From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall v3 29/39] firewall: add rule generation logic
Date: Thu, 18 Apr 2024 18:14:24 +0200 [thread overview]
Message-ID: <20240418161434.709473-30-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com>
ToNftRules is basically a conversion trait for firewall config structs
to convert them into the respective nftables statements.
We are passing a list of rules to the method, which then modifies the
list of rules such that all relevant rules in the list have statements
appended that apply the configured constraints from the firewall
config.
This is particularly relevant for the rule generation logic for
ipsets. Due to how sets work in nftables we need to generate two rules
for every ipset: a rule for the v4 ipset and a rule for the v6 ipset.
This is because sets can only contain either v4 or v6 addresses. By
passing a list of all generated rules we can duplicate all rules and
then add a statement for the v4 or v6 set respectively.
This also enables us to start with multiple rules, which is required
for using log statements in conjunction with limit statements.
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/main.rs | 1 +
proxmox-firewall/src/rule.rs | 761 +++++++++++++++++++++++++++++
proxmox-nftables/src/expression.rs | 4 +
3 files changed, 766 insertions(+)
create mode 100644 proxmox-firewall/src/rule.rs
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 656ac15..ae832e3 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -1,6 +1,7 @@
use anyhow::Error;
mod config;
+mod rule;
fn main() -> Result<(), Error> {
env_logger::init();
diff --git a/proxmox-firewall/src/rule.rs b/proxmox-firewall/src/rule.rs
new file mode 100644
index 0000000..c8099d0
--- /dev/null
+++ b/proxmox-firewall/src/rule.rs
@@ -0,0 +1,761 @@
+use std::ops::{Deref, DerefMut};
+
+use anyhow::{format_err, Error};
+use proxmox_nftables::{
+ expression::{Ct, IpFamily, Meta, Payload, Prefix},
+ statement::{Log, LogLevel, Match, Operator},
+ types::{AddRule, ChainPart, SetName},
+ Expression, Statement,
+};
+use proxmox_ve_config::{
+ firewall::{
+ ct_helper::CtHelperMacro,
+ fw_macros::{get_macro, FwMacro},
+ types::{
+ address::Family,
+ alias::AliasName,
+ ipset::{Ipfilter, IpsetName},
+ log::LogRateLimit,
+ rule::{Direction, Kind, RuleGroup},
+ rule_match::{
+ Icmp, Icmpv6, IpAddrMatch, IpMatch, Ports, Protocol, RuleMatch, Sctp, Tcp, Udp,
+ },
+ Alias, Rule,
+ },
+ },
+ guest::types::Vmid,
+};
+
+use crate::config::FirewallConfig;
+
+#[derive(Debug, Clone)]
+pub(crate) struct NftRule {
+ family: Option<Family>,
+ statements: Vec<Statement>,
+ terminal_statements: Vec<Statement>,
+}
+
+impl NftRule {
+ pub fn from_terminal_statements(terminal_statements: Vec<Statement>) -> Self {
+ Self {
+ family: None,
+ statements: Vec::new(),
+ terminal_statements,
+ }
+ }
+
+ pub fn new(terminal_statement: Statement) -> Self {
+ Self {
+ family: None,
+ statements: Vec::new(),
+ terminal_statements: vec![terminal_statement],
+ }
+ }
+
+ pub fn from_config_rule(rule: &Rule, env: &NftRuleEnv) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+
+ if rule.disabled() {
+ return Ok(rules);
+ }
+
+ rule.to_nft_rules(&mut rules, env)?;
+
+ Ok(rules)
+ }
+
+ pub fn from_ct_helper(
+ ct_helper: &CtHelperMacro,
+ env: &NftRuleEnv,
+ ) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+ ct_helper.to_nft_rules(&mut rules, env)?;
+ Ok(rules)
+ }
+
+ pub fn from_ipfilter(ipfilter: &Ipfilter, env: &NftRuleEnv) -> Result<Vec<NftRule>, Error> {
+ let mut rules = Vec::new();
+ ipfilter.to_nft_rules(&mut rules, env)?;
+ Ok(rules)
+ }
+}
+
+impl Deref for NftRule {
+ type Target = Vec<Statement>;
+
+ fn deref(&self) -> &Self::Target {
+ &self.statements
+ }
+}
+
+impl DerefMut for NftRule {
+ fn deref_mut(&mut self) -> &mut Self::Target {
+ &mut self.statements
+ }
+}
+
+impl NftRule {
