pve-firewall.git
3 months agofix use of uninitialized value stable-5
Mira Limbeck [Mon, 26 Aug 2019 12:55:25 +0000 (14:55 +0200)]
fix use of uninitialized value

$param->{rename} was not checked for definedness even though it is
optional. This lead to a 'use of uninitialized value' when just updating
the cidr.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
(cherry picked from commit 13d39f198ad142a013077f4b3cc436257f7a1a11)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agoadd versioned (build)-depends on pve-cluster
Fabian Grünbichler [Wed, 7 Aug 2019 08:51:50 +0000 (10:51 +0200)]
add versioned (build)-depends on pve-cluster

for Corosync config helpers.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 months agolocalnet: use ringX instead of linkX
Fabian Grünbichler [Wed, 7 Aug 2019 08:42:16 +0000 (10:42 +0200)]
localnet: use ringX instead of linkX

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 months agoDisplay corosync rule info on localnet call
Stefan Reiter [Mon, 22 Jul 2019 13:21:55 +0000 (15:21 +0200)]
Display corosync rule info on localnet call

If no corosync.conf exists (i.e. a standalone node), the output is left
the same.

(cherry picked from commit 5305cfad594d8aada080a6a877241ca0493c1161)
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
4 months agoCheck if corosync.conf exists before calling parser
Stefan Reiter [Mon, 22 Jul 2019 13:21:54 +0000 (15:21 +0200)]
Check if corosync.conf exists before calling parser

Calling cfs_read_file with no corosync.conf (i.e. on a standalone node)
returns {} instead of undef. The previous patches assumes undef for this
scenario. To avoid confusing checks all over the place, simply leave the
config as undef if no file exists.

(cherry picked from commit 1473e5f7084409a95458b2d71d59430c6870d372)
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
4 months agoOnly enable multicast rules when needed
Stefan Reiter [Mon, 22 Jul 2019 13:21:53 +0000 (15:21 +0200)]
Only enable multicast rules when needed

In corosync 2.x multicast is the default, but if 'udpu' transport is
explicitly configured, we don't need to allow it.

Also, we filter incoming Multicast packets by their source.

Default behaviour prior to this patch series was to always allow
unicast, this has been kept (also needed to run current tests).

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
4 months agoUpdate and add tests for corosync firewall changes
Stefan Reiter [Mon, 22 Jul 2019 13:21:52 +0000 (15:21 +0200)]
Update and add tests for corosync firewall changes

Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.

New test rules have been introduced to check corosync rules relating to
different rings/links.

Includes hostnames in config to trigger resolving codepaths.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
(cherry picked from commit 6f6a6b3f8259c06fe9f7f14490caa5275996b5c6)

4 months agocorosync: refactor if conditions
Fabian Grünbichler [Mon, 22 Jul 2019 13:21:51 +0000 (15:21 +0200)]
corosync: refactor if conditions

to remove one level of indentation

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit a9c463ce6917bcccd012bcfc37b1c756a16958cc)
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
4 months agoCreate corosync firewall rules independently of localnet
Stefan Reiter [Mon, 22 Jul 2019 13:21:50 +0000 (15:21 +0200)]
Create corosync firewall rules independently of localnet

"localnet" does not necessarily correspond to the correct network for
corosync (e.g. corosync rings/link can be run independently from other PVE
cluster service networks).

This change uses the previously introduced sub 'for_all_corosync_addresses'
to iterate through all nodes in a corosync cluster and generate rules for
all nodes and all their respective ringX_addr's it finds.

The rules are generated as strict as possible, there is a specific rule
for every remote node and every ring/link. Also, communication "between"
different links/rings is not allowed, e.g. a remote ring1_addr cannot
contact a local ring0_addr, and vice versa.

Multicast is always allowed, for backwards compatibility. Note however,
that we no longer filter on the source of inbound multicast packets,
since that would require localnet, and thus introduce the bug we're
trying to fix once again.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
(cherry picked from commit 06208a013f82b8654d009c7f6e10c2bd25b316bd)

4 months agoonly add VM chains if VM firewall is enabled
Mira Limbeck [Tue, 6 Aug 2019 08:25:14 +0000 (10:25 +0200)]
only add VM chains if VM firewall is enabled

Before if a NIC had the firewall enabled and the MAC filter was active,
a rule was added to the tap device even if the VM firewall was not
enabled. This led to nested machines not being able to reach outside.

Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
not reach each other because of the MAC filter.

Now we check if the VM firewall is enabled and only add the MAC and
IP filters then.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
(cherry picked from commit 033a15b372734fcfb390c3b747f67bfa4643dabd)

4 months agofix indentation/whitspace
Fabian Grünbichler [Wed, 7 Aug 2019 07:28:14 +0000 (09:28 +0200)]
fix indentation/whitspace

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit ad722fb428d89084f2c58b4e82f9e5904c5a6a02)

4 months agoskip tap rule generation if vmfw is disabled
Fabian Grünbichler [Wed, 7 Aug 2019 07:25:36 +0000 (09:25 +0200)]
skip tap rule generation if vmfw is disabled

like for containers, and adapt code style to be identical.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit bd60a824555eec55e08909ca189d49962761c93b)

6 months agobump version to 3.0-22
Thomas Lamprecht [Tue, 28 May 2019 06:29:20 +0000 (08:29 +0200)]
bump version to 3.0-22

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agofix CT rule generation with ipfilter set
Thomas Lamprecht [Tue, 28 May 2019 06:06:39 +0000 (08:06 +0200)]
fix CT rule generation with ipfilter set

commit 255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't to well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...

But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...

First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the seconds really has then the $ip value in it..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agobump debian compat level to 10
Thomas Lamprecht [Tue, 21 May 2019 20:30:14 +0000 (22:30 +0200)]
bump debian compat level to 10

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agobuildsys: use dpkg-dev makefile helpers for pkg info
Thomas Lamprecht [Tue, 21 May 2019 20:28:39 +0000 (22:28 +0200)]
buildsys: use dpkg-dev makefile helpers for pkg info

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agod/control: fix build-depends-on-obsolete-package
Thomas Lamprecht [Tue, 21 May 2019 20:12:44 +0000 (22:12 +0200)]
d/control: fix build-depends-on-obsolete-package

build-depends: dh-systemd => use debhelper (>= 9.20160709)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agod/control: fix priority-extra-is-replaced-by-priority-optional
Thomas Lamprecht [Tue, 21 May 2019 20:11:48 +0000 (22:11 +0200)]
d/control: fix priority-extra-is-replaced-by-priority-optional

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agoRemove redundant logging of packets passing the tap chain.
Christian Ebner [Wed, 15 May 2019 15:09:13 +0000 (17:09 +0200)]
Remove redundant logging of packets passing the tap chain.

Incomming and outgoing packets passing the firewall bridge were unneccessarily
logged, leading to double entries.
The first log entry occurred when passing the bridge, the second when the packets
fate was decided (ACCEPT/DROP/REJECT).

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
7 months agobump version to 3.0-21
Thomas Lamprecht [Wed, 8 May 2019 10:18:38 +0000 (10:18 +0000)]
bump version to 3.0-21

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofollowup: do not replace original variable content
Thomas Lamprecht [Tue, 7 May 2019 09:52:58 +0000 (09:52 +0000)]
followup: do not replace original variable content

this could be confusing, if someone adds code which uses $net->{ip}
it may work for the case were ipfilter is off but not else (which may
not get tested), so keep the original $net intact and copy the scalar
value..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofollowup: code cleanup and comment
Thomas Lamprecht [Tue, 7 May 2019 09:40:57 +0000 (09:40 +0000)]
followup: code cleanup and comment

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofix #2193: arpfilter: CT: remove mask from net ip cidr.
Alexandre Derumier [Thu, 2 May 2019 05:04:16 +0000 (07:04 +0200)]
fix #2193: arpfilter: CT: remove mask from net ip cidr.

We need to send to ebtables an host address without prefix or with
/32 prefix.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
7 months agofix ipv6 PVEFW-reject
Alexandre Derumier [Mon, 29 Apr 2019 14:18:46 +0000 (16:18 +0200)]
fix ipv6 PVEFW-reject

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
7 months agobump version to 3.0-20
Thomas Lamprecht [Fri, 19 Apr 2019 05:11:22 +0000 (05:11 +0000)]
bump version to 3.0-20

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofix reading host.fw through IPCC interface
Thomas Lamprecht [Fri, 19 Apr 2019 04:51:38 +0000 (04:51 +0000)]
fix reading host.fw through IPCC interface

IPCC has no knowledge about FUSE based links, but we used
'local/host.fw' here, where local is always a link to
'nodes/<LOCAL-NODENAME>/', this works only when using the common file
system interface provided by FUSE, but not if we're talking directly
with our memdb file store through IPCC..

So use a nodename based path here, to avoid getting just empty
strings for host.fw.

fixes commit 0dbef53046fade02efec143d3b7a0f4f9021b618

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofix #2178: endless loop on ipv6 extension headers
Mira Limbeck [Wed, 17 Apr 2019 14:44:16 +0000 (16:44 +0200)]
fix #2178: endless loop on ipv6 extension headers

increment header and decrement payload size by the extensions size. the
length calculation is different for some extensions. in our case only
IPPROTO_FRAGMENT requires a different size calculation than the rest. in
addition 'proto' is now set in the loop when advancing from an
extension header. it moves on to the next extension or protocol now
instead of looping on the same 'proto' while advancing the payload.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
7 months agoremove useless unused Data::Dumper uses
Thomas Lamprecht [Wed, 17 Apr 2019 12:02:06 +0000 (12:02 +0000)]
remove useless unused Data::Dumper uses

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofirewall: split and order modules
Thomas Lamprecht [Fri, 12 Apr 2019 11:50:27 +0000 (13:50 +0200)]
firewall: split and order modules

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agouse IPCC to read FW files if the are backed by pmxcfs
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:36 +0000 (15:28 +0200)]
use IPCC to read FW files if the are backed by pmxcfs

This allows us to profit from the IPCC pmxcfs restart mechanisms,
which will block this call for the grace period (~10 seconds) and
transparently try to reconnect to the IPCC interface of pmxcfs, if a
restart is detected..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agoremove a level of indirection on FW config parsing
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:35 +0000 (15:28 +0200)]
remove a level of indirection on FW config parsing

the removed methods where only used by those we merged their code
into.

Opening the FH in the generic parser safes a bit of repetition too..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agomake verbose a global state
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:34 +0000 (15:28 +0200)]
make verbose a global state

This is part of the project 'stop the parameter rabbit hole madness'
and tries to make reading the firewall code a little bit easier.

Here we remove passing $verbose from 44 method signatures, while it
was used in 4 of those methods, a ration of 1/11 is simply not
acceptable for such a thing as a verbosity flag..

Remove it, and just make it a global variable with a setter for now.

Verbose is not modified in any API call, only in a Service
environment callablle by CLI, so we are save to do so.

If we decide to add some sort of firewall instance (i.e., a blessed
$self "object") with some state we could also move it there, but
making it global now doesn't hurt.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agobump version to 3.0-19
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:30 +0000 (11:18 +0200)]
bump version to 3.0-19

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agobuildsys: no need to not pre-clean for source package
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:21 +0000 (11:18 +0200)]
buildsys: no need to not pre-clean for source package

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agobuildsys: correctly cleanup source tarball
Thomas Lamprecht [Mon, 1 Apr 2019 11:57:41 +0000 (13:57 +0200)]
buildsys: correctly cleanup source tarball

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoallow to enable/disable and modify cluster wide log ratelimits
Thomas Lamprecht [Thu, 21 Mar 2019 06:57:43 +0000 (07:57 +0100)]
allow to enable/disable and modify cluster wide log ratelimits

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Christian Ebner <c.ebner@proxmox.com>
8 months agobuildsys: add dsc target
Thomas Lamprecht [Sun, 31 Mar 2019 13:43:40 +0000 (15:43 +0200)]
buildsys: add dsc target

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agocleanup makefiles, set target dirs per makefile
Thomas Lamprecht [Sun, 31 Mar 2019 13:24:42 +0000 (15:24 +0200)]
cleanup makefiles, set target dirs per makefile

be more consistent with the buildsystems of our other packages.
compared old to new with diffoscope, no real changes (besides
different SOURCE file, as base check commits differ)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agofix Razor macro
Thomas Lamprecht [Sat, 30 Mar 2019 16:36:16 +0000 (17:36 +0100)]
fix Razor macro

'ACCEPT' was plain wrong here and broken and disables ALL firewalling
for a Container, at least when used in a Security Group.

fixes 857f62c833a604eb8399467a94d325c1994367eb
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reported-by: Tom Weber <pve@junkyard.4t2.com>
8 months agoadd 'log_nf_conntrack' option description
Mira Limbeck [Tue, 19 Mar 2019 13:27:31 +0000 (14:27 +0100)]
add 'log_nf_conntrack' option description

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
8 months agofollowup: minor code style fix
Thomas Lamprecht [Tue, 19 Mar 2019 13:37:56 +0000 (14:37 +0100)]
followup: minor code style fix

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agofollowup: use default burst limit of 5
Thomas Lamprecht [Tue, 19 Mar 2019 13:36:40 +0000 (14:36 +0100)]
followup: use default burst limit of 5

it does not hurt and can be be used to see high frequeny occurences
of certain rules which hit.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agofix: #2123 Logging of user defined firewall rules
Christian Ebner [Mon, 18 Mar 2019 16:05:53 +0000 (17:05 +0100)]
fix: #2123 Logging of user defined firewall rules

This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option allow to specify the
log level for each rule individually.

The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.

For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
8 months agoebtables: test layer2_protocols in an external chain
Alexandre Derumier [Sun, 10 Mar 2019 07:25:07 +0000 (08:25 +0100)]
ebtables: test layer2_protocols in an external chain

We need the not matching DROP outside the main tapchain,
in a specific proto chain, and a ACCEPT in the main tap chain.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
8 months agoebtables: add arp filtering
Alexandre Derumier [Sun, 10 Mar 2019 07:25:06 +0000 (08:25 +0100)]
ebtables: add arp filtering

This implemented arp filtering if ipfilter is enable
https://bugzilla.proxmox.com/show_bug.cgi?id=2125

They are another filters possible (ipv4,rarp),
i don't known if we need them.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
9 months agobump version to 3.0-18
Thomas Lamprecht [Mon, 4 Mar 2019 09:27:42 +0000 (10:27 +0100)]
bump version to 3.0-18

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
9 months agod/control: bump version dependency to pve-doc-generator
Thomas Lamprecht [Fri, 22 Feb 2019 12:31:32 +0000 (13:31 +0100)]
d/control: bump version dependency to pve-doc-generator

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
9 months ago1891 Add zsh command completion for pve-firewall
Christian Ebner [Thu, 21 Feb 2019 13:24:59 +0000 (14:24 +0100)]
1891 Add zsh command completion for pve-firewall

Adds the zsh command completion scripts for pve-firewall.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
9 months agodaemon: cleanup '+' character at begin of line
Alexandre Derumier [Wed, 20 Feb 2019 00:16:58 +0000 (01:16 +0100)]
daemon: cleanup '+' character at begin of line

this stray '+' was introduced by
commit 151c209e05a9e15d5d7a9402391ca936e562a173 while it had no
effect let's remove it nonetheless.

9 months agoFix unitialized value $mark in bitwise operation
Alwin Antreich [Wed, 13 Feb 2019 11:27:58 +0000 (12:27 +0100)]
Fix unitialized value $mark in bitwise operation

Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
10 months agolog reject : add space after policy REJECT like drop
Alexandre Derumier [Tue, 5 Feb 2019 10:22:45 +0000 (11:22 +0100)]
log reject : add space after policy REJECT like drop

For log consistency and parsing, we already have a space after "policy DROP: "
but not REJECT

ex:

DROP
135 6 tap135i1-IN 05/Feb/2019:10:59:55 +0100 policy DROP: IN=.....

REJECT
232 6 tap232i1-IN 05/Feb/2019:10:59:28 +0100 policy REJECT:IN=....

10 months agofollowup: avoid long hash access, use own variable
Thomas Lamprecht [Mon, 4 Feb 2019 13:22:41 +0000 (14:22 +0100)]
followup: avoid long hash access, use own variable

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agoFix #1606 Add nf_conntrack_allow_invalid option
Christian Ebner [Fri, 1 Feb 2019 09:46:11 +0000 (10:46 +0100)]
Fix #1606 Add nf_conntrack_allow_invalid option

This adds the nf_conntrack_allow_invalid host firewall option to allow to disable
the dropping of invalid packets from the connection tracker point of view.
This is needed for some rare setups with asymmetrical multi-path routing.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
10 months agobuildsys: build a dbgsym package
Wolfgang Bumiller [Fri, 25 Jan 2019 09:56:16 +0000 (10:56 +0100)]
buildsys: build a dbgsym package

don't forcefully strip debug components out of the firewall
logger...

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
10 months agobump version to 3.0-17
Thomas Lamprecht [Wed, 9 Jan 2019 15:54:29 +0000 (16:54 +0100)]
bump version to 3.0-17

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agolog and ignore ENOBUFS in nfct_catch
David Limbeck [Wed, 9 Jan 2019 14:32:10 +0000 (15:32 +0100)]
log and ignore ENOBUFS in nfct_catch

nfct_catch sets ENOBUFS if not enough buffer space is available. log
and continue operation instead of stopping. in addition log possible
other errors set by nfct_catch

Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
10 months agofixup va_arg usage
Wolfgang Bumiller [Wed, 9 Jan 2019 13:26:00 +0000 (14:26 +0100)]
fixup va_arg usage

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
11 months agoadd log_nf_conntrack host firewall option
David Limbeck [Thu, 13 Dec 2018 12:08:52 +0000 (13:08 +0100)]
add log_nf_conntrack host firewall option

add log_nf_conntrack host firewall option to enable or disable logging
of connections. restarts pvefw-logger if the option changes in the
config. the pvefw-logger is always restarted in the beginning to make
sure the current config is applied.

Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
11 months agoadd conntrack logging via libnetfilter_conntrack
David Limbeck [Thu, 13 Dec 2018 12:08:51 +0000 (13:08 +0100)]
add conntrack logging via libnetfilter_conntrack

add conntrack logging to pvefw-logger including timestamps (requires
/proc/sys/net/netfilter/nf_conntrack_timestamp to be 1).
this allows the tracking of sessions (start, end timestamps with
nf_conntrack_timestamp on [DESTROY] messages). commit includes
Build-Depends inclusion of libnetfilter-conntrack-dev and
libnetfilter_conntrack library in the Makefile.

Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
12 months agofix #2004: do not allow backwards ranges
Dominik Csapak [Fri, 30 Nov 2018 15:31:41 +0000 (16:31 +0100)]
fix #2004: do not allow backwards ranges

ranges like 10:5 are allowed by us, but iptables throws an error
that is only visible in the syslog and the firewall rules do not
get updated

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
12 months agofix #2005: only allow ascii port digits
Dominik Csapak [Fri, 30 Nov 2018 08:53:49 +0000 (09:53 +0100)]
fix #2005: only allow ascii port digits

perl accepts non-ascii digits for \d like U+09EA
which do not work with iptables

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
12 months agobump version to 3.0-16
Thomas Lamprecht [Fri, 30 Nov 2018 15:03:11 +0000 (16:03 +0100)]
bump version to 3.0-16

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
12 months agomacro: fix return verification failure
Dominik Csapak [Thu, 29 Nov 2018 13:29:03 +0000 (14:29 +0100)]
macro: fix return verification failure

macros are strings not integers

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
12 months agobump version to 3.0-15
Thomas Lamprecht [Fri, 23 Nov 2018 13:05:23 +0000 (14:05 +0100)]
bump version to 3.0-15

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
12 months agod/control: add missing Build-Depends
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:46 +0000 (15:14 +0100)]
d/control: add missing Build-Depends

Found while building in a clean chroot.

Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
12 months agoFix #1971: display firewall rule properties
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:45 +0000 (15:14 +0100)]
Fix #1971: display firewall rule properties

This is the list of the properties that should get returned in the
pretty print format, too, not just in yaml/json output.

Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
15 months agod/rules: fix pvefw-logger service unit-name
Thomas Lamprecht [Tue, 4 Sep 2018 07:50:37 +0000 (09:50 +0200)]
d/rules: fix pvefw-logger service unit-name

debhelpers on stretch do not care about the wrong uinit name, and the
name used is always the one from --name.
But buster cares, so fix it to the right one.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
15 months agobump version to 3.0-14
Wolfgang Bumiller [Fri, 24 Aug 2018 08:51:19 +0000 (10:51 +0200)]
bump version to 3.0-14

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
15 months agoFix #1841: ebtables: sort interfaces per guest
Stoiko Ivanov [Thu, 23 Aug 2018 14:04:50 +0000 (16:04 +0200)]
Fix #1841: ebtables: sort interfaces per guest

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
17 months agobump version to 3.0-13
Wolfgang Bumiller [Thu, 28 Jun 2018 12:47:25 +0000 (14:47 +0200)]
bump version to 3.0-13

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
17 months agoebtables: sort guest chains during rulecreation
Stoiko Ivanov [Thu, 28 Jun 2018 12:41:56 +0000 (14:41 +0200)]
ebtables: sort guest chains during rulecreation

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
17 months agoapi: host, vm: explicit import raise_param_exc
Thomas Lamprecht [Thu, 14 Jun 2018 10:08:52 +0000 (12:08 +0200)]
api: host, vm: explicit import raise_param_exc

we inherited the import from PVE::RESTHandler but may want to get rid
of it there. So explicitly import it here.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
17 months agowhitespace fixup
Wolfgang Bumiller [Wed, 13 Jun 2018 11:26:28 +0000 (13:26 +0200)]
whitespace fixup

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
17 months agobump version to 3.0-12
Wolfgang Bumiller [Tue, 12 Jun 2018 10:02:32 +0000 (12:02 +0200)]
bump version to 3.0-12

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
17 months agofixup active_chains distinction when deleting chains
Wolfgang Bumiller [Tue, 12 Jun 2018 10:00:10 +0000 (12:00 +0200)]
fixup active_chains distinction when deleting chains

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
18 months agofixup changelog UNRELEASED
Thomas Lamprecht [Wed, 6 Jun 2018 14:18:48 +0000 (16:18 +0200)]
fixup changelog UNRELEASED

18 months agobump version to 3.0-11
Thomas Lamprecht [Wed, 6 Jun 2018 14:15:01 +0000 (16:15 +0200)]
bump version to 3.0-11

18 months agorename ebtables_enable to ebtables
Stoiko Ivanov [Wed, 6 Jun 2018 09:56:05 +0000 (11:56 +0200)]
rename ebtables_enable to ebtables

and register ebtables option with the API

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
18 months agobump version to 3.0-10
Wolfgang Bumiller [Tue, 29 May 2018 13:14:43 +0000 (15:14 +0200)]
bump version to 3.0-10

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
18 months agotypo fixup
Wolfgang Bumiller [Tue, 29 May 2018 13:08:25 +0000 (15:08 +0200)]
typo fixup

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
18 months agoDon't change external ebtables rules
Stoiko Ivanov [Sat, 26 May 2018 20:50:30 +0000 (22:50 +0200)]
Don't change external ebtables rules

  * Fixes #1764
  * Introduces ebtables_enable option to cluster config
  * All ebtables chains not created by PVE are left in place
  * get_ruleset_status optionally takes an additional argument
    (a regex indicating which chains should be left intact)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
18 months agobump version to 3.0-9
Wolfgang Bumiller [Thu, 17 May 2018 12:41:40 +0000 (14:41 +0200)]
bump version to 3.0-9

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
18 months agofix PVEFW-FORWARD chain not being used
Wolfgang Bumiller [Thu, 17 May 2018 11:09:23 +0000 (13:09 +0200)]
fix PVEFW-FORWARD chain not being used

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
19 months agobump version to 3.0-8
Wolfgang Bumiller [Wed, 11 Apr 2018 12:26:15 +0000 (14:26 +0200)]
bump version to 3.0-8

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
20 months agoebtables_get_chains: deal with empty chains
Wolfgang Bumiller [Thu, 29 Mar 2018 07:48:28 +0000 (09:48 +0200)]
ebtables_get_chains: deal with empty chains

Since we don't have signatures in ebtables we need to also
see empty chains to not think we have to create them.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agoadd ebtables dependency
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:31 +0000 (10:53 +0200)]
add ebtables dependency

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agoavoid double spaces in ruleset_addrule
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:30 +0000 (10:53 +0200)]
avoid double spaces in ruleset_addrule

ebtables doesn't have comment rules we could store the
digest in, so we need to match the ebtables-save output
instead.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agoapply ebtables_ruleset
Alexandre Derumier [Wed, 28 Mar 2018 08:53:29 +0000 (10:53 +0200)]
apply ebtables_ruleset

need ebtables-save && ebtables-restore,  ebtables debian package don't include them.

ebtables-restore need to restore the full ruleset (atomicaly),
so we can't update only 1 chain

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agocompile ebtables rules
Alexandre Derumier [Wed, 28 Mar 2018 08:53:28 +0000 (10:53 +0200)]
compile ebtables rules

-A FORWARD -j PVEFW-FORWARD
   -A PVEFW-FORWARD -p IPv4 -j ACCEPT  #filter mac in iptables for ipv4, so we can speedup rules with conntrack established
   -A PVEFW-FORWARD -p IPv6 -j ACCEPT
   -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -i tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s ! 36:97:15:91:19:3c -j DROP
-A tap110i0-OUT -p ARP -j ACCEPT
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -j ACCEPT
-A PVEFW-FWBR-OUT -i veth130.1 -j veth130.1-OUT
-A veth130.1-OUT -s ! 36:95:a9:ae:f5:ec -j DROP
-A veth130.1-OUT -j ACCEPT

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months ago/etc/services can also define 'sctp' services
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:27 +0000 (10:53 +0200)]
/etc/services can also define 'sctp' services

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agoadd get_etc_ethertypes
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:26 +0000 (10:53 +0200)]
add get_etc_ethertypes

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agoparse_protocol_file: support lines without end comments
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:25 +0000 (10:53 +0200)]
parse_protocol_file: support lines without end comments

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agosplit parser out of get_etc_protocols
Wolfgang Bumiller [Wed, 28 Mar 2018 08:53:24 +0000 (10:53 +0200)]
split parser out of get_etc_protocols

Into a reusable parse_protocol_file.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
20 months agobump version to 3.0-7
Wolfgang Bumiller [Mon, 12 Mar 2018 13:58:19 +0000 (14:58 +0100)]
bump version to 3.0-7

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
20 months agomultiport: add explaining comment
Fabian Grünbichler [Mon, 12 Mar 2018 11:38:51 +0000 (12:38 +0100)]
multiport: add explaining comment

about ordering single port matches before multiport matches,
and improve readability by adding some blank lines after returns.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
20 months agofix and improve multiport handling
Wolfgang Bumiller [Mon, 12 Mar 2018 10:55:18 +0000 (11:55 +0100)]
fix and improve multiport handling

The multiport `--ports` parameter is an `OR` match on source
and destination ports, so we should not use it.

We also don't actually use the port count, so let the port
range parser simply return a boolean and use the counter
only for the internal check. This also fixes a regression
caused by the previous multiport check which caused a single
port range to be recognized as a multiport option while it
did not have to be one, causing entries such as the SMB
macro to be added with `--match multiport` mistakenly, which
refused to accept the source port option.

Additionally, we now allow the case with 1 multiport and 1
single port entry: In order for the iptables command to
accept this the single port entry must come first, otherwise
it'll be passed to the multiport matcher (because why
shouldn't it interpret a singular `--Xport` as an alias to
the plural version `--Xports`... *sigh*).

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: 6a241ca745f7 ("check multiport limit in port ranges")

21 months agobump version to 3.0-6
Dietmar Maurer [Thu, 8 Mar 2018 12:53:54 +0000 (13:53 +0100)]
bump version to 3.0-6

21 months agobuild: use git rev-parse for GITVERSION
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:56 +0000 (13:33 +0100)]
build: use git rev-parse for GITVERSION

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
21 months agodebian: remove duplicate dh_systemd_enable code
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:55 +0000 (13:33 +0100)]
debian: remove duplicate dh_systemd_enable code

dh_systemd_enable already includes this snippet via the #DEBHELPER#
stanza, no need to duplicate it manually.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
21 months agodebian: drop preinst
Fabian Grünbichler [Thu, 8 Mar 2018 12:33:54 +0000 (13:33 +0100)]
debian: drop preinst

the only actual code was for upgrading from PVE 3 to PVE 4..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>