public inbox for pve-devel@lists.proxmox.com
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall v3 21/39] nftables: statement: add types
Date: Thu, 18 Apr 2024 18:14:16 +0200	[thread overview]
Message-ID: <20240418161434.709473-22-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com>

Adds an enum containing most of the statements defined in the
nftables-json schema [1].

[1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#STATEMENTS

Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-nftables/Cargo.toml       |   2 +
 proxmox-nftables/src/lib.rs       |   2 +
 proxmox-nftables/src/statement.rs | 321 ++++++++++++++++++++++++++++++
 proxmox-nftables/src/types.rs     |  18 +-
 4 files changed, 342 insertions(+), 1 deletion(-)
 create mode 100644 proxmox-nftables/src/statement.rs

diff --git a/proxmox-nftables/Cargo.toml b/proxmox-nftables/Cargo.toml
index 7e607e8..e84509d 100644
--- a/proxmox-nftables/Cargo.toml
+++ b/proxmox-nftables/Cargo.toml
@@ -15,6 +15,8 @@ config-ext = ["dep:proxmox-ve-config"]
 
 [dependencies]
 log = "0.4"
+anyhow = "1"
+thiserror = "1"
 
 serde = { version = "1", features = [ "derive" ] }
 serde_json = "1"
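Review bot: `thiserror = "1"` is added here but nothing in this patch references it, and `anyhow = "1"` is only pulled in by the `use anyhow::{bail, Error};` line in the new statement.rs, which that file never uses either. Suggest adding each dependency in the patch that first needs it, so the crate does not carry dependencies no code exercises and the import does not sit unused until a later commit.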
diff --git a/proxmox-nftables/src/lib.rs b/proxmox-nftables/src/lib.rs
index 712858b..40f6bab 100644
--- a/proxmox-nftables/src/lib.rs
+++ b/proxmox-nftables/src/lib.rs
@@ -1,5 +1,7 @@
 pub mod expression;
 pub mod helper;
+pub mod statement;
 pub mod types;
 
 pub use expression::Expression;
+pub use statement::Statement;
diff --git a/proxmox-nftables/src/statement.rs b/proxmox-nftables/src/statement.rs
new file mode 100644
index 0000000..e6371f6
--- /dev/null
+++ b/proxmox-nftables/src/statement.rs
@@ -0,0 +1,321 @@
+use anyhow::{bail, Error};
+use serde::{Deserialize, Serialize};
+
+use crate::expression::Meta;
+use crate::helper::{NfVec, Null};
+use crate::types::{RateTimescale, RateUnit, Verdict};
+use crate::Expression;
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum Statement {
+    Match(Match),
+    Mangle(Mangle),
+    Limit(Limit),
+    Notrack(Null),
+    Reject(Reject),
+    Set(Set),
+    Log(Log),
+    #[serde(rename = "ct helper")]
+    CtHelper(String),
+    Vmap(Vmap),
+    Comment(String),
+
+    #[serde(untagged)]
+    Verdict(Verdict),
+}
+
+impl Statement {
+    pub const fn make_accept() -> Self {
+        Statement::Verdict(Verdict::Accept(Null))
+    }
+
+    pub const fn make_drop() -> Self {
+        Statement::Verdict(Verdict::Drop(Null))
+    }
+
+    pub const fn make_return() -> Self {
+        Statement::Verdict(Verdict::Return(Null))
+    }
+
+    pub const fn make_continue() -> Self {
+        Statement::Verdict(Verdict::Continue(Null))
+    }
+
+    pub fn jump(target: impl Into<String>) -> Self {
+        Statement::Verdict(Verdict::Jump {
+            target: target.into(),
+        })
+    }
+
+    pub fn goto(target: impl Into<String>) -> Self {
+        Statement::Verdict(Verdict::Goto {
+            target: target.into(),
+        })
+    }
+}
+
+impl From<Match> for Statement {
+    #[inline]
+    fn from(m: Match) -> Statement {
+        Statement::Match(m)
+    }
+}
+
+impl From<Mangle> for Statement {
+    #[inline]
+    fn from(m: Mangle) -> Statement {
+        Statement::Mangle(m)
+    }
+}
+
+impl From<Reject> for Statement {
+    #[inline]
+    fn from(m: Reject) -> Statement {
+        Statement::Reject(m)
+    }
+}
+
+impl From<Set> for Statement {
+    #[inline]
+    fn from(m: Set) -> Statement {
+        Statement::Set(m)
+    }
+}
+
+impl From<Vmap> for Statement {
+    #[inline]
+    fn from(m: Vmap) -> Statement {
+        Statement::Vmap(m)
+    }
+}
+
+impl From<Log> for Statement {
+    #[inline]
+    fn from(log: Log) -> Statement {
+        Statement::Log(log)
+    }
+}
+
+impl<T: Into<Limit>> From<T> for Statement {
+    #[inline]
+    fn from(limit: T) -> Statement {
+        Statement::Limit(limit.into())
+    }
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum RejectType {
+    #[serde(rename = "tcp reset")]
+    TcpRst,
+    IcmpX,
+    Icmp,
+    IcmpV6,
+}
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+pub struct Reject {
+    #[serde(rename = "type", skip_serializing_if = "Option::is_none")]
+    ty: Option<RejectType>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    expr: Option<Expression>,
+}
+
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct Log {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    prefix: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    group: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    snaplen: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    queue_threshold: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    level: Option<LogLevel>,
+
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    flags: NfVec<LogFlag>,
+}
+
+impl Log {
+    pub fn new_nflog(prefix: String, group: i64) -> Self {
+        Self {
+            prefix: Some(prefix),
+            group: Some(group),
+            ..Default::default()
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum LogLevel {
+    Emerg,
+    Alert,
+    Crit,
+    Err,
+    Warn,
+    Notice,
+    Info,
+    Debug,
+    Audit,
+}
+
+impl LogLevel {
+    pub fn nflog_level(&self) -> u8 {
+        match self {
+            LogLevel::Emerg => 0,
+            LogLevel::Alert => 1,
+            LogLevel::Crit => 2,
+            LogLevel::Err => 3,
+            LogLevel::Warn => 4,
+            LogLevel::Notice => 5,
+            LogLevel::Info => 6,
+            LogLevel::Debug => 7,
+            LogLevel::Audit => 7,
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum LogFlag {
+    #[serde(rename = "tcp sequence")]
+    TcpSequence,
+    #[serde(rename = "tcp options")]
+    TcpOptions,
+    #[serde(rename = "ip options")]
+    IpOptions,
+
+    Skuid,
+    Ether,
+    All,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+#[serde(untagged)]
+pub enum Limit {
+    Named(String),
+    Anonymous(AnonymousLimit),
+}
+
+impl<T: Into<AnonymousLimit>> From<T> for Limit {
+    fn from(value: T) -> Self {
+        Limit::Anonymous(value.into())
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize, Default)]
+pub struct AnonymousLimit {
+    pub rate: i64,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub rate_unit: Option<RateUnit>,
+
+    pub per: RateTimescale,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub burst: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub burst_unit: Option<RateUnit>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub inv: Option<bool>,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Vmap {
+    key: Expression,
+    data: Expression,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Match {
+    op: Operator,
+    left: Expression,
+    right: Expression,
+}
+
+impl Match {
+    pub fn new(op: Operator, left: impl Into<Expression>, right: impl Into<Expression>) -> Self {
+        Self {
+            op,
+            left: left.into(),
+            right: right.into(),
+        }
+    }
+
+    pub fn new_eq(left: impl Into<Expression>, right: impl Into<Expression>) -> Self {
+        Self::new(Operator::Eq, left, right)
+    }
+
+    pub fn new_ne(left: impl Into<Expression>, right: impl Into<Expression>) -> Self {
+        Self::new(Operator::Ne, left, right)
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+pub enum Operator {
+    #[serde(rename = "&")]
+    And,
+    #[serde(rename = "|")]
+    Or,
+    #[serde(rename = "^")]
+    Xor,
+    #[serde(rename = "<<")]
+    ShiftLeft,
+    #[serde(rename = ">>")]
+    ShiftRight,
+    #[serde(rename = "==")]
+    Eq,
+    #[serde(rename = "!=")]
+    Ne,
+    #[serde(rename = "<")]
+    Lt,
+    #[serde(rename = ">")]
+    Gt,
+    #[serde(rename = "<=")]
+    Le,
+    #[serde(rename = ">=")]
+    Ge,
+    #[serde(rename = "in")]
+    In,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Mangle {
+    pub key: Expression,
+    pub value: Expression,
+}
+
+impl Mangle {
+    pub fn set_mark(value: impl Into<Expression>) -> Self {
+        Self {
+            key: Meta::new("mark").into(),
+            value: value.into(),
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum SetOperation {
+    Add,
+    Update,
+}
+
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct Set {
+    pub op: SetOperation,
+    pub elem: Expression,
+    pub set: String,
+    pub stmt: Option<NfVec<Statement>>,
+}
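Review bot: `stmt` in `Set` (the last struct of the hunk) is the only `Option` field in this file without `#[serde(skip_serializing_if = "Option::is_none")]`, so a set statement with no nested statements serializes as `"stmt": null` instead of omitting the key the way `Reject`, `Log` and `AnonymousLimit` do; suggest adding the attribute for consistency with the rest of the file. Two smaller points: `use anyhow::{bail, Error};` at the top is not referenced anywhere in the hunk and will produce an unused-import warning until later code uses it; and `LogLevel::nflog_level` maps both `Debug` and `Audit` to 7, which deserves a one-line comment explaining the choice so a reader does not mistake it for a copy-paste error.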
diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
index 942c866..a8ec599 100644
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@@ -30,6 +30,23 @@ impl Display for Verdict {
     }
 }
 
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+pub enum RateUnit {
+    Packets,
+    Bytes,
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize, Default)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+#[serde(rename_all = "lowercase")]
+pub enum RateTimescale {
+    #[default]
+    Second,
+    Minute,
+    Hour,
+    Day,
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct ElemConfig {
     timeout: Option<i64>,
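Review bot: `RateUnit` is missing `#[serde(rename_all = "lowercase")]`, so `rate_unit` and `burst_unit` serialize as `"Packets"`/`"Bytes"`, while the libnftables JSON schema linked in the commit message documents lowercase `"packets"`/`"bytes"`; `RateTimescale` directly below already carries the attribute, so adding the same line to `RateUnit` keeps the two enums consistent and makes the generated limit statement match the schema.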
@@ -50,4 +67,3 @@ impl ElemConfig {
         }
     }
 }
-
-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

