Re: [pve-devel] [PATCH docs/firewall/manager/proxmox{-ve-rs, -firewall, -perl-rs} v3 00/24] autogenerate ipsets for sdn objects

From: Hannes Duerr <h.duerr@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Stefan Hanreich <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH docs/firewall/manager/proxmox{-ve-rs, -firewall, -perl-rs} v3 00/24] autogenerate ipsets for sdn objects
Date: Fri, 15 Nov 2024 12:17:21 +0100	[thread overview]
Message-ID: <704c1376-7657-47be-91d2-962ca145c1e6@proxmox.com> (raw)
In-Reply-To: <20241112122602.88598-1-s.hanreich@proxmox.com>

I tested this series in combination with the second patch series [0] 
implementing the forward chain, also containing some changes made in v4.

My test setup consisted of two clustered virtual Proxmox VE nodes.
I created a simple zone with vnet (no snat, no vlan aware), subnet and 
dhcp range.
I created a VLAN zone with a vlan aware vnet on top of vmbr0.
In the simple zone i created a second vnet with snat (no vlan aware), 
subnet and dhcp range.
Then I installed dnsmasq and enabled our pve IPAM Plugin. Afterwards i 
created one CT(guest100) and one VM(guest101).
I enabled the firewall on DC and Host level for both hosts and set it to 
nftables the rest was default settings.

1. I put both CT and VM on the same host in the simple zone, both 
configured to get dhcp addresses assigned. The assignment worked and 
also ip automatic ipset generation.
2. I enabled the Vnet firewall for all 3 Vnets (SDN -> Firewall -> Vnet 
select -> Options -> Firewall enable)
3. I created a forward rule on vnet level dropping every traffic between 
guest100 and guest101, which worked.
4. I switched the host firewall to iptables, the traffic flowed again as 
expected.
5. I switched back to nftables and disabled the rule, then i switched 
the default behavior to `drop` in Datacenter -> Firewall -> Forward 
which worked as well.
6. I switched default behavior back to `accept` and set the default 
behavior of the vnet to `drop` (SDN -> Firewall -> Vnet selecten -> 
Options -> Forward Policy).
7. I switched the setting back to forward.
8. I put bot CT and VM in the VLAN zone with static IP adresses and also 
created ipsets for the CT and VM.
9. I created a forward rule on vnet level dropping every traffic between 
guest 100 and 101, which worked (both hosts still on the same host)
10. I migrated guest 101 to the second host and they are still unable to 
communicate, as expected
15. I moved the guest101 into the snat vnet and pinged into the web to 
check if snat is working.
16. i created a rule dropping all traffic from all hosts to the vnet.

Looks good to me, please add my tested-by to both series.

Tested-by: Hannes Dürr <h.duerr@proxmox.com>

[0] 
https://lore.proxmox.com/pve-devel/20241112122615.88854-1-s.hanreich@proxmox.com/T/#m646bd4b0be7652b2cc8afc411e6c96366ddb9a14

