From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 604E31FF37F for ; Thu, 18 Apr 2024 18:15:25 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 001E830EF6; Thu, 18 Apr 2024 18:14:50 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 18 Apr 2024 18:14:06 +0200 Message-Id: <20240418161434.709473-12-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com> References: <20240418161434.709473-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.293 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v3 11/39] config: firewall: add generic parser for firewall configs X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Since the basic format of cluster, host and guest firewall configurations is the same, we create a generic parser that can handle the common config format. The main difference is in the available options, which can be passed via a generic parameter. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/common.rs | 184 ++++++++++++++++++++ proxmox-ve-config/src/firewall/mod.rs | 1 + proxmox-ve-config/src/firewall/parse.rs | 210 +++++++++++++++++++++++ 3 files changed, 395 insertions(+) create mode 100644 proxmox-ve-config/src/firewall/common.rs diff --git a/proxmox-ve-config/src/firewall/common.rs b/proxmox-ve-config/src/firewall/common.rs new file mode 100644 index 0000000..a08f19c --- /dev/null +++ b/proxmox-ve-config/src/firewall/common.rs @@ -0,0 +1,184 @@ +use std::collections::{BTreeMap, HashMap}; +use std::io; + +use anyhow::{bail, format_err, Error}; +use serde::de::IntoDeserializer; + +use crate::firewall::parse::{parse_named_section_tail, split_key_value, SomeString}; +use crate::firewall::types::ipset::{IpsetName, IpsetScope}; +use crate::firewall::types::{Alias, Group, Ipset, Rule}; + +#[derive(Debug, Default)] +pub struct Config +where + O: Default + std::fmt::Debug + serde::de::DeserializeOwned, +{ + pub(crate) options: O, + pub(crate) rules: Vec, + pub(crate) aliases: BTreeMap, + pub(crate) ipsets: BTreeMap, + pub(crate) groups: BTreeMap, +} + +enum Sec { + None, + Options, + Aliases, + Rules, + Ipset(String, Ipset), + Group(String, Group), +} + +#[derive(Default)] +pub struct ParserConfig { + /// Network interfaces must be of the form `netX`. + pub guest_iface_names: bool, + pub ipset_scope: Option, +} + +impl Config +where + O: Default + std::fmt::Debug + serde::de::DeserializeOwned, +{ + pub fn new() -> Self { + Self::default() + } + + pub fn parse(input: R, parser_cfg: &ParserConfig) -> Result { + let mut section = Sec::None; + + let mut this = Self::new(); + let mut options = HashMap::new(); + + for line in input.lines() { + let line = line?; + let line = line.trim(); + + if line.is_empty() || line.starts_with('#') { + continue; + } + + log::trace!("parsing config line {line}"); + + if line.eq_ignore_ascii_case("[OPTIONS]") { + this.set_section(&mut section, Sec::Options)?; + } else if line.eq_ignore_ascii_case("[ALIASES]") { + this.set_section(&mut section, Sec::Aliases)?; + } else if line.eq_ignore_ascii_case("[RULES]") { + this.set_section(&mut section, Sec::Rules)?; + } else if let Some(line) = line.strip_prefix("[IPSET") { + let (name, comment) = parse_named_section_tail("ipset", line)?; + + let scope = parser_cfg.ipset_scope.ok_or_else(|| { + format_err!("IPSET in config, but no scope set in parser config") + })?; + + let ipset_name = IpsetName::new(scope, name.to_string()); + let mut ipset = Ipset::new(ipset_name); + ipset.comment = comment.map(str::to_owned); + + this.set_section(&mut section, Sec::Ipset(name.to_string(), ipset))?; + } else if let Some(line) = line.strip_prefix("[group") { + let (name, comment) = parse_named_section_tail("group", line)?; + let mut group = Group::new(); + + group.set_comment(comment.map(str::to_owned)); + + this.set_section(&mut section, Sec::Group(name.to_owned(), group))?; + } else if line.starts_with('[') { + bail!("invalid section {line:?}"); + } else { + match &mut section { + Sec::None => bail!("config line with no section: {line:?}"), + Sec::Options => Self::parse_option(line, &mut options)?, + Sec::Aliases => this.parse_alias(line)?, + Sec::Rules => this.parse_rule(line, parser_cfg)?, + Sec::Ipset(_name, ipset) => ipset.parse_entry(line)?, + Sec::Group(_name, group) => group.parse_entry(line)?, + } + } + } + this.set_section(&mut section, Sec::None)?; + + this.options = O::deserialize(IntoDeserializer::< + '_, + crate::firewall::parse::SerdeStringError, + >::into_deserializer(options))?; + + Ok(this) + } + + fn parse_option(line: &str, options: &mut HashMap) -> Result<(), Error> { + let (key, value) = split_key_value(line) + .ok_or_else(|| format_err!("expected colon separated key and value, found {line:?}"))?; + + if options.insert(key.to_string(), value.into()).is_some() { + bail!("duplicate option {key:?}"); + } + + Ok(()) + } + + fn parse_alias(&mut self, line: &str) -> Result<(), Error> { + let alias: Alias = line.parse()?; + + if self + .aliases + .insert(alias.name().to_string(), alias) + .is_some() + { + bail!("duplicate alias: {line}"); + } + + Ok(()) + } + + fn parse_rule(&mut self, line: &str, parser_cfg: &ParserConfig) -> Result<(), Error> { + let rule: Rule = line.parse()?; + + if parser_cfg.guest_iface_names { + if let Some(iface) = rule.iface() { + let _ = iface + .strip_prefix("net") + .ok_or_else(|| { + format_err!("interface name must be of the form \"net\"") + })? + .parse::() + .map_err(|_| { + format_err!("interface name must be of the form \"net\"") + })?; + } + } + + self.rules.push(rule); + Ok(()) + } + + fn set_section(&mut self, sec: &mut Sec, to: Sec) -> Result<(), Error> { + let prev = std::mem::replace(sec, to); + + match prev { + Sec::Ipset(name, ipset) => { + if self.ipsets.insert(name.clone(), ipset).is_some() { + bail!("duplicate ipset: {name:?}"); + } + } + Sec::Group(name, group) => { + if self.groups.insert(name.clone(), group).is_some() { + bail!("duplicate group: {name:?}"); + } + } + _ => (), + } + + Ok(()) + } + + pub fn ipsets(&self) -> &BTreeMap { + &self.ipsets + } + + pub fn alias(&self, name: &str) -> Option<&Alias> { + self.aliases.get(name) + } +} diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs index 2e0f31e..591ee52 100644 --- a/proxmox-ve-config/src/firewall/mod.rs +++ b/proxmox-ve-config/src/firewall/mod.rs @@ -1,3 +1,4 @@ +pub mod common; pub mod ports; pub mod types; diff --git a/proxmox-ve-config/src/firewall/parse.rs b/proxmox-ve-config/src/firewall/parse.rs index e2ce463..93cf014 100644 --- a/proxmox-ve-config/src/firewall/parse.rs +++ b/proxmox-ve-config/src/firewall/parse.rs @@ -74,6 +74,26 @@ pub fn match_digits(line: &str) -> Option<(&str, &str)> { None } + +/// Separate a `key: value` line, trimming whitespace. +/// +/// Returns `None` if the `key` would be empty. +pub fn split_key_value(line: &str) -> Option<(&str, &str)> { + line.split_once(':') + .map(|(key, value)| (key.trim(), value.trim())) +} + +/// Parse a boolean. +/// +/// values that parse as [`false`]: 0, false, off, no +/// values that parse as [`true`]: 1, true, on, yes +/// +/// # Examples +/// ```ignore +/// assert_eq!(parse_bool("false"), Ok(false)); +/// assert_eq!(parse_bool("on"), Ok(true)); +/// assert!(parse_bool("proxmox").is_err()); +/// ``` pub fn parse_bool(value: &str) -> Result { Ok( if value == "0" @@ -94,6 +114,196 @@ pub fn parse_bool(value: &str) -> Result { ) } +/// Parse the *remainder* of a section line, that is `NAME] #optional comment`. +/// The `kind` parameter is used for error messages and should be the section type. +/// +/// Return the name and the optional comment. +pub fn parse_named_section_tail<'a>( + kind: &'static str, + line: &'a str, +) -> Result<(&'a str, Option<&'a str>), Error> { + if line.is_empty() || !line.as_bytes()[0].is_ascii_whitespace() { + bail!("incomplete {kind} section"); + } + + let line = line.trim_start(); + let (name, line) = match_name(line) + .ok_or_else(|| format_err!("expected a name for the {kind} at {line:?}"))?; + + let line = line + .strip_prefix(']') + .ok_or_else(|| format_err!("expected closing ']' in {kind} section header"))? + .trim_start(); + + Ok(match line.strip_prefix('#') { + Some(comment) => (name, Some(comment.trim())), + None if !line.is_empty() => bail!("trailing characters after {kind} section: {line:?}"), + None => (name, None), + }) +} + +// parses a number from a string OR number +pub mod serde_option_number { + use std::fmt; + + use serde::de::{Deserializer, Error, Visitor}; + + pub fn deserialize<'de, D: Deserializer<'de>>( + deserializer: D, + ) -> Result, D::Error> { + struct V; + + impl<'de> Visitor<'de> for V { + type Value = Option; + + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str("a numerical value") + } + + fn visit_str(self, v: &str) -> Result { + v.parse().map_err(E::custom).map(Some) + } + + fn visit_none(self) -> Result { + Ok(None) + } + + fn visit_some(self, deserializer: D) -> Result + where + D: Deserializer<'de>, + { + deserializer.deserialize_any(self) + } + } + + deserializer.deserialize_any(V) + } +} + +// parses a bool from a string OR bool +pub mod serde_option_bool { + use std::fmt; + + use serde::de::{Deserializer, Error, Visitor}; + + pub fn deserialize<'de, D: Deserializer<'de>>( + deserializer: D, + ) -> Result, D::Error> { + struct V; + + impl<'de> Visitor<'de> for V { + type Value = Option; + + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str("a boolean-like value") + } + + fn visit_bool(self, v: bool) -> Result { + Ok(Some(v)) + } + + fn visit_str(self, v: &str) -> Result { + super::parse_bool(v).map_err(E::custom).map(Some) + } + + fn visit_none(self) -> Result { + Ok(None) + } + + fn visit_some(self, deserializer: D) -> Result + where + D: Deserializer<'de>, + { + deserializer.deserialize_any(self) + } + } + + deserializer.deserialize_any(V) + } +} + +// parses a comma_separated list of strings +pub mod serde_option_conntrack_helpers { + use std::fmt; + + use serde::de::{Deserializer, Error, Visitor}; + + pub fn deserialize<'de, D: Deserializer<'de>>( + deserializer: D, + ) -> Result>, D::Error> { + struct V; + + impl<'de> Visitor<'de> for V { + type Value = Option>; + + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str("A list of conntrack helpers") + } + + fn visit_str(self, v: &str) -> Result { + if v.is_empty() { + return Ok(None); + } + + Ok(Some(v.split(',').map(String::from).collect())) + } + + fn visit_none(self) -> Result { + Ok(None) + } + + fn visit_some(self, deserializer: D) -> Result + where + D: Deserializer<'de>, + { + deserializer.deserialize_any(self) + } + } + + deserializer.deserialize_any(V) + } +} + +// parses a log_ratelimit string: '[enable=]<1|0> [,burst=] [,rate=]' +pub mod serde_option_log_ratelimit { + use std::fmt; + + use serde::de::{Deserializer, Error, Visitor}; + + use crate::firewall::types::log::LogRateLimit; + + pub fn deserialize<'de, D: Deserializer<'de>>( + deserializer: D, + ) -> Result, D::Error> { + struct V; + + impl<'de> Visitor<'de> for V { + type Value = Option; + + fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str("a boolean-like value") + } + + fn visit_str(self, v: &str) -> Result { + v.parse().map_err(E::custom).map(Some) + } + + fn visit_none(self) -> Result { + Ok(None) + } + + fn visit_some(self, deserializer: D) -> Result + where + D: Deserializer<'de>, + { + deserializer.deserialize_any(self) + } + } + + deserializer.deserialize_any(V) + } +} + /// `&str` deserializer which also accepts an `Option`. /// /// Serde's `StringDeserializer` does not. -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel