From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 943631FF348 for ; Wed, 17 Apr 2024 16:03:56 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 072349969; Wed, 17 Apr 2024 16:03:39 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Wed, 17 Apr 2024 15:53:53 +0200 Message-Id: <20240417135404.573490-29-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240417135404.573490-1-s.hanreich@proxmox.com> References: <20240417135404.573490-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.306 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v2 28/39] firewall: add config loader X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" We load the firewall configuration from the default paths, as well as only the guest configurations that are local to the node itself. In the future we could change this to use pmxcfs directly instead. We also load information from nftables directly about dynamically created chains (mostly chains for the guest firewall). Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-firewall/Cargo.toml | 2 + proxmox-firewall/src/config.rs | 281 +++++++++++++++++++++++++++++++++ proxmox-firewall/src/main.rs | 3 + 3 files changed, 286 insertions(+) create mode 100644 proxmox-firewall/src/config.rs diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml index b59d973..431e71a 100644 --- a/proxmox-firewall/Cargo.toml +++ b/proxmox-firewall/Cargo.toml @@ -11,6 +11,8 @@ description = "Proxmox VE nftables firewall implementation" license = "AGPL-3" [dependencies] +log = "0.4" +env_logger = "0.10" anyhow = "1" proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] } diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs new file mode 100644 index 0000000..f5df20f --- /dev/null +++ b/proxmox-firewall/src/config.rs @@ -0,0 +1,281 @@ +use std::collections::BTreeMap; +use std::default::Default; +use std::fs::File; +use std::io::{self, BufReader}; +use std::sync::OnceLock; + +use anyhow::Error; + +use proxmox_ve_config::firewall::cluster::Config as ClusterConfig; +use proxmox_ve_config::firewall::guest::Config as GuestConfig; +use proxmox_ve_config::firewall::host::Config as HostConfig; +use proxmox_ve_config::firewall::types::alias::{Alias, AliasName, AliasScope}; + +use proxmox_ve_config::guest::types::Vmid; +use proxmox_ve_config::guest::{GuestEntry, GuestMap}; + +use proxmox_nftables::command::{CommandOutput, Commands, List, ListOutput}; +use proxmox_nftables::types::ListChain; +use proxmox_nftables::NftCtx; + +pub trait FirewallConfigLoader { + fn cluster(&self) -> Option>; + fn host(&self) -> Option>; + fn guest_list(&self) -> GuestMap; + fn guest_config(&self, vmid: &Vmid, guest: &GuestEntry) -> Option>; + fn guest_firewall_config(&self, vmid: &Vmid) -> Option>; +} + +#[derive(Default)] +struct PveFirewallConfigLoader {} + +impl PveFirewallConfigLoader { + pub fn new() -> Self { + Default::default() + } +} + +/// opens a configuration file +/// +/// It returns a file handle to the file or [`None`] if it doesn't exist. +fn open_config_file(path: &str) -> Result, Error> { + match File::open(path) { + Ok(data) => Ok(Some(data)), + Err(err) if err.kind() == io::ErrorKind::NotFound => { + log::info!("config file does not exist: {path}"); + Ok(None) + } + Err(err) => { + let context = format!("unable to open configuration file at {path}"); + Err(anyhow::Error::new(err).context(context)) + } + } +} + +const CLUSTER_CONFIG_PATH: &str = "/etc/pve/firewall/cluster.fw"; +const HOST_CONFIG_PATH: &str = "/etc/pve/local/host.fw"; + +impl FirewallConfigLoader for PveFirewallConfigLoader { + fn cluster(&self) -> Option> { + log::info!("loading cluster config"); + + let fd = + open_config_file(CLUSTER_CONFIG_PATH).expect("able to read cluster firewall config"); + + if let Some(file) = fd { + let buf_reader = Box::new(BufReader::new(file)) as Box; + return Some(buf_reader); + } + + None + } + + fn host(&self) -> Option> { + log::info!("loading host config"); + + let fd = open_config_file(HOST_CONFIG_PATH).expect("able to read host firewall config"); + + if let Some(file) = fd { + let buf_reader = Box::new(BufReader::new(file)) as Box; + return Some(buf_reader); + } + + None + } + + fn guest_list(&self) -> GuestMap { + log::info!("loading vmlist"); + GuestMap::new().expect("able to read vmlist") + } + + fn guest_config(&self, vmid: &Vmid, entry: &GuestEntry) -> Option> { + log::info!("loading guest #{vmid} config"); + + let fd = open_config_file(&GuestMap::config_path(vmid, entry)) + .expect("able to read guest config"); + + if let Some(file) = fd { + let buf_reader = Box::new(BufReader::new(file)) as Box; + return Some(buf_reader); + } + + None + } + + fn guest_firewall_config(&self, vmid: &Vmid) -> Option> { + log::info!("loading guest #{vmid} firewall config"); + + let fd = open_config_file(&GuestMap::firewall_config_path(vmid)) + .expect("able to read guest firewall config"); + + if let Some(file) = fd { + let buf_reader = Box::new(BufReader::new(file)) as Box; + return Some(buf_reader); + } + + None + } +} + +pub trait NftConfigLoader { + fn chains(&self) -> CommandOutput; +} + +#[derive(Debug, Default)] +pub struct PveNftConfigLoader {} + +impl PveNftConfigLoader { + pub fn new() -> Self { + Default::default() + } +} + +impl NftConfigLoader for PveNftConfigLoader { + fn chains(&self) -> CommandOutput { + log::info!("querying nftables config for chains"); + + let mut nft = NftCtx::new().expect("can create new nft context"); + + let commands = Commands::new(vec![List::chains()]); + + nft.run_commands(&commands) + .expect("can query chains in nftables") + .expect("nft returned output") + } +} + +pub struct FirewallConfig { + firewall_loader: Box, + nft_loader: Box, +} + +impl Default for FirewallConfig { + fn default() -> Self { + Self { + firewall_loader: Box::new(PveFirewallConfigLoader::new()), + nft_loader: Box::new(PveNftConfigLoader::new()), + } + } +} + +impl FirewallConfig { + pub fn new( + firewall_loader: Box, + nft_loader: Box, + ) -> Self { + Self { + firewall_loader, + nft_loader, + } + } + + pub fn cluster(&self) -> &ClusterConfig { + static CLUSTER_CONFIG: OnceLock = OnceLock::new(); + + CLUSTER_CONFIG.get_or_init(|| { + let raw_config = self.firewall_loader.cluster(); + + match raw_config { + Some(data) => ClusterConfig::parse(data).expect("cluster firewall config is valid"), + None => { + log::info!("no cluster config found, falling back to default"); + ClusterConfig::default() + } + } + }) + } + + pub fn host(&self) -> &HostConfig { + static HOST_CONFIG: OnceLock = OnceLock::new(); + + HOST_CONFIG.get_or_init(|| { + let raw_config = self.firewall_loader.host(); + + match raw_config { + Some(data) => HostConfig::parse(data).expect("host firewall config is valid"), + None => { + log::info!("no host config found, falling back to default"); + HostConfig::default() + } + } + }) + } + + pub fn guests(&self) -> &BTreeMap { + static GUEST_CONFIG: OnceLock> = OnceLock::new(); + + GUEST_CONFIG.get_or_init(|| { + let mut guests = BTreeMap::new(); + + for (vmid, entry) in self.firewall_loader.guest_list().iter() { + if !entry.is_local() { + log::debug!("guest #{vmid} is not local, skipping"); + continue; + } + + let raw_firewall_config = self.firewall_loader.guest_firewall_config(vmid); + + if let Some(raw_firewall_config) = raw_firewall_config { + log::debug!("found firewall config for #{vmid}, loading guest config"); + + let raw_config = self + .firewall_loader + .guest_config(vmid, entry) + .expect("guest config exists if firewall config exists"); + + let config = GuestConfig::parse( + vmid, + entry.ty().iface_prefix(), + raw_firewall_config, + raw_config, + ) + .expect("guest config is valid"); + + guests.insert(*vmid, config); + } + } + + guests + }) + } + + pub fn nft_chains(&self) -> &BTreeMap { + static NFT_CHAINS: OnceLock> = OnceLock::new(); + + NFT_CHAINS.get_or_init(|| { + let output = self.nft_loader.chains(); + let mut chains = BTreeMap::new(); + + for element in &output.nftables { + if let ListOutput::Chain(chain) = element { + chains.insert(chain.name().to_owned(), chain.clone()); + } + } + + chains + }) + } + + pub fn is_enabled(&self) -> bool { + self.cluster().is_enabled() && self.host().nftables() + } + + pub fn alias(&self, name: &AliasName, vmid: Option) -> Option<&Alias> { + log::trace!("getting alias {name:?}"); + + match name.scope() { + AliasScope::Datacenter => self.cluster().alias(name.name()), + AliasScope::Guest => { + if let Some(vmid) = vmid { + if let Some(entry) = self.guests().get(&vmid) { + return entry.alias(name); + } + + log::warn!("trying to get alias {name} for non-existing guest: #{vmid}"); + } + + None + } + } + } +} diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs index 248ac39..656ac15 100644 --- a/proxmox-firewall/src/main.rs +++ b/proxmox-firewall/src/main.rs @@ -1,5 +1,8 @@ use anyhow::Error; +mod config; + fn main() -> Result<(), Error> { + env_logger::init(); Ok(()) } -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel