Thomas Lamprecht [Tue, 30 Apr 2024 08:27:18 +0000 (10:27 +0200)]
also signal force-disable nftables if FW is completely disabled
If the FW is disabled on cluster level then touch the file flag to
signal that the nftables FW should not run, to avoid that a config
that uses some keys the new impl doesn't yet understand causes log-spam
there.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 26 Apr 2024 14:04:51 +0000 (16:04 +0200)]
service: create flag file to signal if nftables impl should not run
The new nftables/rust based proxmox-firewall is still a WIP w.r.t.
understanding all oddities the firewall config provides.
This is not a problem in general, as it's released as tech-preview,
but the new service needs to parse the config to check if it's
enabled, so if that fails due to not recognizing some edge case, the
users get some scary looking log-spam.
So use a flag in the memory-backed /run as a side-channel that does
not need any parsing to signal if the new implementation should be
disabled.
This can be removed again once proxmox-firewall covers all possible
cases for sure and/or becomes the new default.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Fri, 19 Apr 2024 09:42:36 +0000 (11:42 +0200)]
add configuration option for new nftables firewall
Introduces new nftables configuration option that en/disables the new
nftables firewall.
pve-firewall reads this option and only generates iptables rules when
nftables is set to `0` or if the proxmox-firewall package is not
installed at all. Conversely, proxmox-firewall only generates rules
when the option is set to `1`.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
[ TL: mark as tech preview and clarify is_enabled method name ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Leo Nunner [Tue, 11 Jul 2023 09:41:15 +0000 (11:41 +0200)]
parser: fix scoped alias resolution
We tried to resolve aliases in some places where the cluster
configuration didn't get set. It's probably better to handle these cases
directly in the function at hand, instead of at every place where these
issues might arise.
This seemingly fixes the issues reported on pve-user and the forum:
* https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
* https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/
Leo Nunner [Tue, 13 Jun 2023 12:06:33 +0000 (14:06 +0200)]
fix #4556: api: return scoped IPSets and aliases
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Leo Nunner [Wed, 7 Jun 2023 10:17:49 +0000 (12:17 +0200)]
fix #4556: introduce 'dc' and 'vm' prefix for aliases
since they had the same issue as IPSets, detailed in #4556. The format
works the same as for IPSets:
dc/alias
Looks for the alias on the Datacenter level.
vm/alias
Looks for the alias on the VM level.
alias
Uses the previous method of scoping, where it first looks at the
VM level and then at the Datacenter level.
Leo Nunner [Wed, 7 Jun 2023 10:17:48 +0000 (12:17 +0200)]
fix #4556: introduce 'dc' and 'vm' prefix for IPSets
to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:
+dc/ipset
Looks for the IPSet on the Datacenter level.
+vm/ipset
Looks for the IPSet on the VM level.
+ipset
Uses the previous method of scoping, where it first looks at the
VM level and then at the Datacenter level.
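The scoped lookup described in the two commits above ('dc/' and 'vm/' prefixes for both aliases and IPSets, with the old VM-then-datacenter fallback for unscoped names), written out as an added Python example. This is not pve-firewall's own (Perl) code; the config dictionaries, the `+` marker on IPSet references and the function names are assumptions made for illustration.

```python
# Added example, not part of pve-firewall: resolve alias and IPSet references
# according to their scope prefix. Configs are plain dicts keyed by kind
# ("alias" / "ipset"); this layout is an assumption, not the project's format.

def split_scope(ref):
    """Split 'dc/name' or 'vm/name' into (scope, name); unscoped -> (None, name)."""
    if "/" in ref:
        scope, name = ref.split("/", 1)
        if scope not in ("dc", "vm"):
            raise ValueError(f"unknown scope prefix '{scope}' in '{ref}'")
        return scope, name
    return None, ref


def resolve_scoped(kind, ref, cluster_conf, vm_conf):
    """Return (level, value) for an alias or ipset reference.

    'dc/x'  -> datacenter (cluster.fw) level only
    'vm/x'  -> VM/CT level only
    'x'     -> previous behaviour: VM level first, then datacenter level
    """
    scope, name = split_scope(ref)
    dc_table = cluster_conf.get(kind, {})
    vm_table = vm_conf.get(kind, {})
    if scope == "dc":
        lookup = [("dc", dc_table)]
    elif scope == "vm":
        lookup = [("vm", vm_table)]
    else:
        lookup = [("vm", vm_table), ("dc", dc_table)]
    for level, table in lookup:
        if name in table:
            return level, table[name]
    raise LookupError(f"no such {kind} '{ref}'")


def resolve_alias(ref, cluster_conf, vm_conf):
    return resolve_scoped("alias", ref, cluster_conf, vm_conf)


def resolve_ipset(ref, cluster_conf, vm_conf):
    # IPSet references in rules carry a leading '+' (e.g. '+dc/ipset').
    if not ref.startswith("+"):
        raise ValueError(f"ipset reference '{ref}' must start with '+'")
    return resolve_scoped("ipset", ref[1:], cluster_conf, vm_conf)


# Constructed sample configs: 'management' and 'gateway' exist on both levels,
# 'ntp' only on the datacenter level.
CLUSTER = {
    "ipset": {"management": ["10.0.0.0/24"]},
    "alias": {"gateway": "10.0.0.1", "ntp": "10.0.0.123"},
}
VM = {
    "ipset": {"management": ["192.168.5.0/24"]},
    "alias": {"gateway": "192.168.5.1"},
}

if __name__ == "__main__":
    for ref in ("+dc/management", "+vm/management", "+management"):
        print(ref, "->", resolve_ipset(ref, CLUSTER, VM))
    for ref in ("dc/gateway", "vm/gateway", "gateway", "ntp"):
        print(ref, "->", resolve_alias(ref, CLUSTER, VM))
```

The unscoped form keeps the old precedence, so an existing configuration resolves exactly as before; only references that explicitly name a level can now reach a datacenter entry that a same-named VM entry would otherwise shadow.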
Thomas Lamprecht [Mon, 22 May 2023 12:24:20 +0000 (14:24 +0200)]
buildsys: rework doc-gen cleanup and makefile inclusion
The NOVIEW variable is useless now anyway, and the cleanup-docgen
target is a bit dangerous (removes _all_ *.adoc files) and it's just
a single line, so avoid complexity.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
fix #4730: add safeguards to prevent ICMP type misuse
without these additional conditions, it's possible to break the firewall by
setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for
'tcp'.
by rejecting the invalid rule/parameter, the rest of the ruleset is still
applied properly, and the error messages are a lot more informative as well.
Thomas Lamprecht [Tue, 11 Apr 2023 14:23:40 +0000 (16:23 +0200)]
fix variables declared in conditional statement
as that can trigger hard to reproduce/debug bugs; as with such
statements the variable won't be necessarily undef if the post-if
evaluates to false, but rather will hold the (now bogus) value from
the last time it evaluated to true.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Thu, 19 Jan 2023 10:25:04 +0000 (11:25 +0100)]
api: Add optional parameters `since` and `until` for timestamp filter
The optional unix epoch timestamps parameters `since` and `until` are introduced
in order to filter firewall logs files. If one of these flags is set, also
rotated logfiles are included. This is handled in the `dump_fw_logfile` helper
function. Filtering is now performed based on a callback function passed to
`dump_fw_logfile`.
This patch depends on the corresponding patch in the pve-common repository.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
[w.bumiller@proxmox.com: fixup 'continue' -> 'next']
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
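The `since`/`until` filtering described in the commit above, as an added Python example rather than the project's Perl `dump_fw_logfile`. The log line layout used here (`VMID LEVEL CHAIN DD/Mon/YYYY:HH:MM:SS +ZZZZ message`), the file naming (`firewall.log`, `firewall.log.1`, ...) and the in-memory dict standing in for the files are assumptions made for illustration; the sample lines are constructed.

```python
# Added example, not pve-firewall's own code: filter firewall log lines by a
# unix-epoch window, and include rotated log files only when a window is given.
from datetime import datetime

CURRENT = "firewall.log"          # assumed name of the active log file
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # assumed timestamp layout inside a line


def parse_ts(line):
    """Return the epoch timestamp of a log line, or None if it has none."""
    parts = line.split(" ", 5)
    if len(parts) < 5:
        return None
    try:
        return int(datetime.strptime(f"{parts[3]} {parts[4]}", TS_FORMAT).timestamp())
    except ValueError:
        return None


def make_time_filter(since=None, until=None):
    """Build the callback that decides whether a line falls inside [since, until]."""
    def keep(line):
        ts = parse_ts(line)
        if ts is None:
            return False
        if since is not None and ts < since:
            return False
        if until is not None and ts > until:
            return False
        return True
    return keep


def dump_fw_logfile(files, since=None, until=None):
    """files: dict name -> list of lines; rotated files are 'firewall.log.N'.

    Without since/until only the current file is read (old behaviour). With a
    window, rotated files are read too, oldest first, and every line is passed
    through the time filter callback.
    """
    use_rotated = since is not None or until is not None
    names = []
    if use_rotated:
        rotated = [n for n in files if n != CURRENT]
        # firewall.log.2 is older than firewall.log.1, so sort descending
        rotated.sort(key=lambda n: int(n.rsplit(".", 1)[1]), reverse=True)
        names.extend(rotated)
    names.append(CURRENT)
    cb = make_time_filter(since, until) if use_rotated else (lambda line: True)
    return [line for n in names for line in files[n] if cb(line)]


# Constructed sample: two rotated files plus the current one.
LOGS = {
    "firewall.log.2": [
        "100 6 PVEFW-FWBR-IN 12/Jun/2023:09:00:00 +0200 policy DROP: IN=fwbr100i0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    ],
    "firewall.log.1": [
        "100 6 PVEFW-FWBR-IN 13/Jun/2023:09:00:00 +0200 policy DROP: IN=fwbr100i0 SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP DPT=22",
    ],
    "firewall.log": [
        "0 6 PVEFW-HOST-IN 14/Jun/2023:10:05:30 +0200 policy DROP: IN=vmbr0 SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP DPT=8006",
        "0 6 PVEFW-HOST-IN 14/Jun/2023:11:00:00 +0200 policy DROP: IN=vmbr0 SRC=198.51.100.5 DST=192.0.2.1 PROTO=UDP DPT=123",
    ],
}

if __name__ == "__main__":
    start = parse_ts(LOGS["firewall.log.1"][0])
    end = parse_ts(LOGS["firewall.log"][0])
    for line in dump_fw_logfile(LOGS, since=start, until=end):
        print(line)
```

Both bounds are inclusive, so asking for `until` equal to a line's own timestamp still returns that line; lines without a parseable timestamp are dropped only when a window is active, which matches the idea that the callback, not the reader, decides what to keep.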
Stefan Hrdlicka [Tue, 13 Dec 2022 15:14:18 +0000 (16:14 +0100)]
allow non zero ip address host bits to be entered
They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
error: 192.168.1.155/24
correct: 192.168.1.0/24
This cleans the entered IP and removes the non zero host bits.
Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
Leo Nunner [Mon, 24 Oct 2022 10:02:01 +0000 (12:02 +0200)]
fix #4268: add 'force' parameter to delete IPSet with members
Currently, trying to delete a non-empty IPSet will throw an error.
Manually deleting all members of the set might be a time-consuming
process, which the force parameter allows to bypass.
Leo Nunner [Wed, 28 Sep 2022 09:11:44 +0000 (11:11 +0200)]
fix #4204: automatically update usages of group when it is renamed
When renaming a group, the usages didn't get updated automatically. To
get around problems with atomicity, the old rule is first cloned with the
new name, the usages are updated and only when updating has finished, the
old rule is deleted.
The subroutines that lock/update host configs had to be changed so that
it's possible to lock any config, not just the one of the current host.
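The clone-update-delete ordering from the commit above, as an added Python example on a constructed in-memory config (not pve-firewall's own code; the rule dict shape, with `type: "group"` rules naming the group in `action`, and the function name are assumptions):

```python
# Added example, not part of pve-firewall: rename a security group so that
# every intermediate state of the config is still valid.
import copy


def rename_group(config, old, new):
    """Rename group `old` to `new` and rewrite all rules that reference it.

    Returns the number of rewritten references. The old group is deleted last,
    so a reader that sees the config mid-way finds either name resolvable.
    """
    groups = config["groups"]
    if old not in groups:
        raise KeyError(f"group '{old}' does not exist")
    if new in groups:
        raise ValueError(f"group '{new}' already exists")

    # 1. clone under the new name first
    groups[new] = copy.deepcopy(groups[old])

    # 2. rewrite every usage (host and guest rule lists alike)
    updated = 0
    for rules in config["rules"].values():
        for rule in rules:
            if rule.get("type") == "group" and rule.get("action") == old:
                rule["action"] = new
                updated += 1

    # 3. only now drop the old group
    del groups[old]
    return updated


# Constructed sample: 'webservers' is referenced by the host and by VM 100.
CONFIG = {
    "groups": {
        "webservers": [{"type": "in", "action": "ACCEPT", "proto": "tcp", "dport": "443"}],
    },
    "rules": {
        "host": [{"type": "group", "action": "webservers", "iface": "vmbr0"}],
        "vm/100": [
            {"type": "group", "action": "webservers"},
            {"type": "in", "action": "DROP"},
        ],
    },
}

if __name__ == "__main__":
    cfg = copy.deepcopy(CONFIG)
    print("rewritten references:", rename_group(cfg, "webservers", "web"))
    print(cfg)
```

Refusing to rename onto an existing name is what makes step 1 safe: the clone never overwrites a group that other rules already depend on.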
Thomas Lamprecht [Mon, 12 Sep 2022 15:22:39 +0000 (17:22 +0200)]
macros: s/SPICE/SPICEproxy/
while I'm still a bit on the edge about the usefulness of this macro,
it should better convey for what it is, as SPICE itself doesn't
really have a direct port (in PVE that is), but all runs through our
spiceproxy, so name the macro that way.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!
note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.
The former is simply new and we can control it, so do so instead of
ignoring it, if it seems worth while we can also expose that as
option or do some fancier auto calculation, maybe depending on ipset
size.
The u32 `initval` is a bit different, it's not a config in the exact
traditional sense but would allow to recreate a bit-to-bit
identical save/restore - but we do not really do that and we cannot
pre-calculate that ourselves (or at least I'd rather like to avoid
doing that from perl).. So, ignore it actively for now to avoid
false-positive detection in pending changes.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
fix #2721: remove reject tcp 43 from default drop and reject actions
first, '43' is a typo, it should say '113' (if it really is like
legacy shorewall [0]). this tcp port corresponds to the ident or
authentication service protocol.
second, nowadays this reject is not included in shorewall anymore.
furthermore it would make no sense to reject specifically this
one port.
Stoiko Ivanov [Wed, 26 May 2021 14:51:59 +0000 (16:51 +0200)]
set sysctls on every apply
setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.
Thomas Lamprecht [Mon, 24 May 2021 09:15:50 +0000 (11:15 +0200)]
d/rules: cleanup systemd overrides
both, `override_dh_systemd_enable` and `override_dh_systemd_start`
are ignored with current compat level 12, and will become an error in
level >= 13, so drop them and use `override_dh_installsystemd` for
both of the previous uses.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
iptables-restore has a buffer limit of 1024 for parameters [0].
If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.
Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets is the better approach anyway.
Mira Limbeck [Mon, 22 Feb 2021 12:00:18 +0000 (13:00 +0100)]
fix #2358: allow --<opt> in firewall rule config files
The docs mention --<opt> as valid syntax for firewall rules, but the
code that parses the .fw files only accepts -<opt>. To make it
consistent with the docs and the API, also accept --<opt>.
In addition allow 'proto' as option, not only '-p'.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Mira Limbeck [Fri, 29 May 2020 12:22:04 +0000 (14:22 +0200)]
introduce new icmp-type parameter
Currently icmp types are handled via 'dport'. This is not documented
anywhere except for a single line of comment in the code. To untangle
the icmp-type handling from the dport handling a new 'icmp-type'
parameter is introduced.
The valid 'icmp-type' values are limited to the names
(icmp[v6]_type_names hash in the code, same as ip[6]tables provides).
Type[/Code] values are not supported.
Support for ipv6-icmp is added to icmp-type parameter handling. This makes it
possible to specify icmpv6 types via the GUI.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
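The rule-level checks described in three of the commits above (rejecting ICMP type names used as `dport` for non-ICMP protocols, the 512-character cap on the source/dest fields, and limiting `icmp-type` to names rather than Type[/Code] values), combined into one added Python validator. This is not pve-firewall's own Perl code; the rule dict layout, the function name and the trimmed name sets are assumptions (the real `icmp[v6]_type_names` hashes are much longer).

```python
# Added example, not part of pve-firewall: validate a parsed rule and return
# a list of human-readable errors instead of letting a bad rule break the
# whole iptables-restore run.

# Constructed subsets of the names ip[6]tables accepts. Note that 'any' is an
# IPv4 ICMP name only; the icmpv6 list gained 'beyond-scope', 'failed-policy'
# and 'reject-route' in a separate commit on this page.
ICMP_TYPE_NAMES = {
    "any", "echo-request", "echo-reply", "destination-unreachable",
    "time-exceeded", "parameter-problem",
}
ICMPV6_TYPE_NAMES = {
    "echo-request", "echo-reply", "destination-unreachable", "time-exceeded",
    "parameter-problem", "beyond-scope", "failed-policy", "reject-route",
}
ICMP_PROTOS = {
    "icmp": ICMP_TYPE_NAMES,
    "ipv6-icmp": ICMPV6_TYPE_NAMES,
    "icmpv6": ICMPV6_TYPE_NAMES,
}
MAX_ADDR_LIST_LEN = 512  # value taken from the iptables-restore buffer commit


def validate_rule(rule):
    """Return a list of error strings; an empty list means the rule is accepted."""
    errors = []
    proto = rule.get("proto")
    dport = rule.get("dport")
    icmp_type = rule.get("icmp-type")

    # 1. keep the source/dest lists well below the iptables-restore buffer limit
    for field in ("source", "dest"):
        value = rule.get(field)
        if value is not None and len(value) > MAX_ADDR_LIST_LEN:
            errors.append(
                f"{field}: value too long ({len(value)} > {MAX_ADDR_LIST_LEN} "
                "characters); use an IPSet instead"
            )

    # 2. an ICMP type name in dport only makes sense for an ICMP protocol
    if dport is not None:
        looks_like_icmp_name = dport in ICMP_TYPE_NAMES or dport in ICMPV6_TYPE_NAMES
        if looks_like_icmp_name and proto not in ICMP_PROTOS:
            errors.append(
                f"dport: ICMP type name '{dport}' is not valid for protocol "
                f"'{proto or 'none'}'"
            )

    # 3. icmp-type is only allowed with an ICMP protocol and must be a known name
    if icmp_type is not None:
        if proto not in ICMP_PROTOS:
            errors.append("icmp-type: only allowed with proto icmp, icmpv6 or ipv6-icmp")
        elif icmp_type not in ICMP_PROTOS[proto]:
            errors.append(
                f"icmp-type: unknown type '{icmp_type}' for {proto} "
                "(numeric Type[/Code] values are not supported)"
            )
    return errors


if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "dport": "any"},                 # the case from #4730
        {"proto": "icmp", "icmp-type": "echo-request"},
        {"proto": "ipv6-icmp", "icmp-type": "any"},       # 'any' was removed for icmpv6
        {"proto": "icmp", "icmp-type": "8/0"},            # Type/Code form not supported
        {"proto": "tcp", "dport": "22", "source": "10.0.0.1," * 70},
    ]
    for sample in samples:
        print(sample.get("proto"), sample.get("dport"), sample.get("icmp-type"),
              "->", validate_rule(sample) or "ok")
```

Because the validator reports per rule, one bad entry is skipped with a clear message while the rest of the ruleset is still applied, which is the behaviour the #4730 commit describes.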
Stoiko Ivanov [Tue, 2 Jun 2020 08:06:17 +0000 (10:06 +0200)]
fix #2773: ebtables: keep policy of custom chains
currently all ebtables chains are created with a hardcoded policy of ACCEPT.
This patch changes the functionality to store the configured policy of a
chain while reading the 'ebtables-save' output and uses this policy when
creating the command list.
This is only relevant for ebtables chains not generated by pve-firewall (the
ones having an action of 'ignore' in the status-hash).
Reported on the pve-user list:
https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html
Minimally tested with the example from the thread.
Mira Limbeck [Wed, 29 Apr 2020 13:45:24 +0000 (15:45 +0200)]
fix wrong icmpv6 types
This removes icmpv6-type 'any' as it is not supported by ip6tables. Also
introduced new icmpv6 types 'beyond-scope', 'failed-policy' and
'reject-route'. These values were taken from 'ip6tables -p icmpv6 -h'.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Mira Limbeck [Wed, 29 Apr 2020 13:45:23 +0000 (15:45 +0200)]
fix iptables-restore failing if icmp-type value > 255
This has to be done in both icmp and icmpv6 cases. Currently if
'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
is no icmp-type handling. As this is meant to fix the iptables-restore
failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
introduced.
These error messages are not logged as warnings are ignored. To get
these messages you have to run pve-firewall compile and look at the
output.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
api/ipsets: parse_cidr before checking for duplicates
for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here. otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.
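The normalisation that the host-bits commit above ("allow non zero ip address host bits") and this parse_cidr-before-duplicate-check commit both rely on, as an added Python example. This is not pve-firewall's own Perl code (which uses Net::IP); Python's `ipaddress` module with `strict=False` is used instead to clear non-zero host bits. The page states the dropped trailing /32 for IPv4; treating /128 the same way for IPv6 is my generalisation, and the member-list shape is an assumption.

```python
# Added example, not part of pve-firewall: canonicalise an address/CIDR the
# way the config parser does, then use the canonical form for duplicate checks.
import ipaddress


def clean_cidr(value):
    """Return the canonical form of an address or network.

    192.168.1.155/24 -> 192.168.1.0/24   (non-zero host bits cleared)
    10.0.0.5/32      -> 10.0.0.5         (redundant host prefix dropped)
    2001:db8::1/128  -> 2001:db8::1      (same rule applied to IPv6; assumption)
    """
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def add_ipset_entry(members, cidr, nomatch=False, comment=None):
    """Append an entry to an IPSet member list, rejecting duplicates.

    The comparison happens on the cleaned value, so '10.0.0.5' and
    '10.0.0.5/32' are recognised as the same entry even if they carry
    different nomatch/comment properties.
    """
    key = clean_cidr(cidr)
    for member in members:
        if member["cidr"] == key:
            raise ValueError(f"entry '{cidr}' already exists (as '{key}')")
    members.append({"cidr": key, "nomatch": nomatch, "comment": comment})
    return key


if __name__ == "__main__":
    for raw in ("192.168.1.155/24", "10.0.0.5/32", "2001:db8::1234/64", "2001:db8::1/128"):
        print(raw, "->", clean_cidr(raw))
    members = []
    add_ipset_entry(members, "10.0.0.5/32", comment="first")
    try:
        add_ipset_entry(members, "10.0.0.5", nomatch=True, comment="second")
    except ValueError as err:
        print("rejected:", err)
    print(members)
```

Without the canonicalisation step the second entry would be accepted, and the next read-modify-write cycle would silently discard one of the two, losing whichever `nomatch` or comment the admin had intended.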
Mira Limbeck [Thu, 30 Apr 2020 10:26:41 +0000 (12:26 +0200)]
fix #2686: don't add arp-ip-src filter for dhcp
When the IPFilter setting is enabled and the container has DHCP
configured on an interface no 'arp-ip-src' filter should be added as we
don't have an IP address.
Previously '--arp-ip-src dhcp' was passed to ebtables which led to an error.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>