From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-firewall 02/14] firewall: add connmark rule with VMID to all guest chains
Date: Mon, 17 Mar 2025 15:11:39 +0100 [thread overview]
Message-ID: <20250317141152.1247324-3-c.heiss@proxmox.com> (raw)
In-Reply-To: <20250317141152.1247324-1-c.heiss@proxmox.com>
Adds a connmark attribute with the VMID inside to anything flowing
in/out the guest, which are also carried over to all conntrack entries.
This enables differentiating conntrack entries between VMs for
live-migration.
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Depends on patch #1 being applied first to proxmox-ve-rs & a appropriate
crate bump.
proxmox-firewall/src/firewall.rs | 14 ++-
.../integration_tests__firewall.snap | 85 ++++++++++++++++++-
proxmox-nftables/src/expression.rs | 9 ++
proxmox-nftables/src/statement.rs | 10 ++-
4 files changed, 114 insertions(+), 4 deletions(-)
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 88fb460..9f7df56 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -6,7 +6,9 @@ use anyhow::{bail, Error};
use proxmox_nftables::command::{Add, Commands, Delete, Flush};
use proxmox_nftables::expression::{Meta, Payload};
use proxmox_nftables::helper::NfVec;
-use proxmox_nftables::statement::{AnonymousLimit, Log, LogLevel, Match, Set, SetOperation};
+use proxmox_nftables::statement::{
+ AnonymousLimit, Log, LogLevel, Mangle, Match, Set, SetOperation,
+};
use proxmox_nftables::types::{
AddElement, AddRule, ChainPart, MapValue, RateTimescale, SetName, TableFamily, TableName,
TablePart, Verdict,
@@ -934,7 +936,15 @@ impl Firewall {
vmid: Some(vmid),
};
- commands.reserve(config.rules().len());
+ commands.reserve(config.rules().len() + 1);
+
+ // Add a connmark to anything in/out the guest, to be able to later
+ // track/filter per guest, e.g. in the pve-conntrack-tool.
+ // Need to be first, such that it is always applied.
+ commands.push(Add::rule(AddRule::from_statement(
+ chain.clone(),
+ Mangle::ct_mark(vmid),
+ )));
for config_rule in config.rules() {
for rule in NftRule::from_config_rule(config_rule, &env)? {
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 9194fc6..aa29e6e 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -1,7 +1,6 @@
---
source: proxmox-firewall/tests/integration_tests.rs
expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
-snapshot_kind: text
---
{
"nftables": [
@@ -4373,6 +4372,27 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": 100
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
@@ -4648,6 +4668,27 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": 100
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
@@ -5034,6 +5075,27 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": 101
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
@@ -5096,6 +5158,27 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-out",
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": 101
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
index e9ef94f..cbafe85 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -12,6 +12,8 @@ use proxmox_ve_config::firewall::types::port::{PortEntry, PortList};
use proxmox_ve_config::firewall::types::rule_match::{IcmpCode, IcmpType, Icmpv6Code, Icmpv6Type};
#[cfg(feature = "config-ext")]
use proxmox_ve_config::firewall::types::Cidr;
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::guest::types::Vmid;
#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
@@ -267,6 +269,13 @@ impl From<&BridgeName> for Expression {
}
}
+#[cfg(feature = "config-ext")]
+impl From<Vmid> for Expression {
+ fn from(value: Vmid) -> Self {
+ Expression::Number(value.raw_value().into())
+ }
+}
+
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct Meta {
key: String,
diff --git a/proxmox-nftables/src/statement.rs b/proxmox-nftables/src/statement.rs
index 5483368..3264e6c 100644
--- a/proxmox-nftables/src/statement.rs
+++ b/proxmox-nftables/src/statement.rs
@@ -10,6 +10,7 @@ use proxmox_ve_config::firewall::types::rule::Verdict as ConfigVerdict;
#[cfg(feature = "config-ext")]
use proxmox_ve_config::guest::types::Vmid;
+use crate::expression::Ct;
use crate::expression::Meta;
use crate::helper::{NfVec, Null};
use crate::types::{RateTimescale, RateUnit, Verdict};
@@ -370,12 +371,19 @@ pub struct Mangle {
}
impl Mangle {
- pub fn set_mark(value: impl Into<Expression>) -> Self {
+ pub fn meta_mark(value: impl Into<Expression>) -> Self {
Self {
key: Meta::new("mark").into(),
value: value.into(),
}
}
+
+ pub fn ct_mark(value: impl Into<Expression>) -> Self {
+ Self {
+ key: Ct::new("mark", None).into(),
+ value: value.into(),
+ }
+ }
}
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
--
2.48.1
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-03-17 14:18 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 14:11 [pve-devel] [PATCH many 00/14] fix #5180: migrate conntrack state on live migration Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH proxmox-ve-rs 01/14] config: guest: allow access to raw Vmid value Christoph Heiss
2025-03-17 14:11 ` Christoph Heiss [this message]
2025-03-17 14:11 ` [pve-devel] [PATCH pve-firewall 03/14] firewall: add connmark rule with VMID to all guest chains Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH common 04/14] tools: add run_fork_detached() for spawning daemons Christoph Heiss
2025-03-18 10:28 ` Wolfgang Bumiller
2025-03-24 13:30 ` Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH qemu-server 05/14] qmp helpers: allow passing structured args via qemu_objectadd() Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH qemu-server 06/14] api2: qemu: add module exposing node migration capabilities Christoph Heiss
2025-04-24 12:01 ` Fiona Ebner
2025-03-17 14:11 ` [pve-devel] [PATCH qemu-server 07/14] fix #5180: libexec: add QEMU dbus-vmstate daemon for migrating conntrack Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH qemu-server 08/14] fix #5180: migrate: integrate helper for live-migrating conntrack info Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH manager 09/14] api2: capabilities: explicitly import CPU capabilities module Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH manager 10/14] api2: capabilities: proxy index endpoints to respective nodes Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH manager 11/14] api2: capabilities: expose new qemu/migration endpoint Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [PATCH manager 12/14] ui: window: Migrate: add checkbox for migrating VM conntrack state Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [RFC PATCH firewall 13/14] firewall: helpers: add sub for flushing conntrack entries by mark Christoph Heiss
2025-03-17 14:11 ` [pve-devel] [RFC PATCH qemu-server 14/14] migrate: flush old VM conntrack entries after successful migration Christoph Heiss
2025-03-18 8:52 ` [pve-devel] [PATCH many 00/14] fix #5180: migrate conntrack state on live migration DERUMIER, Alexandre via pve-devel
2025-04-24 11:37 ` Christoph Heiss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250317141152.1247324-3-c.heiss@proxmox.com \
--to=c.heiss@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal