From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Stefan Hanreich <s.hanreich@proxmox.com>,
Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall 29/37] firewall: add rule generation logic
Date: Tue, 2 Apr 2024 19:16:21 +0200 [thread overview]
Message-ID: <20240402171629.536804-30-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240402171629.536804-1-s.hanreich@proxmox.com>
ToNftRules is basically a conversion trait for firewall config structs
to convert them into the respective nftables statements.
We are passing a list of rules to the method, which then modifies the
list of rules such that all relevant rules in the list have statements
appended that apply the configured constraints from the firewall
config.
This is particularly relevant for the rule generation logic for
ipsets. Due to how sets work in nftables we need to generate two rules
for every ipset: a rule for the v4 ipset and a rule for the v6 ipset.
This is because sets can only contain either v4 or v6 addresses. By
passing a list of all generated rules we can duplicate all rules and
then add a statement for the v4 or v6 set respectively.
This also enables us to start with multiple rules, which is required
for using log statements in conjunction with limit statements.
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/main.rs | 1 +
proxmox-firewall/src/rule.rs | 659 +++++++++++++++++++++++++++++
proxmox-nftables/src/expression.rs | 4 +
3 files changed, 664 insertions(+)
create mode 100644 proxmox-firewall/src/rule.rs
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 656ac15..ae832e3 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -1,6 +1,7 @@
use anyhow::Error;
mod config;
+mod rule;
fn main() -> Result<(), Error> {
env_logger::init();
diff --git a/proxmox-firewall/src/rule.rs b/proxmox-firewall/src/rule.rs
new file mode 100644
index 0000000..eea79e3
--- /dev/null
+++ b/proxmox-firewall/src/rule.rs
@@ -0,0 +1,659 @@
+use std::ops::{Deref, DerefMut};
+
+use anyhow::{format_err, Error};
+use proxmox_nftables::{
+ expression::{Ct, IpFamily, Meta, Payload, Prefix},
+ statement::{Log, LogLevel, Match},
+ types::{AddRule, ChainPart, SetName},
+ Expression, Statement,
+};
+use proxmox_ve_config::{
+ firewall::{
+ ct_helper::CtHelperMacro,
+ fw_macros::{get_macro, FwMacro},
+ types::{
+ address::Family,
+ alias::AliasName,
+ ipset::{Ipfilter, IpsetName},
+ log::LogRateLimit,
+ rule::{Direction, Kind, RuleGroup},
+ rule_match::{
+ Icmp, Icmpv6, IpAddrMatch, IpMatch, Ports, Protocol, RuleMatch, Sctp, Tcp, Udp,
+ },
+ Alias, Rule,
+ },
+ },
+ guest::types::Vmid,
+};
+
+use crate::config::FirewallConfig;
+
+#[derive(Debug, Clone)]
+pub(crate) struct NftRule {
+ family: Option<Family>,
+ statements: Vec<Statement>,
+ terminal_statements: Vec<Statement>,
+}
+
+impl NftRule {
+ pub fn from_terminal_statements(terminal_statements: Vec<Statement>) -> Self {
+ Self {
+ family: None,
+ statements: Vec::new(),
+ terminal_statements,
+ }
+ }
+
+ pub fn new(terminal_statement: Statement) -> Self {
+ Self {
+ family: None,
+ statements: Vec::new(),
+ terminal_statements: vec![terminal_statement],
+ }
+ }
+
+ pub fn from_config_rule(rule: &Rule, env: &NftRuleEnv) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+
+ if rule.disabled() {
+ return Ok(rules);
+ }
+
+ rule.to_nft_rules(&mut rules, env)?;
+
+ Ok(rules)
+ }
+
+ pub fn from_ct_helper(
+ ct_helper: &CtHelperMacro,
+ env: &NftRuleEnv,
+ ) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+ ct_helper.to_nft_rules(&mut rules, env)?;
+ Ok(rules)
+ }
+
+ pub fn from_ipfilter(ipfilter: &Ipfilter, env: &NftRuleEnv) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+ ipfilter.to_nft_rules(&mut rules, env)?;
+ Ok(rules)
+ }
+}
+
+impl Deref for NftRule {
+ type Target = Vec<Statement>;
+
+ fn deref(&self) -> &Self::Target {
+ &self.statements
+ }
+}
+
+impl DerefMut for NftRule {
+ fn deref_mut(&mut self) -> &mut Self::Target {
+ &mut self.statements
+ }
+}
+
+impl NftRule {
+ pub fn into_add_rule(self, chain: ChainPart) -> AddRule {
+ let statements = self.statements.into_iter().chain(self.terminal_statements);
+
+ AddRule::from_statements(chain, statements)
+ }
+
+ pub fn family(&self) -> Option<Family> {
+ self.family
+ }
+
+ pub fn set_family(&mut self, family: Family) {
+ self.family = Some(family);
+ }
+}
+
+pub(crate) struct NftRuleEnv<'a> {
+ pub(crate) chain: ChainPart,
+ pub(crate) direction: Direction,
+ pub(crate) firewall_config: &'a FirewallConfig,
+ pub(crate) vmid: Option<Vmid>,
+}
+
+impl NftRuleEnv<'_> {
+ fn alias(&self, name: &AliasName) -> Option<&Alias> {
+ self.firewall_config.alias(name, self.vmid)
+ }
+
+ fn iface_name(&self, rule_iface: &str) -> String {
+ match &self.vmid {
+ Some(vmid) => {
+ if let Some(config) = self.firewall_config.guests().get(vmid) {
+ if let Ok(name) = config.iface_name_by_key(rule_iface) {
+ return name;
+ }
+ }
+
+ log::warn!("Unable to resolve interface name {rule_iface} for VM #{vmid}");
+
+ rule_iface.to_string()
+ }
+ None => rule_iface.to_string(),
+ }
+ }
+
+ fn default_log_limit(&self) -> Option<LogRateLimit> {
+ self.firewall_config.cluster().log_ratelimit()
+ }
+
+ fn contains_family(&self, family: Family) -> bool {
+ self.chain.table().family().families().contains(&family)
+ }
+}
+
+pub(crate) trait ToNftRules {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error>;
+}
+
+impl ToNftRules for Rule {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ match self.kind() {
+ Kind::Match(rule) => rule.to_nft_rules(rules, env)?,
+ Kind::Group(group) => group.to_nft_rules(rules, env)?,
+ };
+
+ Ok(())
+ }
+}
+
+fn handle_iface(rules: &mut [NftRule], env: &NftRuleEnv, name: &str) -> Result<(), Error> {
+ let iface_key = match (env.vmid, env.direction) {
+ (Some(_), Direction::In) => "oifname",
+ (Some(_), Direction::Out) => "iifname",
+ (None, Direction::In) => "iifname",
+ (None, Direction::Out) => "oifname",
+ };
+
+ let iface_name = env.iface_name(name);
+
+ for rule in rules.iter_mut() {
+ rule.push(
+ Match::new_eq(
+ Expression::from(Meta::new(iface_key.to_string())),
+ Expression::from(iface_name.clone()),
+ )
+ .into(),
+ )
+ }
+
+ Ok(())
+}
+
+impl ToNftRules for RuleGroup {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ let chain_name = format!("group-{}-{}", self.group(), env.direction);
+
+ rules.push(NftRule::new(Statement::jump(chain_name)));
+
+ if let Some(name) = &self.iface() {
+ handle_iface(rules, env, name)?;
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for RuleMatch {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ if env.direction != self.direction() {
+ return Ok(());
+ }
+
+ if let Some(log) = self.log() {
+ if let Ok(log_level) = LogLevel::try_from(log) {
+ let mut terminal_statements = Vec::new();
+
+ if let Some(limit) = env.default_log_limit() {
+ terminal_statements.push(Statement::from(limit));
+ }
+
+ terminal_statements.push(
+ Log::new_nflog(
+ Log::generate_prefix(env.vmid, log_level, env.chain.name(), self.verdict()),
+ 0,
+ )
+ .into(),
+ );
+
+ rules.push(NftRule::from_terminal_statements(terminal_statements));
+ }
+ }
+
+ rules.push(NftRule::new(Statement::from(self.verdict())));
+
+ if let Some(name) = &self.iface() {
+ handle_iface(rules, env, name)?;
+ }
+
+ if let Some(protocol) = self.proto() {
+ protocol.to_nft_rules(rules, env)?;
+ }
+
+ if let Some(name) = self.fw_macro() {
+ let fw_macro =
+ get_macro(name).ok_or_else(|| format_err!("cannot find macro {name}"))?;
+
+ fw_macro.to_nft_rules(rules, env)?;
+ }
+
+ if let Some(ip) = self.ip() {
+ ip.to_nft_rules(rules, env)?;
+ }
+
+ Ok(())
+ }
+}
+
+fn handle_set(
+ rules: &mut Vec<NftRule>,
+ name: &IpsetName,
+ field_name: &str,
+ env: &NftRuleEnv,
+) -> Result<(), Error> {
+ let mut new_rules = rules
+ .drain(..)
+ .flat_map(|rule| {
+ let mut new_rules = Vec::new();
+
+ if matches!(rule.family(), Some(Family::V4) | None) && env.contains_family(Family::V4) {
+ let field = Payload::field("ip", field_name);
+
+ let mut rule = rule.clone();
+ rule.set_family(Family::V4);
+
+ rule.append(&mut vec![
+ Match::new_eq(
+ field.clone(),
+ Expression::set_name(&SetName::ipset_name(Family::V4, name, false)),
+ )
+ .into(),
+ Match::new_ne(
+ field,
+ Expression::set_name(&SetName::ipset_name(Family::V4, name, true)),
+ )
+ .into(),
+ ]);
+
+ new_rules.push(rule);
+ }
+
+ if matches!(rule.family(), Some(Family::V6) | None) && env.contains_family(Family::V6) {
+ let field = Payload::field("ip6", field_name);
+
+ let mut rule = rule;
+ rule.set_family(Family::V6);
+
+ rule.append(&mut vec![
+ Match::new_eq(
+ field.clone(),
+ Expression::set_name(&SetName::ipset_name(Family::V6, name, false)),
+ )
+ .into(),
+ Match::new_ne(
+ field,
+ Expression::set_name(&SetName::ipset_name(Family::V6, name, true)),
+ )
+ .into(),
+ ]);
+
+ new_rules.push(rule);
+ }
+
+ new_rules
+ })
+ .collect::<Vec<NftRule>>();
+
+ rules.append(&mut new_rules);
+
+ Ok(())
+}
+
+fn handle_match(
+ rules: &mut Vec<NftRule>,
+ ip: &IpAddrMatch,
+ field_name: &str,
+ env: &NftRuleEnv,
+) -> Result<(), Error> {
+ match ip {
+ IpAddrMatch::Ip(list) => {
+ if !env.contains_family(list.family()) {
+ return Ok(());
+ }
+
+ let field = match list.family() {
+ Family::V4 => Payload::field("ip", field_name),
+ Family::V6 => Payload::field("ip6", field_name),
+ };
+
+ for rule in rules {
+ match rule.family() {
+ None => {
+ rule.push(Match::new_eq(field.clone(), Expression::from(list)).into());
+
+ rule.set_family(list.family());
+ }
+ Some(rule_family) if rule_family == list.family() => {
+ rule.push(Match::new_eq(field.clone(), Expression::from(list)).into());
+ }
+ _ => (),
+ };
+ }
+
+ Ok(())
+ }
+ IpAddrMatch::Alias(alias_name) => {
+ let alias = env
+ .alias(alias_name)
+ .ok_or_else(|| format_err!("could not find alias {alias_name}"))?;
+
+ if !env.contains_family(alias.address().family()) {
+ return Ok(());
+ }
+
+ let field = match alias.address().family() {
+ Family::V4 => Payload::field("ip", field_name),
+ Family::V6 => Payload::field("ip6", field_name),
+ };
+
+ for rule in rules {
+ match rule.family() {
+ None => {
+ rule.push(
+ Match::new_eq(
+ field.clone(),
+ Expression::from(Prefix::from(alias.address())),
+ )
+ .into(),
+ );
+
+ rule.set_family(alias.address().family());
+ }
+ Some(rule_family) if rule_family == alias.address().family() => {
+ rule.push(
+ Match::new_eq(
+ field.clone(),
+ Expression::from(Prefix::from(alias.address())),
+ )
+ .into(),
+ );
+ }
+ _ => (),
+ }
+ }
+
+ Ok(())
+ }
+ IpAddrMatch::Set(name) => handle_set(rules, name, field_name, env),
+ }
+}
+
+impl ToNftRules for IpMatch {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ if let Some(src) = self.src() {
+ handle_match(rules, src, "saddr", env)?;
+ }
+
+ if let Some(dst) = self.dst() {
+ handle_match(rules, dst, "daddr", env)?;
+ }
+
+ Ok(())
+ }
+}
+
+fn handle_protocol(rules: &mut [NftRule], _env: &NftRuleEnv, name: &str) -> Result<(), Error> {
+ for rule in rules.iter_mut() {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from(name)).into());
+ }
+
+ Ok(())
+}
+
+impl ToNftRules for Protocol {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ match self {
+ Protocol::Tcp(tcp) => tcp.to_nft_rules(rules, env),
+ Protocol::Udp(udp) => udp.to_nft_rules(rules, env),
+ Protocol::Dccp(ports) => {
+ handle_protocol(rules, env, "dccp")?;
+ ports.to_nft_rules(rules, env)
+ }
+ Protocol::UdpLite(ports) => {
+ handle_protocol(rules, env, "udplite")?;
+ ports.to_nft_rules(rules, env)
+ }
+ Protocol::Sctp(sctp) => sctp.to_nft_rules(rules, env),
+ Protocol::Icmp(icmp) => icmp.to_nft_rules(rules, env),
+ Protocol::Icmpv6(icmpv6) => icmpv6.to_nft_rules(rules, env),
+ Protocol::Named(name) => handle_protocol(rules, env, name),
+ Protocol::Numeric(id) => {
+ for rule in rules.iter_mut() {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from(*id)).into());
+ }
+
+ Ok(())
+ }
+ }
+ }
+}
+
+impl ToNftRules for Tcp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "tcp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Udp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "udp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Sctp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "sctp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Icmp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ for rule in rules.iter_mut() {
+ if matches!(rule.family(), Some(Family::V4) | None) {
+ if let Some(icmp_code) = self.code() {
+ rule.push(
+ Match::new_eq(Payload::field("icmp", "code"), Expression::from(icmp_code))
+ .into(),
+ );
+ } else if let Some(icmp_type) = self.ty() {
+ rule.push(
+ Match::new_eq(Payload::field("icmp", "type"), Expression::from(icmp_type))
+ .into(),
+ );
+ } else {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from("icmp")).into());
+ }
+
+ rule.set_family(Family::V4);
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Icmpv6 {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("applying icmpv6: {:?}", self);
+
+ for rule in rules.iter_mut() {
+ if matches!(rule.family(), Some(Family::V6) | None) {
+ if let Some(icmp_code) = self.code() {
+ rule.push(
+ Match::new_eq(
+ Payload::field("icmpv6", "code"),
+ Expression::from(icmp_code),
+ )
+ .into(),
+ );
+ } else if let Some(icmp_type) = self.ty() {
+ rule.push(
+ Match::new_eq(
+ Payload::field("icmpv6", "type"),
+ Expression::from(icmp_type),
+ )
+ .into(),
+ );
+ } else {
+ rule.push(
+ Match::new_eq(Meta::new("l4proto"), Expression::from("icmpv6")).into(),
+ );
+ }
+
+ rule.set_family(Family::V6);
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Ports {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ for rule in rules {
+ if let Some(sport) = self.sport() {
+ rule.push(
+ Match::new_eq(
+ Expression::from(Payload::field("th", "sport")),
+ Expression::from(sport),
+ )
+ .into(),
+ )
+ }
+
+ if let Some(dport) = self.dport() {
+ rule.push(
+ Match::new_eq(
+ Expression::from(Payload::field("th", "dport")),
+ Expression::from(dport),
+ )
+ .into(),
+ )
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Ipfilter<'_> {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ let vmid = env
+ .vmid
+ .ok_or_else(|| format_err!("can only create ipfilter for guests"))?;
+
+ let guest_config = env
+ .firewall_config
+ .guests()
+ .get(&vmid)
+ .ok_or_else(|| format_err!("no guest config found!"))?;
+
+ if !guest_config.ipfilter() {
+ return Ok(());
+ }
+
+ let mut base_rule = NftRule::new(Statement::make_drop());
+
+ base_rule.push(
+ Match::new_eq(
+ Expression::from(Meta::new("iifname")),
+ guest_config.iface_name_by_index(self.index()),
+ )
+ .into(),
+ );
+
+ handle_set(rules, self.ipset().name(), "saddr", env)
+ }
+}
+
+impl ToNftRules for CtHelperMacro {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ if let Some(family) = self.family() {
+ if !env.contains_family(family) {
+ return Ok(());
+ }
+ }
+
+ if self.tcp().is_none() && self.udp().is_none() {
+ return Ok(());
+ }
+
+ let ip_family = self.family().map(IpFamily::from);
+
+ if let Some(protocol) = self.tcp() {
+ let base_rule = NftRule::from_terminal_statements(vec![
+ Match::new_eq(
+ Ct::new("state", None),
+ Expression::List(vec!["new".into(), "established".into()]),
+ )
+ .into(),
+ Statement::make_accept(),
+ ]);
+
+ let helper_rule = NftRule::new(Statement::CtHelper(self.tcp_helper_name()));
+
+ let mut ct_rules = vec![base_rule, helper_rule];
+ protocol.to_nft_rules(&mut ct_rules, env)?;
+ rules.append(&mut ct_rules);
+ }
+
+ if let Some(protocol) = self.udp() {
+ let base_rule = NftRule::from_terminal_statements(vec![
+ Match::new_eq(
+ Ct::new("state", None),
+ Expression::List(vec!["new".into(), "established".into()]),
+ )
+ .into(),
+ Statement::make_accept(),
+ ]);
+
+ let helper_rule = NftRule::new(Statement::CtHelper(self.udp_helper_name()));
+
+ let mut ct_rules = vec![base_rule, helper_rule];
+ protocol.to_nft_rules(&mut ct_rules, env)?;
+ rules.append(&mut ct_rules);
+ }
+
+ let mut ct_helper_rule = NftRule::new(Statement::make_accept());
+
+ ct_helper_rule.push(Match::new_eq(Ct::new("helper", ip_family), self.name()).into());
+
+ rules.push(ct_helper_rule);
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for FwMacro {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ let initial_rules: Vec<NftRule> = rules.drain(..).collect();
+
+ for protocol in &self.code {
+ let mut new_rules = initial_rules.to_vec();
+ protocol.to_nft_rules(&mut new_rules, env)?;
+
+ rules.append(&mut new_rules);
+ }
+
+ Ok(())
+ }
+}
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
index 067eccc..dadaf92 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -59,6 +59,10 @@ impl Expression {
pub fn concat(expressions: impl IntoIterator<Item = Expression>) -> Self {
Expression::Concat(NfVec::from_iter(expressions))
}
+
+ pub fn set_name(name: &str) -> Self {
+ Expression::String(format!("@{name}"))
+ }
}
impl From<bool> for Expression {
--
2.39.2
next prev parent reply other threads:[~2024-04-02 17:17 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-02 17:15 [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 01/37] config: add proxmox-ve-config crate Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 02/37] config: firewall: add types for ip addresses Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:26 ` Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 03/37] config: firewall: add types for ports Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 04/37] config: firewall: add types for log level and rate limit Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 05/37] config: firewall: add types for aliases Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 06/37] config: host: add helpers for host network configuration Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:32 ` Stefan Hanreich
2024-04-09 14:20 ` Lukas Wagner
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 07/37] config: guest: add helpers for parsing guest network config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 08/37] config: firewall: add types for ipsets Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 09/37] config: firewall: add types for rules Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 8:36 ` Stefan Hanreich
2024-04-09 14:55 ` Lukas Wagner
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 10/37] config: firewall: add types for security groups Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 11/37] config: firewall: add generic parser for firewall configs Stefan Hanreich
2024-04-03 10:47 ` Max Carrara
2024-04-09 8:38 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 12/37] config: firewall: add cluster-specific config + option types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 13/37] config: firewall: add host specific " Stefan Hanreich
2024-04-03 10:47 ` Max Carrara
2024-04-09 8:55 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 14/37] config: firewall: add guest-specific " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 15/37] config: firewall: add firewall macros Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 16/37] config: firewall: add conntrack helper types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 17/37] nftables: add crate for libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 18/37] nftables: add helpers Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 19/37] nftables: expression: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 20/37] nftables: expression: implement conversion traits for firewall config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 21/37] nftables: statement: add types Stefan Hanreich
2024-04-03 10:47 ` Max Carrara
2024-04-09 8:58 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 22/37] nftables: statement: add conversion traits for config types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 23/37] nftables: commands: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 24/37] nftables: types: add conversion traits Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 25/37] nftables: add libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 26/37] firewall: add firewall crate Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 27/37] firewall: add base ruleset Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 28/37] firewall: add config loader Stefan Hanreich
2024-04-02 17:16 ` Stefan Hanreich [this message]
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 30/37] firewall: add object generation logic Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 31/37] firewall: add ruleset " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 32/37] firewall: add proxmox-firewall binary Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 33/37] firewall: add files for debian packaging Stefan Hanreich
2024-04-03 13:14 ` Fabian Grünbichler
2024-04-09 8:56 ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH qemu-server 34/37] firewall: add handling for new nft firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-container 35/37] " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-firewall 36/37] add configuration option for new nftables firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-manager 37/37] firewall: expose " Stefan Hanreich
2024-04-02 20:47 ` [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Laurent GUERBY
2024-04-03 7:33 ` Stefan Hanreich
[not found] ` <mailman.54.1712122640.450.pve-devel@lists.proxmox.com>
2024-04-03 7:52 ` Stefan Hanreich
2024-04-03 12:26 ` Stefan Hanreich
[not found] ` <mailman.56.1712124362.450.pve-devel@lists.proxmox.com>
2024-04-03 8:15 ` Stefan Hanreich
[not found] ` <mailman.77.1712145853.450.pve-devel@lists.proxmox.com>
2024-04-03 12:25 ` Stefan Hanreich
[not found] ` <mailman.78.1712149473.450.pve-devel@lists.proxmox.com>
2024-04-03 13:08 ` Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09 9:21 ` Stefan Hanreich
2024-04-10 10:25 ` Lukas Wagner
2024-04-11 5:21 ` Stefan Hanreich
2024-04-11 7:34 ` Thomas Lamprecht
2024-04-11 7:55 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240402171629.536804-30-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox