From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 711E11FF170
	for <inbox@lore.proxmox.com>; Tue, 19 Nov 2024 16:36:48 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 152F82F32F;
	Tue, 19 Nov 2024 16:36:45 +0100 (CET)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 19 Nov 2024 16:36:06 +0100
Message-Id: <20241119153610.228658-2-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241119153610.228658-1-s.hanreich@proxmox.com>
References: <20241119153610.228658-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.232 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
 methods
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_NONE                0.001 SPF: sender does not publish an SPF Record
Subject: [pve-devel] [PATCH pve-firewall v8 1/5] add support for loading sdn
 firewall configuration
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

This also includes support for parsing rules referencing IPSets in the
new SDN scope and generating those IPSets in the firewall. We always
load the new configuration, since loading the configuration always
includes validating the loaded rules. Validation fails without
including the SDN ipsets, leading to syslog error messages.

In the API, we only use the IPSets the user is actually allowed to use
for validating the rules - preventing users from using autogenerated
IPSets they have no permission for.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/API2/Firewall/Helpers.pm | 50 ++++++++++++++++++++++++++++++++
 src/PVE/API2/Firewall/Makefile   |  1 +
 src/PVE/API2/Firewall/Rules.pm   | 25 ++++++++++++++++
 src/PVE/Firewall.pm              | 42 ++++++++++++++++++++++-----
 src/PVE/Service/pve_firewall.pm  |  4 +--
 5 files changed, 112 insertions(+), 10 deletions(-)
 create mode 100644 src/PVE/API2/Firewall/Helpers.pm

diff --git a/src/PVE/API2/Firewall/Helpers.pm b/src/PVE/API2/Firewall/Helpers.pm
new file mode 100644
index 0000000..a8c6fea
--- /dev/null
+++ b/src/PVE/API2/Firewall/Helpers.pm
@@ -0,0 +1,50 @@
+package PVE::API2::Firewall::Helpers;
+
+use strict;
+use warnings;
+
+use PVE::Cluster;
+use PVE::Network::SDN::Vnets;
+use PVE::RPCEnvironment;
+
+sub get_allowed_vnets {
+    my $rpcenv = eval { PVE::RPCEnvironment::get() };
+
+    if ($@) {
+	warn "could not initialize RPCEnvironment";
+	return {};
+    }
+
+    my $authuser = $rpcenv->get_user();
+
+    my $vnets = PVE::Network::SDN::Vnets::config(1);
+    my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+    my $allowed_vnets = [];
+    foreach my $vnet (sort keys %{$vnets->{ids}}) {
+	my $zone = $vnets->{ids}->{$vnet}->{zone};
+	next if !$rpcenv->check_any($authuser, "/sdn/zones/$zone/$vnet", $privs, 1);
+	push @$allowed_vnets, $vnet;
+    }
+
+    return $allowed_vnets;
+}
+
+sub get_allowed_vms {
+    my $rpcenv = eval { PVE::RPCEnvironment::get() };
+
+    if ($@) {
+	warn "could not initialize RPCEnvironment";
+	return {};
+    }
+
+    my $authuser = $rpcenv->get_user();
+
+    my $guests = PVE::Cluster::get_vmlist();
+
+    return [
+	grep { $rpcenv->check($authuser, "/vms/$_", [ 'VM.Audit' ], 1) } sort keys $guests->{ids}->%*
+    ];
+}
+
+1;
diff --git a/src/PVE/API2/Firewall/Makefile b/src/PVE/API2/Firewall/Makefile
index e916755..6be8261 100644
--- a/src/PVE/API2/Firewall/Makefile
+++ b/src/PVE/API2/Firewall/Makefile
@@ -4,6 +4,7 @@ PERLDIR=$(DESTDIR)/$(PREFIX)/share/perl5
 
 LIB_SOURCES=			\
 	Aliases.pm		\
+	Helpers.pm		\
 	IPSet.pm		\
 	Rules.pm		\
 	Cluster.pm		\
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 9fcfb20..bbcf732 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -7,6 +7,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::Exception qw(raise raise_param_exc);
 
 use PVE::Firewall;
+use PVE::API2::Firewall::Helpers;
 
 use base qw(PVE::RESTHandler);
 
@@ -237,6 +238,18 @@ sub register_create_rule {
 
 		my $rule = {};
 
+		# reloading the scoped SDN config for verification, so users can
+		# only use IPSets they have permissions for
+		my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+		my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+		my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+
+		if ($cluster_conf) {
+		    $cluster_conf->{sdn} = $sdn_conf;
+		} else {
+		    $fw_conf->{sdn} = $sdn_conf;
+		}
+
 		PVE::Firewall::copy_rule_data($rule, $param);
 		PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
 
@@ -320,6 +333,18 @@ sub register_update_rule {
 
 		    PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
 
+		    # reloading the scoped SDN config for verification, so users can
+		    # only use IPSets they have permissions for
+		    my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms();
+		    my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets();
+		    my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets);
+
+		    if ($cluster_conf) {
+			$cluster_conf->{sdn} = $sdn_conf;
+		    } else {
+			$fw_conf->{sdn} = $sdn_conf;
+		    }
+
 		    PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
 		}
 
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a69d5dd..6437db0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -25,6 +25,7 @@ use PVE::Tools qw($IPV4RE $IPV6RE);
 use PVE::Tools qw(run_command lock_file dir_glob_foreach);
 
 use PVE::Firewall::Helpers;
+use PVE::RS::Firewall::SDN;
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
 my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
@@ -1689,10 +1690,15 @@ sub verify_rule {
 
 	if (my $value = $rule->{$name}) {
 	    if ($value =~ m/^\+/) {
-		if ($value =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
-		    &$add_error($name, "no such ipset '$2'")
-			if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2}));
-
+		if ($value =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) {
+		    if (
+			!($cluster_conf->{ipset}->{$2})
+			&& !($fw_conf && $fw_conf->{ipset}->{$2})
+			&& !($cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$2})
+			&& !($fw_conf->{sdn} && $fw_conf->{sdn}->{ipset}->{$2})
+		    ) {
+			$add_error->($name, "no such ipset '$2'")
+		    }
 		} else {
 		    &$add_error($name, "invalid ipset name '$value'");
 		}
@@ -2108,13 +2114,18 @@ sub ipt_gen_src_or_dst_match {
 
     my $match;
     if ($adr =~ m/^\+/) {
-	if ($adr =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) {
+	if ($adr =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) {
 	    my $scope = $1 // "";
 	    my $name = $2;
 	    my $ipset_chain;
-	    if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) {
+
+	    my $is_scope = sub { return !$scope || $scope eq "$_[0]/" };
+
+	    if ($is_scope->('guest') && $fw_conf && $fw_conf->{ipset}->{$name}) {
 		$ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
-	    } elsif ($scope ne 'guest/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
+	    } elsif ($is_scope->('dc') && $cluster_conf && $cluster_conf->{ipset}->{$name}) {
+		$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
+	    } elsif ($is_scope->('sdn') && $cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$name}) {
 		$ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
 	    } else {
 		die "no such ipset '$name'\n";
@@ -3655,6 +3666,7 @@ sub load_clusterfw_conf {
 	group_comments => {},
 	ipset => {} ,
 	ipset_comments => {},
+	sdn => load_sdn_conf(),
     };
 
     my $cluster_conf = generic_fw_config_parser($filename, $empty_conf, $empty_conf, 'cluster');
@@ -3663,6 +3675,19 @@ sub load_clusterfw_conf {
     return $cluster_conf;
 }
 
+sub load_sdn_conf {
+    my ($allowed_vms, $allowed_vnets) = @_;
+
+    my $empty_sdn_config = { ipset => {} , ipset_comments => {} };
+
+    my $sdn_config = eval {
+	PVE::RS::Firewall::SDN::config($allowed_vnets, $allowed_vms)
+    };
+    warn $@ if $@;
+
+    return $sdn_config // $empty_sdn_config;
+}
+
 sub save_clusterfw_conf {
     my ($cluster_conf) = @_;
 
@@ -3768,7 +3793,7 @@ sub compile {
 
 	$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir);
     } else { # normal operation
-	$cluster_conf = load_clusterfw_conf(undef) if !$cluster_conf;
+	$cluster_conf = load_clusterfw_conf() if !$cluster_conf;
 
 	$hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
 
@@ -4043,6 +4068,7 @@ sub compile_ipsets {
     }
 
     generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{ipset});
+    generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{sdn}->{ipset});
 
     return $ipset_ruleset;
 }
diff --git a/src/PVE/Service/pve_firewall.pm b/src/PVE/Service/pve_firewall.pm
index 65cb2b8..02b507a 100755
--- a/src/PVE/Service/pve_firewall.pm
+++ b/src/PVE/Service/pve_firewall.pm
@@ -158,7 +158,7 @@ __PACKAGE__->register_method ({
 
 	    PVE::Firewall::set_verbose(1); # show syntax errors
 
-	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
+	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 	    $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
 
 	    if ($status eq 'running') {
@@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
 
 	    PVE::Firewall::set_verbose(1);
 
-	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
+	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 	    my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
 
 	    print "ipset cmdlist:\n";
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel