[pve-devel] [PATCH proxmox-firewall v2 13/39] config: firewall: add host specific config + option types
Stefan Hanreich
s.hanreich at proxmox.com
Wed Apr 17 15:53:38 CEST 2024
Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-ve-config/src/firewall/host.rs | 372 +++++++++++++++++++++++++
proxmox-ve-config/src/firewall/mod.rs | 1 +
2 files changed, 373 insertions(+)
create mode 100644 proxmox-ve-config/src/firewall/host.rs
diff --git a/proxmox-ve-config/src/firewall/host.rs b/proxmox-ve-config/src/firewall/host.rs
new file mode 100644
index 0000000..2fd1f36
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/host.rs
@@ -0,0 +1,372 @@
+use std::io;
+use std::net::IpAddr;
+
+use anyhow::{bail, Error};
+use serde::Deserialize;
+
+use crate::host::utils::{host_ips, network_interface_cidrs};
+use proxmox_sys::nodename;
+
+use crate::firewall::parse;
+use crate::firewall::types::log::LogLevel;
+use crate::firewall::types::rule::Direction;
+use crate::firewall::types::{Alias, Cidr, Rule};
+
+/// default setting for the enabled key
+pub const HOST_ENABLED_DEFAULT: bool = true;
+/// default setting for the nftables key
+pub const HOST_NFTABLES_DEFAULT: bool = false;
+/// default return value for [`Config::allow_ndp()`]
+pub const HOST_ALLOW_NDP_DEFAULT: bool = true;
+/// default return value for [`Config::block_smurfs()`]
+pub const HOST_BLOCK_SMURFS_DEFAULT: bool = true;
+/// default return value for [`Config::block_synflood()`]
+pub const HOST_BLOCK_SYNFLOOD_DEFAULT: bool = false;
+/// default rate limit for synflood rule (packets / second)
+pub const HOST_BLOCK_SYNFLOOD_RATE_DEFAULT: i64 = 200;
+/// default rate limit for synflood rule (packets / second)
+pub const HOST_BLOCK_SYNFLOOD_BURST_DEFAULT: i64 = 1000;
+/// default return value for [`Config::block_invalid_tcp()`]
+pub const HOST_BLOCK_INVALID_TCP_DEFAULT: bool = false;
+/// default return value for [`Config::block_invalid_conntrack()`]
+pub const HOST_BLOCK_INVALID_CONNTRACK: bool = false;
+/// default setting for logging of invalid conntrack entries
+pub const HOST_LOG_INVALID_CONNTRACK: bool = false;
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+ #[serde(default, with = "parse::serde_option_bool")]
+ enable: Option<bool>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ nftables: Option<bool>,
+
+ log_level_in: Option<LogLevel>,
+ log_level_out: Option<LogLevel>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ log_nf_conntrack: Option<bool>,
+ #[serde(default, with = "parse::serde_option_bool")]
+ ndp: Option<bool>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ nf_conntrack_allow_invalid: Option<bool>,
+
+ // is Option<Vec<>> for easier deserialization
+ #[serde(default, with = "parse::serde_option_conntrack_helpers")]
+ nf_conntrack_helpers: Option<Vec<String>>,
+
+ #[serde(default, with = "parse::serde_option_number")]
+ nf_conntrack_max: Option<i64>,
+ #[serde(default, with = "parse::serde_option_number")]
+ nf_conntrack_tcp_timeout_established: Option<i64>,
+ #[serde(default, with = "parse::serde_option_number")]
+ nf_conntrack_tcp_timeout_syn_recv: Option<i64>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ nosmurfs: Option<bool>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ protection_synflood: Option<bool>,
+ #[serde(default, with = "parse::serde_option_number")]
+ protection_synflood_burst: Option<i64>,
+ #[serde(default, with = "parse::serde_option_number")]
+ protection_synflood_rate: Option<i64>,
+
+ smurf_log_level: Option<LogLevel>,
+ tcp_flags_log_level: Option<LogLevel>,
+
+ #[serde(default, with = "parse::serde_option_bool")]
+ tcpflags: Option<bool>,
+}
+
+#[derive(Debug, Default)]
+pub struct Config {
+ pub(crate) config: super::common::Config<Options>,
+}
+
+impl Config {
+ pub fn new() -> Self {
+ Self {
+ config: Default::default(),
+ }
+ }
+
+ pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+ let config = super::common::Config::parse(input, &Default::default())?;
+
+ if !config.groups.is_empty() {
+ bail!("host firewall config cannot declare groups");
+ }
+
+ if !config.aliases.is_empty() {
+ bail!("host firewall config cannot declare aliases");
+ }
+
+ if !config.ipsets.is_empty() {
+ bail!("host firewall config cannot declare ipsets");
+ }
+
+ Ok(Self { config })
+ }
+
+ pub fn rules(&self) -> &[Rule] {
+ &self.config.rules
+ }
+
+ pub fn management_ips() -> Result<Vec<Cidr>, Error> {
+ let mut management_cidrs = Vec::new();
+
+ for host_ip in host_ips() {
+ for network_interface_cidr in network_interface_cidrs() {
+ match (host_ip, network_interface_cidr) {
+ (IpAddr::V4(ip), Cidr::Ipv4(cidr)) => {
+ if cidr.contains_address(ip) {
+ management_cidrs.push(*network_interface_cidr);
+ }
+ }
+ (IpAddr::V6(ip), Cidr::Ipv6(cidr)) => {
+ if cidr.contains_address(ip) {
+ management_cidrs.push(*network_interface_cidr);
+ }
+ }
+ _ => continue,
+ };
+ }
+ }
+
+ Ok(management_cidrs)
+ }
+
+ pub fn hostname() -> &'static str {
+ nodename()
+ }
+
+ pub fn get_alias(&self, name: &str) -> Option<&Alias> {
+ self.config.alias(name)
+ }
+
+ /// returns value of enabled key or [`HOST_ENABLED_DEFAULT`] if unset
+ pub fn is_enabled(&self) -> bool {
+ self.config.options.enable.unwrap_or(HOST_ENABLED_DEFAULT)
+ }
+
+ /// returns value of nftables key or [`HOST_NFTABLES_DEFAULT`] if unset
+ pub fn nftables(&self) -> bool {
+ self.config
+ .options
+ .nftables
+ .unwrap_or(HOST_NFTABLES_DEFAULT)
+ }
+
+ /// returns value of ndp key or [`HOST_ALLOW_NDP_DEFAULT`] if unset
+ pub fn allow_ndp(&self) -> bool {
+ self.config.options.ndp.unwrap_or(HOST_ALLOW_NDP_DEFAULT)
+ }
+
+ /// returns value of nosmurfs key or [`HOST_BLOCK_SMURFS_DEFAULT`] if unset
+ pub fn block_smurfs(&self) -> bool {
+ self.config
+ .options
+ .nosmurfs
+ .unwrap_or(HOST_BLOCK_SMURFS_DEFAULT)
+ }
+
+ /// returns the log level for the smurf protection rule
+ ///
+ /// If there is no log level set, it returns [`LogLevel::default()`]
+ pub fn block_smurfs_log_level(&self) -> LogLevel {
+ self.config.options.smurf_log_level.unwrap_or_default()
+ }
+
+ /// returns value of protection_synflood key or [`HOST_BLOCK_SYNFLOOD_DEFAULT`] if unset
+ pub fn block_synflood(&self) -> bool {
+ self.config
+ .options
+ .protection_synflood
+ .unwrap_or(HOST_BLOCK_SYNFLOOD_DEFAULT)
+ }
+
+ /// returns value of protection_synflood_rate key or [`HOST_BLOCK_SYNFLOOD_RATE_DEFAULT`] if
+ /// unset
+ pub fn synflood_rate(&self) -> i64 {
+ self.config
+ .options
+ .protection_synflood_rate
+ .unwrap_or(HOST_BLOCK_SYNFLOOD_RATE_DEFAULT)
+ }
+
+ /// returns value of protection_synflood_burst key or [`HOST_BLOCK_SYNFLOOD_BURST_DEFAULT`] if
+ /// unset
+ pub fn synflood_burst(&self) -> i64 {
+ self.config
+ .options
+ .protection_synflood_burst
+ .unwrap_or(HOST_BLOCK_SYNFLOOD_BURST_DEFAULT)
+ }
+
+ /// returns value of tcpflags key or [`HOST_BLOCK_INVALID_TCP_DEFAULT`] if unset
+ pub fn block_invalid_tcp(&self) -> bool {
+ self.config
+ .options
+ .tcpflags
+ .unwrap_or(HOST_BLOCK_INVALID_TCP_DEFAULT)
+ }
+
+ /// returns the log level for the block invalid TCP packets rule
+ ///
+ /// If there is no log level set, it returns [`LogLevel::default()`]
+ pub fn block_invalid_tcp_log_level(&self) -> LogLevel {
+ self.config.options.tcp_flags_log_level.unwrap_or_default()
+ }
+
+ /// returns value of nf_conntrack_allow_invalid key or [`HOST_BLOCK_INVALID_CONNTRACK`] if
+ /// unset
+ pub fn block_invalid_conntrack(&self) -> bool {
+ !self
+ .config
+ .options
+ .nf_conntrack_allow_invalid
+ .unwrap_or(HOST_BLOCK_INVALID_CONNTRACK)
+ }
+
+ pub fn nf_conntrack_max(&self) -> Option<i64> {
+ self.config.options.nf_conntrack_max
+ }
+
+ pub fn nf_conntrack_tcp_timeout_established(&self) -> Option<i64> {
+ self.config.options.nf_conntrack_tcp_timeout_established
+ }
+
+ pub fn nf_conntrack_tcp_timeout_syn_recv(&self) -> Option<i64> {
+ self.config.options.nf_conntrack_tcp_timeout_syn_recv
+ }
+
+ /// returns value of log_nf_conntrack key or [`HOST_LOG_INVALID_CONNTRACK`] if unset
+ pub fn log_nf_conntrack(&self) -> bool {
+ self.config
+ .options
+ .log_nf_conntrack
+ .unwrap_or(HOST_LOG_INVALID_CONNTRACK)
+ }
+
+ pub fn conntrack_helpers(&self) -> Option<&Vec<String>> {
+ self.config.options.nf_conntrack_helpers.as_ref()
+ }
+
+ /// returns the log level for the given direction
+ ///
+ /// If there is no log level set it returns [`LogLevel::default()`]
+ pub fn log_level(&self, dir: Direction) -> LogLevel {
+ match dir {
+ Direction::In => self.config.options.log_level_in.unwrap_or_default(),
+ Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
+ }
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use crate::firewall::types::{
+ log::LogLevel,
+ rule::{Kind, RuleGroup, Verdict},
+ rule_match::{Ports, Protocol, RuleMatch, Udp},
+ };
+
+ use super::*;
+
+ #[test]
+ fn test_parse_config() {
+ const CONFIG: &str = r#"
+[OPTIONS]
+enable: 1
+nftables: 1
+log_level_in: debug
+log_level_out: emerg
+log_nf_conntrack: 0
+ndp: 1
+nf_conntrack_allow_invalid: yes
+nf_conntrack_helpers: ftp
+nf_conntrack_max: 44000
+nf_conntrack_tcp_timeout_established: 500000
+nf_conntrack_tcp_timeout_syn_recv: 44
+nosmurfs: no
+protection_synflood: 1
+protection_synflood_burst: 2500
+protection_synflood_rate: 300
+smurf_log_level: notice
+tcp_flags_log_level: nolog
+tcpflags: yes
+
+[RULES]
+
+GROUP tgr -i eth0 # acomm
+IN ACCEPT -p udp -dport 33 -sport 22 -log warning
+
+"#;
+
+ let mut config = CONFIG.as_bytes();
+ let config = Config::parse(&mut config).unwrap();
+
+ assert_eq!(
+ config.config.options,
+ Options {
+ enable: Some(true),
+ nftables: Some(true),
+ log_level_in: Some(LogLevel::Debug),
+ log_level_out: Some(LogLevel::Emergency),
+ log_nf_conntrack: Some(false),
+ ndp: Some(true),
+ nf_conntrack_allow_invalid: Some(true),
+ nf_conntrack_helpers: Some(vec!["ftp".to_string()]),
+ nf_conntrack_max: Some(44000),
+ nf_conntrack_tcp_timeout_established: Some(500000),
+ nf_conntrack_tcp_timeout_syn_recv: Some(44),
+ nosmurfs: Some(false),
+ protection_synflood: Some(true),
+ protection_synflood_burst: Some(2500),
+ protection_synflood_rate: Some(300),
+ smurf_log_level: Some(LogLevel::Notice),
+ tcp_flags_log_level: Some(LogLevel::Nolog),
+ tcpflags: Some(true),
+ }
+ );
+
+ assert_eq!(config.config.rules.len(), 2);
+
+ assert_eq!(
+ config.config.rules[0],
+ Rule {
+ disabled: false,
+ comment: Some("acomm".to_string()),
+ kind: Kind::Group(RuleGroup {
+ group: "tgr".to_string(),
+ iface: Some("eth0".to_string()),
+ }),
+ },
+ );
+
+ assert_eq!(
+ config.config.rules[1],
+ Rule {
+ disabled: false,
+ comment: None,
+ kind: Kind::Match(RuleMatch {
+ dir: Direction::In,
+ verdict: Verdict::Accept,
+ proto: Some(Protocol::Udp(Udp::new(Ports::from_u16(22, 33)))),
+ log: Some(LogLevel::Warning),
+ ..Default::default()
+ }),
+ },
+ );
+
+ Config::parse("[ALIASES]\ntest 127.0.0.1".as_bytes())
+ .expect_err("host config cannot contain aliases");
+
+ Config::parse("[GROUP test]".as_bytes()).expect_err("host config cannot contain groups");
+
+ Config::parse("[IPSET test]".as_bytes()).expect_err("host config cannot contain ipsets");
+ }
+}
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index 82689c3..85fe6c4 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,5 +1,6 @@
pub mod cluster;
pub mod common;
+pub mod host;
pub mod ports;
pub mod types;
--
2.39.2
More information about the pve-devel
mailing list