[pve-devel] [PATCH proxmox-firewall 15/37] config: firewall: add firewall macros

Stefan Hanreich s.hanreich at proxmox.com
Tue Apr 2 19:16:07 CEST 2024


Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
 proxmox-ve-config/resources/macros.json     | 896 ++++++++++++++++++++
 proxmox-ve-config/src/firewall/fw_macros.rs |  69 ++
 proxmox-ve-config/src/firewall/mod.rs       |   1 +
 3 files changed, 966 insertions(+)
 create mode 100644 proxmox-ve-config/resources/macros.json
 create mode 100644 proxmox-ve-config/src/firewall/fw_macros.rs

diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json
new file mode 100644
index 0000000..666bcbf
--- /dev/null
+++ b/proxmox-ve-config/resources/macros.json
@@ -0,0 +1,896 @@
+{
+  "Amanda": {
+    "code": [
+      {
+        "dport": "10080",
+        "proto": "udp"
+      },
+      {
+        "dport": "10080",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Amanda Backup"
+  },
+  "Auth": {
+    "code": [
+      {
+        "dport": "113",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Auth (identd) traffic"
+  },
+  "BGP": {
+    "code": [
+      {
+        "dport": "179",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Border Gateway Protocol traffic"
+  },
+  "BitTorrent": {
+    "code": [
+      {
+        "dport": "6881:6889",
+        "proto": "tcp"
+      },
+      {
+        "dport": "6881",
+        "proto": "udp"
+      }
+    ],
+    "desc": "BitTorrent traffic for BitTorrent 3.1 and earlier"
+  },
+  "BitTorrent32": {
+    "code": [
+      {
+        "dport": "6881:6999",
+        "proto": "tcp"
+      },
+      {
+        "dport": "6881",
+        "proto": "udp"
+      }
+    ],
+    "desc": "BitTorrent traffic for BitTorrent 3.2 and later"
+  },
+  "CVS": {
+    "code": [
+      {
+        "dport": "2401",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Concurrent Versions System pserver traffic"
+  },
+  "Ceph": {
+    "code": [
+      {
+        "dport": "6789",
+        "proto": "tcp"
+      },
+      {
+        "dport": "3300",
+        "proto": "tcp"
+      },
+      {
+        "dport": "6800:7300",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Daemons)"
+  },
+  "Citrix": {
+    "code": [
+      {
+        "dport": "1494",
+        "proto": "tcp"
+      },
+      {
+        "dport": "1604",
+        "proto": "udp"
+      },
+      {
+        "dport": "2598",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Citrix/ICA traffic (ICA, ICA Browser, CGP)"
+  },
+  "DAAP": {
+    "code": [
+      {
+        "dport": "3689",
+        "proto": "tcp"
+      },
+      {
+        "dport": "3689",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)"
+  },
+  "DCC": {
+    "code": [
+      {
+        "dport": "6277",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Distributed Checksum Clearinghouse spam filtering mechanism"
+  },
+  "DHCPfwd": {
+    "code": [
+      {
+        "dport": "67:68",
+        "proto": "udp",
+        "sport": "67:68"
+      }
+    ],
+    "desc": "Forwarded DHCP traffic"
+  },
+  "DHCPv6": {
+    "code": [
+      {
+        "dport": "546:547",
+        "proto": "udp",
+        "sport": "546:547"
+      }
+    ],
+    "desc": "DHCPv6 traffic"
+  },
+  "DNS": {
+    "code": [
+      {
+        "dport": "53",
+        "proto": "udp"
+      },
+      {
+        "dport": "53",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Domain Name System traffic (upd and tcp)"
+  },
+  "Distcc": {
+    "code": [
+      {
+        "dport": "3632",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Distributed Compiler service"
+  },
+  "FTP": {
+    "code": [
+      {
+        "dport": "21",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "File Transfer Protocol"
+  },
+  "Finger": {
+    "code": [
+      {
+        "dport": "79",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Finger protocol (RFC 742)"
+  },
+  "GNUnet": {
+    "code": [
+      {
+        "dport": "2086",
+        "proto": "tcp"
+      },
+      {
+        "dport": "2086",
+        "proto": "udp"
+      },
+      {
+        "dport": "1080",
+        "proto": "tcp"
+      },
+      {
+        "dport": "1080",
+        "proto": "udp"
+      }
+    ],
+    "desc": "GNUnet secure peer-to-peer networking traffic"
+  },
+  "GRE": {
+    "code": [
+      {
+        "proto": "47"
+      }
+    ],
+    "desc": "Generic Routing Encapsulation tunneling protocol"
+  },
+  "Git": {
+    "code": [
+      {
+        "dport": "9418",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Git distributed revision control traffic"
+  },
+  "HKP": {
+    "code": [
+      {
+        "dport": "11371",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "OpenPGP HTTP key server protocol traffic"
+  },
+  "HTTP": {
+    "code": [
+      {
+        "dport": "80",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Hypertext Transfer Protocol (WWW)"
+  },
+  "HTTPS": {
+    "code": [
+      {
+        "dport": "443",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Hypertext Transfer Protocol (WWW) over SSL"
+  },
+  "ICPV2": {
+    "code": [
+      {
+        "dport": "3130",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Internet Cache Protocol V2 (Squid) traffic"
+  },
+  "ICQ": {
+    "code": [
+      {
+        "dport": "5190",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "AOL Instant Messenger traffic"
+  },
+  "IMAP": {
+    "code": [
+      {
+        "dport": "143",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Internet Message Access Protocol"
+  },
+  "IMAPS": {
+    "code": [
+      {
+        "dport": "993",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Internet Message Access Protocol over SSL"
+  },
+  "IPIP": {
+    "code": [
+      {
+        "proto": "94"
+      }
+    ],
+    "desc": "IPIP capsulation traffic"
+  },
+  "IPsec": {
+    "code": [
+      {
+        "dport": "500",
+        "proto": "udp",
+        "sport": "500"
+      },
+      {
+        "proto": "50"
+      }
+    ],
+    "desc": "IPsec traffic"
+  },
+  "IPsecah": {
+    "code": [
+      {
+        "dport": "500",
+        "proto": "udp",
+        "sport": "500"
+      },
+      {
+        "proto": "51"
+      }
+    ],
+    "desc": "IPsec authentication (AH) traffic"
+  },
+  "IPsecnat": {
+    "code": [
+      {
+        "dport": "500",
+        "proto": "udp"
+      },
+      {
+        "dport": "4500",
+        "proto": "udp"
+      },
+      {
+        "proto": "50"
+      }
+    ],
+    "desc": "IPsec traffic and Nat-Traversal"
+  },
+  "IRC": {
+    "code": [
+      {
+        "dport": "6667",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Internet Relay Chat traffic"
+  },
+  "Jetdirect": {
+    "code": [
+      {
+        "dport": "9100",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "HP Jetdirect printing"
+  },
+  "L2TP": {
+    "code": [
+      {
+        "dport": "1701",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Layer 2 Tunneling Protocol traffic"
+  },
+  "LDAP": {
+    "code": [
+      {
+        "dport": "389",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Lightweight Directory Access Protocol traffic"
+  },
+  "LDAPS": {
+    "code": [
+      {
+        "dport": "636",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Secure Lightweight Directory Access Protocol traffic"
+  },
+  "MDNS": {
+    "code": [
+      {
+        "dport": "5353",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Multicast DNS"
+  },
+  "MSNP": {
+    "code": [
+      {
+        "dport": "1863",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Microsoft Notification Protocol"
+  },
+  "MSSQL": {
+    "code": [
+      {
+        "dport": "1433",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Microsoft SQL Server"
+  },
+  "Mail": {
+    "code": [
+      {
+        "dport": "25",
+        "proto": "tcp"
+      },
+      {
+        "dport": "465",
+        "proto": "tcp"
+      },
+      {
+        "dport": "587",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Mail traffic (SMTP, SMTPS, Submission)"
+  },
+  "Munin": {
+    "code": [
+      {
+        "dport": "4949",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Munin networked resource monitoring traffic"
+  },
+  "MySQL": {
+    "code": [
+      {
+        "dport": "3306",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "MySQL server"
+  },
+  "NNTP": {
+    "code": [
+      {
+        "dport": "119",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "NNTP traffic (Usenet)."
+  },
+  "NNTPS": {
+    "code": [
+      {
+        "dport": "563",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Encrypted NNTP traffic (Usenet)"
+  },
+  "NTP": {
+    "code": [
+      {
+        "dport": "123",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Network Time Protocol (ntpd)"
+  },
+  "NeighborDiscovery": {
+    "code": [
+      {
+        "dport": "nd-router-solicit",
+        "proto": "icmpv6"
+      },
+      {
+        "dport": "nd-router-advert",
+        "proto": "icmpv6"
+      },
+      {
+        "dport": "nd-neighbor-solicit",
+        "proto": "icmpv6"
+      },
+      {
+        "dport": "nd-neighbor-advert",
+        "proto": "icmpv6"
+      }
+    ],
+    "desc": "IPv6 neighbor solicitation, neighbor and router advertisement"
+  },
+  "OSPF": {
+    "code": [
+      {
+        "proto": "89"
+      }
+    ],
+    "desc": "OSPF multicast traffic"
+  },
+  "OpenVPN": {
+    "code": [
+      {
+        "dport": "1194",
+        "proto": "udp"
+      }
+    ],
+    "desc": "OpenVPN traffic"
+  },
+  "PCA": {
+    "code": [
+      {
+        "dport": "5632",
+        "proto": "udp"
+      },
+      {
+        "dport": "5631",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Symantec PCAnywere (tm)"
+  },
+  "PMG": {
+    "code": [
+      {
+        "dport": "8006",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Proxmox Mail Gateway web interface"
+  },
+  "POP3": {
+    "code": [
+      {
+        "dport": "110",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "POP3 traffic"
+  },
+  "POP3S": {
+    "code": [
+      {
+        "dport": "995",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Encrypted POP3 traffic"
+  },
+  "PPtP": {
+    "code": [
+      {
+        "proto": "47"
+      },
+      {
+        "dport": "1723",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Point-to-Point Tunneling Protocol"
+  },
+  "Ping": {
+    "code": [
+      {
+        "dport": "echo-request",
+        "proto": "icmp"
+      }
+    ],
+    "desc": "ICMP echo request"
+  },
+  "PostgreSQL": {
+    "code": [
+      {
+        "dport": "5432",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "PostgreSQL server"
+  },
+  "Printer": {
+    "code": [
+      {
+        "dport": "515",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Line Printer protocol printing"
+  },
+  "RDP": {
+    "code": [
+      {
+        "dport": "3389",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Microsoft Remote Desktop Protocol traffic"
+  },
+  "RIP": {
+    "code": [
+      {
+        "dport": "520",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Routing Information Protocol (bidirectional)"
+  },
+  "RNDC": {
+    "code": [
+      {
+        "dport": "953",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "BIND remote management protocol"
+  },
+  "Razor": {
+    "code": [
+      {
+        "dport": "2703",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Razor Antispam System"
+  },
+  "Rdate": {
+    "code": [
+      {
+        "dport": "37",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Remote time retrieval (rdate)"
+  },
+  "Rsync": {
+    "code": [
+      {
+        "dport": "873",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Rsync server"
+  },
+  "SANE": {
+    "code": [
+      {
+        "dport": "6566",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "SANE network scanning"
+  },
+  "SMB": {
+    "code": [
+      {
+        "dport": "135,445",
+        "proto": "udp"
+      },
+      {
+        "dport": "137:139",
+        "proto": "udp"
+      },
+      {
+        "dport": "1024:65535",
+        "proto": "udp",
+        "sport": "137"
+      },
+      {
+        "dport": "135,139,445",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Microsoft SMB traffic"
+  },
+  "SMBswat": {
+    "code": [
+      {
+        "dport": "901",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Samba Web Administration Tool"
+  },
+  "SMTP": {
+    "code": [
+      {
+        "dport": "25",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Simple Mail Transfer Protocol"
+  },
+  "SMTPS": {
+    "code": [
+      {
+        "dport": "465",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Encrypted Simple Mail Transfer Protocol"
+  },
+  "SNMP": {
+    "code": [
+      {
+        "dport": "161:162",
+        "proto": "udp"
+      },
+      {
+        "dport": "161",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Simple Network Management Protocol"
+  },
+  "SPAMD": {
+    "code": [
+      {
+        "dport": "783",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Spam Assassin SPAMD traffic"
+  },
+  "SSH": {
+    "code": [
+      {
+        "dport": "22",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Secure shell traffic"
+  },
+  "SVN": {
+    "code": [
+      {
+        "dport": "3690",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Subversion server (svnserve)"
+  },
+  "SixXS": {
+    "code": [
+      {
+        "dport": "3874",
+        "proto": "tcp"
+      },
+      {
+        "dport": "3740",
+        "proto": "udp"
+      },
+      {
+        "proto": "41"
+      },
+      {
+        "dport": "5072,8374",
+        "proto": "udp"
+      }
+    ],
+    "desc": "SixXS IPv6 Deployment and Tunnel Broker"
+  },
+  "Squid": {
+    "code": [
+      {
+        "dport": "3128",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Squid web proxy traffic"
+  },
+  "Submission": {
+    "code": [
+      {
+        "dport": "587",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Mail message submission traffic"
+  },
+  "Syslog": {
+    "code": [
+      {
+        "dport": "514",
+        "proto": "udp"
+      },
+      {
+        "dport": "514",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Syslog protocol (RFC 5424) traffic"
+  },
+  "TFTP": {
+    "code": [
+      {
+        "dport": "69",
+        "proto": "udp"
+      }
+    ],
+    "desc": "Trivial File Transfer Protocol traffic"
+  },
+  "Telnet": {
+    "code": [
+      {
+        "dport": "23",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Telnet traffic"
+  },
+  "Telnets": {
+    "code": [
+      {
+        "dport": "992",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Telnet over SSL"
+  },
+  "Time": {
+    "code": [
+      {
+        "dport": "37",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "RFC 868 Time protocol"
+  },
+  "Trcrt": {
+    "code": [
+      {
+        "dport": "33434:33524",
+        "proto": "udp"
+      },
+      {
+        "dport": "echo-request",
+        "proto": "icmp"
+      }
+    ],
+    "desc": "Traceroute (for up to 30 hops) traffic"
+  },
+  "VNC": {
+    "code": [
+      {
+        "dport": "5900:5999",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "VNC traffic for VNC display's 0 - 99"
+  },
+  "VNCL": {
+    "code": [
+      {
+        "dport": "5500",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "VNC traffic from Vncservers to Vncviewers in listen mode"
+  },
+  "Web": {
+    "code": [
+      {
+        "dport": "80",
+        "proto": "tcp"
+      },
+      {
+        "dport": "443",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "WWW traffic (HTTP and HTTPS)"
+  },
+  "Webcache": {
+    "code": [
+      {
+        "dport": "8080",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Web Cache/Proxy traffic (port 8080)"
+  },
+  "Webmin": {
+    "code": [
+      {
+        "dport": "10000",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Webmin traffic"
+  },
+  "Whois": {
+    "code": [
+      {
+        "dport": "43",
+        "proto": "tcp"
+      }
+    ],
+    "desc": "Whois (nicname, RFC 3912) traffic"
+  }
+}
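Review bot: The third `SMB` entry (`"dport": "1024:65535"` with `"sport": "137"`) opens the whole unprivileged port range to any peer that simply sets its UDP source port to 137, which a client chooses freely, so for a hostile sender this entry is effectively `udp any` — a known weakness of the Shorewall-derived macro table this appears to be carried over from. Because macros are user-selectable in guest rules, I would at least make that visible in the description, e.g. `"Microsoft SMB traffic (the udp 137 -> 1024:65535 entry matches on source port only)"`, or drop the entry if the NetBIOS reply case is not needed. Several descriptions also carry typos from the old table (`upd and tcp`, `Rythmbox`, `PCAnywere`, `IPIP capsulation`, `display's`) that are cheap to fix while the file is new. I cannot tell from this patch whether `sport` is honoured by `RuleOptions`; if it is ignored, the entry degrades to plain `udp 1024:65535`, which would be worse.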
diff --git a/proxmox-ve-config/src/firewall/fw_macros.rs b/proxmox-ve-config/src/firewall/fw_macros.rs
new file mode 100644
index 0000000..5fa8dab
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/fw_macros.rs
@@ -0,0 +1,69 @@
+use std::collections::HashMap;
+
+use serde::Deserialize;
+use std::sync::OnceLock;
+
+use crate::firewall::types::rule_match::Protocol;
+
+use super::types::rule_match::RuleOptions;
+
+#[derive(Clone, Debug, Default, Deserialize)]
+struct FwMacroData {
+    #[serde(rename = "desc")]
+    pub description: &'static str,
+    pub code: Vec<RuleOptions>,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct FwMacro {
+    pub _description: &'static str,
+    pub code: Vec<Protocol>,
+}
+
+fn macros() -> &'static HashMap<String, FwMacro> {
+    const MACROS: &str = include_str!("../../resources/macros.json");
+    static HASHMAP: OnceLock<HashMap<String, FwMacro>> = OnceLock::new();
+
+    HASHMAP.get_or_init(|| {
+        let macro_data: HashMap<String, FwMacroData> = match serde_json::from_str(MACROS) {
+            Ok(m) => m,
+            Err(err) => {
+                log::error!("could not load data for macros: {err}");
+                HashMap::new()
+            }
+        };
+
+        let mut macros = HashMap::new();
+
+        'outer: for (name, data) in macro_data {
+            let mut code = Vec::new();
+
+            for c in data.code {
+                match Protocol::from_options(&c) {
+                    Ok(Some(p)) => code.push(p),
+                    Ok(None) => {
+                        continue 'outer;
+                    }
+                    Err(err) => {
+                        log::error!("could not parse data for macro {name}: {err}");
+                        continue 'outer;
+                    }
+                }
+            }
+
+            macros.insert(
+                name,
+                FwMacro {
+                    _description: data.description,
+                    code,
+                },
+            );
+        }
+
+        macros
+    })
+}
+
+pub fn get_macro(name: &str) -> Option<&'static FwMacro> {
+    macros().get(name)
+}
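Review bot: A parse failure of the embedded `macros.json` is not a hard error in `macros()`: it logs and returns an empty map, so every `get_macro` lookup silently yields `None` and whatever the (out-of-hunk) caller does with a missing macro decides whether the resulting rule set fails open or closed. That path is easier to hit than it looks, because `description: &'static str` makes serde borrow the string zero-copy from the `include_str!` data, which, if I read the derive correctly, only works for descriptions without JSON escape sequences — a `\"` or `\u00e9` added to a `desc` later would make `from_str` fail at runtime rather than at build time. The `Ok(None)` arm likewise drops an entire macro without a single log line. I would store the description as `String`, add `log::warn!("macro {name} contains an unsupported option, skipping");` in the `Ok(None)` arm, and pin the whole table with a unit test so a broken `macros.json` fails `cargo test` instead of a running node.
```rust
// … unchanged: FwMacroData, FwMacro, macros(), get_macro …

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn embedded_macros_load_completely() {
        let raw: HashMap<String, serde_json::Value> =
            serde_json::from_str(include_str!("../../resources/macros.json")).unwrap();
        for name in raw.keys() {
            let m = get_macro(name).unwrap_or_else(|| panic!("macro {name} failed to load"));
            assert!(!m.code.is_empty(), "macro {name} has no rules");
        }
    }
}
```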
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index afc3dcc..0f438ca 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,5 +1,6 @@
 pub mod cluster;
 pub mod common;
+pub mod fw_macros;
 pub mod guest;
 pub mod host;
 pub mod ports;
-- 
2.39.2



