From: "Max Carrara" <m.carrara@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Cc: "Wolfgang Bumiller" <w.bumiller@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox-firewall 11/37] config: firewall: add generic parser for firewall configs
Date: Wed, 03 Apr 2024 12:47:05 +0200 [thread overview]
Message-ID: <D0AFESIVEQ0B.SYXRTSNUE4BB@proxmox.com> (raw)
In-Reply-To: <20240402171629.536804-12-s.hanreich@proxmox.com>
On Tue Apr 2, 2024 at 7:16 PM CEST, Stefan Hanreich wrote:
> Since the basic format of cluster, host and guest firewall
> configurations is the same, we create a generic parser that can handle
> the common config format. The main difference is in the available
> options, which can be passed via a generic parameter.
>
> Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> proxmox-ve-config/src/firewall/common.rs | 182 +++++++++++++++++++++
> proxmox-ve-config/src/firewall/mod.rs | 1 +
> proxmox-ve-config/src/firewall/parse.rs | 200 +++++++++++++++++++++++
> 3 files changed, 383 insertions(+)
> create mode 100644 proxmox-ve-config/src/firewall/common.rs
>
> diff --git a/proxmox-ve-config/src/firewall/common.rs b/proxmox-ve-config/src/firewall/common.rs
> new file mode 100644
> index 0000000..887339b
> --- /dev/null
> +++ b/proxmox-ve-config/src/firewall/common.rs
> @@ -0,0 +1,182 @@
> +use std::collections::HashMap;
> +use std::io;
> +
> +use anyhow::{bail, format_err, Error};
> +use serde::de::IntoDeserializer;
> +
> +use crate::firewall::parse::{parse_named_section_tail, split_key_value, SomeString};
> +use crate::firewall::types::ipset::{IpsetName, IpsetScope};
> +use crate::firewall::types::{Alias, Group, Ipset, Rule};
> +
> +#[derive(Debug, Default)]
> +pub struct Config<O>
> +where
> + O: Default + std::fmt::Debug + serde::de::DeserializeOwned,
> +{
> + pub(crate) options: O,
> + pub(crate) rules: Vec<Rule>,
> + pub(crate) aliases: HashMap<String, Alias>,
> + pub(crate) ipsets: HashMap<String, Ipset>,
> + pub(crate) groups: HashMap<String, Group>,
> +}
> +
> +enum Sec {
> + None,
> + Options,
> + Aliases,
> + Rules,
> + Ipset(String, Ipset),
> + Group(String, Group),
> +}
> +
> +#[derive(Default)]
> +pub struct ParserConfig {
> + /// Network interfaces must be of the form `netX`.
> + pub guest_iface_names: bool,
> + pub ipset_scope: Option<IpsetScope>,
> +}
> +
> +impl<O> Config<O>
> +where
> + O: Default + std::fmt::Debug + serde::de::DeserializeOwned,
> +{
> + pub fn new() -> Self {
> + Self::default()
> + }
> +
> + pub fn parse<R: io::BufRead>(input: R, parser_cfg: &ParserConfig) -> Result<Self, Error> {
> + let mut section = Sec::None;
> +
> + let mut this = Self::new();
> + let mut options = HashMap::new();
> +
> + for line in input.lines() {
> + let line = line?;
> + let line = line.trim();
> +
> + if line.is_empty() || line.starts_with('#') {
> + continue;
> + }
> +
> + if line.eq_ignore_ascii_case("[OPTIONS]") {
> + this.set_section(&mut section, Sec::Options)?;
> + } else if line.eq_ignore_ascii_case("[ALIASES]") {
> + this.set_section(&mut section, Sec::Aliases)?;
> + } else if line.eq_ignore_ascii_case("[RULES]") {
> + this.set_section(&mut section, Sec::Rules)?;
> + } else if let Some(line) = line.strip_prefix("[IPSET") {
> + let (name, comment) = parse_named_section_tail("ipset", line)?;
> +
> + let scope = parser_cfg.ipset_scope.ok_or_else(|| {
> + format_err!("IPSET in config, but no scope set in parser config")
> + })?;
> +
> + let ipset_name = IpsetName::new(scope, name.to_string());
> + let mut ipset = Ipset::new(ipset_name);
> + ipset.comment = comment.map(str::to_owned);
> +
> + this.set_section(&mut section, Sec::Ipset(name.to_string(), ipset))?;
> + } else if let Some(line) = line.strip_prefix("[group") {
> + let (name, comment) = parse_named_section_tail("group", line)?;
> + let mut group = Group::new();
> +
> + group.set_comment(comment.map(str::to_owned));
> +
> + this.set_section(&mut section, Sec::Group(name.to_owned(), group))?;
> + } else if line.starts_with('[') {
> + bail!("invalid section {line:?}");
> + } else {
> + match &mut section {
> + Sec::None => bail!("config line with no section: {line:?}"),
> + Sec::Options => Self::parse_option(line, &mut options)?,
> + Sec::Aliases => this.parse_alias(line)?,
> + Sec::Rules => this.parse_rule(line, parser_cfg)?,
> + Sec::Ipset(_name, ipset) => ipset.parse_entry(line)?,
> + Sec::Group(_name, group) => group.parse_entry(line)?,
> + }
> + }
> + }
> + this.set_section(&mut section, Sec::None)?;
> +
> + this.options = O::deserialize(IntoDeserializer::<
> + '_,
> + crate::firewall::parse::SerdeStringError,
> + >::into_deserializer(options))?;
> +
> + Ok(this)
> + }
> +
> + fn parse_option(line: &str, options: &mut HashMap<String, SomeString>) -> Result<(), Error> {
> + let (key, value) = split_key_value(line)
> + .ok_or_else(|| format_err!("expected colon separated key and value, found {line:?}"))?;
> +
> + if options.insert(key.to_string(), value.into()).is_some() {
> + bail!("duplicate option {key:?}");
> + }
> +
> + Ok(())
> + }
> +
> + fn parse_alias(&mut self, line: &str) -> Result<(), Error> {
> + let alias: Alias = line.parse()?;
> +
> + if self
> + .aliases
> + .insert(alias.name().to_string(), alias)
> + .is_some()
> + {
> + bail!("duplicate alias: {line}");
> + }
> +
> + Ok(())
> + }
> +
> + fn parse_rule(&mut self, line: &str, parser_cfg: &ParserConfig) -> Result<(), Error> {
> + let rule: Rule = line.parse()?;
> +
> + if parser_cfg.guest_iface_names {
> + if let Some(iface) = rule.iface() {
> + let _ = iface
> + .strip_prefix("net")
> + .ok_or_else(|| {
> + format_err!("interface name must be of the form \"net<number>\"")
> + })?
> + .parse::<u16>()
> + .map_err(|_| {
> + format_err!("interface name must be of the form \"net<number>\"")
> + })?;
> + }
> + }
> +
> + self.rules.push(rule);
> + Ok(())
> + }
> +
> + fn set_section(&mut self, sec: &mut Sec, to: Sec) -> Result<(), Error> {
> + let prev = std::mem::replace(sec, to);
> +
> + match prev {
> + Sec::Ipset(name, ipset) => {
> + if self.ipsets.insert(name.clone(), ipset).is_some() {
> + bail!("duplicate ipset: {name:?}");
> + }
> + }
> + Sec::Group(name, group) => {
> + if self.groups.insert(name.clone(), group).is_some() {
> + bail!("duplicate group: {name:?}");
> + }
> + }
> + _ => (),
> + }
> +
> + Ok(())
> + }
> +
> + pub fn ipsets(&self) -> &HashMap<String, Ipset> {
> + &self.ipsets
> + }
> +
> + pub fn alias(&self, name: &str) -> Option<&Alias> {
> + self.aliases.get(name)
> + }
> +}
> diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
> index 2e0f31e..591ee52 100644
> --- a/proxmox-ve-config/src/firewall/mod.rs
> +++ b/proxmox-ve-config/src/firewall/mod.rs
> @@ -1,3 +1,4 @@
> +pub mod common;
> pub mod ports;
> pub mod types;
>
> diff --git a/proxmox-ve-config/src/firewall/parse.rs b/proxmox-ve-config/src/firewall/parse.rs
> index 227e045..9cc2b8a 100644
> --- a/proxmox-ve-config/src/firewall/parse.rs
> +++ b/proxmox-ve-config/src/firewall/parse.rs
> @@ -61,6 +61,16 @@ pub fn match_digits(line: &str) -> Option<(&str, &str)> {
>
> None
> }
> +
> +/// Separate a `key: value` line, trimming whitespace.
> +///
> +/// Returns `None` if the `key` would be empty.
> +pub fn split_key_value(line: &str) -> Option<(&str, &str)> {
> + line.split_once(':')
> + .map(|(key, value)| (key.trim(), value.trim()))
> +}
> +
> +/// Parse a boolean.
> pub fn parse_bool(value: &str) -> Result<bool, Error> {
> Ok(
> if value == "0"
> @@ -81,6 +91,196 @@ pub fn parse_bool(value: &str) -> Result<bool, Error> {
> )
> }
>
> +/// Parse the *remainder* of a section line, that is `<whitespace>NAME] #optional comment`.
> +/// The `kind` parameter is used for error messages and should be the section type.
> +///
> +/// Return the name and the optional comment.
> +pub fn parse_named_section_tail<'a>(
> + kind: &'static str,
> + line: &'a str,
> +) -> Result<(&'a str, Option<&'a str>), Error> {
> + if line.is_empty() || !line.as_bytes()[0].is_ascii_whitespace() {
> + bail!("incomplete {kind} section");
> + }
> +
> + let line = line.trim_start();
> + let (name, line) = match_name(line)
> + .ok_or_else(|| format_err!("expected a name for the {kind} at {line:?}"))?;
> +
> + let line = line
> + .strip_prefix(']')
> + .ok_or_else(|| format_err!("expected closing ']' in {kind} section header"))?
> + .trim_start();
> +
> + Ok(match line.strip_prefix('#') {
> + Some(comment) => (name, Some(comment.trim())),
> + None if !line.is_empty() => bail!("trailing characters after {kind} section: {line:?}"),
> + None => (name, None),
> + })
> +}
> +
> +// parses a number from a string OR number
> +pub mod serde_option_number {
Since this is `pub`, I think a more complete docstring here would be
better instead of a comment. Though I haven't generated the docs for all
of this (yet) I have to admit, so I'm not sure if this actually shows
up.
> + use std::fmt;
> +
> + use serde::de::{Deserializer, Error, Visitor};
> +
> + pub fn deserialize<'de, D: Deserializer<'de>>(
> + deserializer: D,
> + ) -> Result<Option<i64>, D::Error> {
> + struct V;
> +
> + impl<'de> Visitor<'de> for V {
> + type Value = Option<i64>;
> +
> + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
> + f.write_str("a numerical value")
> + }
> +
> + fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
> + v.parse().map_err(E::custom).map(Some)
> + }
> +
> + fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
> + Ok(None)
> + }
> +
> + fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
> + where
> + D: Deserializer<'de>,
> + {
> + deserializer.deserialize_any(self)
> + }
> + }
> +
> + deserializer.deserialize_any(V)
> + }
> +}
> +
> +// parses a bool from a string OR bool
> +pub mod serde_option_bool {
^ Same as above.
> + use std::fmt;
> +
> + use serde::de::{Deserializer, Error, Visitor};
> +
> + pub fn deserialize<'de, D: Deserializer<'de>>(
> + deserializer: D,
> + ) -> Result<Option<bool>, D::Error> {
> + struct V;
> +
> + impl<'de> Visitor<'de> for V {
> + type Value = Option<bool>;
> +
> + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
> + f.write_str("a boolean-like value")
> + }
> +
> + fn visit_bool<E: Error>(self, v: bool) -> Result<Self::Value, E> {
> + Ok(Some(v))
> + }
> +
> + fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
> + super::parse_bool(v).map_err(E::custom).map(Some)
> + }
> +
> + fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
> + Ok(None)
> + }
> +
> + fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
> + where
> + D: Deserializer<'de>,
> + {
> + deserializer.deserialize_any(self)
> + }
> + }
> +
> + deserializer.deserialize_any(V)
> + }
> +}
> +
> +// parses a comma_separated list of strings
> +pub mod serde_option_conntrack_helpers {
^ Same as above here as well.
> + use std::fmt;
> +
> + use serde::de::{Deserializer, Error, Visitor};
> +
> + pub fn deserialize<'de, D: Deserializer<'de>>(
> + deserializer: D,
> + ) -> Result<Option<Vec<String>>, D::Error> {
> + struct V;
> +
> + impl<'de> Visitor<'de> for V {
> + type Value = Option<Vec<String>>;
> +
> + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
> + f.write_str("A list of conntrack helpers")
> + }
> +
> + fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
> + if v.is_empty() {
> + return Ok(None);
> + }
> +
> + Ok(Some(v.split(',').map(String::from).collect()))
> + }
> +
> + fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
> + Ok(None)
> + }
> +
> + fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
> + where
> + D: Deserializer<'de>,
> + {
> + deserializer.deserialize_any(self)
> + }
> + }
> +
> + deserializer.deserialize_any(V)
> + }
> +}
> +
> +// parses a log_ratelimit string: '[enable=]<1|0> [,burst=<integer>] [,rate=<rate>]'
> +pub mod serde_option_log_ratelimit {
^ And here.
> + use std::fmt;
> +
> + use serde::de::{Deserializer, Error, Visitor};
> +
> + use crate::firewall::types::log::LogRateLimit;
> +
> + pub fn deserialize<'de, D: Deserializer<'de>>(
> + deserializer: D,
> + ) -> Result<Option<LogRateLimit>, D::Error> {
> + struct V;
> +
> + impl<'de> Visitor<'de> for V {
> + type Value = Option<LogRateLimit>;
> +
> + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
> + f.write_str("a boolean-like value")
> + }
> +
> + fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
> + v.parse().map_err(E::custom).map(Some)
> + }
> +
> + fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
> + Ok(None)
> + }
> +
> + fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
> + where
> + D: Deserializer<'de>,
> + {
> + deserializer.deserialize_any(self)
> + }
> + }
> +
> + deserializer.deserialize_any(V)
> + }
> +}
> +
> /// `&str` deserializer which also accepts an `Option`.
> ///
> /// Serde's `StringDeserializer` does not.
next prev parent reply other threads:[~2024-04-03 10:47 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-02 17:15 [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 01/37] config: add proxmox-ve-config crate Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 02/37] config: firewall: add types for ip addresses Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:26 ` Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 03/37] config: firewall: add types for ports Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 04/37] config: firewall: add types for log level and rate limit Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 05/37] config: firewall: add types for aliases Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 06/37] config: host: add helpers for host network configuration Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:32 ` Stefan Hanreich
2024-04-09 14:20 ` Lukas Wagner
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 07/37] config: guest: add helpers for parsing guest network config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 08/37] config: firewall: add types for ipsets Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 09/37] config: firewall: add types for rules Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:36 ` Stefan Hanreich
2024-04-09 14:55 ` Lukas Wagner
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 10/37] config: firewall: add types for security groups Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 11/37] config: firewall: add generic parser for firewall configs Stefan Hanreich
2024-04-03 10:47 ` Max Carrara [this message]
2024-04-09 8:38 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 12/37] config: firewall: add cluster-specific config + option types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 13/37] config: firewall: add host specific " Stefan Hanreich
2024-04-03 10:47 ` Max Carrara
2024-04-09 8:55 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 14/37] config: firewall: add guest-specific " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 15/37] config: firewall: add firewall macros Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 16/37] config: firewall: add conntrack helper types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 17/37] nftables: add crate for libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 18/37] nftables: add helpers Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 19/37] nftables: expression: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 20/37] nftables: expression: implement conversion traits for firewall config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 21/37] nftables: statement: add types Stefan Hanreich
2024-04-03 10:47 ` Max Carrara
2024-04-09 8:58 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 22/37] nftables: statement: add conversion traits for config types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 23/37] nftables: commands: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 24/37] nftables: types: add conversion traits Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 25/37] nftables: add libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 26/37] firewall: add firewall crate Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 27/37] firewall: add base ruleset Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 28/37] firewall: add config loader Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 29/37] firewall: add rule generation logic Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 30/37] firewall: add object " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 31/37] firewall: add ruleset " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 32/37] firewall: add proxmox-firewall binary Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 33/37] firewall: add files for debian packaging Stefan Hanreich
2024-04-03 13:14 ` Fabian Grünbichler
2024-04-09 8:56 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH qemu-server 34/37] firewall: add handling for new nft firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-container 35/37] " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-firewall 36/37] add configuration option for new nftables firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-manager 37/37] firewall: expose " Stefan Hanreich
2024-04-02 20:47 ` [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Laurent GUERBY
2024-04-03 7:33 ` Stefan Hanreich
[not found] ` <mailman.54.1712122640.450.pve-devel@lists.proxmox.com>
2024-04-03 7:52 ` Stefan Hanreich
2024-04-03 12:26 ` Stefan Hanreich
[not found] ` <mailman.56.1712124362.450.pve-devel@lists.proxmox.com>
2024-04-03 8:15 ` Stefan Hanreich
[not found] ` <mailman.77.1712145853.450.pve-devel@lists.proxmox.com>
2024-04-03 12:25 ` Stefan Hanreich
[not found] ` <mailman.78.1712149473.450.pve-devel@lists.proxmox.com>
2024-04-03 13:08 ` Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 9:21 ` Stefan Hanreich
2024-04-10 10:25 ` Lukas Wagner
2024-04-11 5:21 ` Stefan Hanreich
2024-04-11 7:34 ` Thomas Lamprecht
2024-04-11 7:55 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D0AFESIVEQ0B.SYXRTSNUE4BB@proxmox.com \
--to=m.carrara@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal