[pve-devel] [PATCH] add global ipset blacklist
Alexandre Derumier
aderumier at odiso.com
Tue Apr 22 10:44:59 CEST 2014
this is a predefined ipset == blacklist,
which blocks IPs at the beginning of PVE-FORWARD.
(useful in case of a DDoS attack)
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
debian/example/cluster.fw | 6 ++++++
src/PVE/Firewall.pm | 27 ++++++++++++++++-----------
2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/debian/example/cluster.fw b/debian/example/cluster.fw
index bf5a98f..457c993 100644
--- a/debian/example/cluster.fw
+++ b/debian/example/cluster.fw
@@ -38,3 +38,9 @@ IN ACCEPT myserveralias
192.168.0.0/24
! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
mynetworkalias
+
+#global ipset blacklist
+[ipset blacklist]
+
+10.0.0.8
+192.168.0./24
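Review bot: `192.168.0./24` on the last added line is not a valid address, the fourth octet is missing, so the example `[ipset blacklist]` entry would not parse as a /24 the way the alias entry `192.168.0.0/24` earlier in this file does. It should read `192.168.0.0/24`. Anyone copying the example into their own cluster.fw would carry the typo with them, so it is worth fixing before the example ships.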
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0d9dcde..3c7333e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1388,7 +1388,7 @@ sub ruleset_addlog {
$logrule = "$rule $logrule" if defined($rule);
- ruleset_addrule($ruleset, $chain, $logrule)
+ ruleset_addrule($ruleset, $chain, $logrule);
}
sub generate_bridge_chains {
@@ -2618,6 +2618,21 @@ sub compile {
my $hostfw_options = $hostfw_conf->{options} || {};
+ # fixme: what log level should we use here?
+ my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
+
+ if($hostfw_options->{optimize}){
+
+ my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
+ }
+
+ if ($cluster_conf->{ipset}->{blacklist}){
+ ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP");
+ }
+
generate_std_chains($ruleset, $hostfw_options);
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
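Review bot: With `optimize` set, the blacklist DROP on the `-m set --match-set PVEFW-blacklist src` lines is placed after the `--ctstate RELATED,ESTABLISHED -j $accept` rule, so flows a blacklisted source had already established keep being accepted and the set is only consulted for new connections, which contradicts the commit message's intent of blocking at the beginning of PVE-FORWARD. Moving the `if ($cluster_conf->{ipset}->{blacklist})` block above the `if($hostfw_options->{optimize})` block puts the set match first; an ipset lookup is inexpensive, so the conntrack shortcut should not suffer noticeably. The rule also references an ipset named `PVEFW-blacklist` that nothing in this patch creates; presumably the existing cluster ipset handling derives it from `[ipset blacklist]`, but the name mapping is worth confirming. compile's body starts and ends outside the hunk, so whether `$cluster_conf` is in scope here cannot be seen from the diff.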
@@ -2688,16 +2703,6 @@ sub compile {
}
}
- if($hostfw_options->{optimize}){
-
- my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
- ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
- ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
- }
-
- # fixme: what log level should we use here?
- my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
-
# fixme: should we really block inter-bridge traffic?
# always allow traffic from containers?
--
1.7.10.4