Stefan Hanreich [Wed, 3 Jul 2024 09:17:11 +0000 (11:17 +0200)]
conntrack: arp: move handling to guest chains
In order to make sure we are only affecting VM traffic and no host
interfaces that are bridged, move the rules into a chain that gets
executed inside the guest chain, rather than setting the rules
globally.
Since ether type matches on the respective Ethernet header, it
doesn't work for packets with VLAN header. Matching via meta protocol
ensures that VLAN encapsulated ARP packets are matched as well.
Otherwise ARP traffic inside VLANs gets dropped, due to them having
conntrack state invalid.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Wed, 3 Jul 2024 09:17:10 +0000 (11:17 +0200)]
cargo: bump proxmox-sys and proxmox-schema dependencies
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
[ TL: update to versions released since this patch was created and
updated proxmox-sys tree-wide ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Wed, 17 Jul 2024 13:16:46 +0000 (15:16 +0200)]
service: flush firewall rules on force disable
When disabling the nftables firewall again, there is a race condition
where the nftables ruleset never gets flushed and persists after
disabling.
The nftables firewall update loop does a noop when the force disable
file exists. It only flushes the ruleset when nftables is disabled in
the configuration file but the force disable file does not yet exist.
This can lead to the following situation:
* nftables is activated and created its ruleset
* user switches from nftables firewall back to iptables firewall
* pve-firewall runs and creates the force disable file
* proxmox-firewall sees that the file exists and does nothing
Reported-by: Hannes Laimer <h.laimer@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Mon, 10 Jun 2024 12:52:38 +0000 (14:52 +0200)]
rules: allow vital ICMP(v6) types
There are certain ICMP messages that should always pass through a
firewall irregardless of any other rules. This is particularly
important for ICMPv6. While we already handled NDP, there are certain
control messages that should always be able to pass through any
firewall, according to RFC 4890.
For ICMP we additionally allow 'Source Quench' as well.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Wed, 15 May 2024 13:37:19 +0000 (15:37 +0200)]
guest out: fix conntrack handling with default block/reject policy
The output chain did not have any connection tracking (conntrack)
rules, which lead to issues when the default output policy is not
accept. Also, move the conntrack rules to the beginning of all chains.
Originally-by: Laurent Guerby <laurent@guerby.net> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Wed, 15 May 2024 13:37:18 +0000 (15:37 +0200)]
guest out: fix handling ARP traffic with default block/reject policy
In order to be able to send outgoing ARP packets when the default
policy is set to drop or reject, we need to explicitly allow ARP
traffic in the outgoing chain of guests. We need to do this in the
guest chain itself in order to be able to filter spoofed packets via
the MAC filter.
Contrary to the out direction we can simply accept all incoming ARP
traffic, since we do not do any MAC filtering for incoming traffic.
Since we create fdb entries for every NIC, guests should only see ARP
traffic for their MAC addresses anyway.
Originally-by: Laurent Guerby <laurent@guerby.net> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Mon, 13 May 2024 12:14:25 +0000 (14:14 +0200)]
rules: use proper ICMPv6 type for rejecting IPv6 traffic
ICMPv6 has different message types for rejecting traffic. With ICMP we
used host-prohibited as rejection type, which doesn't exist in ICMPv6.
Add an additional rule for IPv6, so it uses admin-prohibited.
Additionally, add a terminal drop statement in order to prevent any
traffic that does not get matched from bypassing the reject chain.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 26 Apr 2024 14:02:38 +0000 (16:02 +0200)]
service: add flag file to force-disable nftables
This will be set in the iptables/Perl based pve-firewall service and
ensures that users pulling this service but not enabling it are
"protected" from log-spam due to some pve-firewall config not being
parsed correctly (yet).
We can remove this again once we're sure that all edge cases are
covered, or this service here becomes the default.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Thu, 25 Apr 2024 17:23:07 +0000 (19:23 +0200)]
firewall: improve error handling of firewall
Error handling of the firewall binary should now be much more robust
on configuration errors. Instead of panicking in some cases it should
now log an error.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Thu, 25 Apr 2024 17:16:08 +0000 (19:16 +0200)]
config: nftables: add support for icmp-type any
We support any as wildcard for matching all icmp types. Implement
parsing logic for parsing the any value and support converting the any
value into an nftables expression.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Wed, 24 Apr 2024 16:15:20 +0000 (18:15 +0200)]
fix #5410: config: fix naming scheme for names in firewall config
This should bring the allowed names on par with the pve-firewall
naming scheme, allowing also underscores together with minus, as long
it isn't the first character [1].
Stefan Hanreich [Tue, 23 Apr 2024 16:02:53 +0000 (18:02 +0200)]
firewall: properly handle REJECT rules
Currently we generated DROP statements for all rules involving REJECT.
We only need to generate DROP when in the postrouting chain of tables
with type bridge, since REJECT is disallowed there. Otherwise we jump
into the do-reject chain which properly handles rejects for different
protocol types.
Reported-By: Stefan Sterz <s.sterz@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Tue, 23 Apr 2024 09:21:39 +0000 (11:21 +0200)]
firewall: properly cleanup tables when firewall is inactive
When executing multiple nft commands they are transactional, either
all get applied or none. When only the host or guest firewall is
active, only one table exists and this causes the delete commands to
fail. To fix this we need to send the delete commands separately.
It might make sense to support running multiple separate batches in
the NftClient in the future in order to avoid having to call nft
twice.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:53:08 +0000 (10:53 +0100)]
firewall: add files for debian packaging
Suggested-By: Fabian Grünbichler <f.gruenbichler@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
[ TL: squash in various fixes and clean-ups ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 14:29:05 +0000 (15:29 +0100)]
firewall: add ruleset generation logic
We create the rules from the firewall config by utilizing the
ToNftRules and ToNftObjects traits to convert the firewall config
structs to nftables objects/chains/rules.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:50:20 +0000 (10:50 +0100)]
firewall: add object generation logic
ToNftObjects is basically a conversion trait that converts firewall
config structs into nftables objects. It returns a list of commands
that create the respective nftables objects.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 15:37:58 +0000 (16:37 +0100)]
firewall: add rule generation logic
ToNftRules is basically a conversion trait for firewall config structs
to convert them into the respective nftables statements.
We are passing a list of rules to the method, which then modifies the
list of rules such that all relevant rules in the list have statements
appended that apply the configured constraints from the firewall
config.
This is particularly relevant for the rule generation logic for
ipsets. Due to how sets work in nftables we need to generate two rules
for every ipset: a rule for the v4 ipset and a rule for the v6 ipset.
This is because sets can only contain either v4 or v6 addresses. By
passing a list of all generated rules we can duplicate all rules and
then add a statement for the v4 or v6 set respectively.
This also enables us to start with multiple rules, which is required
for using log statements in conjunction with limit statements.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:48:30 +0000 (10:48 +0100)]
firewall: add config loader
We load the firewall configuration from the default paths, as well as
only the guest configurations that are local to the node itself. In
the future we could change this to use pmxcfs directly instead.
We also load information from nftables directly about dynamically
created chains (mostly chains for the guest firewall).
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:51:54 +0000 (10:51 +0100)]
firewall: add base ruleset
This is the skeleton for the firewall that contains all the base
chains required for the firewall.
The file applies atomically, which means that it flushes all objects
and recreates them - except for the cluster/host/guest chain. This
means that it can be run at any point in time, since it only updates
the chains that are not managed by the firewall itself.
This also means that when we change the rules in the chains (e.g.
during an update) we can always just re-run the nft-file and the
firewall should use the new chains while still retaining the
configuration generated by the firewall daemon.
This also means that when re-creating the firewall rules, the
cluster/host/guest chains need to be flushed manually before creating
new rules.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 15:52:06 +0000 (16:52 +0100)]
nftables: types: add conversion traits
Some parts of the firewall config map directly to nftables objects, so
we introduce conversion traits for convenient conversion into the
respective nftables objects / types.
They are guarded behind a feature, so the nftables crate can be used
standalone without depending on the proxmox-ve-config crate.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Wed, 17 Apr 2024 12:55:35 +0000 (14:55 +0200)]
nftables: commands: add types
Add rust types for most of the nftables commands as defined by
libnftables-json [1].
Different commands require different keys to be set for the same type
of object. E.g. deleting an object usually only requires a name +
name of the container (table/chain/rule). Creating an object usually
requires a few more keys, depending on the type of object created.
In order to be able to model the different objects for the different
commands, I've created specific models for a command where necessary.
Parts that are common across multiple commands (e.g. names) have been
moved to their own structs, so they can be reused.
Stefan Hanreich [Wed, 17 Apr 2024 12:54:45 +0000 (14:54 +0200)]
nftables: statement: add conversion traits for config types
Some types from the firewall configuration map directly onto nftables
statements. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.
As with the expressions, those are guarded behind a feature so the
nftables crate can be used standalone without having to pull in the
proxmox-ve-config crate.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 13:36:44 +0000 (14:36 +0100)]
nftables: expression: implement conversion traits for firewall config
Some types from the firewall configuration map directly onto nftables
expressions. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.
Those are guarded behind a feature so the nftables crate can be used
standalone without having to pull in the proxmox-ve-config crate.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:34:25 +0000 (10:34 +0100)]
nftables: add helpers
Several objects, statements and expressions in nftables-json require
null values, for instance:
{ "flush": { "ruleset": null }}
For this purpose we define our own Null type, which we can then easily
use for defining types that accept Null as value.
Several keys accept as value either a singular element (string or
object) if there is only one object, but an array if there are
multiple objects. For instance when adding a single element to a set:
NfVec<T> is a wrapper for Vec<T> that serializes into T iff Vec
contains one element, otherwise it serializes like a Vec would
normally do.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:30:32 +0000 (10:30 +0100)]
nftables: add crate for libnftables bindings
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:27:17 +0000 (10:27 +0100)]
config: firewall: add conntrack helper types
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:19:03 +0000 (10:19 +0100)]
config: firewall: add generic parser for firewall configs
Since the basic format of cluster, host and guest firewall
configurations is the same, we create a generic parser that can handle
the common config format. The main difference is in the available
options, which can be passed via a generic parameter.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:14:05 +0000 (10:14 +0100)]
config: firewall: add types for rules
Additionally we implement FromStr for all rule types and parts, which
can be used for parsing firewall config rules. Initial rule parsing
works by parsing the different options into a HashMap and only then
de-serializing a struct from the parsed options.
This intermediate step makes rule parsing a lot easier, since we can
reuse the deserialization logic from serde. Also, we can split the
parsing/deserialization logic from the validation logic.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:04:38 +0000 (10:04 +0100)]
config: guest: add helpers for parsing guest network config
Currently this is parsing the config files via the filesystem. In the
future we could also get this information from pmxcfs directly via
IPC which should be more performant, particularly for a large number
of VMs.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 09:01:14 +0000 (10:01 +0100)]
config: host: add helpers for host network configuration
Currently the helpers for obtaining the host network configuration
panic on error, which could be avoided by the use of
OnceLock::get_or_init, but this method is currently only available in
nightly versions.
Generally, if there is a problem with obtaining the network config for
the node I would deem it acceptable for now, since that would usually
mean something is amiss with the network configuration and a firewall
won't really do anything then anyway.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Tue, 2 Apr 2024 11:33:33 +0000 (13:33 +0200)]
config: firewall: add types for ip addresses
Includes types for all kinds of IP values that can occur in the
firewall config. Additionally, FromStr implementations are available
for parsing from the config files.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Stefan Hanreich [Fri, 29 Mar 2024 08:41:50 +0000 (09:41 +0100)]
config: add proxmox-ve-config crate
Co-authored-by: Wolfgang Bumiller<w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>