From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <shanreich@lana.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id 1207F90BB1
for <pve-devel@lists.proxmox.com>; Tue, 2 Apr 2024 19:17:16 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 3B490A813
for <pve-devel@lists.proxmox.com>; Tue, 2 Apr 2024 19:16:42 +0200 (CEST)
Received: from lana.proxmox.com (unknown [94.136.29.99])
by firstgate.proxmox.com (Proxmox) with ESMTP
for <pve-devel@lists.proxmox.com>; Tue, 2 Apr 2024 19:16:38 +0200 (CEST)
Received: by lana.proxmox.com (Postfix, from userid 10043)
id 6BFBA2C36C3; Tue, 2 Apr 2024 19:16:31 +0200 (CEST)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Stefan Hanreich <s.hanreich@proxmox.com>,
Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 2 Apr 2024 19:16:12 +0200
Message-Id: <20240402171629.536804-21-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240402171629.536804-1-s.hanreich@proxmox.com>
References: <20240402171629.536804-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.324 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
methods
RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
Subject: [pve-devel] [PATCH proxmox-firewall 20/37] nftables: expression:
implement conversion traits for firewall config
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 17:17:16 -0000
Some types from the firewall configuration map directly onto nftables
expressions. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.
Those are guarded behind a feature so the nftables crate can be used
standalone without having to pull in the proxmox-ve-config crate.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-nftables/Cargo.toml | 5 +-
proxmox-nftables/src/expression.rs | 124 +++++++++++++++++++++++++++--
2 files changed, 123 insertions(+), 6 deletions(-)
diff --git a/proxmox-nftables/Cargo.toml b/proxmox-nftables/Cargo.toml
index 909869b..7e607e8 100644
--- a/proxmox-nftables/Cargo.toml
+++ b/proxmox-nftables/Cargo.toml
@@ -10,6 +10,9 @@ authors = [
description = "Proxmox VE nftables"
license = "AGPL-3"
+[features]
+config-ext = ["dep:proxmox-ve-config"]
+
[dependencies]
log = "0.4"
@@ -17,4 +20,4 @@ serde = { version = "1", features = [ "derive" ] }
serde_json = "1"
serde_plain = "1"
-proxmox-ve-config = { path = "../proxmox-ve-config" }
+proxmox-ve-config = { path = "../proxmox-ve-config", optional = true }
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
index da6e40f..067eccc 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -4,6 +4,15 @@ use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use crate::helper::NfVec;
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::address::{Family, IpEntry, IpList};
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::port::{PortEntry, PortList};
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::rule_match::{IcmpCode, IcmpType, Icmpv6Code, Icmpv6Type};
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::Cidr;
+
#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
pub enum Expression {
@@ -147,11 +156,88 @@ impl From<&Ipv4Addr> for Expression {
}
}
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
-#[serde(rename_all = "lowercase")]
-pub enum IpFamily {
- Ip,
- Ip6,
+#[cfg(feature = "config-ext")]
+impl From<&IpList> for Expression {
+ fn from(value: &IpList) -> Self {
+ if value.len() == 1 {
+ return Expression::from(value.first().unwrap());
+ }
+
+ Expression::set(value.iter().map(Expression::from))
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&IpEntry> for Expression {
+ fn from(value: &IpEntry) -> Self {
+ match value {
+ IpEntry::Cidr(cidr) => Expression::from(Prefix::from(cidr)),
+ IpEntry::Range(beg, end) => Expression::Range(Box::new((beg.into(), end.into()))),
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&IcmpType> for Expression {
+ fn from(value: &IcmpType) -> Self {
+ match value {
+ IcmpType::Numeric(id) => Expression::from(*id),
+ IcmpType::Named(name) => Expression::from(*name),
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&IcmpCode> for Expression {
+ fn from(value: &IcmpCode) -> Self {
+ match value {
+ IcmpCode::Numeric(id) => Expression::from(*id),
+ IcmpCode::Named(name) => Expression::from(*name),
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&Icmpv6Type> for Expression {
+ fn from(value: &Icmpv6Type) -> Self {
+ match value {
+ Icmpv6Type::Numeric(id) => Expression::from(*id),
+ Icmpv6Type::Named(name) => Expression::from(*name),
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&Icmpv6Code> for Expression {
+ fn from(value: &Icmpv6Code) -> Self {
+ match value {
+ Icmpv6Code::Numeric(id) => Expression::from(*id),
+ Icmpv6Code::Named(name) => Expression::from(*name),
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&PortEntry> for Expression {
+ fn from(value: &PortEntry) -> Self {
+ match value {
+ PortEntry::Port(port) => Expression::from(*port),
+ PortEntry::Range(beg, end) => {
+ Expression::Range(Box::new(((*beg).into(), (*end).into())))
+ }
+ }
+ }
+}
+
+#[cfg(feature = "config-ext")]
+impl From<&PortList> for Expression {
+ fn from(value: &PortList) -> Self {
+ if value.len() == 1 {
+ return Expression::from(value.first().unwrap());
+ }
+
+ Expression::set(value.iter().map(Expression::from))
+ }
}
#[derive(Clone, Debug, Deserialize, Serialize)]
@@ -197,6 +283,24 @@ pub enum CtDirection {
Reply,
}
serde_plain::derive_display_from_serialize!(CtDirection);
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum IpFamily {
+ Ip,
+ Ip6,
+}
+
+#[cfg(feature = "config-ext")]
+impl From<Family> for IpFamily {
+ fn from(value: Family) -> Self {
+ match value {
+ Family::V4 => IpFamily::Ip,
+ Family::V6 => IpFamily::Ip6,
+ }
+ }
+}
+
#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(untagged)]
pub enum Payload {
@@ -260,6 +364,16 @@ impl Prefix {
}
}
+#[cfg(feature = "config-ext")]
+impl From<&Cidr> for Prefix {
+ fn from(value: &Cidr) -> Self {
+ match value {
+ Cidr::Ipv4(cidr) => Self::new(cidr.address(), cidr.mask()),
+ Cidr::Ipv6(cidr) => Self::new(cidr.address(), cidr.mask()),
+ }
+ }
+}
+
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct Element {
#[serde(flatten)]
--
2.39.2