, 18 Mar 2015 05:11:45 +0000 (06:11 +0100)]
bump version to 1.0-21

[4 years ago] allow admins to delete security groups
Dietmar Maurer [Wed, 18 Mar 2015 05:08:53 +0000 (06:08 +0100)]
allow admins to delete security groups

[4 years ago] always use local_network alias if specified by user
Dietmar Maurer [Mon, 16 Mar 2015 05:30:43 +0000 (06:30 +0100)]
always use local_network alias if specified by user

[4 years ago] bump version to 1.0-20
Dietmar Maurer [Sun, 15 Mar 2015 09:21:31 +0000 (10:21 +0100)]
bump version to 1.0-20

[4 years ago] correctly emit ipv6 rules for host firewall
Dietmar Maurer [Sun, 15 Mar 2015 09:11:00 +0000 (10:11 +0100)]
correctly emit ipv6 rules for host firewall

[4 years ago] bump version to 1.0-19
Dietmar Maurer [Mon, 2 Mar 2015 05:29:30 +0000 (06:29 +0100)]
bump version to 1.0-19

[4 years ago] implement permission for Alias class.
Dietmar Maurer [Mon, 2 Mar 2015 05:27:19 +0000 (06:27 +0100)]
implement permission for Alias class.

[4 years ago] bump version to 1.0-18
Dietmar Maurer [Mon, 9 Feb 2015 08:32:53 +0000 (09:32 +0100)]
bump version to 1.0-18

[4 years ago] fix alias lookup
Dietmar Maurer [Mon, 9 Feb 2015 08:31:18 +0000 (09:31 +0100)]
fix alias lookup

[4 years ago] bump version to 1.0-17
Dietmar Maurer [Thu, 15 Jan 2015 05:55:38 +0000 (06:55 +0100)]
bump version to 1.0-17

[4 years ago] add preinst script
Dietmar Maurer [Thu, 15 Jan 2015 05:53:45 +0000 (06:53 +0100)]
add preinst script

Older versions of the pve-firewall daemon do not restart
with HUP, so we need to do a stop/start.

[4 years ago] fix call to register_restart_command (set $use_hup to true)
Dietmar Maurer [Thu, 15 Jan 2015 05:44:58 +0000 (06:44 +0100)]
fix call to register_restart_command (set $use_hup to true)

[4 years ago] remove class parameter from register_XXX_command
Dietmar Maurer [Wed, 31 Dec 2014 16:40:51 +0000 (17:40 +0100)]
remove class parameter from register_XXX_command

[4 years ago] simplify code (error log is done inside Daemon.pm)
Dietmar Maurer [Wed, 31 Dec 2014 16:18:53 +0000 (17:18 +0100)]
simplify code (error log is done inside Daemon.pm)

[4 years ago] improve logging
Dietmar Maurer [Wed, 31 Dec 2014 11:34:17 +0000 (12:34 +0100)]
improve logging

[4 years ago] fix arguments for register_restart_command
Dietmar Maurer [Thu, 18 Dec 2014 12:48:24 +0000 (13:48 +0100)]
fix arguments for register_restart_command

[4 years ago] bump version to 1.0-16
Dietmar Maurer [Thu, 18 Dec 2014 08:45:18 +0000 (09:45 +0100)]
bump version to 1.0-16

[4 years ago] use Daemon class from pve-common
Dietmar Maurer [Tue, 16 Dec 2014 11:15:43 +0000 (12:15 +0100)]
use Daemon class from pve-common

[4 years ago] bump version to 1.0-15
Dietmar Maurer [Fri, 12 Dec 2014 05:33:58 +0000 (06:33 +0100)]
bump version to 1.0-15

[4 years ago] firewall update: load cluster conf for host rules
Alexandre Derumier [Thu, 11 Dec 2014 13:25:42 +0000 (14:25 +0100)]
firewall update: load cluster conf for host rules

Currently we can't use ipsets defined in cluster in host rules

host.fw
----------
[OPTIONS]

log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug

[RULES]

IN ACCEPT -source +whitelist

in sub update {
my $hostfw_conf = load_hostfw_conf();
}

$VAR1 = {
          'options' => {
                         'enable' => 1,
                         'log_level_in' => 'debug',
                         'tcp_flags_log_level' => 'debug',
                         'log_level_out' => 'debug',
                         'tcpflags' => 1,
                         'smurf_log_level' => 'debug'
                       },
          'ipset' => {},
          'rules' => [
                       {
                         'source' => '+whitelist',
                         'enable' => 1,
                         'errors' => {
                                       'source' => 'no such ipset \'whitelist\''
                                     },
                         'action' => 'ACCEPT',
                         'type' => 'in'
                       }
                     ]
        };

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] bump version to 1.0-14
Dietmar Maurer [Fri, 5 Dec 2014 12:42:07 +0000 (13:42 +0100)]
bump version to 1.0-14

[4 years ago] do not use ipset list chains
Dietmar Maurer [Sat, 29 Nov 2014 07:40:46 +0000 (08:40 +0100)]
do not use ipset list chains

Instead, we directly use -v4 and -v6 names inside iptables rules.

So we can safely remove the preinst script.

[4 years ago] bump version to 1.0-13
Dietmar Maurer [Fri, 28 Nov 2014 11:46:25 +0000 (12:46 +0100)]
bump version to 1.0-13

[4 years ago] fix ipset remove order
Dietmar Maurer [Fri, 28 Nov 2014 11:43:31 +0000 (12:43 +0100)]
fix ipset remove order

[4 years ago] add debian/dirs file to install /var/lib/pve-firewall
Dietmar Maurer [Fri, 28 Nov 2014 10:39:47 +0000 (11:39 +0100)]
add debian/dirs file to install /var/lib/pve-firewall

[4 years ago] bump version to 1.0-12
Dietmar Maurer [Fri, 28 Nov 2014 08:00:13 +0000 (09:00 +0100)]
bump version to 1.0-12

[4 years ago] add preinst script
Dietmar Maurer [Fri, 28 Nov 2014 07:56:21 +0000 (08:56 +0100)]
add preinst script

We need to clear ipset from older installation, because sets cannot be
swapped if their type does not match.

[4 years ago] bump version to 1.0-11
Dietmar Maurer [Fri, 28 Nov 2014 07:04:26 +0000 (08:04 +0100)]
bump version to 1.0-11

[4 years ago] verify_rule: correctly set ipversion for aliases
Dietmar Maurer [Fri, 28 Nov 2014 07:01:52 +0000 (08:01 +0100)]
verify_rule: correctly set ipversion for aliases

[4 years ago] save restore commands into files (debug help)
Dietmar Maurer [Fri, 28 Nov 2014 06:09:37 +0000 (07:09 +0100)]
save restore commands into files (debug help)

To make it easier to debug restore errors.

[4 years ago] bump version to 1.0-10
Dietmar Maurer [Wed, 26 Nov 2014 06:04:21 +0000 (07:04 +0100)]
bump version to 1.0-10

[4 years ago] pve-firewall compile: improve output format
Dietmar Maurer [Wed, 26 Nov 2014 06:03:14 +0000 (07:03 +0100)]
pve-firewall compile: improve output format

[4 years ago] API2::Firewall::IPSet: fix alias check for ipv6 addresses
Dietmar Maurer [Mon, 17 Nov 2014 11:41:03 +0000 (12:41 +0100)]
API2::Firewall::IPSet: fix alias check for ipv6 addresses

[4 years ago] get_ipset_cmdlist: avoid restore problems due to wrong order
Dietmar Maurer [Mon, 10 Nov 2014 11:50:29 +0000 (12:50 +0100)]
get_ipset_cmdlist: avoid restore problems due to wrong order

[4 years ago] improve error messages
Dietmar Maurer [Mon, 10 Nov 2014 11:49:00 +0000 (12:49 +0100)]
improve error messages

[4 years ago] do not emit smurfs chain for ipv6
Dietmar Maurer [Mon, 10 Nov 2014 11:47:31 +0000 (12:47 +0100)]
do not emit smurfs chain for ipv6

[4 years ago] ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead
Dietmar Maurer [Mon, 10 Nov 2014 11:45:02 +0000 (12:45 +0100)]
ipv6 addrtype does not work with kernel 2.6.32, use -d ff00::/8 instead

[4 years ago] add ipv6 examples
Alexandre Derumier [Tue, 15 Jul 2014 23:14:32 +0000 (01:14 +0200)]
add ipv6 examples

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] ip6tables: remove_pvefw_chains
Alexandre Derumier [Tue, 15 Jul 2014 23:14:31 +0000 (01:14 +0200)]
ip6tables: remove_pvefw_chains

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] apply ipv6 ruleset
Alexandre Derumier [Tue, 15 Jul 2014 23:14:30 +0000 (01:14 +0200)]
apply ipv6 ruleset

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] compile ipv6 ruleset
Alexandre Derumier [Tue, 15 Jul 2014 23:14:29 +0000 (01:14 +0200)]
compile ipv6 ruleset

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] add ip6tables standard chains
Alexandre Derumier [Tue, 15 Jul 2014 23:14:28 +0000 (01:14 +0200)]
add ip6tables standard chains

- icmp types in reject are different than ipv4
- broadcast does not exist in ipv6
- I don't think that smurf attacks exist (no broadcast)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] add icmpv6 support
Dietmar Maurer [Tue, 4 Nov 2014 09:53:01 +0000 (10:53 +0100)]
add icmpv6 support

skip icmpv6 rule for iptables rules
skip icmp rule for ip6tables rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
[4 years ago] add ipv6 ipset support
Dietmar Maurer [Tue, 4 Nov 2014 07:43:38 +0000 (08:43 +0100)]
add ipv6 ipset support

big change here,
we now create an ipset which includes 2 other ipsets for ipv4 and ipv6

PVEFW-0-blacklist list:set
    PVEFW-0-blacklist-v4 hash:net family inet4
    PVEFW-0-blacklist-v6 hash:net family inet6

v4 and v6 are only created if ip addresses are defined in the set
in iptables rules, we use the main set.

Benchmarks show no performance impact

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
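As an added example, not code from pve-firewall or its authors, the two steps the commit above and the "ipv6: fix ipv6 address normalization" commit near the top describe, written in Python: addresses are brought into canonical form (compressed, lower-case IPv6, with the CIDR suffix split off first so a range does not make parsing fail and silently vanish from the set), then an `ipset restore` script is emitted in the list:set / hash:net layout, creating the -v4 and -v6 sub-sets only when they have members and before the list:set references them. The set names, sample addresses and the omission of ipset size options are assumptions for illustration; `inet`/`inet6` are the family keywords ipset itself accepts.

```python
# Added example, not pve-firewall code: canonical address form plus the
# list:set / hash:net layout described in the commit above.  Set names and
# the sample addresses below are constructed for illustration.
import ipaddress


def normalize_address(spec):
    """Return (canonical address string, ip version) for SPEC.

    The CIDR suffix is split off before parsing, because feeding the whole
    "addr/prefix" string to an address-only parser (inet_ntop in the
    original bug) fails and the entry is lost.  Malformed input raises
    ValueError instead of being skipped, so a typo cannot quietly shrink a
    block list.
    """
    addr, slash, prefix = spec.strip().partition("/")
    ip = ipaddress.ip_address(addr)          # ValueError on garbage
    if not slash:
        return ip.compressed, ip.version     # "2001:DB8::1" -> "2001:db8::1"
    plen = int(prefix)                       # ValueError on non-numeric prefix
    if not 0 <= plen <= ip.max_prefixlen:
        raise ValueError("bad prefix length in %r" % spec)
    return "%s/%d" % (ip.compressed, plen), ip.version


def ipset_restore_commands(name, entries):
    """Build `ipset restore` input for the set NAME holding ENTRIES.

    Layout as in the commit message: NAME is a list:set, NAME-v4 a hash:net
    with family inet, NAME-v6 a hash:net with family inet6.  A per-family
    set is only created when it actually has members, and it is created and
    filled before the list:set references it, since restore fails when the
    order is wrong.  Size/hash options are left out (assumption; not claimed
    to match pve-firewall's own command list).
    """
    members = {4: [], 6: []}
    seen = set()
    for spec in entries:
        canonical, version = normalize_address(spec)
        if canonical not in seen:            # duplicates collapse after normalizing
            seen.add(canonical)
            members[version].append(canonical)

    lines = ["create %s list:set" % name]
    for version, family in ((4, "inet"), (6, "inet6")):
        if not members[version]:
            continue
        sub = "%s-v%d" % (name, version)
        lines.append("create %s hash:net family %s" % (sub, family))
        lines.extend("add %s %s" % (sub, m) for m in members[version])
        lines.append("add %s %s" % (name, sub))
    return lines


if __name__ == "__main__":
    # Constructed sample: a mixed-family set (with one IPv6 address written
    # twice in different spellings) and an IPv4-only set.
    mixed = ["10.0.0.0/8", "2001:DB8:0:0:0:0:0:1", "2001:db8:abcd::/48", "2001:DB8::1"]
    print("\n".join(ipset_restore_commands("PVEFW-0-blacklist", mixed)))
    print("\n".join(ipset_restore_commands("PVEFW-0-management", ["192.0.2.10"])))
```

The canonical form is what makes the ipset contents comparable between runs and between nodes: the same address written in two spellings would otherwise become two entries, and a range written with a prefix would be rejected by an address-only parser rather than added to the v6 set.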
[4 years ago] ipset_match: implement simulation of list type ipsets
Dietmar Maurer [Tue, 4 Nov 2014 06:44:37 +0000 (07:44 +0100)]
ipset_match: implement simulation of list type ipsets

[4 years ago] resolve_alias: use better regex to detect alias
Dietmar Maurer [Mon, 3 Nov 2014 05:23:26 +0000 (06:23 +0100)]
resolve_alias: use better regex to detect alias

[4 years ago] code cleanup
Dietmar Maurer [Fri, 31 Oct 2014 12:06:52 +0000 (13:06 +0100)]
code cleanup

[4 years ago] check ipversion of aliases
Alexandre Derumier [Tue, 15 Jul 2014 23:14:24 +0000 (01:14 +0200)]
check ipversion of aliases

also add support for ipv6

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] skip group rules generation if rule ipversion doesn't match iptables version
Alexandre Derumier [Tue, 15 Jul 2014 23:14:22 +0000 (01:14 +0200)]
skip group rules generation if rule ipversion doesn't match iptables version

we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if rule ipversion is undef, we apply to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] use integer compare for $ipversion
Dietmar Maurer [Fri, 31 Oct 2014 11:08:10 +0000 (12:08 +0100)]
use integer compare for $ipversion

[4 years ago] enable hostfw for ipv4 only
Alexandre Derumier [Tue, 15 Jul 2014 23:14:21 +0000 (01:14 +0200)]
enable hostfw for ipv4 only

currently pveproxy doesn't work with ipv6,
so let's generate host fw ipv4 only for the moment

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] fix venet rule generation: venet can have ipv4 and ipv6 address
Dietmar Maurer [Fri, 31 Oct 2014 11:03:17 +0000 (12:03 +0100)]
fix venet rule generation: venet can have ipv4 and ipv6 address

[4 years ago] $ipversion is an integer, so use '!=' instead of string 'ne'
Dietmar Maurer [Thu, 30 Oct 2014 12:35:55 +0000 (13:35 +0100)]
$ipversion is an integer, so use '!=' instead of string 'ne'

[4 years ago] skip vms rules generation if rule ipversion doesn't match iptables version
Alexandre Derumier [Tue, 15 Jul 2014 23:14:20 +0000 (01:14 +0200)]
skip vms rules generation if rule ipversion doesn't match iptables version

we skip ipv6 rules for iptables
we skip ipv4 rules for ip6tables

if rule ipversion is undef, we apply to both iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] verify_rule: detected mixed ipv4/ipv6 addresses
Dietmar Maurer [Thu, 30 Oct 2014 12:27:01 +0000 (13:27 +0100)]
verify_rule: detected mixed ipv4/ipv6 addresses

[4 years ago] parse_address_list: improve type detection
Dietmar Maurer [Thu, 30 Oct 2014 12:12:58 +0000 (13:12 +0100)]
parse_address_list: improve type detection

[4 years ago] parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6)
Dietmar Maurer [Thu, 30 Oct 2014 11:58:09 +0000 (12:58 +0100)]
parse_address_list: make sure we only have one type of addresses (ipv4 or ipv6)

[4 years ago] fix error message
Dietmar Maurer [Thu, 30 Oct 2014 11:52:29 +0000 (12:52 +0100)]
fix error message

[4 years ago] rename pve-fw-v4addr-spec to pve-fw-addr-spec
Dietmar Maurer [Thu, 30 Oct 2014 11:43:52 +0000 (12:43 +0100)]
rename pve-fw-v4addr-spec to pve-fw-addr-spec

Because we allow ipv4 and ipv6 addresses now.

[4 years ago] parse_rules src && dst ipversion
Alexandre Derumier [Tue, 15 Jul 2014 23:14:19 +0000 (01:14 +0200)]
parse_rules src && dst ipversion

check the ipversion of src and dst in rules

(fixme: parse ip in range)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] cleanup generate_std_chains: don't overwrite global variable $pve_std_chains
Dietmar Maurer [Thu, 30 Oct 2014 11:21:00 +0000 (12:21 +0100)]
cleanup generate_std_chains: don't overwrite global variable $pve_std_chains

Instead, pass $ipversion and use local var $std_chains.

[4 years ago] move $pve_std_chains to $pve_std_chains->{$ipversion}
Alexandre Derumier [Tue, 15 Jul 2014 23:14:18 +0000 (01:14 +0200)]
move $pve_std_chains to $pve_std_chains->{$ipversion}

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] split compile to compile_iptables_filter
Alexandre Derumier [Tue, 15 Jul 2014 23:14:17 +0000 (01:14 +0200)]
split compile to compile_iptables_filter

compile just reads the config files and will call compile_iptables_filter for iptables and ip6tables

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[4 years ago] bump version to 1.0-9
Dietmar Maurer [Tue, 14 Oct 2014 14:30:01 +0000 (16:30 +0200)]
bump version to 1.0-9

[4 years ago] fix max ipset name length
Dietmar Maurer [Tue, 14 Oct 2014 14:28:44 +0000 (16:28 +0200)]
fix max ipset name length

[4 years ago] make dependency to cman/clvm optional
Dietmar Maurer [Mon, 8 Sep 2014 11:06:39 +0000 (13:06 +0200)]
make dependency to cman/clvm optional

[4 years ago] do not start daemons during installation
Dietmar Maurer [Mon, 8 Sep 2014 10:25:13 +0000 (12:25 +0200)]
do not start daemons during installation

[4 years ago] bump version to 1.0-8
Dietmar Maurer [Mon, 8 Sep 2014 10:17:02 +0000 (12:17 +0200)]
bump version to 1.0-8

[4 years ago] Firewall/IPSet: implement permission
Dietmar Maurer [Mon, 21 Jul 2014 08:48:00 +0000 (10:48 +0200)]
Firewall/IPSet: implement permission

Factor out common code into PVE/Firewall.

[4 years ago] Firewall/Rules: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 08:24:09 +0000 (10:24 +0200)]
Firewall/Rules: add permissions

[4 years ago] Firewall/Groups: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:54:42 +0000 (09:54 +0200)]
Firewall/Groups: add permissions

[4 years ago] Firewall/VM: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:52:01 +0000 (09:52 +0200)]
Firewall/VM: add permissions

[4 years ago] Firewall/Host: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:40:34 +0000 (09:40 +0200)]
Firewall/Host: add permissions

[4 years ago] Firewall/Cluster: add permissions
Dietmar Maurer [Mon, 21 Jul 2014 07:33:18 +0000 (09:33 +0200)]
Firewall/Cluster: add permissions

[4 years ago] generate MAC and IP filter rules if firewall is enabled on NIC
Dietmar Maurer [Thu, 26 Jun 2014 07:07:27 +0000 (09:07 +0200)]
generate MAC and IP filter rules if firewall is enabled on NIC

Only omit rules if firewall is disabled. Also remove ipfilter for
venet, because that is not required (kernel does that job for us).

[4 years ago] bump version to 1.0-7
Dietmar Maurer [Thu, 26 Jun 2014 05:13:16 +0000 (07:13 +0200)]
bump version to 1.0-7

[4 years ago] proxy host rule API calls to correct node
Dietmar Maurer [Thu, 26 Jun 2014 05:12:06 +0000 (07:12 +0200)]
proxy host rule API calls to correct node

[4 years ago] bump version to 1.0-6
Dietmar Maurer [Thu, 12 Jun 2014 06:37:43 +0000 (08:37 +0200)]
bump version to 1.0-6

[4 years ago] add example for ipfilter ipset
Dietmar Maurer [Thu, 12 Jun 2014 06:36:05 +0000 (08:36 +0200)]
add example for ipfilter ipset

[4 years ago] add regression tests for ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:32:11 +0000 (08:32 +0200)]
add regression tests for ipfilter

[4 years ago] fwtester: add more network (net1, net2) to vm100 to test ipfilter
Dietmar Maurer [Thu, 12 Jun 2014 06:30:33 +0000 (08:30 +0200)]
fwtester: add more network (net1, net2) to vm100 to test ipfilter

[4 years ago] implement negative ipset match
Dietmar Maurer [Thu, 12 Jun 2014 06:29:32 +0000 (08:29 +0200)]
implement negative ipset match

To simulate ipfilter.