From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AE8C390CB3 for ; Thu, 9 Mar 2023 16:34:18 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 710D3DBA8 for ; Thu, 9 Mar 2023 16:34:18 +0100 (CET) Received: from bastionodiso.odiso.net (bastionodiso.odiso.net [185.151.191.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 9 Mar 2023 16:34:17 +0100 (CET) Received: from kvmformation3.odiso.net (formationkvm3.odiso.net [10.3.94.12]) by bastionodiso.odiso.net (Postfix) with ESMTP id 50B6780B8; Thu, 9 Mar 2023 16:34:17 +0100 (CET) Received: by kvmformation3.odiso.net (Postfix, from userid 0) id 3DD6B232EC7; Thu, 9 Mar 2023 16:34:17 +0100 (CET) From: Alexandre Derumier To: pve-devel@lists.proxmox.com Date: Thu, 9 Mar 2023 16:34:16 +0100 Message-Id: <20230309153416.477566-1-aderumier@odiso.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.065 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods NO_DNS_FOR_FROM 0.001 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-firewall] Fix #4550 : host options: add nf_conntrack_helpers X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Mar 2023 15:34:18 -0000 Kernel 6.1 has removed automatic conntrack helper loading, which had been deprecated for several years. We simply need to add rules in PREROUTING to load these helpers. Supported protocols: - amanda - ftp - irc (ipv4 only) - netbios-ns (ipv4 only) - pptp (ipv4 only) - sane - sip - snmp (ipv4 only) - tftp Signed-off-by: Alexandre Derumier --- src/PVE/Firewall.pm | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4924d51..87e44e0 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm 
@@ -578,6 +578,18 @@ my $pve_fw_macros = {
 ],
 };
 
+my $pve_fw_helpers = {
+ 'amanda' => { proto => 'udp', dport => '10080', 'v4' => 1, 'v6' => 1 },
+ 'ftp' => { proto => 'tcp', dport => '21', 'v4' => 1, 'v6' => 1},
+ 'irc' => { proto => 'tcp', dport => '6667', 'v4' => 1 },
+ 'netbios-ns' => { proto => 'udp', dport => '137', 'v4' => 1 },
+ 'pptp' => { proto => 'tcp', dport => '1723', 'v4' => 1, },
+ 'sane' => { proto => 'tcp', dport => '6566', 'v4' => 1, 'v6' => 1 },
+ 'sip' => { proto => 'udp', dport => '5060', 'v4' => 1, 'v6' => 1 },
+ 'snmp' => { proto => 'udp', dport => '161', 'v4' => 1 },
+ 'tftp' => { proto => 'udp', dport => '69', 'v4' => 1, 'v6' => 1},
+};
+
 my $pve_fw_parsed_macros;
 my $pve_fw_macro_descr;
 my $pve_fw_macro_ipversion = {};
@@ -1125,6 +1137,19 @@ sub parse_port_name_number_or_range {
 return (scalar(@elements) > 1);
 }
 
+PVE::JSONSchema::register_format('pve-fw-conntrack-helper', \&pve_fw_verify_conntrack_helper);
+sub pve_fw_verify_conntrack_helper {
+ my ($list) = @_;
+
+ my @helpers = split(/,/, $list);
+ die "extraneous commas in list\n" if $list ne join(',', @helpers);
+ foreach my $helper (@helpers) {
+ die "unknown helper $helper" if !$pve_fw_helpers->{$helper};
+ }
+
+ return $list;
+}
+
 PVE::JSONSchema::register_format('pve-fw-sport-spec', \&pve_fw_verify_sport_spec);
 sub pve_fw_verify_sport_spec {
 my ($portstr) = @_;
@@ -1344,6 +1369,13 @@ our $host_option_properties = {
 default => 0,
 optional => 1,
 },
+ nf_conntrack_helpers => {
+ type => 'string', format => 'pve-fw-conntrack-helper',
+ description => "Enable conntrack helpers for specific protocols. ".
+ "Supported protocols: amanda, ftp, irc, netbios-ns, pptp, sane, sip, snmp, tftp",
+ default => '',
+ optional => 1,
+ },
 protection_synflood => {
 description => "Enable synflood protection",
 type => 'boolean',
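Review bot: The helper table carries no comment saying what its fields mean or what consumes it, so `proto`, `dport`, `v4` and `v6` are only decipherable by reading the rule generator further down the patch; a header such as `# conntrack helpers selectable via the 'nf_conntrack_helpers' host option: proto/dport identify the control connection a CT rule is attached to, v4/v6 the IP versions a helper rule is emitted for` would help. Key quoting is also inconsistent (`proto` bare, `'v4'` quoted) and the `pptp` entry has a stray trailing comma; a uniform `'pptp' => { proto => 'tcp', dport => '1723', v4 => 1 },` reads better.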
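Review bot: `die "unknown helper $helper"` lacks the trailing `\n` that the sibling `die "extraneous commas in list\n"` has, so API callers see the message suffixed with the Firewall.pm file and line number; use `die "unknown helper '$helper'\n" if !$pve_fw_helpers->{$helper};`. The check is also case-sensitive and does not trim, so `FTP` or `ftp, sip` are accepted from the config file only because `parse_hostfw_option` lowercases first, while the same strings are rejected when the schema validates this format, so the two input paths disagree; normalising here or rejecting consistently in both would fix that. Duplicates such as `ftp,ftp` pass and presumably yield duplicate CT rules; a `my %seen;` before the loop with `die "duplicate helper '$helper'\n" if $seen{$helper}++;` inside it closes that.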
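Review bot: The `description` hardcodes the helper names that `$pve_fw_helpers` (declared earlier in this file) already holds, so the two will drift when a helper is added; `"Supported protocols: " . join(', ', sort keys %$pve_fw_helpers)` keeps them in sync. The description should also say what enabling a helper means for the firewall: the kernel helper parses the payload of every matching flow and opens dynamic conntrack expectations for the related connections it announces, which widens what is accepted and is the reason automatic helper loading was removed in the first place. A sentence such as `"A helper lets the kernel inspect matching traffic and accept related connections it announces; enable only the protocols you actually need."` belongs in this property.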
@@ -2879,6 +2911,10 @@ sub parse_hostfw_option {
 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
 $opt = lc($1);
 $value = $2 ? lc($3) : '';
+ } elsif ($line =~ m/^(nf_conntrack_helpers):\s*(((\S+)[,]?)+)\s*$/i) {
+ $opt = lc($1);
+ $value = lc($2);
+ pve_fw_verify_conntrack_helper($value);
 } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established|nf_conntrack_tcp_timeout_syn_recv|protection_synflood_rate|protection_synflood_burst|protection_limit):\s*(\d+)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
@@ -3729,6 +3765,9 @@ sub compile_iptables_raw {
 
 my $hostfw_options = $hostfw_conf->{options} || {};
 my $protection_synflood = $hostfw_options->{protection_synflood} || 0;
+ my $conntrack_helpers = $hostfw_options->{nf_conntrack_helpers} || '';
+
+ ruleset_create_chain($ruleset, "PVEFW-PREROUTING") if $protection_synflood != 0 || $conntrack_helpers ne '';
 
 if($protection_synflood) {
 
@@ -3739,10 +3778,14 @@ sub compile_iptables_raw {
 $protection_synflood_expire = $protection_synflood_expire * 1000;
 my $protection_synflood_mask = $ipversion == 4 ? 32 : 64;
 
- ruleset_create_chain($ruleset, "PVEFW-PREROUTING");
 ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above $protection_synflood_rate/sec --hashlimit-burst $protection_synflood_burst --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 --hashlimit-srcmask $protection_synflood_mask --hashlimit-htable-expire $protection_synflood_expire", "-j DROP");
 }
 
+ foreach my $conntrack_helper (split(/,/, $conntrack_helpers)) {
+ my $helper = $pve_fw_helpers->{$conntrack_helper};
+ ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p $helper->{proto} -m $helper->{proto} --dport $helper->{dport} -j CT", "--helper $conntrack_helper") if $helper && $helper->{"v$ipversion"};
+ }
+
 return $ruleset;
 }
 
-- 
2.30.2
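Review bot: The value pattern `(((\S+)[,]?)+)` nests a quantified group inside `+` even though `\S+` already matches commas, so the inner group adds nothing and a line that fails the trailing `\s*$` may make the regex engine try a very large number of ways to split the value; `m/^(nf_conntrack_helpers):\s*(\S+)\s*$/i` captures exactly the same values without the nesting. Note also that `lc($2)` makes helper names case-insensitive in the config file while the schema format is case-sensitive, so the accepted spellings differ by input path. `parse_hostfw_option` begins and ends outside the hunk.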
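Review bot: `PVEFW-PREROUTING` is now created whenever the option string is non-empty regardless of `$ipversion`, so a configuration listing only IPv4-only helpers (e.g. `snmp`) leaves an empty chain in the ip6tables raw table, whereas before the chain existed only when a rule went into it. Filtering first avoids that: `my @helpers = grep { $pve_fw_helpers->{$_} && $pve_fw_helpers->{$_}{"v$ipversion"} } split(/,/, $conntrack_helpers);` followed by `ruleset_create_chain($ruleset, "PVEFW-PREROUTING") if $protection_synflood || @helpers;`, with the loop further down iterating `@helpers`. Whether an empty chain is actually harmful depends on how PVEFW-PREROUTING is hooked into raw PREROUTING, which is outside this hunk.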
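Review bot: `-j CT` is passed inside the match argument and `--helper` as the action, whereas the synflood rule just above keeps the whole target in the action argument; `ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p $helper->{proto} -m $helper->{proto} --dport $helper->{dport}", "-j CT --helper $conntrack_helper")` keeps the two calls consistent. Because this is the raw PREROUTING hook, the helper is attached to every flow entering the node that matches the port, presumably including forwarded guest traffic rather than only flows addressed to the host; a comment above the loop stating that scope, and that the matching `nf_conntrack_<helper>` kernel module is what actually provides the helper, would save the next reader a surprise.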