From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 3E3441FF348 for ; Wed, 17 Apr 2024 16:04:15 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C41369A62; Wed, 17 Apr 2024 16:03:39 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Wed, 17 Apr 2024 15:53:44 +0200 Message-Id: <20240417135404.573490-20-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240417135404.573490-1-s.hanreich@proxmox.com> References: <20240417135404.573490-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.307 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [types.rs, lib.rs] Subject: [pve-devel] [PATCH proxmox-firewall v2 19/39] nftables: expression: add types X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Adds an enum containing most of the expressions defined in the nftables-json schema [1]. [1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#EXPRESSIONS Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich
---
proxmox-nftables/Cargo.toml | 2 +-
proxmox-nftables/src/expression.rs | 268 +++++++++++++++++++++++++++++
proxmox-nftables/src/lib.rs | 4 +
proxmox-nftables/src/types.rs | 53 ++++++
4 files changed, 326 insertions(+), 1 deletion(-)
create mode 100644 proxmox-nftables/src/expression.rs
create mode 100644 proxmox-nftables/src/types.rs
diff --git a/proxmox-nftables/Cargo.toml b/proxmox-nftables/Cargo.toml
index ebece9d..909869b 100644
--- a/proxmox-nftables/Cargo.toml
+++ b/proxmox-nftables/Cargo.toml
@@ -17,4 +17,4 @@
 serde = { version = "1", features = [ "derive" ] }
 serde_json = "1"
 serde_plain = "1"
-proxmox-ve-config = { path = "../proxmox-ve-config", optional = true }
+proxmox-ve-config = { path = "../proxmox-ve-config" }
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
new file mode 100644
index 0000000..5478291
--- /dev/null
+++ b/proxmox-nftables/src/expression.rs
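Review bot: Dropping `optional = true` from the `proxmox-ve-config` dependency also removes the implicit Cargo feature of the same name, so any `[features]` entry in this manifest, or a dependant that still enables `proxmox-ve-config` as a feature, will fail to resolve; the `[features]` table is outside the hunk, so please check it. Nothing in the files this patch adds references `proxmox_ve_config`, so the diff itself does not show why the dependency becomes unconditional here; a sentence in the commit message naming the consumer would help the next reader.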
@@ -0,0 +1,268 @@
+use crate::types::{ElemConfig, Verdict};
+use serde::{Deserialize, Serialize};
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+
+use crate::helper::NfVec;
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum Expression {
+ Concat(Vec),
+ Set(Vec),
+ Range(Box<(Expression, Expression)>),
+ Map(Box),
+ Prefix(Prefix),
+ Payload(Payload),
+ Meta(Meta),
+ Ct(Ct),
+ Elem(Box),
+
+ #[serde(rename = "|")]
+ Or(Box<(Expression, Expression)>),
+ #[serde(rename = "&")]
+ And(Box<(Expression, Expression)>),
+ #[serde(rename = "^")]
+ Xor(Box<(Expression, Expression)>),
+ #[serde(rename = "<<")]
+ ShiftLeft(Box<(Expression, Expression)>),
+ #[serde(rename = ">>")]
+ ShiftRight(Box<(Expression, Expression)>),
+
+ #[serde(untagged)]
+ List(Vec),
+
+ #[serde(untagged)]
+ Verdict(Verdict),
+
+ #[serde(untagged)]
+ Bool(bool),
+ #[serde(untagged)]
+ Number(i64),
+ #[serde(untagged)]
+ String(String),
+}
+
+impl Expression {
+ pub fn set(expressions: impl IntoIterator) -> Self {
+ Expression::Set(Vec::from_iter(expressions))
+ }
+
+ pub fn concat(expressions: impl IntoIterator) -> Self {
+ Expression::Concat(Vec::from_iter(expressions))
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(v: bool) -> Self {
+ Expression::Bool(v)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(v: i64) -> Self {
+ Expression::Number(v)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(v: u16) -> Self {
+ Expression::Number(v.into())
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(v: u8) -> Self {
+ Expression::Number(v.into())
+ }
+}
+
+impl From<&str> for Expression {
+ #[inline]
+ fn from(v: &str) -> Self {
+ Expression::String(v.to_string())
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(v: String) -> Self {
+ Expression::String(v)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(meta: Meta) -> Self {
+ Expression::Meta(meta)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(ct: Ct) -> Self {
+ Expression::Ct(ct)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(payload: Payload) -> Self {
+ Expression::Payload(payload)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(prefix: Prefix) -> Self {
+ Expression::Prefix(prefix)
+ }
+}
+
+impl From for Expression {
+ #[inline]
+ fn from(value: Verdict) -> Self {
+ Expression::Verdict(value)
+ }
+}
+
+impl From<&IpAddr> for Expression {
+ fn from(value: &IpAddr) -> Self {
+ Expression::String(value.to_string())
+ }
+}
+
+impl From<&Ipv6Addr> for Expression {
+ fn from(address: &Ipv6Addr) -> Self {
+ Expression::String(address.to_string())
+ }
+}
+
+impl From<&Ipv4Addr> for Expression {
+ fn from(address: &Ipv4Addr) -> Self {
+ Expression::String(address.to_string())
+ }
+}
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum IpFamily {
+ Ip,
+ Ip6,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Meta {
+ key: String,
+}
+
+impl Meta {
+ pub fn new(key: impl Into) -> Self {
+ Self { key: key.into() }
+ }
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Map {
+ key: Expression,
+ data: Expression,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Ct {
+ key: String,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ family: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ dir: Option,
+}
+
+impl Ct {
+ pub fn new(key: impl Into, family: impl Into>) -> Self {
+ Self {
+ key: key.into(),
+ family: family.into(),
+ dir: None,
+ }
+ }
+}
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum CtDirection {
+ Original,
+ Reply,
+}
+serde_plain::derive_display_from_serialize!(CtDirection);
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(untagged)]
+pub enum Payload {
+ Raw(PayloadRaw),
+ Field(PayloadField),
+}
+
+impl Payload {
+ pub fn field(protocol: impl Into, field: impl Into) -> Self {
+ Self::Field(PayloadField {
+ protocol: protocol.into(),
+ field: field.into(),
+ })
+ }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+pub enum PayloadBase {
+ #[serde(rename = "ll")]
+ Link,
+ #[serde(rename = "nh")]
+ Network,
+ #[serde(rename = "th")]
+ Transport,
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+pub struct PayloadRaw {
+ base: PayloadBase,
+ offset: i64,
+ len: i64,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct PayloadField {
+ protocol: String,
+ field: String,
+}
+
+impl PayloadField {
+ pub fn protocol_for_ip_family(family: IpFamily) -> String {
+ match family {
+ IpFamily::Ip => "ip".to_string(),
+ IpFamily::Ip6 => "ip6".to_string(),
+ }
+ }
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Prefix {
+ addr: Box,
+ len: u8,
+}
+
+impl Prefix {
+ pub fn new(addr: impl Into, len: u8) -> Self {
+ Self {
+ addr: Box::new(addr.into()),
+ len,
+ }
+ }
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Element {
+ #[serde(flatten)]
+ config: ElemConfig,
+ val: Expression,
+}
diff --git a/proxmox-nftables/src/lib.rs b/proxmox-nftables/src/lib.rs
index 485bb81..712858b 100644
--- a/proxmox-nftables/src/lib.rs
+++ b/proxmox-nftables/src/lib.rs
@@ -1 +1,5 @@
+pub mod expression;
 pub mod helper;
+pub mod types;
+
+pub use expression::Expression;
diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
new file mode 100644
index 0000000..942c866
--- /dev/null
+++ b/proxmox-nftables/src/types.rs
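Review bot: `Expression` combines `#[serde(untagged)]` variants (`List`, `Verdict`, `Bool`, `Number`, `String`) with externally tagged ones in the same enum, which serde_derive only supports from a fairly recent 1.0.x release on, and Cargo.toml's `serde = { version = "1", features = [ "derive" ] }` does not express that lower bound; either raise it or confirm the toolchain this is packaged for handles it. None of the new public items carry doc comments; a one-liner on the enum such as `/// An nftables JSON expression (libnftables-json(5), EXPRESSIONS); tagged variants serialize as an object keyed by the variant name, untagged ones as bare JSON values.` would make the wire layout visible to callers. `Ct::new` always stores `dir: None` and nothing else in the hunk writes that field, so `CtDirection` is only reachable through deserialization; a `with_dir`-style setter, or a comment saying that is intended, would avoid the question.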
@@ -0,0 +1,53 @@
+use std::fmt::Display;
+
+use serde::{Deserialize, Serialize};
+
+use crate::helper::Null;
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum Verdict {
+ Accept(Null),
+ Drop(Null),
+ Continue(Null),
+ Return(Null),
+ Goto { target: String },
+ Jump { target: String },
+}
+
+impl Display for Verdict {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ let output = match self {
+ Verdict::Accept(_) => "ACCEPT",
+ Verdict::Drop(_) => "DROP",
+ Verdict::Continue(_) => "CONTINUE",
+ Verdict::Return(_) => "RETURN",
+ Verdict::Jump { .. } => "JUMP",
+ Verdict::Goto { .. } => "GOTO",
+ };
+
+ f.write_str(output)
+ }
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct ElemConfig {
+ timeout: Option,
+ expires: Option,
+ comment: Option,
+}
+
+impl ElemConfig {
+ pub fn new(
+ timeout: impl Into>,
+ expires: impl Into>,
+ comment: impl Into>,
+ ) -> Self {
+ Self {
+ timeout: timeout.into(),
+ expires: expires.into(),
+ comment: comment.into(),
+ }
+ }
+}
+
-- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
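Review bot: `ElemConfig`'s three `Option` fields have no `skip_serializing_if`, unlike `Ct::family` and `Ct::dir` in expression.rs, so an element with no timeout, expires or comment is emitted with explicit `null` keys once the struct is `#[serde(flatten)]`ed into `Element`; I am not sure libnftables accepts `null` there, and it is at least inconsistent with the rest of the patch. Adding `#[serde(skip_serializing_if = "Option::is_none")]` above each of `timeout`, `expires` and `comment` keeps the emitted JSON minimal and matches the `Ct` fields. Separately, `Display for Verdict` drops the `target` of `Jump` and `Goto`; if that output feeds logs or error messages, a doc comment such as `/// Upper-case verdict name only; jump/goto targets are not included.` on the impl sets expectations.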