[pve-devel] [PATCH] add ips feature v3

Alexandre Derumier aderumier at odiso.com
Mon Mar 17 15:52:23 CET 2014


Signed-off-by: Alexandre Derumier <aderumier at odiso.com>

This add ips (like suricata) support through nfqueues.

this create a new chain PVEFW-Accept

-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
-A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
-A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
-A PVEFW-Accept -j ACCEPT

it's using --queue-bypass (only available in 3.10 kernel), so it's suricata daemon is down,
packets are not dropped.

vmid.fw
-------
ips: 1

ips_queues: 0:3

1 or more queues can be defined (if we want cpu loadbalancing, or dedicated queue for a specific vm).
If not defined, default queue 0 is used.
---
 example/100.fw      |    6 ++++++
 src/PVE/Firewall.pm |   58 ++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/example/100.fw b/example/100.fw
index 94f178d..880e6c3 100644
--- a/example/100.fw
+++ b/example/100.fw
@@ -28,6 +28,12 @@ tcpflags: 1
 # enable DHCP
 dhcp: 1
 
+# enable ips
+ips: 1
+
+# specify nfqueue queues (optionnal)
+#ips_queues: 0
+ips_queues: 0:3
 
 [RULES]
 
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0f2bc11..7c05c45 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -440,6 +440,9 @@ my $pve_std_chains = {
 	# Drop DNS replies
 	{ action => 'DROP', proto => 'udp', sport => 53 },
     ],
+    'PVEFW-Accept' => [
+	{ action => 'ACCEPT' },
+    ],
     'PVEFW-tcpflags' => [
 	# same as shorewall tcpflags action.
 	# Packets arriving on this interface are checked for som illegal combinations of TCP flags
@@ -896,9 +899,9 @@ sub generate_bridge_chains {
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
 	ruleset_create_chain($ruleset, "$bridge-IN");
 	ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN");
-	ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT");
+	ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j PVEFW-Accept");
 	# accept traffic to unmanaged bridge ports
-	ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT ");
+	ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j PVEFW-Accept");
     }
 }
 
@@ -939,7 +942,7 @@ sub ruleset_create_vm_chain {
     }
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
-	ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT");
+	ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j PVEFW-Accept");
     }
 
     if ($options->{tcpflags}) {
@@ -947,7 +950,8 @@ sub ruleset_create_vm_chain {
     }
 
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+
+    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept");
 
     if ($direction eq 'OUT') {
 	if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
@@ -985,6 +989,22 @@ sub ruleset_generate_vm_rules {
     }
 }
 
+sub ruleset_generate_vm_ipsrules {
+    my ($ruleset, $options, $direction, $iface) = @_;
+
+    if ($options->{ips} && $direction eq 'IN') {
+        my $nfqueue = "";
+        if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) {
+            if(defined($3) && defined($1)) {
+                $nfqueue .= "--queue-balance $1:$3";
+            }elsif (defined($1)) {
+                $nfqueue .= "--queue-num $1";
+            }
+        }
+        ruleset_insertrule($ruleset, "PVEFW-Accept", "-m physdev --physdev-out $iface --physdev-is-bridged -j NFQUEUE $nfqueue --queue-bypass");
+    }
+}
+
 sub generate_venet_rules_direction {
     my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
 
@@ -1055,6 +1075,8 @@ sub generate_tap_rules_direction {
 
     ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction);
 
+    ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
+
     # implement policy
     my $policy;
 
@@ -1092,11 +1114,11 @@ sub enable_host_firewall {
     my $loglevel = get_option_log_level($options, "log_level_in");
 
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT");  #corosync
+    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-i lo -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j PVEFW-Accept");  #corosync
 
     # we use RETURN because we need to check also tap rules
     my $accept_action = 'RETURN';
@@ -1117,11 +1139,11 @@ sub enable_host_firewall {
     $loglevel = get_option_log_level($options, "log_level_out");
 
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
-    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
-    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
+    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-o lo -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j PVEFW-Accept");
+    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j PVEFW-Accept"); #corosync
 
     # we use RETURN because we may want to check other thigs later
     $accept_action = 'RETURN';
@@ -1320,7 +1342,7 @@ sub parse_vmfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags|ips):\s*(0|1)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
     } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
@@ -1329,6 +1351,9 @@ sub parse_vmfw_option {
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 	$opt = lc($1);
 	$value = uc($3);
+    } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) {
+	$opt = lc($1);
+	$value = $2;
     } else {
 	chomp $line;
 	die "can't parse option '$line'\n"
@@ -1755,8 +1780,7 @@ sub compile {
     }
 
     # fixme: this is an optimization? if so, we should also drop INVALID packages?
-    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
-
+    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept");
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-- 
1.7.10.4




More information about the pve-devel mailing list