public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Stefan Hanreich <s.hanreich@proxmox.com>,
	Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall 31/37] firewall: add ruleset generation logic
Date: Tue,  2 Apr 2024 19:16:23 +0200	[thread overview]
Message-ID: <20240402171629.536804-32-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240402171629.536804-1-s.hanreich@proxmox.com>

We create the rules from the firewall config by utilizing the
ToNftRules and ToNftObjects traits to convert the firewall config
structs to nftables objects/chains/rules.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/Cargo.toml      |   3 +
 proxmox-firewall/src/firewall.rs | 726 +++++++++++++++++++++++++++++++
 proxmox-firewall/src/main.rs     |   1 +
 3 files changed, 730 insertions(+)
 create mode 100644 proxmox-firewall/src/firewall.rs

diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index 431e71a..1e6a4b8 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -15,5 +15,8 @@ log = "0.4"
 env_logger = "0.10"
 anyhow = "1"
 
+serde = { version = "1", features = [ "derive" ] }
+serde_json = "1"
+
 proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
 proxmox-ve-config = { path = "../proxmox-ve-config" }
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
new file mode 100644
index 0000000..9947bee
--- /dev/null
+++ b/proxmox-firewall/src/firewall.rs
@@ -0,0 +1,726 @@
+use std::collections::HashMap;
+use std::fs;
+
+use anyhow::Error;
+
+use proxmox_nftables::command::{Add, Commands, Delete, Flush};
+use proxmox_nftables::expression::{Meta, Payload};
+use proxmox_nftables::helper::NfVec;
+use proxmox_nftables::statement::{AnonymousLimit, Log, LogLevel, Match, Set, SetOperation};
+use proxmox_nftables::types::{
+    AddElement, AddRule, ChainPart, MapValue, RateTimescale, SetName, TableFamily, TablePart,
+    Verdict,
+};
+use proxmox_nftables::{Expression, Statement};
+
+use proxmox_ve_config::firewall::ct_helper::get_cthelper;
+use proxmox_ve_config::firewall::guest::Config as GuestConfig;
+use proxmox_ve_config::firewall::host::Config as HostConfig;
+
+use proxmox_ve_config::firewall::types::ipset::{Ipset, IpsetEntry, IpsetScope};
+use proxmox_ve_config::firewall::types::log::{LogLevel as ConfigLogLevel, LogRateLimit};
+use proxmox_ve_config::firewall::types::rule::{Direction, Verdict as ConfigVerdict};
+use proxmox_ve_config::firewall::types::Group;
+use proxmox_ve_config::guest::types::Vmid;
+
+use crate::config::FirewallConfig;
+use crate::object::{NftObjectEnv, ToNftObjects};
+use crate::rule::{NftRule, NftRuleEnv};
+
+static CLUSTER_TABLE_NAME: &str = "proxmox-firewall";
+static HOST_TABLE_NAME: &str = "proxmox-firewall";
+static GUEST_TABLE_NAME: &str = "proxmox-firewall-guests";
+
+static NF_CONNTRACK_MAX_FILE: &str = "/proc/sys/net/netfilter/nf_conntrack_max";
+static NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED: &str =
+    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established";
+static NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV: &str =
+    "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv";
+static LOG_CONNTRACK_FILE: &str = "/var/lib/pve-firewall/log_nf_conntrack";
+
+#[derive(Debug)]
+pub struct Firewall {
+    config: FirewallConfig,
+}
+
+impl Firewall {
+    pub fn new() -> Result<Self, Error> {
+        Ok(Self {
+            config: FirewallConfig::load()?,
+        })
+    }
+
+    pub fn is_enabled(&self) -> bool {
+        self.config.is_enabled()
+    }
+
+    fn cluster_table(&self) -> TablePart {
+        TablePart::new(TableFamily::Inet, CLUSTER_TABLE_NAME)
+    }
+
+    fn host_table(&self) -> TablePart {
+        TablePart::new(TableFamily::Inet, HOST_TABLE_NAME)
+    }
+
+    fn guest_table(&self) -> TablePart {
+        TablePart::new(TableFamily::Bridge, GUEST_TABLE_NAME)
+    }
+
+    fn guest_vmap(&self, dir: Direction) -> SetName {
+        SetName::new(self.guest_table(), format!("vm-map-{dir}"))
+    }
+
+    fn cluster_chain(&self, dir: Direction) -> ChainPart {
+        ChainPart::new(self.cluster_table(), format!("cluster-{dir}"))
+    }
+
+    fn host_chain(&self, dir: Direction) -> ChainPart {
+        ChainPart::new(self.host_table(), format!("host-{dir}"))
+    }
+
+    fn guest_chain(&self, dir: Direction, vmid: Vmid) -> ChainPart {
+        ChainPart::new(self.guest_table(), format!("guest-{vmid}-{dir}"))
+    }
+
+    fn group_chain(&self, table: TablePart, name: &str, dir: Direction) -> ChainPart {
+        ChainPart::new(table, format!("group-{name}-{dir}"))
+    }
+
+    fn host_conntrack_chain(&self) -> ChainPart {
+        ChainPart::new(self.host_table(), "ct-in".to_string())
+    }
+
+    fn host_option_chain(&self, dir: Direction) -> ChainPart {
+        ChainPart::new(self.host_table(), format!("option-{dir}"))
+    }
+
+    fn synflood_limit_chain(&self) -> ChainPart {
+        ChainPart::new(self.host_table(), "ratelimit-synflood")
+    }
+
+    fn log_invalid_tcp_chain(&self) -> ChainPart {
+        ChainPart::new(self.host_table(), "log-invalid-tcp")
+    }
+
+    fn log_smurfs_chain(&self) -> ChainPart {
+        ChainPart::new(self.host_table(), "log-smurfs")
+    }
+
+    fn default_log_limit(&self) -> Option<LogRateLimit> {
+        self.config.cluster().log_ratelimit()
+    }
+
+    fn reset_firewall(&self, commands: &mut Commands) {
+        commands.append(&mut vec![
+            Flush::chain(self.cluster_chain(Direction::In)),
+            Flush::chain(self.cluster_chain(Direction::Out)),
+            Add::chain(self.host_chain(Direction::In)),
+            Flush::chain(self.host_chain(Direction::In)),
+            Flush::chain(self.host_option_chain(Direction::In)),
+            Add::chain(self.host_chain(Direction::Out)),
+            Flush::chain(self.host_chain(Direction::Out)),
+            Flush::chain(self.host_option_chain(Direction::Out)),
+            Flush::map(self.guest_vmap(Direction::In)),
+            Flush::map(self.guest_vmap(Direction::Out)),
+            Flush::chain(self.host_conntrack_chain()),
+            Flush::chain(self.synflood_limit_chain()),
+            Flush::chain(self.log_invalid_tcp_chain()),
+            Flush::chain(self.log_smurfs_chain()),
+        ]);
+
+        // we need to remove guest chains before group chains
+        for prefix in ["guest-", "group-"] {
+            for (name, chain) in &self.config.nft().chains {
+                if name.starts_with(prefix) {
+                    commands.push(Delete::chain(chain.clone()))
+                }
+            }
+        }
+    }
+
+    pub fn remove_firewall(&self) -> Commands {
+        Commands::new(vec![
+            Delete::table(self.cluster_table()),
+            Delete::table(self.guest_table()),
+        ])
+    }
+
+    fn create_management_ipset(&self, commands: &mut Commands) -> Result<(), Error> {
+        if self.config.cluster().ipsets().get("management").is_none() {
+            let management_ips = HostConfig::management_ips()?;
+
+            let mut ipset = Ipset::from_parts(IpsetScope::Datacenter, "management");
+            ipset.reserve(management_ips.len());
+
+            let entries = management_ips.into_iter().map(IpsetEntry::from);
+
+            ipset.extend(entries);
+
+            let env = NftObjectEnv {
+                table: &self.cluster_table(),
+                firewall_config: &self.config,
+                vmid: None,
+            };
+
+            commands.append(&mut ipset.to_nft_objects(&env)?);
+        }
+
+        Ok(())
+    }
+
+    pub fn full_host_fw(&self) -> Result<Commands, Error> {
+        let mut commands = Commands::default();
+
+        if !self.config.is_enabled() {
+            return Ok(commands);
+        }
+
+        self.reset_firewall(&mut commands);
+
+        let cluster_host_table = self.cluster_table();
+        let guest_table = self.guest_table();
+
+        self.create_management_ipset(&mut commands)?;
+
+        for table in [&cluster_host_table, &guest_table] {
+            self.create_ipsets(&mut commands, self.config.cluster().ipsets(), table, None)?;
+
+            for (name, group) in self.config.cluster().groups() {
+                self.create_group_chain(&mut commands, table, group, name, Direction::In)?;
+                self.create_group_chain(&mut commands, table, group, name, Direction::Out)?;
+            }
+        }
+
+        self.create_cluster_rules(&mut commands, Direction::In)?;
+        self.create_cluster_rules(&mut commands, Direction::Out)?;
+
+        if self.config.host().is_enabled() {
+            log::debug!("Generating host firewall config");
+
+            self.setup_ct_helper(&mut commands)?;
+
+            self.handle_host_options(&mut commands)?;
+
+            self.create_host_rules(&mut commands, Direction::In)?;
+            self.create_host_rules(&mut commands, Direction::Out)?;
+        }
+
+        for (vmid, config) in self.config.guests() {
+            if !config.is_enabled() {
+                log::debug!("Firewall disabled for VM #{vmid} - not generating config");
+                continue;
+            }
+
+            log::debug!("Generating firewall config for VM #{vmid}");
+
+            self.create_ipsets(&mut commands, config.ipsets(), &guest_table, *vmid)?;
+
+            self.create_guest_chain(&mut commands, *vmid, Direction::In)?;
+            self.create_guest_chain(&mut commands, *vmid, Direction::Out)?;
+
+            self.handle_guest_options(&mut commands, *vmid, config)?;
+
+            self.create_guest_rules(&mut commands, *vmid, config, Direction::In)?;
+            self.create_guest_rules(&mut commands, *vmid, config, Direction::Out)?;
+        }
+
+        Ok(commands)
+    }
+
+    fn handle_host_options(&self, commands: &mut Commands) -> Result<(), Error> {
+        log::debug!("setting host options");
+
+        let chain_in = self.host_option_chain(Direction::In);
+        let chain_out = self.host_option_chain(Direction::Out);
+
+        if self.config.host().allow_ndp() {
+            log::debug!("set allow_ndp");
+            let statement = Statement::jump("allow-ndp");
+
+            commands.append(&mut vec![
+                Add::rule(AddRule::from_statement(chain_in.clone(), statement.clone())),
+                Add::rule(AddRule::from_statement(chain_out, statement)),
+            ]);
+        }
+
+        if self.config.host().block_synflood() {
+            log::debug!("set block_synflood");
+
+            let rate_limit = Statement::from(AnonymousLimit {
+                rate: self.config.host().synflood_rate(),
+                per: RateTimescale::Second,
+                burst: Some(self.config.host().synflood_burst()),
+                inv: Some(true),
+                ..Default::default()
+            });
+
+            let synflood_limit_chain = self.synflood_limit_chain();
+
+            let v4_rule = AddRule::from_statements(
+                synflood_limit_chain.clone(),
+                [
+                    Statement::Set(Set {
+                        op: SetOperation::Update,
+                        elem: Expression::from(Payload::field("ip", "saddr")),
+                        stmt: Some(NfVec::one(rate_limit.clone())),
+                        set: "@v4-synflood-limit".to_string(),
+                    }),
+                    Statement::make_drop(),
+                ],
+            );
+
+            let v6_rule = AddRule::from_statements(
+                synflood_limit_chain,
+                [
+                    Statement::Set(Set {
+                        op: SetOperation::Update,
+                        elem: Expression::from(Payload::field("ip6", "saddr")),
+                        stmt: Some(NfVec::one(rate_limit)),
+                        set: "@v6-synflood-limit".to_string(),
+                    }),
+                    Statement::make_drop(),
+                ],
+            );
+
+            commands.append(&mut vec![
+                Add::rule(AddRule::from_statement(
+                    chain_in.clone(),
+                    Statement::jump("block-synflood"),
+                )),
+                Add::rule(v4_rule),
+                Add::rule(v6_rule),
+            ])
+        }
+
+        if self.config.host().block_invalid_tcp() {
+            log::debug!("set block_invalid_tcp");
+
+            commands.push(Add::rule(AddRule::from_statement(
+                chain_in.clone(),
+                Statement::jump("block-invalid-tcp"),
+            )));
+
+            self.create_log_rule(
+                commands,
+                self.config.host().block_invalid_tcp_log_level(),
+                self.log_invalid_tcp_chain(),
+                ConfigVerdict::Drop,
+                None,
+            )?;
+        }
+
+        if self.config.host().block_smurfs() {
+            log::debug!("set block_smurfs");
+
+            commands.push(Add::rule(AddRule::from_statement(
+                chain_in.clone(),
+                Statement::jump("block-smurfs"),
+            )));
+
+            self.create_log_rule(
+                commands,
+                self.config.host().block_smurfs_log_level(),
+                self.log_smurfs_chain(),
+                ConfigVerdict::Drop,
+                None,
+            )?;
+        }
+
+        if self.config.host().block_invalid_conntrack() {
+            log::debug!("set block_invalid_conntrack");
+
+            commands.push(Add::rule(AddRule::from_statement(
+                chain_in,
+                Statement::jump("block-conntrack-invalid"),
+            )));
+        }
+
+        if let Some(value) = self.config.host().nf_conntrack_max() {
+            log::debug!("set nf_conntrack_max");
+            fs::write(NF_CONNTRACK_MAX_FILE, value.to_string()).map_err(anyhow::Error::msg)?;
+        }
+
+        if let Some(value) = self.config.host().nf_conntrack_tcp_timeout_established() {
+            log::debug!("set nf_conntrack_tcp_timeout_established");
+            fs::write(NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED, value.to_string())
+                .map_err(anyhow::Error::msg)?;
+        }
+
+        if let Some(value) = self.config.host().nf_conntrack_tcp_timeout_syn_recv() {
+            log::debug!("set nf_conntrack_tcp_timeout_syn_recv");
+            fs::write(NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV, value.to_string())
+                .map_err(anyhow::Error::msg)?;
+        }
+
+        let value = (self.config.host().log_nf_conntrack() as u8).to_string();
+        fs::write(LOG_CONNTRACK_FILE, value).map_err(anyhow::Error::msg)?;
+
+        /*
+        CliCommand::new("systemctl")
+            .args(["try-reload-or-restart", "pvefw-logger.service"])
+            .output()
+            .map_err(anyhow::Error::msg)?;
+        */
+
+        Ok(())
+    }
+
+    fn handle_guest_options(
+        &self,
+        commands: &mut Commands,
+        vmid: Vmid,
+        config: &GuestConfig,
+    ) -> Result<(), Error> {
+        let chain_in = self.guest_chain(Direction::In, vmid);
+        let chain_out = self.guest_chain(Direction::Out, vmid);
+
+        if config.macfilter() {
+            let mac_address_set =
+                config
+                    .network_config()
+                    .network_devices()
+                    .iter()
+                    .map(|(index, device)| {
+                        Expression::concat([
+                            Expression::from(config.iface_name_by_index(*index)),
+                            Expression::from(device.mac_address().to_string()),
+                        ])
+                    });
+
+            let macfilter_rule = AddRule::from_statements(
+                chain_out.clone(),
+                [
+                    Match::new_ne(
+                        Expression::concat([
+                            Expression::from(Meta::new("iifname")),
+                            Expression::from(Payload::field("ether", "saddr")),
+                        ]),
+                        Expression::set(mac_address_set),
+                    )
+                    .into(),
+                    Statement::make_drop(),
+                ],
+            );
+
+            commands.push(Add::rule(macfilter_rule));
+        }
+
+        if config.allow_dhcp() {
+            commands.append(&mut vec![
+                Add::rule(AddRule::from_statement(
+                    chain_in.clone(),
+                    Statement::jump("allow-dhcp-in"),
+                )),
+                Add::rule(AddRule::from_statement(
+                    chain_out.clone(),
+                    Statement::jump("allow-dhcp-out"),
+                )),
+            ]);
+        }
+
+        if config.allow_ndp() {
+            let statement = Statement::jump("allow-ndp");
+
+            commands.append(&mut vec![
+                Add::rule(AddRule::from_statement(chain_in.clone(), statement.clone())),
+                Add::rule(AddRule::from_statement(chain_out.clone(), statement)),
+            ]);
+        }
+
+        if config.allow_ra() {
+            let statement = Statement::jump("allow-ra");
+
+            commands.append(&mut vec![
+                Add::rule(AddRule::from_statement(chain_in, statement.clone())),
+                Add::rule(AddRule::from_statement(chain_out, statement)),
+            ]);
+        }
+
+        Ok(())
+    }
+
+    fn setup_ct_helper(&self, commands: &mut Commands) -> Result<(), Error> {
+        let chain_in = self.host_conntrack_chain();
+
+        if let Some(helpers) = self.config.host().conntrack_helpers() {
+            log::trace!("adding conntrack helpers: {helpers:?}");
+
+            let object_env = NftObjectEnv {
+                table: chain_in.table(),
+                firewall_config: &self.config,
+                vmid: None,
+            };
+
+            let rule_env = NftRuleEnv {
+                chain: chain_in.clone(),
+                direction: Direction::In,
+                firewall_config: &self.config,
+                vmid: None,
+            };
+
+            for helper in helpers {
+                let helper_macro = get_cthelper(&helper.to_string());
+
+                if let Some(helper_macro) = helper_macro {
+                    commands.append(&mut helper_macro.to_nft_objects(&object_env)?);
+
+                    // todo: use vmap
+                    for rule in NftRule::from_ct_helper(helper_macro, &rule_env)? {
+                        commands.push(Add::rule(rule.into_add_rule(chain_in.clone())));
+                    }
+                } else {
+                    log::warn!("provided invalid helper macro name: {:?}", helper);
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    fn create_ipsets(
+        &self,
+        commands: &mut Commands,
+        ipsets: &HashMap<String, Ipset>,
+        table: &TablePart,
+        vmid: impl Into<Option<Vmid>>,
+    ) -> Result<(), Error> {
+        let env = NftObjectEnv {
+            table,
+            vmid: vmid.into(),
+            firewall_config: &self.config,
+        };
+
+        for (name, ipset) in ipsets {
+            log::debug!("Creating ipset {name} in table {table:?}");
+
+            commands.append(&mut ipset.to_nft_objects(&env)?);
+
+            if let (Some(vmid), Some(ipfilter)) = (env.vmid, ipset.ipfilter()) {
+                log::debug!("Creating IP filter rules for VM {vmid}");
+
+                let chain = self.guest_chain(Direction::Out, vmid);
+
+                let rule_env = NftRuleEnv {
+                    chain: chain.clone(),
+                    direction: Direction::Out,
+                    firewall_config: &self.config,
+                    vmid: Some(vmid),
+                };
+
+                for rule in NftRule::from_ipfilter(&ipfilter, &rule_env)? {
+                    commands.push(Add::rule(rule.into_add_rule(chain.clone())));
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    fn create_cluster_rules(
+        &self,
+        commands: &mut Commands,
+        direction: Direction,
+    ) -> Result<(), Error> {
+        log::info!("Creating cluster chain {direction} family");
+
+        let chain = self.cluster_chain(direction);
+
+        let env = NftRuleEnv {
+            chain: chain.clone(),
+            direction,
+            firewall_config: &self.config,
+            vmid: None,
+        };
+
+        let rules = self.config.cluster().rules();
+
+        commands.reserve(rules.len());
+
+        for config_rule in rules {
+            for rule in NftRule::from_config_rule(config_rule, &env)? {
+                commands.push(Add::rule(rule.into_add_rule(chain.clone())));
+            }
+        }
+
+        let default_policy = self.config.cluster().default_policy(direction);
+
+        self.create_log_rule(
+            commands,
+            self.config.host().log_level(direction),
+            chain.clone(),
+            default_policy,
+            None,
+        )?;
+
+        commands.push(Add::rule(AddRule::from_statement(chain, default_policy)));
+
+        Ok(())
+    }
+
+    fn create_host_rules(
+        &self,
+        commands: &mut Commands,
+        direction: Direction,
+    ) -> Result<(), Error> {
+        log::info!("Creating host chain {direction} family");
+
+        let chain = self.host_chain(direction);
+
+        let env = NftRuleEnv {
+            chain: chain.clone(),
+            direction,
+            firewall_config: &self.config,
+            vmid: None,
+        };
+
+        let rules = self.config.host().rules();
+        commands.reserve(rules.len());
+
+        for config_rule in rules {
+            for rule in NftRule::from_config_rule(config_rule, &env)? {
+                commands.push(Add::rule(rule.into_add_rule(chain.clone())));
+            }
+        }
+
+        Ok(())
+    }
+
+    fn create_guest_chain(
+        &self,
+        commands: &mut Commands,
+        vmid: Vmid,
+        direction: Direction,
+    ) -> Result<(), Error> {
+        log::info!("Creating guest chain (vmid {vmid}) {direction}");
+
+        let chain = self.guest_chain(direction, vmid);
+
+        commands.append(&mut vec![Add::chain(chain.clone()), Flush::chain(chain)]);
+
+        Ok(())
+    }
+
+    fn create_guest_rules(
+        &self,
+        commands: &mut Commands,
+        vmid: Vmid,
+        config: &GuestConfig,
+        direction: Direction,
+    ) -> Result<(), Error> {
+        log::info!("Creating guest rules (vmid {vmid}) {direction}");
+
+        let chain = self.guest_chain(direction, vmid);
+
+        let env = NftRuleEnv {
+            chain: chain.clone(),
+            direction,
+            firewall_config: &self.config,
+            vmid: Some(vmid),
+        };
+
+        commands.reserve(config.rules().len());
+
+        for config_rule in config.rules() {
+            for rule in NftRule::from_config_rule(config_rule, &env)? {
+                commands.push(Add::rule(rule.into_add_rule(chain.clone())))
+            }
+        }
+
+        let network_devices = config.network_config().network_devices();
+
+        if !network_devices.is_empty() {
+            let map_elements = network_devices
+                .iter()
+                .filter(|(_, device)| device.has_firewall())
+                .map(|(index, _)| {
+                    (
+                        Expression::from(config.iface_name_by_index(*index)),
+                        MapValue::from(Verdict::Goto {
+                            target: chain.name().to_string(),
+                        }),
+                    )
+                });
+
+            commands.push(Add::element(AddElement::map_from_expressions(
+                self.guest_vmap(direction),
+                map_elements,
+            )));
+        }
+
+        self.create_log_rule(
+            commands,
+            config.log_level(direction),
+            chain.clone(),
+            config.default_policy(direction),
+            vmid,
+        )?;
+
+        commands.push(Add::rule(AddRule::from_statement(
+            chain,
+            config.default_policy(direction),
+        )));
+
+        Ok(())
+    }
+
+    fn create_group_chain(
+        &self,
+        commands: &mut Commands,
+        table: &TablePart,
+        group: &Group,
+        name: &str,
+        direction: Direction,
+    ) -> Result<(), Error> {
+        log::info!("Creating group chain (table {table:?}) {direction}");
+
+        let chain = self.group_chain(table.clone(), name, direction);
+
+        let env = NftRuleEnv {
+            chain: chain.clone(),
+            direction,
+            firewall_config: &self.config,
+            vmid: None,
+        };
+
+        commands.append(&mut vec![
+            Add::chain(chain.clone()),
+            Flush::chain(chain.clone()),
+        ]);
+
+        for rule in group.rules() {
+            for firewall_rule in NftRule::from_config_rule(rule, &env)? {
+                commands.push(Add::rule(firewall_rule.into_add_rule(chain.clone())))
+            }
+        }
+
+        Ok(())
+    }
+
+    fn create_log_rule(
+        &self,
+        commands: &mut Commands,
+        log_level: ConfigLogLevel,
+        chain: ChainPart,
+        verdict: ConfigVerdict,
+        vmid: impl Into<Option<Vmid>>,
+    ) -> Result<(), Error> {
+        if let Ok(log_level) = LogLevel::try_from(log_level) {
+            let mut log_rule = AddRule::new(chain.clone());
+
+            if let Some(limit) = self.default_log_limit() {
+                log_rule.push(Statement::from(limit));
+            }
+
+            let log_statement = Log::new_nflog(
+                Log::generate_prefix(vmid, log_level, chain.name(), verdict),
+                0,
+            );
+
+            log_rule.push(Statement::from(log_statement));
+
+            commands.push(Add::rule(log_rule));
+        }
+
+        Ok(())
+    }
+}
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index a4979a7..53c1289 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -1,6 +1,7 @@
 use anyhow::Error;
 
 mod config;
+mod firewall;
 mod object;
 mod rule;
 
-- 
2.39.2




  parent reply	other threads:[~2024-04-02 17:26 UTC|newest]

Thread overview: 67+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-02 17:15 [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 01/37] config: add proxmox-ve-config crate Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 02/37] config: firewall: add types for ip addresses Stefan Hanreich
2024-04-03 10:46   ` Max Carrara
2024-04-09  8:26     ` Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 03/37] config: firewall: add types for ports Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 04/37] config: firewall: add types for log level and rate limit Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 05/37] config: firewall: add types for aliases Stefan Hanreich
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 06/37] config: host: add helpers for host network configuration Stefan Hanreich
2024-04-03 10:46   ` Max Carrara
2024-04-09  8:32     ` Stefan Hanreich
2024-04-09 14:20   ` Lukas Wagner
2024-04-02 17:15 ` [pve-devel] [PATCH proxmox-firewall 07/37] config: guest: add helpers for parsing guest network config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 08/37] config: firewall: add types for ipsets Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 09/37] config: firewall: add types for rules Stefan Hanreich
2024-04-03 10:46   ` Max Carrara
2024-04-09  8:36     ` Stefan Hanreich
2024-04-09 14:55     ` Lukas Wagner
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 10/37] config: firewall: add types for security groups Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 11/37] config: firewall: add generic parser for firewall configs Stefan Hanreich
2024-04-03 10:47   ` Max Carrara
2024-04-09  8:38     ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 12/37] config: firewall: add cluster-specific config + option types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 13/37] config: firewall: add host specific " Stefan Hanreich
2024-04-03 10:47   ` Max Carrara
2024-04-09  8:55     ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 14/37] config: firewall: add guest-specific " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 15/37] config: firewall: add firewall macros Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 16/37] config: firewall: add conntrack helper types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 17/37] nftables: add crate for libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 18/37] nftables: add helpers Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 19/37] nftables: expression: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 20/37] nftables: expression: implement conversion traits for firewall config Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 21/37] nftables: statement: add types Stefan Hanreich
2024-04-03 10:47   ` Max Carrara
2024-04-09  8:58     ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 22/37] nftables: statement: add conversion traits for config types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 23/37] nftables: commands: add types Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 24/37] nftables: types: add conversion traits Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 25/37] nftables: add libnftables bindings Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 26/37] firewall: add firewall crate Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 27/37] firewall: add base ruleset Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 28/37] firewall: add config loader Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 29/37] firewall: add rule generation logic Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 30/37] firewall: add object " Stefan Hanreich
2024-04-02 17:16 ` Stefan Hanreich [this message]
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 32/37] firewall: add proxmox-firewall binary Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH proxmox-firewall 33/37] firewall: add files for debian packaging Stefan Hanreich
2024-04-03 13:14   ` Fabian Grünbichler
2024-04-09  8:56     ` Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH qemu-server 34/37] firewall: add handling for new nft firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-container 35/37] " Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-firewall 36/37] add configuration option for new nftables firewall Stefan Hanreich
2024-04-02 17:16 ` [pve-devel] [PATCH pve-manager 37/37] firewall: expose " Stefan Hanreich
2024-04-02 20:47 ` [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation Laurent GUERBY
2024-04-03  7:33   ` Stefan Hanreich
     [not found] ` <mailman.54.1712122640.450.pve-devel@lists.proxmox.com>
2024-04-03  7:52   ` Stefan Hanreich
2024-04-03 12:26   ` Stefan Hanreich
     [not found] ` <mailman.56.1712124362.450.pve-devel@lists.proxmox.com>
2024-04-03  8:15   ` Stefan Hanreich
     [not found]     ` <mailman.77.1712145853.450.pve-devel@lists.proxmox.com>
2024-04-03 12:25       ` Stefan Hanreich
     [not found]         ` <mailman.78.1712149473.450.pve-devel@lists.proxmox.com>
2024-04-03 13:08           ` Stefan Hanreich
2024-04-03 10:46 ` Max Carrara
2024-04-09  9:21   ` Stefan Hanreich
2024-04-10 10:25 ` Lukas Wagner
2024-04-11  5:21   ` Stefan Hanreich
2024-04-11  7:34     ` Thomas Lamprecht
2024-04-11  7:55       ` Stefan Hanreich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240402171629.536804-32-s.hanreich@proxmox.com \
    --to=s.hanreich@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=w.bumiller@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal