From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Tue, 12 Nov 2024 13:26:15 +0100
Message-Id: <20241112122615.88854-19-s.hanreich@proxmox.com>
In-Reply-To: <20241112122615.88854-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction

Additionally add information about the SDN VNet firewall, which has been introduced with these changes.
Signed-off-by: Stefan Hanreich --- Makefile | 1 + gen-pve-firewall-vnet-opts.pl | 12 +++++++ pve-firewall-vnet-opts.adoc | 8 +++++ pve-firewall.adoc | 65 +++++++++++++++++++++++++++++++---- 4 files changed, 80 insertions(+), 6 deletions(-) create mode 100755 gen-pve-firewall-vnet-opts.pl create mode 100644 pve-firewall-vnet-opts.adoc diff --git a/Makefile b/Makefile index 801a2a3..f30d77a 100644 --- a/Makefile +++ b/Makefile @@ -62,6 +62,7 @@ GEN_SCRIPTS= \ gen-pve-firewall-macros-adoc.pl \ gen-pve-firewall-rules-opts.pl \ gen-pve-firewall-vm-opts.pl \ + gen-pve-firewall-vnet-opts.pl \ gen-output-format-opts.pl API_VIEWER_FILES= \ diff --git a/gen-pve-firewall-vnet-opts.pl b/gen-pve-firewall-vnet-opts.pl new file mode 100755 index 0000000..c9f4f13 --- /dev/null +++ b/gen-pve-firewall-vnet-opts.pl @@ -0,0 +1,12 @@ +#!/usr/bin/perl + +use lib '.'; +use strict; +use warnings; + +use PVE::Firewall; +use PVE::RESTHandler; + +my $prop = $PVE::Firewall::vnet_option_properties; + +print PVE::RESTHandler::dump_properties($prop); diff --git a/pve-firewall-vnet-opts.adoc b/pve-firewall-vnet-opts.adoc new file mode 100644 index 0000000..ed1e88f --- /dev/null +++ b/pve-firewall-vnet-opts.adoc @@ -0,0 +1,8 @@ +`enable`: `` ('default =' `0`):: + +Enable/disable firewall rules. + +`policy_forward`: `` :: + +Forward policy. + diff --git a/pve-firewall.adoc b/pve-firewall.adoc index b428703..d5c664f 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc 
@@ -48,18 +48,34 @@ there is no need to maintain a different set of rules for IPv6. Zones ----- -The Proxmox VE firewall groups the network into the following logical zones: +The Proxmox VE firewall groups the network into the following logical zones. +Depending on the zone, you can define firewall rules for incoming, outgoing or +forwarded traffic. Host:: -Traffic from/to a cluster node +Traffic going from/to a host or traffic that is forwarded by a host. + +You can define rules for this zone either at the datacenter level or at the node +level. Rules at node level take precedence over rules at datacenter level. VM:: -Traffic from/to a specific VM +Traffic going from/to a VM or CT. + +You cannot define rules for the forward direction, only for incoming / outgoing. + +VNet:: -For each zone, you can define firewall rules for incoming and/or -outgoing traffic. +Traffic passing through a SDN VNet, either from guest to guest or from host to +guest and vice-versa. Since this traffic is always forwarded traffic, it is only +possible to create rules with direction forward. + + +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently +only possible when using the new +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward rules will be +ignored by the stock `pve-firewall` and have no effect! Configuration Files 
@@ -202,10 +218,46 @@ can selectively enable the firewall for each interface. This is required in addition to the general firewall `enable` option. +[[pve_firewall_vnet_configuration]] +VNet Configuration +~~~~~~~~~~~~~~~~~~ +VNet related configuration is read from: + + /etc/pve/sdn/firewall/.fw + +This can be used for setting firewall configuration globally on a VNet level, +without having to set firewall rules for each VM inside the VNet separately. It +can only contain rules for the `FORWARD` direction, since there is no notion of +incoming or outgoing traffic. This affects all traffic travelling from one +bridge port to another, including the host interface. + +WARNING: This feature is currently only available for the new +xref:pve_firewall_nft[nftables-based proxmox-firewall] + +Since traffic passing the `FORWARD` chain is bi-directional, you need to create +rules for both directions if you want traffic to pass both ways. For instance if +HTTP traffic for a specific host should be allowed, you would need to create the +following rules: + +---- +FORWARD ACCEPT -dest 10.0.0.1 -dport 80 +FORWARD ACCEPT -source 10.0.0.1 -sport 80 +---- + +`[OPTIONS]`:: + +This is used to set VNet related firewall options. + +include::pve-firewall-vnet-opts.adoc[] + +`[RULES]`:: + +This section contains VNet specific firewall rules. + Firewall Rules -------------- -Firewall rules consists of a direction (`IN` or `OUT`) and an +Firewall rules consists of a direction (`IN`, `OUT` or `FORWARD`) and an action (`ACCEPT`, `DENY`, `REJECT`). You can also specify a macro name. Macros contain predefined sets of rules and options. Rules can be disabled by prefixing them with `|`. @@ -639,6 +691,7 @@ Ports used by {pve} * live migration (VM memory and local-disk data): 60000-60050 (TCP) +[[pve_firewall_nft]] nftables -------- -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
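Review bot: the generated entry for `policy_forward` in pve-firewall-vnet-opts.adoc reads only "Forward policy." and, unlike the `enable` entry right above it (which shows `'default =' 0`), names neither the accepted values nor the default. Since this file is produced by gen-pve-firewall-vnet-opts.pl from `$PVE::Firewall::vnet_option_properties`, the fix belongs in that property's description in pve-firewall (list the permitted actions and the default); regenerate the .adoc afterwards rather than editing it by hand.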
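Review bot: in the Zones hunk, "Traffic passing through a SDN VNet" should read "an SDN VNet" (the commit message itself says "the SDN VNet firewall"). The same hunk also leaves two consecutive blank lines between "possible to create rules with direction forward." and the IMPORTANT admonition, where the rest of the section separates blocks with one.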
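Review bot: the two example rules in the VNet Configuration hunk match on ports without naming a protocol (`FORWARD ACCEPT -dest 10.0.0.1 -dport 80` and `FORWARD ACCEPT -source 10.0.0.1 -sport 80`); `dport`/`sport` are only meaningful for a layer-4 protocol, so both lines should carry `-p tcp`, e.g. `FORWARD ACCEPT -p tcp -dest 10.0.0.1 -dport 80`. Two smaller points in the same hunk: the WARNING line ending in "nftables-based proxmox-firewall]" is missing its full stop, and "For instance if HTTP traffic" wants a comma after "instance".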
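Review bot: the line rewritten in the Firewall Rules hunk keeps the pre-existing grammar error "Firewall rules consists of"; since the line is being touched anyway to add `FORWARD`, change it to "Firewall rules consist of a direction (`IN`, `OUT` or `FORWARD`) and an".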