From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-ve-rs 02/15] firewall: add forward direction
Date: Wed, 11 Sep 2024 11:31:03 +0200 [thread overview]
Message-ID: <20240911093116.112960-3-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240911093116.112960-1-s.hanreich@proxmox.com>
This direction will be used for specifying rules on bridge-level
firewalls as well as rules on the cluster / host level that are for
forwarded network packets.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-ve-config/src/firewall/cluster.rs | 10 ++++++++++
proxmox-ve-config/src/firewall/guest.rs | 15 +++++++++++++++
proxmox-ve-config/src/firewall/host.rs | 4 ++++
proxmox-ve-config/src/firewall/mod.rs | 1 +
proxmox-ve-config/src/firewall/types/rule.rs | 10 ++++++++--
5 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/proxmox-ve-config/src/firewall/cluster.rs b/proxmox-ve-config/src/firewall/cluster.rs
index 223124b..b7bebae 100644
--- a/proxmox-ve-config/src/firewall/cluster.rs
+++ b/proxmox-ve-config/src/firewall/cluster.rs
@@ -25,6 +25,8 @@ pub const CLUSTER_EBTABLES_DEFAULT: bool = false;
pub const CLUSTER_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
/// default setting for [`Config::default_policy()`]
pub const CLUSTER_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
+/// default setting for [`Config::default_policy()`]
+pub const CLUSTER_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept;
impl Config {
pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
@@ -86,6 +88,11 @@ impl Config {
.options
.policy_out
.unwrap_or(CLUSTER_POLICY_OUT_DEFAULT),
+ Direction::Forward => self
+ .config
+ .options
+ .policy_forward
+ .unwrap_or(CLUSTER_POLICY_FORWARD_DEFAULT),
}
}
@@ -121,6 +128,7 @@ pub struct Options {
policy_in: Option<Verdict>,
policy_out: Option<Verdict>,
+ policy_forward: Option<Verdict>,
}
#[cfg(test)]
@@ -148,6 +156,7 @@ log_ratelimit: 1,rate=10/second,burst=20
ebtables: 0
policy_in: REJECT
policy_out: REJECT
+policy_forward: DROP
[ALIASES]
@@ -191,6 +200,7 @@ IN BGP(REJECT) -log crit -source 1.2.3.4
)),
policy_in: Some(Verdict::Reject),
policy_out: Some(Verdict::Reject),
+ policy_forward: Some(Verdict::Drop),
}
);
diff --git a/proxmox-ve-config/src/firewall/guest.rs b/proxmox-ve-config/src/firewall/guest.rs
index c7e282f..b097f56 100644
--- a/proxmox-ve-config/src/firewall/guest.rs
+++ b/proxmox-ve-config/src/firewall/guest.rs
@@ -31,6 +31,8 @@ pub const GUEST_IPFILTER_DEFAULT: bool = false;
pub const GUEST_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
/// default return value for [`Config::default_policy()`]
pub const GUEST_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
+/// default return value for [`Config::default_policy()`]
+pub const GUEST_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept;
#[derive(Debug, Default, Deserialize)]
#[cfg_attr(test, derive(Eq, PartialEq))]
@@ -52,6 +54,7 @@ pub struct Options {
log_level_in: Option<LogLevel>,
log_level_out: Option<LogLevel>,
+ log_level_forward: Option<LogLevel>,
#[serde(default, with = "serde_option_bool")]
macfilter: Option<bool>,
@@ -61,6 +64,8 @@ pub struct Options {
#[serde(rename = "policy_out")]
policy_out: Option<Verdict>,
+
+ policy_forward: Option<Verdict>,
}
#[derive(Debug)]
@@ -131,6 +136,7 @@ impl Config {
match dir {
Direction::In => self.config.options.log_level_in.unwrap_or_default(),
Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
+ Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(),
}
}
@@ -179,6 +185,11 @@ impl Config {
.options
.policy_out
.unwrap_or(GUEST_POLICY_OUT_DEFAULT),
+ Direction::Forward => self
+ .config
+ .options
+ .policy_forward
+ .unwrap_or(GUEST_POLICY_FORWARD_DEFAULT),
}
}
@@ -206,11 +217,13 @@ dhcp: 1
ipfilter: 0
log_level_in: emerg
log_level_out: crit
+log_level_forward: warn
macfilter: 0
ndp:1
radv:1
policy_in: REJECT
policy_out: REJECT
+policy_forward: DROP
"#;
let config = CONFIG.as_bytes();
@@ -228,9 +241,11 @@ policy_out: REJECT
radv: Some(true),
log_level_in: Some(LogLevel::Emergency),
log_level_out: Some(LogLevel::Critical),
+ log_level_forward: Some(LogLevel::Warning),
macfilter: Some(false),
policy_in: Some(Verdict::Reject),
policy_out: Some(Verdict::Reject),
+ policy_forward: Some(Verdict::Drop),
}
);
}
diff --git a/proxmox-ve-config/src/firewall/host.rs b/proxmox-ve-config/src/firewall/host.rs
index 3de6fad..56ed46d 100644
--- a/proxmox-ve-config/src/firewall/host.rs
+++ b/proxmox-ve-config/src/firewall/host.rs
@@ -44,6 +44,7 @@ pub struct Options {
log_level_in: Option<LogLevel>,
log_level_out: Option<LogLevel>,
+ log_level_forward: Option<LogLevel>,
#[serde(default, with = "parse::serde_option_bool")]
log_nf_conntrack: Option<bool>,
@@ -262,6 +263,7 @@ impl Config {
match dir {
Direction::In => self.config.options.log_level_in.unwrap_or_default(),
Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
+ Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(),
}
}
}
@@ -284,6 +286,7 @@ enable: 1
nftables: 1
log_level_in: debug
log_level_out: emerg
+log_level_forward: warn
log_nf_conntrack: 0
ndp: 1
nf_conntrack_allow_invalid: yes
@@ -316,6 +319,7 @@ IN ACCEPT -p udp -dport 33 -sport 22 -log warning
nftables: Some(true),
log_level_in: Some(LogLevel::Debug),
log_level_out: Some(LogLevel::Emergency),
+ log_level_forward: Some(LogLevel::Warning),
log_nf_conntrack: Some(false),
ndp: Some(true),
nf_conntrack_allow_invalid: Some(true),
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index 2cf57e2..6ee3c31 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,3 +1,4 @@
+pub mod bridge;
pub mod cluster;
pub mod common;
pub mod ct_helper;
diff --git a/proxmox-ve-config/src/firewall/types/rule.rs b/proxmox-ve-config/src/firewall/types/rule.rs
index 5374bb0..2c8f49c 100644
--- a/proxmox-ve-config/src/firewall/types/rule.rs
+++ b/proxmox-ve-config/src/firewall/types/rule.rs
@@ -13,19 +13,24 @@ pub enum Direction {
#[default]
In,
Out,
+ Forward,
}
impl std::str::FromStr for Direction {
type Err = Error;
fn from_str(s: &str) -> Result<Self, Error> {
- for (name, dir) in [("IN", Direction::In), ("OUT", Direction::Out)] {
+ for (name, dir) in [
+ ("IN", Direction::In),
+ ("OUT", Direction::Out),
+ ("FORWARD", Direction::Forward),
+ ] {
if s.eq_ignore_ascii_case(name) {
return Ok(dir);
}
}
- bail!("invalid direction: {s:?}, expect 'IN' or 'OUT'");
+ bail!("invalid direction: {s:?}, expect 'IN', 'OUT' or 'FORWARD'");
}
}
@@ -36,6 +41,7 @@ impl fmt::Display for Direction {
match self {
Direction::In => f.write_str("in"),
Direction::Out => f.write_str("out"),
+ Direction::Forward => f.write_str("forward"),
}
}
}
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-09-11 9:32 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 9:31 [pve-devel] [RFC firewall/manager/network/proxmox{-ve-rs, -firewall} 00/15] add forward chain firewalling for hosts and bridges Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-ve-rs 01/15] cargo: bump dependencies Stefan Hanreich
2024-09-11 9:31 ` Stefan Hanreich [this message]
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-ve-rs 03/15] firewall: add bridge firewall config parser Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-ve-rs 04/15] host: add struct representing bridge names Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-firewall 05/15] sdn: add support for loading vnet-level firewall config Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-firewall 06/15] sdn: create forward firewall rules Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-firewall 07/15] use std::mem::take over drain() Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH proxmox-firewall 08/15] cargo: bump dependencies Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-firewall 09/15] sdn: add vnet firewall configuration Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-firewall 10/15] api: add vnet endpoints Stefan Hanreich
2024-09-26 6:37 ` Thomas Lamprecht
2024-10-04 15:36 ` Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-manager 11/15] firewall: add forward direction to rule panel Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-manager 12/15] firewall: add vnet to firewall options component Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-manager 13/15] firewall: make base_url dynamically configurable in " Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-manager 14/15] sdn: add firewall panel Stefan Hanreich
2024-09-11 9:31 ` [pve-devel] [PATCH pve-network 15/15] firewall: add endpoints for vnet-level firewall Stefan Hanreich
2024-09-11 12:31 ` [pve-devel] [RFC firewall/manager/network/proxmox{-ve-rs, -firewall} 00/15] add forward chain firewalling for hosts and bridges Stefan Hanreich
2024-09-11 15:22 ` Gabriel Goller
2024-10-10 16:00 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240911093116.112960-3-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.