On 12.11.24 13:25, Stefan Hanreich wrote:
> This patch series adds support for autogenerating ipsets for SDN objects. It
> autogenerates ipsets for every VNet as follows:
>
> * ipset containing all IP ranges of the VNet
> * ipset containing all gateways of the VNet
> * ipset containing all IP ranges of the subnet - except gateways
> * ipset containing all dhcp ranges of the vnet
>
> Additionally it generates an IPSet for every guest that has one or more IPAM
> entries in the pve IPAM.
>
> Those can then be used in the cluster / host / guest firewalls. Firewall rules
> automatically update on changes of the SDN / IPAM configuration. This patch
> series works for the old firewall as well as the new firewall.
>
> The ipsets in nftables currently get generated as named ipsets in every table,
> this means that the `nft list ruleset` output can get quite crowded for large
> SDN configurations or large IPAM databases. Another option would be to only
> include them as anonymous IPsets in the rules, which would make the nft output
> far less crowded but this way would use more memory when making extensive use of
> the sdn ipsets, since everytime it is used in a rule we create an entirely new
> ipset.
>
> The base for proxmox-ve-rs (which is a filtered version of the proxmox-firewall
> repository can be found here:)
>
> staff/s.hanreich/proxmox-ve-rs.git master
>
> Dependencies:
> * proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs
> * pve-firewall depends on proxmox-perl-rs
> * pve-manager depends on pve-firewall
>
> Changes from v2:
> * rename end in IpRange to last to avoid confusion - thanks @Wolfgang
> * bump Rust to 1.82 - thanks @Wolfgang
> * improvements to the code generating IPSets - thanks @Wolfgang
> * implement AsRef<str> for SDN name types - thanks @Wolfgang
> * improve docstrings (proper capitalization and punctuation) - thanks @Wolfgang
> * included a patch that removes proxmox-ve-config from proxmox-firewall
>
> Changes from RFC:
> * added documentation
> * added separate SDN scope for IPSets
> * rustfmt fixes
>
> proxmox-ve-rs:
>
> Stefan Hanreich (16):
>    debian: add files for packaging
>    firewall: add sdn scope for ipsets
>    firewall: add ip range types
>    firewall: address: use new iprange type for ip entries
>    ipset: add range variant to addresses
>    iprange: add methods for converting an ip range to cidrs
>    ipset: address: add helper methods
>    firewall: guest: derive traits according to rust api guidelines
>    common: add allowlist
>    sdn: add name types
>    sdn: add ipam module
>    sdn: ipam: add method for generating ipsets
>    sdn: add config module
>    sdn: config: add method for generating ipsets
>    tests: add sdn config tests
>    tests: add ipam tests
>
>   .cargo/config.toml                            |    5 +
>   .gitignore                                    |    8 +
>   Cargo.toml                                    |   17 +
>   Makefile                                      |   69 +
>   build.sh                                      |   35 +
>   bump.sh                                       |   44 +
>   proxmox-ve-config/Cargo.toml                  |   19 +-
>   proxmox-ve-config/debian/changelog            |    5 +
>   proxmox-ve-config/debian/control              |   46 +
>   proxmox-ve-config/debian/copyright            |   19 +
>   proxmox-ve-config/debian/debcargo.toml        |    4 +
>   proxmox-ve-config/src/common/mod.rs           |   31 +
>   .../src/firewall/types/address.rs             | 1171 ++++++++++++++++-
>   proxmox-ve-config/src/firewall/types/alias.rs |    4 +-
>   proxmox-ve-config/src/firewall/types/ipset.rs |   32 +-
>   proxmox-ve-config/src/firewall/types/rule.rs  |    6 +-
>   proxmox-ve-config/src/guest/types.rs          |    7 +-
>   proxmox-ve-config/src/guest/vm.rs             |   11 +-
>   proxmox-ve-config/src/lib.rs                  |    2 +
>   proxmox-ve-config/src/sdn/config.rs           |  640 +++++++++
>   proxmox-ve-config/src/sdn/ipam.rs             |  368 ++++++
>   proxmox-ve-config/src/sdn/mod.rs              |  251 ++++
>   proxmox-ve-config/tests/sdn/main.rs           |  189 +++
>   proxmox-ve-config/tests/sdn/resources/ipam.db |   26 +
>   .../tests/sdn/resources/running-config.json   |   54 +
>   25 files changed, 2976 insertions(+), 87 deletions(-)
>   create mode 100644 .cargo/config.toml
>   create mode 100644 .gitignore
>   create mode 100644 Cargo.toml
>   create mode 100644 Makefile
>   create mode 100755 build.sh
>   create mode 100755 bump.sh
>   create mode 100644 proxmox-ve-config/debian/changelog
>   create mode 100644 proxmox-ve-config/debian/control
>   create mode 100644 proxmox-ve-config/debian/copyright
>   create mode 100644 proxmox-ve-config/debian/debcargo.toml
>   create mode 100644 proxmox-ve-config/src/common/mod.rs
>   create mode 100644 proxmox-ve-config/src/sdn/config.rs
>   create mode 100644 proxmox-ve-config/src/sdn/ipam.rs
>   create mode 100644 proxmox-ve-config/src/sdn/mod.rs
>   create mode 100644 proxmox-ve-config/tests/sdn/main.rs
>   create mode 100644 proxmox-ve-config/tests/sdn/resources/ipam.db
>   create mode 100644 proxmox-ve-config/tests/sdn/resources/running-config.json
>
>
> proxmox-firewall:
>
> Stefan Hanreich (3):
>    add proxmox-ve-rs crate - move proxmox-ve-config there
>    config: tests: add support for loading sdn and ipam config
>    ipsets: autogenerate ipsets for vnets and ipam
>
>   Cargo.toml                                    |    4 +-
>   Makefile                                      |    2 +-
>   proxmox-firewall/Cargo.toml                   |    2 +-
>   proxmox-firewall/src/config.rs                |   69 +
>   proxmox-firewall/src/firewall.rs              |   22 +-
>   proxmox-firewall/src/object.rs                |   41 +-
>   .../tests/input/.running-config.json          |   45 +
>   proxmox-firewall/tests/input/ipam.db          |   32 +
>   proxmox-firewall/tests/integration_tests.rs   |   10 +
>   .../integration_tests__firewall.snap          | 1288 +++++++++++++++++
>   proxmox-nftables/Cargo.toml                   |    2 +-
>   proxmox-nftables/src/expression.rs            |   17 +-
>   proxmox-nftables/src/types.rs                 |    2 +-
>   proxmox-ve-config/Cargo.toml                  |   25 -
>   proxmox-ve-config/resources/ct_helper.json    |   52 -
>   proxmox-ve-config/resources/macros.json       |  923 ------------
>   proxmox-ve-config/src/firewall/cluster.rs     |  374 -----
>   proxmox-ve-config/src/firewall/common.rs      |  184 ---
>   proxmox-ve-config/src/firewall/ct_helper.rs   |  115 --
>   proxmox-ve-config/src/firewall/fw_macros.rs   |   69 -
>   proxmox-ve-config/src/firewall/guest.rs       |  237 ---
>   proxmox-ve-config/src/firewall/host.rs        |  372 -----
>   proxmox-ve-config/src/firewall/mod.rs         |   10 -
>   proxmox-ve-config/src/firewall/parse.rs       |  494 -------
>   proxmox-ve-config/src/firewall/ports.rs       |   80 -
>   .../src/firewall/types/address.rs             |  615 --------
>   proxmox-ve-config/src/firewall/types/alias.rs |  174 ---
>   proxmox-ve-config/src/firewall/types/group.rs |   36 -
>   proxmox-ve-config/src/firewall/types/ipset.rs |  349 -----
>   proxmox-ve-config/src/firewall/types/log.rs   |  222 ---
>   proxmox-ve-config/src/firewall/types/mod.rs   |   14 -
>   proxmox-ve-config/src/firewall/types/port.rs  |  181 ---
>   proxmox-ve-config/src/firewall/types/rule.rs  |  412 ------
>   .../src/firewall/types/rule_match.rs          |  977 -------------
>   proxmox-ve-config/src/guest/mod.rs            |  115 --
>   proxmox-ve-config/src/guest/types.rs          |   38 -
>   proxmox-ve-config/src/guest/vm.rs             |  510 -------
>   proxmox-ve-config/src/host/mod.rs             |    1 -
>   proxmox-ve-config/src/host/utils.rs           |   70 -
>   proxmox-ve-config/src/lib.rs                  |    3 -
>   40 files changed, 1517 insertions(+), 6671 deletions(-)
>   create mode 100644 proxmox-firewall/tests/input/.running-config.json
>   create mode 100644 proxmox-firewall/tests/input/ipam.db
>   delete mode 100644 proxmox-ve-config/Cargo.toml
>   delete mode 100644 proxmox-ve-config/resources/ct_helper.json
>   delete mode 100644 proxmox-ve-config/resources/macros.json
>   delete mode 100644 proxmox-ve-config/src/firewall/cluster.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/common.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/ct_helper.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/fw_macros.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/guest.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/host.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/mod.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/parse.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/ports.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/address.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/alias.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/group.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/ipset.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/log.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/mod.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/port.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/rule.rs
>   delete mode 100644 proxmox-ve-config/src/firewall/types/rule_match.rs
>   delete mode 100644 proxmox-ve-config/src/guest/mod.rs
>   delete mode 100644 proxmox-ve-config/src/guest/types.rs
>   delete mode 100644 proxmox-ve-config/src/guest/vm.rs
>   delete mode 100644 proxmox-ve-config/src/host/mod.rs
>   delete mode 100644 proxmox-ve-config/src/host/utils.rs
>   delete mode 100644 proxmox-ve-config/src/lib.rs
>
>
> pve-firewall:
>
> Stefan Hanreich (2):
>    add support for loading sdn firewall configuration
>    api: load sdn ipsets
>
>   src/PVE/API2/Firewall/Cluster.pm |  8 +++--
>   src/PVE/API2/Firewall/Rules.pm   | 12 ++++---
>   src/PVE/API2/Firewall/VM.pm      |  3 +-
>   src/PVE/Firewall.pm              | 59 ++++++++++++++++++++++++++++----
>   4 files changed, 67 insertions(+), 15 deletions(-)
>
>
> proxmox-perl-rs:
>
> Stefan Hanreich (1):
>    add PVE::RS::Firewall::SDN module
>
>   pve-rs/Cargo.toml          |   1 +
>   pve-rs/Makefile            |   1 +
>   pve-rs/src/firewall/mod.rs |   1 +
>   pve-rs/src/firewall/sdn.rs | 130 +++++++++++++++++++++++++++++++++++++
>   pve-rs/src/lib.rs          |   1 +
>   5 files changed, 134 insertions(+)
>   create mode 100644 pve-rs/src/firewall/mod.rs
>   create mode 100644 pve-rs/src/firewall/sdn.rs
>
>
> pve-manager:
>
> Stefan Hanreich (1):
>    firewall: add sdn scope to IPRefSelector
>
>   www/manager6/form/IPRefSelector.js | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
>
>
> pve-docs:
>
> Stefan Hanreich (1):
>    sdn: add documentation for firewall integration
>
>   pvesdn.adoc | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 92 insertions(+)
>
>
> Summary over all repositories:
>    76 files changed, 4793 insertions(+), 6774 deletions(-)
>

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel