* [pve-devel] [PATCH pve-firewall] Fix #4550 : host options: add nf_conntrack_helpers
@ 2023-03-09 15:34 Alexandre Derumier
  2023-03-13  9:46 ` [pve-devel] applied: " Wolfgang Bumiller
  0 siblings, 1 reply; 2+ messages in thread
From: Alexandre Derumier @ 2023-03-09 15:34 UTC (permalink / raw)
  To: pve-devel

Kernel 6.1 removed automatic conntrack helper loading, which had been deprecated for many years.

We now need explicit rules in PREROUTING to load these helpers.

supported protocols :
- amanda
- ftp
- irc (ipv4 only)
- netbios-ns (ipv4 only)
- pptp (ipv4 only)
- sane
- sip
- snmp (ipv4 only)
- tftp

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 src/PVE/Firewall.pm | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4924d51..87e44e0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -578,6 +578,18 @@ my $pve_fw_macros = {
     ],
 };
 
+my $pve_fw_helpers = {
+    'amanda' => { proto => 'udp', dport => '10080', 'v4' => 1, 'v6' => 1 },
+    'ftp' => { proto => 'tcp', dport => '21', 'v4' => 1, 'v6' => 1},
+    'irc' => { proto => 'tcp', dport => '6667', 'v4' => 1 },
+    'netbios-ns' => { proto => 'udp', dport => '137', 'v4' => 1 },
+    'pptp' => { proto => 'tcp', dport => '1723', 'v4' => 1, },
+    'sane' => { proto => 'tcp', dport => '6566', 'v4' => 1, 'v6' => 1 },
+    'sip' => { proto => 'udp', dport => '5060', 'v4' => 1, 'v6' => 1 },
+    'snmp' => { proto => 'udp', dport => '161', 'v4' => 1 },
+    'tftp' => { proto => 'udp', dport => '69', 'v4' => 1, 'v6' => 1},
+};
+
 my $pve_fw_parsed_macros;
 my $pve_fw_macro_descr;
 my $pve_fw_macro_ipversion = {};
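Review bot: The entries of the new `$pve_fw_helpers` table are formatted inconsistently — `pptp` ends with a dangling `, }` and `ftp`/`tftp` lack the space before `}` that the other entries have — which is worth tidying since this table is what the description string and the verifier are built from. The table also deserves a header comment, because nothing here says what `dport` and `v4`/`v6` mean to the reader: `# Conntrack helpers selectable via the nf_conntrack_helpers host option: proto/dport is the server port the helper gets attached to in raw PREROUTING, v4/v6 mark the IP families for which a rule is emitted.` Whether the v4-only entries reflect an actual lack of IPv6 support in the corresponding kernel helper modules is not visible here; if that is the reason, naming it in the comment would stop someone from "fixing" those flags later.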
@@ -1125,6 +1137,19 @@ sub parse_port_name_number_or_range {
     return (scalar(@elements) > 1);
 }
 
+PVE::JSONSchema::register_format('pve-fw-conntrack-helper', \&pve_fw_verify_conntrack_helper);
+sub pve_fw_verify_conntrack_helper {
+   my ($list) = @_;
+
+   my @helpers = split(/,/, $list);
+   die "extraneous commas in list\n" if $list ne join(',', @helpers);
+   foreach my $helper (@helpers) {
+	die "unknown helper $helper" if !$pve_fw_helpers->{$helper};
+   }
+
+   return $list;
+}
+
 PVE::JSONSchema::register_format('pve-fw-sport-spec', \&pve_fw_verify_sport_spec);
 sub pve_fw_verify_sport_spec {
    my ($portstr) = @_;
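Review bot: `die "unknown helper $helper"` on the line inside the foreach has no trailing newline, so Perl appends ` at .../Firewall.pm line N.` to a message that reaches the user through the API and the config parser, unlike the `extraneous commas in list\n` die two lines above; `die "unknown conntrack helper '$helper'\n"` keeps the message clean and quotes the token so stray whitespace (e.g. `ftp, tftp`) is visible. The extraneous-commas check only catches a trailing comma: `ftp,,tftp` splits and re-joins identically and is then rejected as an empty helper name, which is still rejected but with a confusing message — a nit, not a hole. That same `die` line is indented with a tab while the rest of the body uses three spaces like pve_fw_verify_sport_spec below.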
@@ -1344,6 +1369,13 @@ our $host_option_properties = {
 	default => 0,
 	optional => 1,
     },
+    nf_conntrack_helpers => {
+	type => 'string', format => 'pve-fw-conntrack-helper',
+	description => "Enable conntrack helpers for specific protocols. ".
+	    "Supported protocols: amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp, tftp",
+	default => '',
+	optional => 1,
+    },
     protection_synflood => {
 	description => "Enable synflood protection",
 	type => 'boolean',
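Review bot: The option description lists the supported protocols but says nothing about what enabling one costs: a conntrack helper parses application-layer payload and, on a suitably crafted command, creates RELATED expectations that open additional pinholes, which is the reason the kernel stopped auto-loading them. Suggest extending the description with `"Helpers inspect application payloads and open RELATED pinholes; enable only the protocols actually needed. "` before the protocol list. The protocol list here also duplicates the keys of `$pve_fw_helpers` defined earlier in the file; `join(', ', sort keys %$pve_fw_helpers)` would keep the two from drifting when a helper is added. `$host_option_properties` starts and ends outside the hunk.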
@@ -2879,6 +2911,10 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
 	$opt = lc($1);
 	$value = $2 ? lc($3) : '';
+    } elsif ($line =~ m/^(nf_conntrack_helpers):\s*(((\S+)[,]?)+)\s*$/i) {
+	$opt = lc($1);
+	$value = lc($2);
+	pve_fw_verify_conntrack_helper($value);
     } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established|nf_conntrack_tcp_timeout_syn_recv|protection_synflood_rate|protection_synflood_burst|protection_limit):\s*(\d+)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
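Review bot: The value part of the new regex, `(((\S+)[,]?)+)`, nests an unbounded quantifier inside another; because `,` is itself `\S`, it matches exactly the same strings as a plain `\S+`, but on a long non-space run followed by a space and more text it can try a very large number of partitions before the branch fails (Perl's backtracking cache may soften this, but the config is re-parsed on every compile). Since the captured value is handed to pve_fw_verify_conntrack_helper anyway, `m/^(nf_conntrack_helpers):\s*(\S+)\s*$/i` is the simpler equivalent. Note the branch also rejects an empty value (`nf_conntrack_helpers:` with nothing after it), unlike the log_level branch above that accepts one; worth confirming the writer side never emits that form. parse_hostfw_option starts and ends outside the hunk.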
@@ -3729,6 +3765,9 @@ sub compile_iptables_raw {
 
     my $hostfw_options = $hostfw_conf->{options} || {};
     my $protection_synflood = $hostfw_options->{protection_synflood} || 0;
+    my $conntrack_helpers = $hostfw_options->{nf_conntrack_helpers} || '';
+
+    ruleset_create_chain($ruleset, "PVEFW-PREROUTING") if $protection_synflood != 0 || $conntrack_helpers ne '';
 
     if($protection_synflood) {
 
@@ -3739,10 +3778,14 @@ sub compile_iptables_raw {
 	$protection_synflood_expire = $protection_synflood_expire * 1000;
 	my $protection_synflood_mask = $ipversion == 4 ? 32 : 64;
 
-	ruleset_create_chain($ruleset, "PVEFW-PREROUTING");
 	ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above $protection_synflood_rate/sec --hashlimit-burst $protection_synflood_burst --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 --hashlimit-srcmask $protection_synflood_mask --hashlimit-htable-expire $protection_synflood_expire", "-j DROP");
     }
 
+    foreach my $conntrack_helper (split(/,/, $conntrack_helpers)) {
+	my $helper = $pve_fw_helpers->{$conntrack_helper};
+	ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p $helper->{proto} -m $helper->{proto} --dport $helper->{dport} -j CT", "--helper $conntrack_helper") if $helper && $helper->{"v$ipversion"};
+    }
+
     return $ruleset;
 }
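Review bot: The new ruleset_addrule call splits the target across the two arguments — `-j CT` lands in the match string and `--helper …` is passed as the action — while the synflood rule a few lines up passes the whole `-j DROP` as the action; unless ruleset_addrule treats its fourth argument specially, `"-p $helper->{proto} -m $helper->{proto} --dport $helper->{dport}", "-j CT --helper $conntrack_helper"` is the consistent form and reads as one rule. A caveat also deserves a comment: the raw PREROUTING hook only sees packets arriving on an interface, so connections originated by the host itself (an FTP client on the node, for instance) traverse raw OUTPUT and get no helper from these rules — if that is intended, say so, e.g. `# helpers are bound for inbound/forwarded flows only; host-originated connections (raw OUTPUT) are not covered`. Skipping with `next if !$helper || !$helper->{"v$ipversion"};` instead of a postfix `if` on a ~150-column line would also make the per-family filtering visible at a glance. compile_iptables_raw starts outside the hunk.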
 
-- 
2.30.2





* [pve-devel] applied: [PATCH pve-firewall] Fix #4550 : host options: add nf_conntrack_helpers
  2023-03-09 15:34 [pve-devel] [PATCH pve-firewall] Fix #4550 : host options: add nf_conntrack_helpers Alexandre Derumier
@ 2023-03-13  9:46 ` Wolfgang Bumiller
  0 siblings, 0 replies; 2+ messages in thread
From: Wolfgang Bumiller @ 2023-03-13  9:46 UTC (permalink / raw)
  To: Alexandre Derumier; +Cc: pve-devel

applied, thanks




