* [pve-devel] [PATCH pve-firewall v6 1/4] add support for loading sdn firewall configuration
2024-11-18 17:38 [pve-devel] [PATCH docs/firewall/manager v6 0/4] autogenerate ipsets for sdn objects Stefan Hanreich
@ 2024-11-18 17:38 ` Stefan Hanreich
2024-11-18 17:38 ` [pve-devel] [PATCH pve-firewall v6 2/4] ipsets: return sdn ipsets from api Stefan Hanreich
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Stefan Hanreich @ 2024-11-18 17:38 UTC (permalink / raw)
To: pve-devel
This also includes support for parsing rules referencing IPSets in the
new SDN scope and generating those IPSets in the firewall. We always
load the new configuration, since loading the configuration always
includes validating the loaded rules. Validation fails without
including the SDN ipsets, leading to syslog error messages.
In the API, we only use the IPSets the user is actually allowed to use
for validating the rules - preventing users from using autogenerated
IPSets they have no permission for.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/API2/Firewall/Helpers.pm | 50 ++++++++++++++++++++++++++++++++
src/PVE/API2/Firewall/Makefile | 1 +
src/PVE/API2/Firewall/Rules.pm | 15 ++++++++++
src/PVE/Firewall.pm | 43 ++++++++++++++++++++++-----
src/PVE/Service/pve_firewall.pm | 4 +--
5 files changed, 103 insertions(+), 10 deletions(-)
create mode 100644 src/PVE/API2/Firewall/Helpers.pm
diff --git a/src/PVE/API2/Firewall/Helpers.pm b/src/PVE/API2/Firewall/Helpers.pm
new file mode 100644
index 0000000..a8c6fea
--- /dev/null
+++ b/src/PVE/API2/Firewall/Helpers.pm
@@ -0,0 +1,50 @@
+package PVE::API2::Firewall::Helpers;
+
+use strict;
+use warnings;
+
+use PVE::Cluster;
+use PVE::Network::SDN::Vnets;
+use PVE::RPCEnvironment;
+
+sub get_allowed_vnets {
+ my $rpcenv = eval { PVE::RPCEnvironment::get() };
+
+ if ($@) {
+ warn "could not initialize RPCEnvironment";
+ return {};
+ }
+
+ my $authuser = $rpcenv->get_user();
+
+ my $vnets = PVE::Network::SDN::Vnets::config(1);
+ my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+ my $allowed_vnets = [];
+ foreach my $vnet (sort keys %{$vnets->{ids}}) {
+ my $zone = $vnets->{ids}->{$vnet}->{zone};
+ next if !$rpcenv->check_any($authuser, "/sdn/zones/$zone/$vnet", $privs, 1);
+ push @$allowed_vnets, $vnet;
+ }
+
+ return $allowed_vnets;
+}
+
+sub get_allowed_vms {
+ my $rpcenv = eval { PVE::RPCEnvironment::get() };
+
+ if ($@) {
+ warn "could not initialize RPCEnvironment";
+ return {};
+ }
+
+ my $authuser = $rpcenv->get_user();
+
+ my $guests = PVE::Cluster::get_vmlist();
+
+ return [
+ grep { $rpcenv->check($authuser, "/vms/$_", [ 'VM.Audit' ], 1) } sort keys $guests->{ids}->%*
+ ];
+}
+
+1;
diff --git a/src/PVE/API2/Firewall/Makefile b/src/PVE/API2/Firewall/Makefile
index e916755..6be8261 100644
--- a/src/PVE/API2/Firewall/Makefile
+++ b/src/PVE/API2/Firewall/Makefile
@@ -4,6 +4,7 @@ PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
LIB_SOURCES= \
Aliases.pm \
+ Helpers.pm \
IPSet.pm \
Rules.pm \
Cluster.pm \
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 9fcfb20..874fc37 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -7,6 +7,7 @@ use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_param_exc);
use PVE::Firewall;
+use PVE::API2::Firewall::Helpers;
use base qw(PVE::RESTHandler);
@@ -237,6 +238,13 @@ sub register_create_rule {
my $rule = {};
+ # reloading the scoped SDN config for verification, so users can
+ # only use IPSets they have permissions for
+ my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+ my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+ my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+ $cluster_conf->{sdn} = $sdn_conf;
+
PVE::Firewall::copy_rule_data($rule, $param);
PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
@@ -320,6 +328,13 @@ sub register_update_rule {
PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
+ # reloading the scoped SDN config for verification, so users can
+ # only use IPSets they have permissions for
+ my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+ my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+ my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+ $cluster_conf->{sdn} = $sdn_conf;
+
PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
}
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a69d5dd..8cfe55d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -20,11 +20,13 @@ use PVE::INotify;
use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Network;
use PVE::ProcFSTools;
+use PVE::RPCEnvironment;
use PVE::SafeSyslog;
use PVE::Tools qw($IPV4RE $IPV6RE);
use PVE::Tools qw(run_command lock_file dir_glob_foreach);
use PVE::Firewall::Helpers;
+use PVE::RS::Firewall::SDN;
my $pvefw_conf_dir = "/etc/pve/firewall";
my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
@@ -1689,10 +1691,15 @@ sub verify_rule {
if (my $value = $rule->{$name}) {
if ($value =~ m/^\+/) {
- if ($value =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
- &$add_error($name, "no such ipset '$2'")
- if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2}));
-
+ if ($value =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) {
+ if (
+ !($cluster_conf->{ipset}->{$2})
+ && !($fw_conf && $fw_conf->{ipset}->{$2})
+ && !($cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$2})
+ && !($fw_conf->{sdn} && $fw_conf->{sdn}->{ipset}->{$2})
+ ) {
+ $add_error->($name, "no such ipset '$2'")
+ }
} else {
&$add_error($name, "invalid ipset name '$value'");
}
@@ -2108,13 +2115,18 @@ sub ipt_gen_src_or_dst_match {
my $match;
if ($adr =~ m/^\+/) {
- if ($adr =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
+ if ($adr =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) {
my $scope = $1 // "";
my $name = $2;
my $ipset_chain;
- if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) {
+
+ my $is_scope = sub { return !$scope || $scope eq "$_[0]/" };
+
+ if ($is_scope->('guest') && $fw_conf && $fw_conf->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
- } elsif ($scope ne 'guest/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ } elsif ($is_scope->('dc') && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
+ } elsif ($is_scope->('sdn') && $cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$name}) {
$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
} else {
die "no such ipset '$name'\n";
@@ -3655,6 +3667,7 @@ sub load_clusterfw_conf {
group_comments => {},
ipset => {} ,
ipset_comments => {},
+ sdn => load_sdn_conf(),
};
my $cluster_conf = generic_fw_config_parser($filename, $empty_conf, $empty_conf, 'cluster');
@@ -3663,6 +3676,19 @@ sub load_clusterfw_conf {
return $cluster_conf;
}
+sub load_sdn_conf {
+ my ($allowed_vms, $allowed_vnets) = @_;
+
+ my $empty_sdn_config = { ipset => {} , ipset_comments => {} };
+
+ my $sdn_config = eval {
+ PVE::RS::Firewall::SDN::config($allowed_vnets, $allowed_vms)
+ };
+ warn $@ if $@;
+
+ return $sdn_config // $empty_sdn_config;
+}
+
sub save_clusterfw_conf {
my ($cluster_conf) = @_;
@@ -3768,7 +3794,7 @@ sub compile {
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir);
} else { # normal operation
- $cluster_conf = load_clusterfw_conf(undef) if !$cluster_conf;
+ $cluster_conf = load_clusterfw_conf() if !$cluster_conf;
$hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
@@ -4043,6 +4069,7 @@ sub compile_ipsets {
}
generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{ipset});
+ generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{sdn}->{ipset});
return $ipset_ruleset;
}
diff --git a/src/PVE/Service/pve_firewall.pm b/src/PVE/Service/pve_firewall.pm
index 65cb2b8..02b507a 100755
--- a/src/PVE/Service/pve_firewall.pm
+++ b/src/PVE/Service/pve_firewall.pm
@@ -158,7 +158,7 @@ __PACKAGE__->register_method ({
PVE::Firewall::set_verbose(1); # show syntax errors
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
$res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
if ($status eq 'running') {
@@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
PVE::Firewall::set_verbose(1);
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
print "ipset cmdlist:\n";
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH pve-firewall v6 2/4] ipsets: return sdn ipsets from api
2024-11-18 17:38 [pve-devel] [PATCH docs/firewall/manager v6 0/4] autogenerate ipsets for sdn objects Stefan Hanreich
2024-11-18 17:38 ` [pve-devel] [PATCH pve-firewall v6 1/4] add support for loading sdn firewall configuration Stefan Hanreich
@ 2024-11-18 17:38 ` Stefan Hanreich
2024-11-18 17:38 ` [pve-devel] [PATCH pve-manager v6 3/4] firewall: add sdn scope to IPRefSelector Stefan Hanreich
2024-11-18 17:38 ` [pve-devel] [PATCH pve-docs v6 4/4] sdn: add documentation for firewall integration Stefan Hanreich
3 siblings, 0 replies; 5+ messages in thread
From: Stefan Hanreich @ 2024-11-18 17:38 UTC (permalink / raw)
To: pve-devel
In order for the new SDN ipsets to show up we need to adapt the
existing API endpoints so they read the SDN configuration. We reload
the SDN configuration explicitly, in order to return only the IPSets
the user is allowed to see.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 12 +++++++++++-
src/PVE/API2/Firewall/VM.pm | 10 +++++++++-
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 48ad90d..4d51b34 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -9,6 +9,7 @@ use PVE::Firewall;
use PVE::API2::Firewall::Aliases;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Groups;
+use PVE::API2::Firewall::Helpers;
use PVE::API2::Firewall::IPSet;
#fixme: locking?
@@ -255,7 +256,16 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
+ # we are explicitly loading the SDN config here with the scope of the current
+ # API user, so we only return the IPSets that the user can actually use
+ my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+ my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+ my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+
+ my $cluster_refs = PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
+ my $sdn_refs = PVE::Firewall::Helpers::collect_refs($sdn_conf, $param->{type}, "sdn");
+
+ return [@$sdn_refs, @$cluster_refs];
}});
1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 4222103..2d25735 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -8,6 +8,7 @@ use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
+use PVE::API2::Firewall::Helpers;
use PVE::API2::Firewall::Aliases;
@@ -281,10 +282,17 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
+ # we are explicitly loading the SDN config here with the scope of the current
+ # API user, so we only return the IPSets that the user can actually use
+ my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+ my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+ my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+
my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $sdn_refs = PVE::Firewall::Helpers::collect_refs($sdn_conf, $param->{type}, "sdn");
my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return [@$dc_refs, @$vm_refs];
+ return [@$dc_refs, @$sdn_refs, @$vm_refs];
}});
}
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread