From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C4EE51FF380 for ; Fri, 19 Apr 2024 09:31:22 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EB343640; Fri, 19 Apr 2024 09:31:07 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 18 Apr 2024 18:14:17 +0200 Message-Id: <20240418161434.709473-23-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com> References: <20240418161434.709473-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.277 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v3 22/39] nftables: statement: add conversion traits for config types X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Wolfgang Bumiller Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Some types from the firewall configuration map directly onto nftables statements. For those we implement conversion traits so we can conveniently convert between the configuration types and the respective nftables types. As with the expressions, those are guarded behind a feature so the nftables crate can be used standalone without having to pull in the proxmox-ve-config crate. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/statement.rs | 71 ++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/proxmox-nftables/src/statement.rs b/proxmox-nftables/src/statement.rs index e6371f6..e89f678 100644 --- a/proxmox-nftables/src/statement.rs +++ b/proxmox-nftables/src/statement.rs @@ -1,6 +1,15 @@ use anyhow::{bail, Error}; use serde::{Deserialize, Serialize}; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::log::LogLevel as ConfigLogLevel; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::log::LogRateLimit; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::firewall::types::rule::Verdict as ConfigVerdict; +#[cfg(feature = "config-ext")] +use proxmox_ve_config::guest::types::Vmid; + use crate::expression::Meta; use crate::helper::{NfVec, Null}; use crate::types::{RateTimescale, RateUnit, Verdict}; @@ -104,7 +113,18 @@ impl> From for Statement { } } -#[derive(Clone, Debug, Deserialize, Serialize)] +#[cfg(feature = "config-ext")] +impl From for Statement { + fn from(value: ConfigVerdict) -> Self { + match value { + ConfigVerdict::Accept => Statement::make_accept(), + ConfigVerdict::Reject => Statement::make_drop(), + ConfigVerdict::Drop => Statement::make_drop(), + } + } +} + +#[derive(Clone, Copy, Debug, Deserialize, Serialize)] #[serde(rename_all = "lowercase")] pub enum RejectType { #[serde(rename = "tcp reset")] @@ -145,6 +165,22 @@ pub struct Log { } impl Log { + #[cfg(feature = "config-ext")] + pub fn generate_prefix( + vmid: impl Into>, + log_level: LogLevel, + chain_name: &str, + verdict: ConfigVerdict, + ) -> String { + format!( + ":{}:{}:{}: {}: ", + vmid.into().unwrap_or(Vmid::new(0)), + log_level.nflog_level(), + chain_name, + verdict, + ) + } + pub fn new_nflog(prefix: String, group: i64) -> Self { Self { prefix: Some(prefix), @@ -168,6 +204,25 @@ pub enum LogLevel { Audit, } +#[cfg(feature = "config-ext")] +impl TryFrom for LogLevel { + type Error = Error; + + fn try_from(value: ConfigLogLevel) -> Result { + match value { + ConfigLogLevel::Emergency => Ok(LogLevel::Emerg), + ConfigLogLevel::Alert => Ok(LogLevel::Alert), + ConfigLogLevel::Critical => Ok(LogLevel::Crit), + ConfigLogLevel::Error => Ok(LogLevel::Err), + ConfigLogLevel::Warning => Ok(LogLevel::Warn), + ConfigLogLevel::Notice => Ok(LogLevel::Notice), + ConfigLogLevel::Info => Ok(LogLevel::Info), + ConfigLogLevel::Debug => Ok(LogLevel::Debug), + _ => bail!("cannot convert config log level to nftables"), + } + } +} + impl LogLevel { pub fn nflog_level(&self) -> u8 { match self { @@ -231,6 +286,20 @@ pub struct AnonymousLimit { pub inv: Option, } +#[cfg(feature = "config-ext")] +impl From for AnonymousLimit { + fn from(config: LogRateLimit) -> Self { + AnonymousLimit { + rate: config.rate(), + per: config.per().into(), + rate_unit: None, + burst: Some(config.burst()), + burst_unit: None, + inv: None, + } + } +} + #[derive(Clone, Debug, Deserialize, Serialize)] pub struct Vmap { key: Expression, -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel