[pve-devel] [PATCH proxmox-firewall v2 15/39] config: firewall: add firewall macros
Stefan Hanreich
s.hanreich at proxmox.com
Wed Apr 17 15:53:40 CEST 2024
Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-ve-config/resources/macros.json | 914 ++++++++++++++++++++
proxmox-ve-config/src/firewall/fw_macros.rs | 69 ++
proxmox-ve-config/src/firewall/mod.rs | 1 +
3 files changed, 984 insertions(+)
create mode 100644 proxmox-ve-config/resources/macros.json
create mode 100644 proxmox-ve-config/src/firewall/fw_macros.rs
diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json
new file mode 100644
index 0000000..67e1d89
--- /dev/null
+++ b/proxmox-ve-config/resources/macros.json
@@ -0,0 +1,914 @@
+{
+ "Amanda": {
+ "code": [
+ {
+ "dport": "10080",
+ "proto": "udp"
+ },
+ {
+ "dport": "10080",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Amanda Backup"
+ },
+ "Auth": {
+ "code": [
+ {
+ "dport": "113",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Auth (identd) traffic"
+ },
+ "BGP": {
+ "code": [
+ {
+ "dport": "179",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Border Gateway Protocol traffic"
+ },
+ "BitTorrent": {
+ "code": [
+ {
+ "dport": "6881:6889",
+ "proto": "tcp"
+ },
+ {
+ "dport": "6881",
+ "proto": "udp"
+ }
+ ],
+ "desc": "BitTorrent traffic for BitTorrent 3.1 and earlier"
+ },
+ "BitTorrent32": {
+ "code": [
+ {
+ "dport": "6881:6999",
+ "proto": "tcp"
+ },
+ {
+ "dport": "6881",
+ "proto": "udp"
+ }
+ ],
+ "desc": "BitTorrent traffic for BitTorrent 3.2 and later"
+ },
+ "CVS": {
+ "code": [
+ {
+ "dport": "2401",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Concurrent Versions System pserver traffic"
+ },
+ "Ceph": {
+ "code": [
+ {
+ "dport": "6789",
+ "proto": "tcp"
+ },
+ {
+ "dport": "3300",
+ "proto": "tcp"
+ },
+ {
+ "dport": "6800:7300",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Daemons)"
+ },
+ "Citrix": {
+ "code": [
+ {
+ "dport": "1494",
+ "proto": "tcp"
+ },
+ {
+ "dport": "1604",
+ "proto": "udp"
+ },
+ {
+ "dport": "2598",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Citrix/ICA traffic (ICA, ICA Browser, CGP)"
+ },
+ "DAAP": {
+ "code": [
+ {
+ "dport": "3689",
+ "proto": "tcp"
+ },
+ {
+ "dport": "3689",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)"
+ },
+ "DCC": {
+ "code": [
+ {
+ "dport": "6277",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Distributed Checksum Clearinghouse spam filtering mechanism"
+ },
+ "DHCPfwd": {
+ "code": [
+ {
+ "dport": "67:68",
+ "proto": "udp",
+ "sport": "67:68"
+ }
+ ],
+ "desc": "Forwarded DHCP traffic"
+ },
+ "DHCPv6": {
+ "code": [
+ {
+ "dport": "546:547",
+ "proto": "udp",
+ "sport": "546:547"
+ }
+ ],
+ "desc": "DHCPv6 traffic"
+ },
+ "DNS": {
+ "code": [
+ {
+ "dport": "53",
+ "proto": "udp"
+ },
+ {
+ "dport": "53",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Domain Name System traffic (upd and tcp)"
+ },
+ "Distcc": {
+ "code": [
+ {
+ "dport": "3632",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Distributed Compiler service"
+ },
+ "FTP": {
+ "code": [
+ {
+ "dport": "21",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "File Transfer Protocol"
+ },
+ "Finger": {
+ "code": [
+ {
+ "dport": "79",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Finger protocol (RFC 742)"
+ },
+ "GNUnet": {
+ "code": [
+ {
+ "dport": "2086",
+ "proto": "tcp"
+ },
+ {
+ "dport": "2086",
+ "proto": "udp"
+ },
+ {
+ "dport": "1080",
+ "proto": "tcp"
+ },
+ {
+ "dport": "1080",
+ "proto": "udp"
+ }
+ ],
+ "desc": "GNUnet secure peer-to-peer networking traffic"
+ },
+ "GRE": {
+ "code": [
+ {
+ "proto": "47"
+ }
+ ],
+ "desc": "Generic Routing Encapsulation tunneling protocol"
+ },
+ "Git": {
+ "code": [
+ {
+ "dport": "9418",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Git distributed revision control traffic"
+ },
+ "HKP": {
+ "code": [
+ {
+ "dport": "11371",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "OpenPGP HTTP key server protocol traffic"
+ },
+ "HTTP": {
+ "code": [
+ {
+ "dport": "80",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Hypertext Transfer Protocol (WWW)"
+ },
+ "HTTPS": {
+ "code": [
+ {
+ "dport": "443",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Hypertext Transfer Protocol (WWW) over SSL"
+ },
+ "HTTP/3": {
+ "code": [
+ {
+ "dport": "443",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Hypertext Transfer Protocol v3"
+ },
+ "ICPV2": {
+ "code": [
+ {
+ "dport": "3130",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Internet Cache Protocol V2 (Squid) traffic"
+ },
+ "ICQ": {
+ "code": [
+ {
+ "dport": "5190",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "AOL Instant Messenger traffic"
+ },
+ "IMAP": {
+ "code": [
+ {
+ "dport": "143",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Internet Message Access Protocol"
+ },
+ "IMAPS": {
+ "code": [
+ {
+ "dport": "993",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Internet Message Access Protocol over SSL"
+ },
+ "IPIP": {
+ "code": [
+ {
+ "proto": "94"
+ }
+ ],
+ "desc": "IPIP capsulation traffic"
+ },
+ "IPsec": {
+ "code": [
+ {
+ "dport": "500",
+ "proto": "udp",
+ "sport": "500"
+ },
+ {
+ "proto": "50"
+ }
+ ],
+ "desc": "IPsec traffic"
+ },
+ "IPsecah": {
+ "code": [
+ {
+ "dport": "500",
+ "proto": "udp",
+ "sport": "500"
+ },
+ {
+ "proto": "51"
+ }
+ ],
+ "desc": "IPsec authentication (AH) traffic"
+ },
+ "IPsecnat": {
+ "code": [
+ {
+ "dport": "500",
+ "proto": "udp"
+ },
+ {
+ "dport": "4500",
+ "proto": "udp"
+ },
+ {
+ "proto": "50"
+ }
+ ],
+ "desc": "IPsec traffic and Nat-Traversal"
+ },
+ "IRC": {
+ "code": [
+ {
+ "dport": "6667",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Internet Relay Chat traffic"
+ },
+ "Jetdirect": {
+ "code": [
+ {
+ "dport": "9100",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "HP Jetdirect printing"
+ },
+ "L2TP": {
+ "code": [
+ {
+ "dport": "1701",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Layer 2 Tunneling Protocol traffic"
+ },
+ "LDAP": {
+ "code": [
+ {
+ "dport": "389",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Lightweight Directory Access Protocol traffic"
+ },
+ "LDAPS": {
+ "code": [
+ {
+ "dport": "636",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Secure Lightweight Directory Access Protocol traffic"
+ },
+ "MDNS": {
+ "code": [
+ {
+ "dport": "5353",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Multicast DNS"
+ },
+ "MSNP": {
+ "code": [
+ {
+ "dport": "1863",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Microsoft Notification Protocol"
+ },
+ "MSSQL": {
+ "code": [
+ {
+ "dport": "1433",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Microsoft SQL Server"
+ },
+ "Mail": {
+ "code": [
+ {
+ "dport": "25",
+ "proto": "tcp"
+ },
+ {
+ "dport": "465",
+ "proto": "tcp"
+ },
+ {
+ "dport": "587",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Mail traffic (SMTP, SMTPS, Submission)"
+ },
+ "Munin": {
+ "code": [
+ {
+ "dport": "4949",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Munin networked resource monitoring traffic"
+ },
+ "MySQL": {
+ "code": [
+ {
+ "dport": "3306",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "MySQL server"
+ },
+ "NNTP": {
+ "code": [
+ {
+ "dport": "119",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "NNTP traffic (Usenet)."
+ },
+ "NNTPS": {
+ "code": [
+ {
+ "dport": "563",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Encrypted NNTP traffic (Usenet)"
+ },
+ "NTP": {
+ "code": [
+ {
+ "dport": "123",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Network Time Protocol (ntpd)"
+ },
+ "NeighborDiscovery": {
+ "code": [
+ {
+ "dport": "nd-router-solicit",
+ "proto": "icmpv6"
+ },
+ {
+ "dport": "nd-router-advert",
+ "proto": "icmpv6"
+ },
+ {
+ "dport": "nd-neighbor-solicit",
+ "proto": "icmpv6"
+ },
+ {
+ "dport": "nd-neighbor-advert",
+ "proto": "icmpv6"
+ }
+ ],
+ "desc": "IPv6 neighbor solicitation, neighbor and router advertisement"
+ },
+ "OSPF": {
+ "code": [
+ {
+ "proto": "89"
+ }
+ ],
+ "desc": "OSPF multicast traffic"
+ },
+ "OpenVPN": {
+ "code": [
+ {
+ "dport": "1194",
+ "proto": "udp"
+ }
+ ],
+ "desc": "OpenVPN traffic"
+ },
+ "PBS": {
+ "code": [
+ {
+ "dport": "8007",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Proxmox Backup Server"
+ },
+ "PCA": {
+ "code": [
+ {
+ "dport": "5632",
+ "proto": "udp"
+ },
+ {
+ "dport": "5631",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Symantec PCAnywere (tm)"
+ },
+ "PMG": {
+ "code": [
+ {
+ "dport": "8006",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Proxmox Mail Gateway web interface"
+ },
+ "POP3": {
+ "code": [
+ {
+ "dport": "110",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "POP3 traffic"
+ },
+ "POP3S": {
+ "code": [
+ {
+ "dport": "995",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Encrypted POP3 traffic"
+ },
+ "PPtP": {
+ "code": [
+ {
+ "proto": "47"
+ },
+ {
+ "dport": "1723",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Point-to-Point Tunneling Protocol"
+ },
+ "Ping": {
+ "code": [
+ {
+ "dport": "echo-request",
+ "proto": "icmp"
+ }
+ ],
+ "desc": "ICMP echo request"
+ },
+ "PostgreSQL": {
+ "code": [
+ {
+ "dport": "5432",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "PostgreSQL server"
+ },
+ "Printer": {
+ "code": [
+ {
+ "dport": "515",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Line Printer protocol printing"
+ },
+ "RDP": {
+ "code": [
+ {
+ "dport": "3389",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Microsoft Remote Desktop Protocol traffic"
+ },
+ "RIP": {
+ "code": [
+ {
+ "dport": "520",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Routing Information Protocol (bidirectional)"
+ },
+ "RNDC": {
+ "code": [
+ {
+ "dport": "953",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "BIND remote management protocol"
+ },
+ "Razor": {
+ "code": [
+ {
+ "dport": "2703",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Razor Antispam System"
+ },
+ "Rdate": {
+ "code": [
+ {
+ "dport": "37",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Remote time retrieval (rdate)"
+ },
+ "Rsync": {
+ "code": [
+ {
+ "dport": "873",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Rsync server"
+ },
+ "SANE": {
+ "code": [
+ {
+ "dport": "6566",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "SANE network scanning"
+ },
+ "SMB": {
+ "code": [
+ {
+ "dport": "135,445",
+ "proto": "udp"
+ },
+ {
+ "dport": "137:139",
+ "proto": "udp"
+ },
+ {
+ "dport": "1024:65535",
+ "proto": "udp",
+ "sport": "137"
+ },
+ {
+ "dport": "135,139,445",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Microsoft SMB traffic"
+ },
+ "SMBswat": {
+ "code": [
+ {
+ "dport": "901",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Samba Web Administration Tool"
+ },
+ "SMTP": {
+ "code": [
+ {
+ "dport": "25",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Simple Mail Transfer Protocol"
+ },
+ "SMTPS": {
+ "code": [
+ {
+ "dport": "465",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Encrypted Simple Mail Transfer Protocol"
+ },
+ "SNMP": {
+ "code": [
+ {
+ "dport": "161:162",
+ "proto": "udp"
+ },
+ {
+ "dport": "161",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Simple Network Management Protocol"
+ },
+ "SPAMD": {
+ "code": [
+ {
+ "dport": "783",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Spam Assassin SPAMD traffic"
+ },
+ "SSH": {
+ "code": [
+ {
+ "dport": "22",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Secure shell traffic"
+ },
+ "SVN": {
+ "code": [
+ {
+ "dport": "3690",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Subversion server (svnserve)"
+ },
+ "SixXS": {
+ "code": [
+ {
+ "dport": "3874",
+ "proto": "tcp"
+ },
+ {
+ "dport": "3740",
+ "proto": "udp"
+ },
+ {
+ "proto": "41"
+ },
+ {
+ "dport": "5072,8374",
+ "proto": "udp"
+ }
+ ],
+ "desc": "SixXS IPv6 Deployment and Tunnel Broker"
+ },
+ "Squid": {
+ "code": [
+ {
+ "dport": "3128",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Squid web proxy traffic"
+ },
+ "Submission": {
+ "code": [
+ {
+ "dport": "587",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Mail message submission traffic"
+ },
+ "Syslog": {
+ "code": [
+ {
+ "dport": "514",
+ "proto": "udp"
+ },
+ {
+ "dport": "514",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Syslog protocol (RFC 5424) traffic"
+ },
+ "TFTP": {
+ "code": [
+ {
+ "dport": "69",
+ "proto": "udp"
+ }
+ ],
+ "desc": "Trivial File Transfer Protocol traffic"
+ },
+ "Telnet": {
+ "code": [
+ {
+ "dport": "23",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Telnet traffic"
+ },
+ "Telnets": {
+ "code": [
+ {
+ "dport": "992",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Telnet over SSL"
+ },
+ "Time": {
+ "code": [
+ {
+ "dport": "37",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "RFC 868 Time protocol"
+ },
+ "Trcrt": {
+ "code": [
+ {
+ "dport": "33434:33524",
+ "proto": "udp"
+ },
+ {
+ "dport": "echo-request",
+ "proto": "icmp"
+ }
+ ],
+ "desc": "Traceroute (for up to 30 hops) traffic"
+ },
+ "VNC": {
+ "code": [
+ {
+ "dport": "5900:5999",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "VNC traffic for VNC display's 0 - 99"
+ },
+ "VNCL": {
+ "code": [
+ {
+ "dport": "5500",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "VNC traffic from Vncservers to Vncviewers in listen mode"
+ },
+ "Web": {
+ "code": [
+ {
+ "dport": "80",
+ "proto": "tcp"
+ },
+ {
+ "dport": "443",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "WWW traffic (HTTP and HTTPS)"
+ },
+ "Webcache": {
+ "code": [
+ {
+ "dport": "8080",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Web Cache/Proxy traffic (port 8080)"
+ },
+ "Webmin": {
+ "code": [
+ {
+ "dport": "10000",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Webmin traffic"
+ },
+ "Whois": {
+ "code": [
+ {
+ "dport": "43",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Whois (nicname, RFC 3912) traffic"
+ }
+}
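Review bot: Several `desc` strings carry typos that will surface verbatim wherever the description is shown: `"Domain Name System traffic (upd and tcp)"` should read `udp`, `"IPIP capsulation traffic"` should read `encapsulation`, `"Symantec PCAnywere (tm)"` should read `pcAnywhere`, and `"... Rythmbox daemons"` should read `Rhythmbox`. If these strings are carried over unchanged from the existing macro definitions for parity, a sentence in the commit message saying so would save the next reviewer from flagging them again.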
diff --git a/proxmox-ve-config/src/firewall/fw_macros.rs b/proxmox-ve-config/src/firewall/fw_macros.rs
new file mode 100644
index 0000000..5fa8dab
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/fw_macros.rs
@@ -0,0 +1,69 @@
+use std::collections::HashMap;
+
+use serde::Deserialize;
+use std::sync::OnceLock;
+
+use crate::firewall::types::rule_match::Protocol;
+
+use super::types::rule_match::RuleOptions;
+
+#[derive(Clone, Debug, Default, Deserialize)]
+struct FwMacroData {
+ #[serde(rename = "desc")]
+ pub description: &'static str,
+ pub code: Vec<RuleOptions>,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct FwMacro {
+ pub _description: &'static str,
+ pub code: Vec<Protocol>,
+}
+
+fn macros() -> &'static HashMap<String, FwMacro> {
+ const MACROS: &str = include_str!("../../resources/macros.json");
+ static HASHMAP: OnceLock<HashMap<String, FwMacro>> = OnceLock::new();
+
+ HASHMAP.get_or_init(|| {
+ let macro_data: HashMap<String, FwMacroData> = match serde_json::from_str(MACROS) {
+ Ok(m) => m,
+ Err(err) => {
+ log::error!("could not load data for macros: {err}");
+ HashMap::new()
+ }
+ };
+
+ let mut macros = HashMap::new();
+
+ 'outer: for (name, data) in macro_data {
+ let mut code = Vec::new();
+
+ for c in data.code {
+ match Protocol::from_options(&c) {
+ Ok(Some(p)) => code.push(p),
+ Ok(None) => {
+ continue 'outer;
+ }
+ Err(err) => {
+ log::error!("could not parse data for macro {name}: {err}");
+ continue 'outer;
+ }
+ }
+ }
+
+ macros.insert(
+ name,
+ FwMacro {
+ _description: data.description,
+ code,
+ },
+ );
+ }
+
+ macros
+ })
+}
+
+pub fn get_macro(name: &str) -> Option<&'static FwMacro> {
+ macros().get(name)
+}
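Review bot: The `Ok(None)` arm of the inner `match` drops the whole macro without any diagnostic, while the sibling `Err` arm logs before `continue 'outer`; a macro that silently vanishes from the map is hard to debug once a rule referencing it fails to resolve. Suggest `Ok(None) => { log::error!("could not parse data for macro {name}: entry without protocol"); continue 'outer; }`, adjusting the wording to whatever `None` means in `Protocol::from_options`, which is defined outside this patch. Separately, `MACROS` is embedded with `include_str!`, so a `serde_json` failure can only come from a broken bundled resource, yet it degrades to an empty map with a single log line and every `get_macro` call then returns `None`; a `#[test]` that calls `macros()` and asserts the expected entries are present would catch that at build time instead of in the field. Note also that `description: &'static str` is borrowed straight from the JSON text, which makes deserialization of the entire file fail for any description containing an escape sequence — `String` or `Cow<'static, str>` avoids that fragility. `get_macro` is the public entry point and has no doc comment; something like `/// Looks up a built-in firewall macro by name, returning None for unknown names or macros whose definition failed to parse.` would document the fallback behaviour callers need to know about.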
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index afc3dcc..0f438ca 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,5 +1,6 @@
pub mod cluster;
pub mod common;
+pub mod fw_macros;
pub mod guest;
pub mod host;
pub mod ports;
--
2.39.2