From 88733a748c21283a6f1168f88a679056c68325c9 Mon Sep 17 00:00:00 2001 From: Alexandre Derumier Date: Tue, 22 Apr 2014 10:44:59 +0200 Subject: [PATCH] add global ipset blacklist this is a predefined ipset == blacklist, which block ips at the begin of PVE-FORWARD. (usefull in case of ddos attack) Signed-off-by: Alexandre Derumier --- debian/example/cluster.fw | 6 ++++++ src/PVE/Firewall.pm | 27 ++++++++++++++++----------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/debian/example/cluster.fw b/debian/example/cluster.fw index bf5a98f..457c993 100644 --- a/debian/example/cluster.fw +++ b/debian/example/cluster.fw @@ -38,3 +38,9 @@ IN ACCEPT myserveralias 192.168.0.0/24 ! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer mynetworkalias + +#global ipset blacklist +[ipset blacklist] + +10.0.0.8 +192.168.0./24 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index ac89966..c4bc308 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1398,7 +1398,7 @@ sub ruleset_addlog { $logrule = "$rule $logrule" if defined($rule); - ruleset_addrule($ruleset, $chain, $logrule) + ruleset_addrule($ruleset, $chain, $logrule); } sub generate_bridge_chains { 
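Review bot: The added blacklist entry `+192.168.0./24` is not a valid CIDR prefix — the final octet is missing — so the shipped example would fail to parse or, depending on how the ipset loader treats it, be silently dropped from PVEFW-blacklist; it should read `192.168.0.0/24`. Note also that this /24 is the same network the `myserveralias` alias in the context lines above points at, so a reader copying the example would blacklist the very range the example accepts; a deliberately unrelated documentation range (e.g. `203.0.113.0/24`) would avoid that trap. A one-line comment such as `# entries are IPs or CIDR prefixes; traffic whose source matches is dropped in PVEFW-FORWARD` would also tell users what the section does, since the example is the only documentation of this new section name.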
@@ -2655,6 +2655,21 @@ sub compile { my $hostfw_options = $hostfw_conf->{options} || {}; + # fixme: what log level should we use here? + my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); + + if($hostfw_options->{optimize}){ + + my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT"; + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + } + + if ($cluster_conf->{ipset}->{blacklist}){ + ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP"); + } + generate_std_chains($ruleset, $hostfw_options); my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0)); @@ -2725,16 +2740,6 @@ sub compile { } } - if($hostfw_options->{optimize}){ - - my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT"; - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP"); - } - - # fixme: what log level should we use here? - my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); - # fixme: should we really block inter-bridge traffic? # always allow traffic from containers? -- 2.39.2
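Review bot: The blacklist DROP is appended after the optimize shortcut, so when `optimize` is set the `-m conntrack --ctstate RELATED,ESTABLISHED -j $accept` rule is evaluated first and any flow a blacklisted source already has in conntrack keeps passing until its entry expires, which defeats the commit's stated goal of blocking "at the begin of PVE-FORWARD" during an active attack. Moving the `if ($cluster_conf->{ipset}->{blacklist})` block above the `if($hostfw_options->{optimize})` block (keeping `my $loglevel` before both) makes the blacklist unconditional; the conntrack shortcut then only helps non-blacklisted traffic. Separately, the log rule fires for every dropped packet; unless `ruleset_addlog` (whose body is outside this hunk) applies a rate limit, a flood from a blacklisted source turns into a log flood, so consider a `-m limit` match on the log rule or documenting that `log_level_out` should be set to `nolog` under DDoS. The match is `src`-only and lives in PVEFW-FORWARD, so a comment stating that host-bound (INPUT) traffic and replies to blacklisted destinations are not covered would set expectations correctly; `compile` itself begins and ends outside this hunk.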