From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 70F1B1FF348 for ; Wed, 17 Apr 2024 15:56:50 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D24E191D9; Wed, 17 Apr 2024 15:55:16 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Wed, 17 Apr 2024 15:53:45 +0200 Message-Id: <20240417135404.573490-21-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240417135404.573490-1-s.hanreich@proxmox.com> References: <20240417135404.573490-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.320 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v2 20/39] nftables: expression: implement conversion traits for firewall config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Some types from the firewall configuration map directly onto nftables expressions. For those we implement conversion traits so we can conveniently convert between the configuration types and the respective nftables types. Those are guarded behind a feature so the nftables crate can be used standalone without having to pull in the proxmox-ve-config crate. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-nftables/Cargo.toml | 5 +- proxmox-nftables/src/expression.rs | 124 +++++++++++++++++++++++++++-- 2 files changed, 122 insertions(+), 7 deletions(-) diff --git a/proxmox-nftables/Cargo.toml b/proxmox-nftables/Cargo.toml index 909869b..7e607e8 100644 --- a/proxmox-nftables/Cargo.toml +++ b/proxmox-nftables/Cargo.toml @@ -10,6 +10,9 @@ authors = [ description = "Proxmox VE nftables" license = "AGPL-3" +[features] +config-ext = ["dep:proxmox-ve-config"] + [dependencies] log = "0.4" @@ -17,4 +20,4 @@ serde = { version = "1", features = [ "derive" ] } serde_json = "1" serde_plain = "1" -proxmox-ve-config = { path = "../proxmox-ve-config" } +proxmox-ve-config = { path = "../proxmox-ve-config", optional = true } diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs index 5478291..3b8ade0 100644 --- a/proxmox-nftables/src/expression.rs +++ b/proxmox-nftables/src/expression.rs @@ -2,7 +2,14 @@ use crate::types::{ElemConfig, Verdict}; use serde::{Deserialize, Serialize}; use std::net::{IpAddr, Ipv4Addr, Ipv6Addr}; -use crate::helper::NfVec; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::address::{Family, IpEntry, IpList}; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::port::{PortEntry, PortList}; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::rule_match::{IcmpCode, IcmpType, Icmpv6Code, Icmpv6Type}; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::Cidr; #[derive(Clone, Debug, Deserialize, Serialize)] #[serde(rename_all = "lowercase")] @@ -147,11 +154,88 @@ impl From<&Ipv4Addr> for Expression { } } -#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)] -#[serde(rename_all = "lowercase")] -pub enum IpFamily { - Ip, - Ip6, +#[cfg(feature = "config-ext")] +impl From<&IpList> for Expression { + fn from(value: &IpList) -> Self { + if value.len() == 1 { + return Expression::from(value.first().unwrap()); + } + + Expression::set(value.iter().map(Expression::from)) + } +} + +#[cfg(feature = "config-ext")] +impl From<&IpEntry> for Expression { + fn from(value: &IpEntry) -> Self { + match value { + IpEntry::Cidr(cidr) => Expression::from(Prefix::from(cidr)), + IpEntry::Range(beg, end) => Expression::Range(Box::new((beg.into(), end.into()))), + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&IcmpType> for Expression { + fn from(value: &IcmpType) -> Self { + match value { + IcmpType::Numeric(id) => Expression::from(*id), + IcmpType::Named(name) => Expression::from(*name), + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&IcmpCode> for Expression { + fn from(value: &IcmpCode) -> Self { + match value { + IcmpCode::Numeric(id) => Expression::from(*id), + IcmpCode::Named(name) => Expression::from(*name), + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&Icmpv6Type> for Expression { + fn from(value: &Icmpv6Type) -> Self { + match value { + Icmpv6Type::Numeric(id) => Expression::from(*id), + Icmpv6Type::Named(name) => Expression::from(*name), + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&Icmpv6Code> for Expression { + fn from(value: &Icmpv6Code) -> Self { + match value { + Icmpv6Code::Numeric(id) => Expression::from(*id), + Icmpv6Code::Named(name) => Expression::from(*name), + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&PortEntry> for Expression { + fn from(value: &PortEntry) -> Self { + match value { + PortEntry::Port(port) => Expression::from(*port), + PortEntry::Range(beg, end) => { + Expression::Range(Box::new(((*beg).into(), (*end).into()))) + } + } + } +} + +#[cfg(feature = "config-ext")] +impl From<&PortList> for Expression { + fn from(value: &PortList) -> Self { + if value.len() == 1 { + return Expression::from(value.first().unwrap()); + } + + Expression::set(value.iter().map(Expression::from)) + } } #[derive(Clone, Debug, Deserialize, Serialize)] @@ -197,6 +281,24 @@ pub enum CtDirection { Reply, } serde_plain::derive_display_from_serialize!(CtDirection); + +#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)] +#[serde(rename_all = "lowercase")] +pub enum IpFamily { + Ip, + Ip6, +} + +#[cfg(feature = "config-ext")] +impl From for IpFamily { + fn from(value: Family) -> Self { + match value { + Family::V4 => IpFamily::Ip, + Family::V6 => IpFamily::Ip6, + } + } +} + #[derive(Clone, Debug, Deserialize, Serialize)] #[serde(untagged)] pub enum Payload { @@ -260,6 +362,16 @@ impl Prefix { } } +#[cfg(feature = "config-ext")] +impl From<&Cidr> for Prefix { + fn from(value: &Cidr) -> Self { + match value { + Cidr::Ipv4(cidr) => Self::new(cidr.address(), cidr.mask()), + Cidr::Ipv6(cidr) => Self::new(cidr.address(), cidr.mask()), + } + } +} + #[derive(Clone, Debug, Deserialize, Serialize)] pub struct Element { #[serde(flatten)] -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel