From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-ve-rs v2 16/25] sdn: config: add method for generating ipsets
Date: Thu, 10 Oct 2024 17:56:28 +0200
Message-ID: <20241010155637.255451-17-s.hanreich@proxmox.com>
In-Reply-To: <20241010155637.255451-1-s.hanreich@proxmox.com>
We generate the following ipsets for every vnet in the running sdn
configuration:
* {vnet}-all: contains all subnets of the vnet
* {vnet}-no-gateway: contains all subnets of the vnet except for all
gateways
* {vnet}-gateway: contains all gateways in the vnet
* {vnet}-dhcp: contains all dhcp ranges configured in the vnet
All of them are in the new SDN scope, so the fully qualified name
would look something like this: `+sdn/{vnet-all}`.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-ve-config/src/sdn/config.rs | 72 +++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
diff --git a/proxmox-ve-config/src/sdn/config.rs b/proxmox-ve-config/src/sdn/config.rs
index b71084b..f6fc8c2 100644
--- a/proxmox-ve-config/src/sdn/config.rs
+++ b/proxmox-ve-config/src/sdn/config.rs
@@ -529,6 +529,78 @@ impl SdnConfig {
self.zones()
.flat_map(|zone| zone.vnets().map(move |vnet| (zone, vnet)))
}
+
+ /// Generates multiple [`Ipset`] for all SDN VNets.
+ ///
+ /// # Arguments
+ /// * `filter` - A [`Allowlist`] of VNet names for which IPsets should get returned
+ ///
+ /// It generates the following [`Ipset`] for all VNets in the config:
+ /// * all: Contains all CIDRs of all subnets in the VNet
+ /// * gateway: Contains all gateways of all subnets in the VNet (if any gateway exists)
+ /// * no-gateway: Matches all CIDRs of all subnets, except for the gateways (if any gateway
+ /// exists)
+ /// * dhcp: Contains all DHCP ranges of all subnets in the VNet (if any dhcp range exists)
+ pub fn ipsets<'a>(
+ &'a self,
+ filter: impl Into<Option<&'a Allowlist<VnetName>>>,
+ ) -> impl Iterator<Item = Ipset> + '_ {
+ let filter = filter.into();
+
+ self.zones
+ .values()
+ .flat_map(|zone| zone.vnets())
+ .filter(move |vnet| {
+ filter
+ .map(|list| list.is_allowed(&vnet.name))
+ .unwrap_or(true)
+ })
+ .flat_map(|vnet| {
+ let mut ipset_all = Ipset::new(IpsetName::new(
+ IpsetScope::Sdn,
+ format!("{}-all", vnet.name),
+ ));
+ ipset_all.comment = Some(format!("All subnets of VNet {}", vnet.name));
+
+ let mut ipset_gateway = Ipset::new(IpsetName::new(
+ IpsetScope::Sdn,
+ format!("{}-gateway", vnet.name),
+ ));
+ ipset_gateway.comment = Some(format!("All gateways of VNet {}", vnet.name));
+
+ let mut ipset_all_wo_gateway = Ipset::new(IpsetName::new(
+ IpsetScope::Sdn,
+ format!("{}-no-gateway", vnet.name),
+ ));
+ ipset_all_wo_gateway.comment = Some(format!(
+ "All subnets of VNet {}, excluding gateways",
+ vnet.name
+ ));
+
+ let mut ipset_dhcp = Ipset::new(IpsetName::new(
+ IpsetScope::Sdn,
+ format!("{}-dhcp", vnet.name),
+ ));
+ ipset_dhcp.comment = Some(format!("DHCP ranges of VNet {}", vnet.name));
+
+ for subnet in vnet.subnets.values() {
+ ipset_all.push((*subnet.cidr()).into());
+
+ ipset_all_wo_gateway.push((*subnet.cidr()).into());
+
+ if let Some(gateway) = subnet.gateway {
+ let gateway_nomatch = IpsetEntry::new(gateway, true, None);
+ ipset_all_wo_gateway.push(gateway_nomatch);
+
+ ipset_gateway.push(gateway.into());
+ }
+
+ ipset_dhcp.extend(subnet.dhcp_range.iter().cloned().map(IpsetEntry::from));
+ }
+
+ [ipset_all, ipset_gateway, ipset_all_wo_gateway, ipset_dhcp]
+ })
+ }
}
impl TryFrom<RunningConfig> for SdnConfig {
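Review bot: The doc comment and the code disagree on when the gateway, no-gateway and dhcp sets exist. The comment says "(if any gateway exists)" and "(if any dhcp range exists)", but the closure unconditionally returns `[ipset_all, ipset_gateway, ipset_all_wo_gateway, ipset_dhcp]`, so a VNet whose subnets have no gateway and no DHCP range still yields an empty `{vnet}-gateway`, an empty `{vnet}-dhcp`, and a `{vnet}-no-gateway` identical to `{vnet}-all`. Either filter out the empty sets before returning (e.g. collect into a `Vec<Ipset>` and drop those with no entries), or change the comment to state that all four sets are always emitted and may be empty; rule authors referencing `+sdn/{vnet}-gateway` need to know which it is. Smaller points: the return type uses `+ '_` while `self` and `filter` are tied to `'a`, so writing `+ 'a` makes the borrow explicit; `.map(|list| list.is_allowed(&vnet.name)).unwrap_or(true)` is the `Option::map_or(true, ...)` idiom clippy suggests; and "A [`Allowlist`]" should read "An [`Allowlist`]". The commit message example `+sdn/{vnet-all}` also does not match the generated name `{vnet}-all` from `format!("{}-all", vnet.name)`.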
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel