Additionally add information about the SDN VNet firewall, which has been introduced with these changes.
Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com> --- Makefile | 1 + gen-pve-firewall-vnet-opts.pl | 12 ++++++++ pve-firewall-vnet-opts.adoc | 8 ++++++ pve-firewall.adoc | 53 ++++++++++++++++++++++++++++++++--- 4 files changed, 70 insertions(+), 4 deletions(-) create mode 100755 gen-pve-firewall-vnet-opts.pl create mode 100644 pve-firewall-vnet-opts.adoc diff --git a/Makefile b/Makefile index 801a2a3..f30d77a 100644 --- a/Makefile +++ b/Makefile @@ -62,6 +62,7 @@ GEN_SCRIPTS= \ gen-pve-firewall-macros-adoc.pl \ gen-pve-firewall-rules-opts.pl \ gen-pve-firewall-vm-opts.pl \ + gen-pve-firewall-vnet-opts.pl \ gen-output-format-opts.pl API_VIEWER_FILES= \ diff --git a/gen-pve-firewall-vnet-opts.pl b/gen-pve-firewall-vnet-opts.pl new file mode 100755 index 0000000..c9f4f13 --- /dev/null +++ b/gen-pve-firewall-vnet-opts.pl @@ -0,0 +1,12 @@ +#!/usr/bin/perl + +use lib '.'; +use strict; +use warnings; + +use PVE::Firewall; +use PVE::RESTHandler; + +my $prop = $PVE::Firewall::vnet_option_properties; + +print PVE::RESTHandler::dump_properties($prop); diff --git a/pve-firewall-vnet-opts.adoc b/pve-firewall-vnet-opts.adoc new file mode 100644 index 0000000..ed1e88f --- /dev/null +++ b/pve-firewall-vnet-opts.adoc @@ -0,0 +1,8 @@ +`enable`: `<boolean>` ('default =' `0`):: + +Enable/disable firewall rules. + +`policy_forward`: `<ACCEPT | DROP>` :: + +Forward policy. + diff --git a/pve-firewall.adoc b/pve-firewall.adoc index b428703..339a42f 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc 
@@ -52,14 +52,22 @@ The Proxmox VE firewall groups the network into the following logical zones: Host:: -Traffic from/to a cluster node +Traffic from/to a cluster node or traffic forwarded by a cluster node VM:: Traffic from/to a specific VM -For each zone, you can define firewall rules for incoming and/or -outgoing traffic. +VNet:: + +Traffic flowing through a SDN VNet + +For each zone, you can define firewall rules for incoming, outgoing or +forwarded traffic. + +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently +only possible when using the new +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Configuration Files 
@@ -202,10 +210,46 @@ can selectively enable the firewall for each interface. This is required in addition to the general firewall `enable` option. +[[pve_firewall_vnet_configuration]] +VNet Configuration +~~~~~~~~~~~~~~~~~~ +VNet related configuration is read from: + + /etc/pve/sdn/firewall/<vnet_name>.fw + +This can be used for setting firewall configuration globally on a VNet level, +without having to set firewall rules for each VM inside the VNet separately. It +can only contain rules for the `FORWARD` direction, since there is no notion of +incoming or outgoing traffic. This affects all traffic travelling from one +bridge port to another, including the host interface. + +WARNING: This feature is currently only available for the new +xref:pve_firewall_nft[nftables-based proxmox-firewall] + +Since traffic passing the `FORWARD` chain is bi-directional, you need to create +rules for both directions if you want traffic to pass both ways. For instance if +HTTP traffic for a specific host should be allowed, you would need to create the +following rules: + +---- +FORWARD ACCEPT -dest 10.0.0.1 -dport 80 +FORWARD ACCEPT -source 10.0.0.1 -sport 80 +---- + +`[OPTIONS]`:: + +This is used to set VNet related firewall options. + +include::pve-firewall-vnet-opts.adoc[] + +`[RULES]`:: + +This section contains VNet specific firewall rules. + Firewall Rules -------------- -Firewall rules consists of a direction (`IN` or `OUT`) and an +Firewall rules consists of a direction (`IN`, `OUT` or `FORWARD`) and an action (`ACCEPT`, `DENY`, `REJECT`). You can also specify a macro name. Macros contain predefined sets of rules and options. Rules can be disabled by prefixing them with `|`. 
@@ -639,6 +683,7 @@ Ports used by {pve} * live migration (VM memory and local-disk data): 60000-60050 (TCP) +[[pve_firewall_nft]] nftables -------- -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
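Review bot: In gen-pve-firewall-vnet-opts.pl, `use lib '.';` is placed before `use strict;` and `use warnings;`; putting the pragmas first is the usual Perl convention and keeps the script consistent with how generator scripts normally start. More importantly, the script reads `$PVE::Firewall::vnet_option_properties` from the pve-firewall package installed on the build host, so the docs build will fail on a host whose pve-firewall does not yet export that variable; either add a versioned build dependency on the pve-firewall release that ships it, or make sure this series is only applied after that release is available.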
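Review bot: In pve-firewall-vnet-opts.adoc, the `policy_forward` entry shows no default and only the two-word description `Forward policy.`, whereas `enable` renders `default = 0`. Since this file is generated from the schema, the fix belongs in the `vnet_option_properties` description in PVE::Firewall rather than here: say what the policy applies to (forwarded traffic on the VNet that no rule matches) and declare the default in the schema so that it is rendered in this file.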
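Review bot: In the zones hunk, `Traffic flowing through a SDN VNet` should read `an SDN VNet`, since the abbreviation is pronounced with a leading vowel. The IMPORTANT admonition would also be more useful if it stated what the legacy iptables-based firewall does with VNet or `FORWARD` rules that are present in the configuration (ignored, or rejected on load), because users switching between the two implementations need to know whether such rules silently stop applying.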
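Review bot: In the VNet Configuration hunk, the sentence `Since traffic passing the FORWARD chain is bi-directional` does not give the reader the information that actually matters, namely whether the `FORWARD` chain applies connection tracking. If replies of established connections are accepted automatically, the second example rule is unnecessary; if they are not, the text should say so explicitly, because `FORWARD ACCEPT -source 10.0.0.1 -sport 80` as written admits any packet from 10.0.0.1 with source port 80, not only HTTP replies, and someone copying the example should understand what they are opening. Two smaller points in the same hunk: the WARNING admonition is missing its trailing period, and since the line `Firewall rules consists of a direction ...` is touched anyway, fix the pre-existing `consists` to `consist`.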