From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id AF6EF1FF37F for ; Thu, 18 Apr 2024 18:15:52 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B787831156; Thu, 18 Apr 2024 18:14:53 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 18 Apr 2024 18:14:10 +0200 Message-Id: <20240418161434.709473-16-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com> References: <20240418161434.709473-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.288 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v3 15/39] config: firewall: add firewall macros X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller 
Signed-off-by: Stefan Hanreich 
---
 proxmox-ve-config/resources/macros.json | 914 ++++++++++++++++++++
 proxmox-ve-config/src/firewall/fw_macros.rs | 69 ++
 proxmox-ve-config/src/firewall/mod.rs | 1 +
 3 files changed, 984 insertions(+)
 create mode 100644 proxmox-ve-config/resources/macros.json
 create mode 100644 proxmox-ve-config/src/firewall/fw_macros.rs
diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json
new file mode 100644
index 0000000..67e1d89
--- /dev/null
+++ b/proxmox-ve-config/resources/macros.json
@@ -0,0 +1,914 @@ +{ + "Amanda": { + "code": [ + { + "dport": "10080", + "proto": "udp" + }, + { + "dport": "10080", + "proto": "tcp" + } + ], + "desc": "Amanda Backup" + }, + "Auth": { + "code": [ + { + "dport": "113", + "proto": "tcp" + } + ], + "desc": "Auth (identd) traffic" + }, + "BGP": { + "code": [ + { + "dport": "179", + "proto": "tcp" + } + ], + "desc": "Border Gateway Protocol traffic" + }, + "BitTorrent": { + "code": [ + { + "dport": "6881:6889", + "proto": "tcp" + }, + { + "dport": "6881", + "proto": "udp" + } + ], + "desc": "BitTorrent traffic for BitTorrent 3.1 and earlier" + }, + "BitTorrent32": { + "code": [ + { + "dport": "6881:6999", + "proto": "tcp" + }, + { + "dport": "6881", + "proto": "udp" + } + ], + "desc": "BitTorrent traffic for BitTorrent 3.2 and later" + }, + "CVS": { + "code": [ + { + "dport": "2401", + "proto": "tcp" + } + ], + "desc": "Concurrent Versions System pserver traffic" + }, + "Ceph": { + "code": [ + { + "dport": "6789", + "proto": "tcp" + }, + { + "dport": "3300", + "proto": "tcp" + }, + { + "dport": "6800:7300", + "proto": "tcp" + } + ], + "desc": "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Daemons)" + }, + "Citrix": { + "code": [ + { + "dport": "1494", + "proto": "tcp" + }, + { + "dport": "1604", + "proto": "udp" + }, + { + "dport": "2598", + "proto": "tcp" + } + ], + "desc": "Citrix/ICA traffic (ICA, ICA Browser, CGP)" + }, + "DAAP": { + "code": [ + { + "dport": "3689", + "proto": "tcp" + }, + { + "dport": "3689", + "proto": "udp" + } + ], + "desc": "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)" + }, + "DCC": { + "code": [ + { + "dport": "6277", + "proto": "tcp" + } + ], + "desc": "Distributed Checksum Clearinghouse spam filtering mechanism" + }, + "DHCPfwd": { + "code": [ + { + "dport": "67:68", + "proto": "udp", + "sport": "67:68" + } + ], + "desc": "Forwarded DHCP traffic" + }, + "DHCPv6": { + "code": [ + { + "dport": "546:547", + "proto": "udp", + "sport": "546:547" + } + ], + "desc": 
"DHCPv6 traffic" + }, + "DNS": { + "code": [ + { + "dport": "53", + "proto": "udp" + }, + { + "dport": "53", + "proto": "tcp" + } + ], + "desc": "Domain Name System traffic (upd and tcp)" + }, + "Distcc": { + "code": [ + { + "dport": "3632", + "proto": "tcp" + } + ], + "desc": "Distributed Compiler service" + }, + "FTP": { + "code": [ + { + "dport": "21", + "proto": "tcp" + } + ], + "desc": "File Transfer Protocol" + }, + "Finger": { + "code": [ + { + "dport": "79", + "proto": "tcp" + } + ], + "desc": "Finger protocol (RFC 742)" + }, + "GNUnet": { + "code": [ + { + "dport": "2086", + "proto": "tcp" + }, + { + "dport": "2086", + "proto": "udp" + }, + { + "dport": "1080", + "proto": "tcp" + }, + { + "dport": "1080", + "proto": "udp" + } + ], + "desc": "GNUnet secure peer-to-peer networking traffic" + }, + "GRE": { + "code": [ + { + "proto": "47" + } + ], + "desc": "Generic Routing Encapsulation tunneling protocol" + }, + "Git": { + "code": [ + { + "dport": "9418", + "proto": "tcp" + } + ], + "desc": "Git distributed revision control traffic" + }, + "HKP": { + "code": [ + { + "dport": "11371", + "proto": "tcp" + } + ], + "desc": "OpenPGP HTTP key server protocol traffic" + }, + "HTTP": { + "code": [ + { + "dport": "80", + "proto": "tcp" + } + ], + "desc": "Hypertext Transfer Protocol (WWW)" + }, + "HTTPS": { + "code": [ + { + "dport": "443", + "proto": "tcp" + } + ], + "desc": "Hypertext Transfer Protocol (WWW) over SSL" + }, + "HTTP/3": { + "code": [ + { + "dport": "443", + "proto": "udp" + } + ], + "desc": "Hypertext Transfer Protocol v3" + }, + "ICPV2": { + "code": [ + { + "dport": "3130", + "proto": "udp" + } + ], + "desc": "Internet Cache Protocol V2 (Squid) traffic" + }, + "ICQ": { + "code": [ + { + "dport": "5190", + "proto": "tcp" + } + ], + "desc": "AOL Instant Messenger traffic" + }, + "IMAP": { + "code": [ + { + "dport": "143", + "proto": "tcp" + } + ], + "desc": "Internet Message Access Protocol" + }, + "IMAPS": { + "code": [ + { + "dport": "993", + 
"proto": "tcp" + } + ], + "desc": "Internet Message Access Protocol over SSL" + }, + "IPIP": { + "code": [ + { + "proto": "94" + } + ], + "desc": "IPIP capsulation traffic" + }, + "IPsec": { + "code": [ + { + "dport": "500", + "proto": "udp", + "sport": "500" + }, + { + "proto": "50" + } + ], + "desc": "IPsec traffic" + }, + "IPsecah": { + "code": [ + { + "dport": "500", + "proto": "udp", + "sport": "500" + }, + { + "proto": "51" + } + ], + "desc": "IPsec authentication (AH) traffic" + }, + "IPsecnat": { + "code": [ + { + "dport": "500", + "proto": "udp" + }, + { + "dport": "4500", + "proto": "udp" + }, + { + "proto": "50" + } + ], + "desc": "IPsec traffic and Nat-Traversal" + }, + "IRC": { + "code": [ + { + "dport": "6667", + "proto": "tcp" + } + ], + "desc": "Internet Relay Chat traffic" + }, + "Jetdirect": { + "code": [ + { + "dport": "9100", + "proto": "tcp" + } + ], + "desc": "HP Jetdirect printing" + }, + "L2TP": { + "code": [ + { + "dport": "1701", + "proto": "udp" + } + ], + "desc": "Layer 2 Tunneling Protocol traffic" + }, + "LDAP": { + "code": [ + { + "dport": "389", + "proto": "tcp" + } + ], + "desc": "Lightweight Directory Access Protocol traffic" + }, + "LDAPS": { + "code": [ + { + "dport": "636", + "proto": "tcp" + } + ], + "desc": "Secure Lightweight Directory Access Protocol traffic" + }, + "MDNS": { + "code": [ + { + "dport": "5353", + "proto": "udp" + } + ], + "desc": "Multicast DNS" + }, + "MSNP": { + "code": [ + { + "dport": "1863", + "proto": "tcp" + } + ], + "desc": "Microsoft Notification Protocol" + }, + "MSSQL": { + "code": [ + { + "dport": "1433", + "proto": "tcp" + } + ], + "desc": "Microsoft SQL Server" + }, + "Mail": { + "code": [ + { + "dport": "25", + "proto": "tcp" + }, + { + "dport": "465", + "proto": "tcp" + }, + { + "dport": "587", + "proto": "tcp" + } + ], + "desc": "Mail traffic (SMTP, SMTPS, Submission)" + }, + "Munin": { + "code": [ + { + "dport": "4949", + "proto": "tcp" + } + ], + "desc": "Munin networked resource monitoring 
traffic" + }, + "MySQL": { + "code": [ + { + "dport": "3306", + "proto": "tcp" + } + ], + "desc": "MySQL server" + }, + "NNTP": { + "code": [ + { + "dport": "119", + "proto": "tcp" + } + ], + "desc": "NNTP traffic (Usenet)." + }, + "NNTPS": { + "code": [ + { + "dport": "563", + "proto": "tcp" + } + ], + "desc": "Encrypted NNTP traffic (Usenet)" + }, + "NTP": { + "code": [ + { + "dport": "123", + "proto": "udp" + } + ], + "desc": "Network Time Protocol (ntpd)" + }, + "NeighborDiscovery": { + "code": [ + { + "dport": "nd-router-solicit", + "proto": "icmpv6" + }, + { + "dport": "nd-router-advert", + "proto": "icmpv6" + }, + { + "dport": "nd-neighbor-solicit", + "proto": "icmpv6" + }, + { + "dport": "nd-neighbor-advert", + "proto": "icmpv6" + } + ], + "desc": "IPv6 neighbor solicitation, neighbor and router advertisement" + }, + "OSPF": { + "code": [ + { + "proto": "89" + } + ], + "desc": "OSPF multicast traffic" + }, + "OpenVPN": { + "code": [ + { + "dport": "1194", + "proto": "udp" + } + ], + "desc": "OpenVPN traffic" + }, + "PBS": { + "code": [ + { + "dport": "8007", + "proto": "tcp" + } + ], + "desc": "Proxmox Backup Server" + }, + "PCA": { + "code": [ + { + "dport": "5632", + "proto": "udp" + }, + { + "dport": "5631", + "proto": "tcp" + } + ], + "desc": "Symantec PCAnywere (tm)" + }, + "PMG": { + "code": [ + { + "dport": "8006", + "proto": "tcp" + } + ], + "desc": "Proxmox Mail Gateway web interface" + }, + "POP3": { + "code": [ + { + "dport": "110", + "proto": "tcp" + } + ], + "desc": "POP3 traffic" + }, + "POP3S": { + "code": [ + { + "dport": "995", + "proto": "tcp" + } + ], + "desc": "Encrypted POP3 traffic" + }, + "PPtP": { + "code": [ + { + "proto": "47" + }, + { + "dport": "1723", + "proto": "tcp" + } + ], + "desc": "Point-to-Point Tunneling Protocol" + }, + "Ping": { + "code": [ + { + "dport": "echo-request", + "proto": "icmp" + } + ], + "desc": "ICMP echo request" + }, + "PostgreSQL": { + "code": [ + { + "dport": "5432", + "proto": "tcp" + } + ], + "desc": 
"PostgreSQL server" + }, + "Printer": { + "code": [ + { + "dport": "515", + "proto": "tcp" + } + ], + "desc": "Line Printer protocol printing" + }, + "RDP": { + "code": [ + { + "dport": "3389", + "proto": "tcp" + } + ], + "desc": "Microsoft Remote Desktop Protocol traffic" + }, + "RIP": { + "code": [ + { + "dport": "520", + "proto": "udp" + } + ], + "desc": "Routing Information Protocol (bidirectional)" + }, + "RNDC": { + "code": [ + { + "dport": "953", + "proto": "tcp" + } + ], + "desc": "BIND remote management protocol" + }, + "Razor": { + "code": [ + { + "dport": "2703", + "proto": "tcp" + } + ], + "desc": "Razor Antispam System" + }, + "Rdate": { + "code": [ + { + "dport": "37", + "proto": "tcp" + } + ], + "desc": "Remote time retrieval (rdate)" + }, + "Rsync": { + "code": [ + { + "dport": "873", + "proto": "tcp" + } + ], + "desc": "Rsync server" + }, + "SANE": { + "code": [ + { + "dport": "6566", + "proto": "tcp" + } + ], + "desc": "SANE network scanning" + }, + "SMB": { + "code": [ + { + "dport": "135,445", + "proto": "udp" + }, + { + "dport": "137:139", + "proto": "udp" + }, + { + "dport": "1024:65535", + "proto": "udp", + "sport": "137" + }, + { + "dport": "135,139,445", + "proto": "tcp" + } + ], + "desc": "Microsoft SMB traffic" + }, + "SMBswat": { + "code": [ + { + "dport": "901", + "proto": "tcp" + } + ], + "desc": "Samba Web Administration Tool" + }, + "SMTP": { + "code": [ + { + "dport": "25", + "proto": "tcp" + } + ], + "desc": "Simple Mail Transfer Protocol" + }, + "SMTPS": { + "code": [ + { + "dport": "465", + "proto": "tcp" + } + ], + "desc": "Encrypted Simple Mail Transfer Protocol" + }, + "SNMP": { + "code": [ + { + "dport": "161:162", + "proto": "udp" + }, + { + "dport": "161", + "proto": "tcp" + } + ], + "desc": "Simple Network Management Protocol" + }, + "SPAMD": { + "code": [ + { + "dport": "783", + "proto": "tcp" + } + ], + "desc": "Spam Assassin SPAMD traffic" + }, + "SSH": { + "code": [ + { + "dport": "22", + "proto": "tcp" + } + ], + 
"desc": "Secure shell traffic" + }, + "SVN": { + "code": [ + { + "dport": "3690", + "proto": "tcp" + } + ], + "desc": "Subversion server (svnserve)" + }, + "SixXS": { + "code": [ + { + "dport": "3874", + "proto": "tcp" + }, + { + "dport": "3740", + "proto": "udp" + }, + { + "proto": "41" + }, + { + "dport": "5072,8374", + "proto": "udp" + } + ], + "desc": "SixXS IPv6 Deployment and Tunnel Broker" + }, + "Squid": { + "code": [ + { + "dport": "3128", + "proto": "tcp" + } + ], + "desc": "Squid web proxy traffic" + }, + "Submission": { + "code": [ + { + "dport": "587", + "proto": "tcp" + } + ], + "desc": "Mail message submission traffic" + }, + "Syslog": { + "code": [ + { + "dport": "514", + "proto": "udp" + }, + { + "dport": "514", + "proto": "tcp" + } + ], + "desc": "Syslog protocol (RFC 5424) traffic" + }, + "TFTP": { + "code": [ + { + "dport": "69", + "proto": "udp" + } + ], + "desc": "Trivial File Transfer Protocol traffic" + }, + "Telnet": { + "code": [ + { + "dport": "23", + "proto": "tcp" + } + ], + "desc": "Telnet traffic" + }, + "Telnets": { + "code": [ + { + "dport": "992", + "proto": "tcp" + } + ], + "desc": "Telnet over SSL" + }, + "Time": { + "code": [ + { + "dport": "37", + "proto": "tcp" + } + ], + "desc": "RFC 868 Time protocol" + }, + "Trcrt": { + "code": [ + { + "dport": "33434:33524", + "proto": "udp" + }, + { + "dport": "echo-request", + "proto": "icmp" + } + ], + "desc": "Traceroute (for up to 30 hops) traffic" + }, + "VNC": { + "code": [ + { + "dport": "5900:5999", + "proto": "tcp" + } + ], + "desc": "VNC traffic for VNC display's 0 - 99" + }, + "VNCL": { + "code": [ + { + "dport": "5500", + "proto": "tcp" + } + ], + "desc": "VNC traffic from Vncservers to Vncviewers in listen mode" + }, + "Web": { + "code": [ + { + "dport": "80", + "proto": "tcp" + }, + { + "dport": "443", + "proto": "tcp" + } + ], + "desc": "WWW traffic (HTTP and HTTPS)" + }, + "Webcache": { + "code": [ + { + "dport": "8080", + "proto": "tcp" + } + ], + "desc": "Web Cache/Proxy 
traffic (port 8080)"
+ },
+ "Webmin": {
+ "code": [
+ {
+ "dport": "10000",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Webmin traffic"
+ },
+ "Whois": {
+ "code": [
+ {
+ "dport": "43",
+ "proto": "tcp"
+ }
+ ],
+ "desc": "Whois (nicname, RFC 3912) traffic"
+ }
+}
diff --git a/proxmox-ve-config/src/firewall/fw_macros.rs b/proxmox-ve-config/src/firewall/fw_macros.rs
new file mode 100644
index 0000000..5fa8dab
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/fw_macros.rs
@@ -0,0 +1,69 @@
+use std::collections::HashMap;
+
+use serde::Deserialize;
+use std::sync::OnceLock;
+
+use crate::firewall::types::rule_match::Protocol;
+
+use super::types::rule_match::RuleOptions;
+
+#[derive(Clone, Debug, Default, Deserialize)]
+struct FwMacroData {
+ #[serde(rename = "desc")]
+ pub description: &'static str,
+ pub code: Vec,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct FwMacro {
+ pub _description: &'static str,
+ pub code: Vec,
+}
+
+fn macros() -> &'static HashMap {
+ const MACROS: &str = include_str!("../../resources/macros.json");
+ static HASHMAP: OnceLock> = OnceLock::new();
+
+ HASHMAP.get_or_init(|| {
+ let macro_data: HashMap = match serde_json::from_str(MACROS) {
+ Ok(m) => m,
+ Err(err) => {
+ log::error!("could not load data for macros: {err}");
+ HashMap::new()
+ }
+ };
+
+ let mut macros = HashMap::new();
+
+ 'outer: for (name, data) in macro_data {
+ let mut code = Vec::new();
+
+ for c in data.code {
+ match Protocol::from_options(&c) {
+ Ok(Some(p)) => code.push(p),
+ Ok(None) => {
+ continue 'outer;
+ }
+ Err(err) => {
+ log::error!("could not parse data for macro {name}: {err}");
+ continue 'outer;
+ }
+ }
+ }
+
+ macros.insert(
+ name,
+ FwMacro {
+ _description: data.description,
+ code,
+ },
+ );
+ }
+
+ macros
+ })
+}
+
+pub fn get_macro(name: &str) -> Option<&'static FwMacro> {
+ macros().get(name)
+}
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index afc3dcc..0f438ca 100644
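Review bot: The third `SMB` rule, `{"dport": "1024:65535", "proto": "udp", "sport": "137"}`, matches only on a peer-chosen source port, so any host that binds UDP 137 locally can reach every unprivileged UDP port behind a rule that uses this macro — it is effectively an allow-all for UDP high ports and deserves either a warning in its `desc` or a check whether it is still needed for NetBIOS name replies. `DHCPfwd`, `DHCPv6`, `IPsec` and `IPsecah` also key on `sport`; that is conventional for those protocols, but it is the same spoofable signal and worth a note in the macro description. Several `desc` strings carry typos that will reach users if the description is ever displayed (`upd and tcp`, `Rythmbox`, `PCAnywere`, `IPIP capsulation`). Whether a macro key containing a slash (`HTTP/3`) passes the macro-name validation in the rule parser cannot be seen from this hunk and should be confirmed.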
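Review bot: In `macros()`, the `Ok(None)` arm of the `Protocol::from_options` match drops the whole macro with `continue 'outer` and no diagnostic, while the adjacent `Err` arm logs at error level; a macro with one unrepresentable rule silently vanishes from the table and `get_macro` later returns `None` for a name that is present in `macros.json`. Suggest `log::warn!("skipping macro {name}: rule has no protocol match");` before that `continue`. Likewise, a failed `serde_json::from_str(MACROS)` is logged and replaced by an empty map, but the file is embedded with `include_str!`, so a parse failure is a packaging defect rather than a runtime condition, and a hard `expect("embedded macros.json is valid")` would surface it at first use instead of turning every macro lookup into a miss. `pub struct FwMacro` and `pub fn get_macro` have no doc comments; since the lookup is a plain `HashMap::get`, a one-liner such as `/// Looks up a built-in firewall macro by its case-sensitive name.` would state the contract callers rely on.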
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,5 +1,6 @@
 pub mod cluster;
 pub mod common;
+pub mod fw_macros;
 pub mod guest;
 pub mod host;
 pub mod ports;
-- 
2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel