From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall v2 28/39] firewall: add config loader
Date: Wed, 17 Apr 2024 15:53:53 +0200 [thread overview]
Message-ID: <20240417135404.573490-29-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240417135404.573490-1-s.hanreich@proxmox.com>
We load the firewall configuration from the default paths, as well as
only the guest configurations that are local to the node itself. In
the future we could change this to use pmxcfs directly instead.
We also load information from nftables directly about dynamically
created chains (mostly chains for the guest firewall).
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/Cargo.toml | 2 +
proxmox-firewall/src/config.rs | 281 +++++++++++++++++++++++++++++++++
proxmox-firewall/src/main.rs | 3 +
3 files changed, 286 insertions(+)
create mode 100644 proxmox-firewall/src/config.rs
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index b59d973..431e71a 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -11,6 +11,8 @@ description = "Proxmox VE nftables firewall implementation"
license = "AGPL-3"
[dependencies]
+log = "0.4"
+env_logger = "0.10"
anyhow = "1"
proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs
new file mode 100644
index 0000000..f5df20f
--- /dev/null
+++ b/proxmox-firewall/src/config.rs
@@ -0,0 +1,281 @@
+use std::collections::BTreeMap;
+use std::default::Default;
+use std::fs::File;
+use std::io::{self, BufReader};
+use std::sync::OnceLock;
+
+use anyhow::Error;
+
+use proxmox_ve_config::firewall::cluster::Config as ClusterConfig;
+use proxmox_ve_config::firewall::guest::Config as GuestConfig;
+use proxmox_ve_config::firewall::host::Config as HostConfig;
+use proxmox_ve_config::firewall::types::alias::{Alias, AliasName, AliasScope};
+
+use proxmox_ve_config::guest::types::Vmid;
+use proxmox_ve_config::guest::{GuestEntry, GuestMap};
+
+use proxmox_nftables::command::{CommandOutput, Commands, List, ListOutput};
+use proxmox_nftables::types::ListChain;
+use proxmox_nftables::NftCtx;
+
+pub trait FirewallConfigLoader {
+ fn cluster(&self) -> Option<Box<dyn io::BufRead>>;
+ fn host(&self) -> Option<Box<dyn io::BufRead>>;
+ fn guest_list(&self) -> GuestMap;
+ fn guest_config(&self, vmid: &Vmid, guest: &GuestEntry) -> Option<Box<dyn io::BufRead>>;
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option<Box<dyn io::BufRead>>;
+}
+
+#[derive(Default)]
+struct PveFirewallConfigLoader {}
+
+impl PveFirewallConfigLoader {
+ pub fn new() -> Self {
+ Default::default()
+ }
+}
+
+/// opens a configuration file
+///
+/// It returns a file handle to the file or [`None`] if it doesn't exist.
+fn open_config_file(path: &str) -> Result<Option<File>, Error> {
+ match File::open(path) {
+ Ok(data) => Ok(Some(data)),
+ Err(err) if err.kind() == io::ErrorKind::NotFound => {
+ log::info!("config file does not exist: {path}");
+ Ok(None)
+ }
+ Err(err) => {
+ let context = format!("unable to open configuration file at {path}");
+ Err(anyhow::Error::new(err).context(context))
+ }
+ }
+}
+
+const CLUSTER_CONFIG_PATH: &str = "/etc/pve/firewall/cluster.fw";
+const HOST_CONFIG_PATH: &str = "/etc/pve/local/host.fw";
+
+impl FirewallConfigLoader for PveFirewallConfigLoader {
+ fn cluster(&self) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading cluster config");
+
+ let fd =
+ open_config_file(CLUSTER_CONFIG_PATH).expect("able to read cluster firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn host(&self) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading host config");
+
+ let fd = open_config_file(HOST_CONFIG_PATH).expect("able to read host firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn guest_list(&self) -> GuestMap {
+ log::info!("loading vmlist");
+ GuestMap::new().expect("able to read vmlist")
+ }
+
+ fn guest_config(&self, vmid: &Vmid, entry: &GuestEntry) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading guest #{vmid} config");
+
+ let fd = open_config_file(&GuestMap::config_path(vmid, entry))
+ .expect("able to read guest config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading guest #{vmid} firewall config");
+
+ let fd = open_config_file(&GuestMap::firewall_config_path(vmid))
+ .expect("able to read guest firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+}
+
+pub trait NftConfigLoader {
+ fn chains(&self) -> CommandOutput;
+}
+
+#[derive(Debug, Default)]
+pub struct PveNftConfigLoader {}
+
+impl PveNftConfigLoader {
+ pub fn new() -> Self {
+ Default::default()
+ }
+}
+
+impl NftConfigLoader for PveNftConfigLoader {
+ fn chains(&self) -> CommandOutput {
+ log::info!("querying nftables config for chains");
+
+ let mut nft = NftCtx::new().expect("can create new nft context");
+
+ let commands = Commands::new(vec![List::chains()]);
+
+ nft.run_commands(&commands)
+ .expect("can query chains in nftables")
+ .expect("nft returned output")
+ }
+}
+
+pub struct FirewallConfig {
+ firewall_loader: Box<dyn FirewallConfigLoader>,
+ nft_loader: Box<dyn NftConfigLoader>,
+}
+
+impl Default for FirewallConfig {
+ fn default() -> Self {
+ Self {
+ firewall_loader: Box::new(PveFirewallConfigLoader::new()),
+ nft_loader: Box::new(PveNftConfigLoader::new()),
+ }
+ }
+}
+
+impl FirewallConfig {
+ pub fn new(
+ firewall_loader: Box<dyn FirewallConfigLoader>,
+ nft_loader: Box<dyn NftConfigLoader>,
+ ) -> Self {
+ Self {
+ firewall_loader,
+ nft_loader,
+ }
+ }
+
+ pub fn cluster(&self) -> &ClusterConfig {
+ static CLUSTER_CONFIG: OnceLock<ClusterConfig> = OnceLock::new();
+
+ CLUSTER_CONFIG.get_or_init(|| {
+ let raw_config = self.firewall_loader.cluster();
+
+ match raw_config {
+ Some(data) => ClusterConfig::parse(data).expect("cluster firewall config is valid"),
+ None => {
+ log::info!("no cluster config found, falling back to default");
+ ClusterConfig::default()
+ }
+ }
+ })
+ }
+
+ pub fn host(&self) -> &HostConfig {
+ static HOST_CONFIG: OnceLock<HostConfig> = OnceLock::new();
+
+ HOST_CONFIG.get_or_init(|| {
+ let raw_config = self.firewall_loader.host();
+
+ match raw_config {
+ Some(data) => HostConfig::parse(data).expect("host firewall config is valid"),
+ None => {
+ log::info!("no host config found, falling back to default");
+ HostConfig::default()
+ }
+ }
+ })
+ }
+
+ pub fn guests(&self) -> &BTreeMap<Vmid, GuestConfig> {
+ static GUEST_CONFIG: OnceLock<BTreeMap<Vmid, GuestConfig>> = OnceLock::new();
+
+ GUEST_CONFIG.get_or_init(|| {
+ let mut guests = BTreeMap::new();
+
+ for (vmid, entry) in self.firewall_loader.guest_list().iter() {
+ if !entry.is_local() {
+ log::debug!("guest #{vmid} is not local, skipping");
+ continue;
+ }
+
+ let raw_firewall_config = self.firewall_loader.guest_firewall_config(vmid);
+
+ if let Some(raw_firewall_config) = raw_firewall_config {
+ log::debug!("found firewall config for #{vmid}, loading guest config");
+
+ let raw_config = self
+ .firewall_loader
+ .guest_config(vmid, entry)
+ .expect("guest config exists if firewall config exists");
+
+ let config = GuestConfig::parse(
+ vmid,
+ entry.ty().iface_prefix(),
+ raw_firewall_config,
+ raw_config,
+ )
+ .expect("guest config is valid");
+
+ guests.insert(*vmid, config);
+ }
+ }
+
+ guests
+ })
+ }
+
+ pub fn nft_chains(&self) -> &BTreeMap<String, ListChain> {
+ static NFT_CHAINS: OnceLock<BTreeMap<String, ListChain>> = OnceLock::new();
+
+ NFT_CHAINS.get_or_init(|| {
+ let output = self.nft_loader.chains();
+ let mut chains = BTreeMap::new();
+
+ for element in &output.nftables {
+ if let ListOutput::Chain(chain) = element {
+ chains.insert(chain.name().to_owned(), chain.clone());
+ }
+ }
+
+ chains
+ })
+ }
+
+ pub fn is_enabled(&self) -> bool {
+ self.cluster().is_enabled() && self.host().nftables()
+ }
+
+ pub fn alias(&self, name: &AliasName, vmid: Option<Vmid>) -> Option<&Alias> {
+ log::trace!("getting alias {name:?}");
+
+ match name.scope() {
+ AliasScope::Datacenter => self.cluster().alias(name.name()),
+ AliasScope::Guest => {
+ if let Some(vmid) = vmid {
+ if let Some(entry) = self.guests().get(&vmid) {
+ return entry.alias(name);
+ }
+
+ log::warn!("trying to get alias {name} for non-existing guest: #{vmid}");
+ }
+
+ None
+ }
+ }
+ }
+}
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 248ac39..656ac15 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -1,5 +1,8 @@
use anyhow::Error;
+mod config;
+
fn main() -> Result<(), Error> {
+ env_logger::init();
Ok(())
}
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-04-17 14:03 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-17 13:53 [pve-devel] [PATCH container/docs/firewall/manager/proxmox-firewall/qemu-server v2 00/39] proxmox firewall nftables implementation Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 01/39] config: add proxmox-ve-config crate Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 02/39] config: firewall: add types for ip addresses Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 03/39] config: firewall: add types for ports Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 04/39] config: firewall: add types for log level and rate limit Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 05/39] config: firewall: add types for aliases Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 06/39] config: host: add helpers for host network configuration Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 07/39] config: guest: add helpers for parsing guest network config Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 08/39] config: firewall: add types for ipsets Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 09/39] config: firewall: add types for rules Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 10/39] config: firewall: add types for security groups Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 11/39] config: firewall: add generic parser for firewall configs Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 12/39] config: firewall: add cluster-specific config + option types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 13/39] config: firewall: add host specific " Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 14/39] config: firewall: add guest-specific " Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 15/39] config: firewall: add firewall macros Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 16/39] config: firewall: add conntrack helper types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 17/39] nftables: add crate for libnftables bindings Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 18/39] nftables: add helpers Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 19/39] nftables: expression: add types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 20/39] nftables: expression: implement conversion traits for firewall config Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 21/39] nftables: statement: add types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 22/39] nftables: statement: add conversion traits for config types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 23/39] nftables: commands: add types Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 24/39] nftables: types: add conversion traits Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 25/39] nftables: add libnftables bindings Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 26/39] firewall: add firewall crate Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 27/39] firewall: add base ruleset Stefan Hanreich
2024-04-17 13:53 ` Stefan Hanreich [this message]
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 29/39] firewall: add rule generation logic Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 30/39] firewall: add object " Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 31/39] firewall: add ruleset " Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 32/39] firewall: add proxmox-firewall binary Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 33/39] firewall: add files for debian packaging Stefan Hanreich
2024-04-17 13:53 ` [pve-devel] [PATCH proxmox-firewall v2 34/39] firewall: add integration test Stefan Hanreich
2024-04-17 13:54 ` [pve-devel] [PATCH qemu-server v2 35/39] firewall: add handling for new nft firewall Stefan Hanreich
2024-04-17 13:54 ` [pve-devel] [PATCH pve-container v2 36/39] " Stefan Hanreich
2024-04-17 13:54 ` [pve-devel] [PATCH pve-firewall v2 37/39] add configuration option for new nftables firewall Stefan Hanreich
2024-04-18 21:06 ` Thomas Lamprecht
2024-04-17 13:54 ` [pve-devel] [PATCH pve-manager v2 38/39] firewall: expose " Stefan Hanreich
2024-04-17 13:54 ` [pve-devel] [PATCH pve-docs v2 39/39] firewall: add documentation for proxmox-firewall Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240417135404.573490-29-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox