Message-ID: <c79bd667-b49e-4108-a51b-6d51c7d8f189@proxmox.com>
Date: Thu, 7 Nov 2024 16:57:37 +0100
From: Hannes Dürr <h.duerr@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Stefan Hanreich <s.hanreich@proxmox.com>
References: <20241010155650.255698-1-s.hanreich@proxmox.com>
 <20241010155650.255698-18-s.hanreich@proxmox.com>
In-Reply-To: <20241010155650.255698-18-s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-docs v2 17/17] firewall: add
 documentation for forward direction


On 10/10/24 17:56, Stefan Hanreich wrote:
> Additionally add information about the SDN VNet firewall, which has
> been introduced with this changes.
>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>   Makefile                      |  1 +
>   gen-pve-firewall-vnet-opts.pl | 12 ++++++++
>   pve-firewall-vnet-opts.adoc   |  8 ++++++
>   pve-firewall.adoc             | 53 ++++++++++++++++++++++++++++++++---
>   4 files changed, 70 insertions(+), 4 deletions(-)
>   create mode 100755 gen-pve-firewall-vnet-opts.pl
>   create mode 100644 pve-firewall-vnet-opts.adoc
>
> diff --git a/Makefile b/Makefile
> index 801a2a3..f30d77a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -62,6 +62,7 @@ GEN_SCRIPTS=					\
>   	gen-pve-firewall-macros-adoc.pl		\
>   	gen-pve-firewall-rules-opts.pl		\
>   	gen-pve-firewall-vm-opts.pl		\
> +	gen-pve-firewall-vnet-opts.pl		\
>   	gen-output-format-opts.pl
>   
>   API_VIEWER_FILES=							\
> diff --git a/gen-pve-firewall-vnet-opts.pl b/gen-pve-firewall-vnet-opts.pl
> new file mode 100755
> index 0000000..c9f4f13
> --- /dev/null
> +++ b/gen-pve-firewall-vnet-opts.pl
> @@ -0,0 +1,12 @@
> +#!/usr/bin/perl
> +
> +use lib '.';
> +use strict;
> +use warnings;
> +
> +use PVE::Firewall;
> +use PVE::RESTHandler;
> +
> +my $prop = $PVE::Firewall::vnet_option_properties;
> +
> +print PVE::RESTHandler::dump_properties($prop);
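Review bot: the script reads `$PVE::Firewall::vnet_option_properties` directly as a package variable, so the docs build now depends on a pve-firewall that already exposes that variable; the Makefile hunk adds the script to GEN_SCRIPTS but nothing in this patch raises the build dependency on pve-firewall accordingly, so please bump it alongside this change, otherwise the docs build breaks against an older pve-firewall.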
> diff --git a/pve-firewall-vnet-opts.adoc b/pve-firewall-vnet-opts.adoc
> new file mode 100644
> index 0000000..ed1e88f
> --- /dev/null
> +++ b/pve-firewall-vnet-opts.adoc
> @@ -0,0 +1,8 @@
> +`enable`: `<boolean>` ('default =' `0`)::
> +
> +Enable/disable firewall rules.
> +
> +`policy_forward`: `<ACCEPT | DROP>` ::
> +
> +Forward policy.
> +
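Review bot: `policy_forward` carries no default here while `enable` does (`'default =' 0`), so a reader cannot tell what applies to forwarded traffic on a VNet when the option is unset. Since this file is generated, the fix belongs in the `vnet_option_properties` schema in pve-firewall rather than in this file: add a `default` there if one exists, or have the description say what happens when the option is not set. The stray space in `` `<ACCEPT | DROP>` :: `` (compare the `enable` line) comes from the same generator and is worth fixing at the source too.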
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index b428703..339a42f 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -52,14 +52,22 @@ The Proxmox VE firewall groups the network into the following logical zones:
>   
>   Host::
>   
> -Traffic from/to a cluster node
> +Traffic from/to a cluster node or traffic forwarded by a cluster node
>   
>   VM::
>   
>   Traffic from/to a specific VM
>   
> -For each zone, you can define firewall rules for incoming and/or
> -outgoing traffic.
> +VNet::
> +
> +Traffic flowing through a SDN VNet
> +
> +For each zone, you can define firewall rules for incoming, outgoing or
> +forwarded traffic.

This is not really true, I cannot create rules on the forward chain of 
VMs, can I?

I think the "Zones" section could benefit from some rewording because 
IMO the Zone representation is not really fitting and also in the rest 
of the article we are talking about 'Levels' and not 'Zones'.
I'd propose something like this:

Firewall rules can be created on 4 levels: Cluster, Node, Vnet, VM. 
However, the rules only act on the 3 levels Node, Vnet and VM.
The reason for this is the distributed architecture: if a firewall rule 
is created at cluster level, it gets rolled out to all hosts and acts at 
host level.

At host level the rules can act on and manipulate traffic from/into the 
host. With the new proxmox-firewall based on nftables it is additionally 
possible to create rules that act on and manipulate traffic passing 
through the host (forwarded).

The Vnet level is only available with the new proxmox-firewall. At Vnet 
level the rules can act on and manipulate traffic passing through the 
Vnet (forwarded).

At VM level the rules can act on and manipulate traffic from/into a VM.

> +
> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently
> +only possible when using the new
> +xref:pve_firewall_nft[nftables-based proxmox-firewall].
>   
>   
>   Configuration Files
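Review bot: `For each zone, you can define firewall rules for incoming, outgoing or forwarded traffic` claims more than the rest of this patch supports: the VNet configuration section added later says a VNet config `can only contain rules for the FORWARD direction`, and nothing in the patch adds a forward direction at VM level, so the sentence should spell out which directions each zone accepts, as the proposed per-level wording in this reply already does. Minor: `a SDN VNet` should read `an SDN VNet`, and the IMPORTANT note could mention that forwarded rules are limited to certain levels, not only that they need the nftables-based firewall.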
> @@ -202,10 +210,46 @@ can selectively enable the firewall for each interface. This is
>   required in addition to the general firewall `enable` option.
>   
>   
> +[[pve_firewall_vnet_configuration]]
> +VNet Configuration
> +~~~~~~~~~~~~~~~~~~
> +VNet related configuration is read from:
> +
> + /etc/pve/sdn/firewall/<vnet_name>.fw
> +
> +This can be used for setting firewall configuration globally on a VNet level,
> +without having to set firewall rules for each VM inside the VNet separately. It
> +can only contain rules for the `FORWARD` direction, since there is no notion of
> +incoming or outgoing traffic. This affects all traffic travelling from one
> +bridge port to another, including the host interface.
> +
> +WARNING: This feature is currently only available for the new
> +xref:pve_firewall_nft[nftables-based proxmox-firewall]
> +
> +Since traffic passing the `FORWARD` chain is bi-directional, you need to create
> +rules for both directions if you want traffic to pass both ways. For instance if
> +HTTP traffic for a specific host should be allowed, you would need to create the
> +following rules:
> +
> +----
> +FORWARD ACCEPT -dest 10.0.0.1 -dport 80
> +FORWARD ACCEPT -source 10.0.0.1 -sport 80
> +----
> +
> +`[OPTIONS]`::
> +
> +This is used to set VNet related firewall options.
> +
> +include::pve-firewall-vnet-opts.adoc[]
> +
> +`[RULES]`::
> +
> +This section contains VNet specific firewall rules.
> +
>   Firewall Rules
>   --------------
>   
> -Firewall rules consists of a direction (`IN` or `OUT`) and an
> +Firewall rules consists of a direction (`IN`, `OUT` or `FORWARD`) and an
>   action (`ACCEPT`, `DENY`, `REJECT`). You can also specify a macro
>   name. Macros contain predefined sets of rules and options. Rules can be
>   disabled by prefixing them with `|`.
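Review bot: the example pair of FORWARD rules needs a statement about connection tracking. `FORWARD ACCEPT -source 10.0.0.1 -sport 80` accepts any packet with source port 80 from 10.0.0.1 to any destination and any port, so 10.0.0.1 can open connections to arbitrary hosts as long as it binds source port 80; if the forward chain already accepts established/related traffic via conntrack, the reverse rule is unnecessary and should be dropped from the example, and if it does not, the text should say so explicitly so readers understand why the wider reverse rule is needed and can scope it (e.g. with `-dest`) rather than copy it verbatim. Also, the WARNING admonition lacks a terminating period, and since the `Firewall rules consists of a direction` line is being touched anyway, `consists` should become `consist`.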
> @@ -639,6 +683,7 @@ Ports used by {pve}
>   * live migration (VM memory and local-disk data): 60000-60050 (TCP)
Here I'd also add that it is dependent on the Level the Rule is applied to.
>   
>   
> +[[pve_firewall_nft]]
>   nftables
>   --------
>   