+ pub fn into_add_rule(self, chain: ChainPart) -> AddRule {
+ let statements = self.statements.into_iter().chain(self.terminal_statements);
+
+ AddRule::from_statements(chain, statements)
+ }
+
+ pub fn family(&self) -> Option<Family> {
+ self.family
+ }
+
+ pub fn set_family(&mut self, family: Family) {
+ self.family = Some(family);
+ }
+}
+
+pub(crate) struct NftRuleEnv<'a> {
+ pub(crate) chain: ChainPart,
+ pub(crate) direction: Direction,
+ pub(crate) firewall_config: &'a FirewallConfig,
+ pub(crate) vmid: Option<Vmid>,
+}
+
+impl NftRuleEnv<'_> {
+ fn alias(&self, name: &AliasName) -> Option<&Alias> {
+ self.firewall_config.alias(name, self.vmid)
+ }
+
+ fn iface_name(&self, rule_iface: &str) -> String {
+ match &self.vmid {
+ Some(vmid) => {
+ if let Some(config) = self.firewall_config.guests().get(vmid) {
+ if let Ok(name) = config.iface_name_by_key(rule_iface) {
+ return name;
+ }
+ }
+
+ log::warn!("Unable to resolve interface name {rule_iface} for VM #{vmid}");
+
+ rule_iface.to_string()
+ }
+ None => rule_iface.to_string(),
+ }
+ }
+
+ fn default_log_limit(&self) -> Option<LogRateLimit> {
+ self.firewall_config.cluster().log_ratelimit()
+ }
+
+ fn contains_family(&self, family: Family) -> bool {
+ self.chain.table().family().families().contains(&family)
+ }
+}
+
+pub(crate) trait ToNftRules {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error>;
+}
+
+impl ToNftRules for Rule {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("generating nft rules for config rule {self:?}");
+
+ match self.kind() {
+ Kind::Match(rule) => rule.to_nft_rules(rules, env)?,
+ Kind::Group(group) => group.to_nft_rules(rules, env)?,
+ };
+
+ Ok(())
+ }
+}
+
+fn handle_iface(rules: &mut [NftRule], env: &NftRuleEnv, name: &str) -> Result<(), Error> {
+ let iface_key = match (env.vmid, env.direction) {
+ (Some(_), Direction::In) => "oifname",
+ (Some(_), Direction::Out) => "iifname",
+ (None, Direction::In) => "iifname",
+ (None, Direction::Out) => "oifname",
+ };
+
+ let iface_name = env.iface_name(name);
+
+ log::trace!("adding interface: {iface_name}");
+
+ for rule in rules.iter_mut() {
+ rule.push(
+ Match::new_eq(
+ Expression::from(Meta::new(iface_key.to_string())),
+ Expression::from(iface_name.clone()),
+ )
+ .into(),
+ )
+ }
+
+ Ok(())
+}
+
+impl ToNftRules for RuleGroup {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ let chain_name = format!("group-{}-{}", self.group(), env.direction);
+
+ rules.push(NftRule::new(Statement::jump(chain_name)));
+
+ if let Some(name) = &self.iface() {
+ handle_iface(rules, env, name)?;
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for RuleMatch {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ if env.direction != self.direction() {
+ return Ok(());
+ }
+
+ if let Some(log) = self.log() {
+ if let Ok(log_level) = LogLevel::try_from(log) {
+ let mut terminal_statements = Vec::new();
+
+ if let Some(limit) = env.default_log_limit() {
+ terminal_statements.push(Statement::from(limit));
+ }
+
+ terminal_statements.push(
+ Log::new_nflog(
+ Log::generate_prefix(env.vmid, log_level, env.chain.name(), self.verdict()),
+ 0,
+ )
+ .into(),
+ );
+
+ rules.push(NftRule::from_terminal_statements(terminal_statements));
+ }
+ }
+
+ rules.push(NftRule::new(Statement::from(self.verdict())));
+
+ if let Some(name) = &self.iface() {
+ handle_iface(rules, env, name)?;
+ }
+
+ if let Some(protocol) = self.proto() {
+ protocol.to_nft_rules(rules, env)?;
+ }
+
+ if let Some(name) = self.fw_macro() {
+ let fw_macro =
+ get_macro(name).ok_or_else(|| format_err!("cannot find macro {name}"))?;
+
+ fw_macro.to_nft_rules(rules, env)?;
+ }
+
+ if let Some(ip) = self.ip() {
+ ip.to_nft_rules(rules, env)?;
+ }
+
+ Ok(())
+ }
+}
+
+fn handle_set(
+ rules: &mut Vec<NftRule>,
+ name: &IpsetName,
+ field_name: &str,
+ env: &NftRuleEnv,
+ contains: bool,
+) -> Result<(), Error> {
+ let mut new_rules = rules
+ .drain(..)
+ .flat_map(|rule| {
+ let mut new_rules = Vec::new();
+
+ if matches!(rule.family(), Some(Family::V4) | None) && env.contains_family(Family::V4) {
+ let field = Payload::field("ip", field_name);
+
+ let mut rule = rule.clone();
+ rule.set_family(Family::V4);
+
+ rule.append(&mut vec![
+ Match::new(
+ if contains { Operator::Eq } else { Operator::Ne },
+ field.clone(),
+ Expression::set_name(&SetName::ipset_name(
+ Family::V4,
+ name,
+ env.vmid,
+ false,
+ )),
+ )
+ .into(),
+ Match::new(
+ if contains { Operator::Ne } else { Operator::Eq },
+ field,
+ Expression::set_name(&SetName::ipset_name(
+ Family::V4,
+ name,
+ env.vmid,
+ true,
+ )),
+ )
+ .into(),
+ ]);
+
+ new_rules.push(rule);
+ }
+
+ if matches!(rule.family(), Some(Family::V6) | None) && env.contains_family(Family::V6) {
+ let field = Payload::field("ip6", field_name);
+
+ let mut rule = rule;
+ rule.set_family(Family::V6);
+
+ rule.append(&mut vec![
+ Match::new(
+ if contains { Operator::Eq } else { Operator::Ne },
+ field.clone(),
+ Expression::set_name(&SetName::ipset_name(
+ Family::V6,
+ name,
+ env.vmid,
+ false,
+ )),
+ )
+ .into(),
+ Match::new(
+ if contains { Operator::Ne } else { Operator::Eq },
+ field,
+ Expression::set_name(&SetName::ipset_name(
+ Family::V6,
+ name,
+ env.vmid,
+ true,
+ )),
+ )
+ .into(),
+ ]);
+
+ new_rules.push(rule);
+ }
+
+ new_rules
+ })
+ .collect::<Vec<NftRule>>();
+
+ rules.append(&mut new_rules);
+
+ Ok(())
+}
+
+fn handle_match(
+ rules: &mut Vec<NftRule>,
+ ip: &IpAddrMatch,
+ field_name: &str,
+ env: &NftRuleEnv,
+) -> Result<(), Error> {
+ match ip {
+ IpAddrMatch::Ip(list) => {
+ if !env.contains_family(list.family()) {
+ return Ok(());
+ }
+
+ let field = match list.family() {
+ Family::V4 => Payload::field("ip", field_name),
+ Family::V6 => Payload::field("ip6", field_name),
+ };
+
+ for rule in rules {
+ match rule.family() {
+ None => {
+ rule.push(Match::new_eq(field.clone(), Expression::from(list)).into());
+
+ rule.set_family(list.family());
+ }
+ Some(rule_family) if rule_family == list.family() => {
+ rule.push(Match::new_eq(field.clone(), Expression::from(list)).into());
+ }
+ _ => (),
+ };
+ }
+
+ Ok(())
+ }
+ IpAddrMatch::Alias(alias_name) => {
+ let alias = env
+ .alias(alias_name)
+ .ok_or_else(|| format_err!("could not find alias {alias_name}"))?;
+
+ if !env.contains_family(alias.address().family()) {
+ return Ok(());
+ }
+
+ let field = match alias.address().family() {
+ Family::V4 => Payload::field("ip", field_name),
+ Family::V6 => Payload::field("ip6", field_name),
+ };
+
+ for rule in rules {
+ match rule.family() {
+ None => {
+ rule.push(
+ Match::new_eq(
+ field.clone(),
+ Expression::from(Prefix::from(alias.address())),
+ )
+ .into(),
+ );
+
+ rule.set_family(alias.address().family());
+ }
+ Some(rule_family) if rule_family == alias.address().family() => {
+ rule.push(
+ Match::new_eq(
+ field.clone(),
+ Expression::from(Prefix::from(alias.address())),
+ )
+ .into(),
+ );
+ }
+ _ => (),
+ }
+ }
+
+ Ok(())
+ }
+ IpAddrMatch::Set(name) => handle_set(rules, name, field_name, env, true),
+ }
+}
+
+impl ToNftRules for IpMatch {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("adding ip match: {self:?}");
+
+ if let Some(src) = self.src() {
+ log::trace!("adding src: {src:?}");
+ handle_match(rules, src, "saddr", env)?;
+ }
+
+ if let Some(dst) = self.dst() {
+ log::trace!("adding dst: {dst:?}");
+ handle_match(rules, dst, "daddr", env)?;
+ }
+
+ Ok(())
+ }
+}
+
+fn handle_protocol(rules: &mut [NftRule], _env: &NftRuleEnv, name: &str) -> Result<(), Error> {
+ for rule in rules.iter_mut() {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from(name)).into());
+ }
+
+ Ok(())
+}
+
+impl ToNftRules for Protocol {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("adding protocol: {self:?}");
+
+ match self {
+ Protocol::Tcp(tcp) => tcp.to_nft_rules(rules, env),
+ Protocol::Udp(udp) => udp.to_nft_rules(rules, env),
+ Protocol::Dccp(ports) => {
+ handle_protocol(rules, env, "dccp")?;
+ ports.to_nft_rules(rules, env)
+ }
+ Protocol::UdpLite(ports) => {
+ handle_protocol(rules, env, "udplite")?;
+ ports.to_nft_rules(rules, env)
+ }
+ Protocol::Sctp(sctp) => sctp.to_nft_rules(rules, env),
+ Protocol::Icmp(icmp) => icmp.to_nft_rules(rules, env),
+ Protocol::Icmpv6(icmpv6) => icmpv6.to_nft_rules(rules, env),
+ Protocol::Named(name) => handle_protocol(rules, env, name),
+ Protocol::Numeric(id) => {
+ for rule in rules.iter_mut() {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from(*id)).into());
+ }
+
+ Ok(())
+ }
+ }
+ }
+}
+
+impl ToNftRules for Tcp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "tcp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Udp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "udp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Sctp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ handle_protocol(rules, env, "sctp")?;
+ self.ports().to_nft_rules(rules, env)
+ }
+}
+
+impl ToNftRules for Icmp {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ for rule in rules.iter_mut() {
+ if matches!(rule.family(), Some(Family::V4) | None) {
+ if let Some(icmp_code) = self.code() {
+ rule.push(
+ Match::new_eq(Payload::field("icmp", "code"), Expression::from(icmp_code))
+ .into(),
+ );
+ } else if let Some(icmp_type) = self.ty() {
+ rule.push(
+ Match::new_eq(Payload::field("icmp", "type"), Expression::from(icmp_type))
+ .into(),
+ );
+ } else {
+ rule.push(Match::new_eq(Meta::new("l4proto"), Expression::from("icmp")).into());
+ }
+
+ rule.set_family(Family::V4);
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Icmpv6 {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("applying icmpv6: {self:?}");
+
+ for rule in rules.iter_mut() {
+ if matches!(rule.family(), Some(Family::V6) | None) {
+ if let Some(icmp_code) = self.code() {
+ rule.push(
+ Match::new_eq(
+ Payload::field("icmpv6", "code"),
+ Expression::from(icmp_code),
+ )
+ .into(),
+ );
+ } else if let Some(icmp_type) = self.ty() {
+ rule.push(
+ Match::new_eq(
+ Payload::field("icmpv6", "type"),
+ Expression::from(icmp_type),
+ )
+ .into(),
+ );
+ } else {
+ rule.push(
+ Match::new_eq(Meta::new("l4proto"), Expression::from("icmpv6")).into(),
+ );
+ }
+
+ rule.set_family(Family::V6);
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Ports {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, _env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("applying ports: {self:?}");
+
+ for rule in rules {
+ if let Some(sport) = self.sport() {
+ log::trace!("applying sport: {sport:?}");
+
+ rule.push(
+ Match::new_eq(
+ Expression::from(Payload::field("th", "sport")),
+ Expression::from(sport),
+ )
+ .into(),
+ )
+ }
+
+ if let Some(dport) = self.dport() {
+ log::trace!("applying dport: {dport:?}");
+
+ rule.push(
+ Match::new_eq(
+ Expression::from(Payload::field("th", "dport")),
+ Expression::from(dport),
+ )
+ .into(),
+ )
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for Ipfilter<'_> {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ let vmid = env
+ .vmid
+ .ok_or_else(|| format_err!("can only create ipfilter for guests"))?;
+
+ let guest_config = env
+ .firewall_config
+ .guests()
+ .get(&vmid)
+ .ok_or_else(|| format_err!("no guest config found!"))?;
+
+ if !guest_config.ipfilter() {
+ return Ok(());
+ }
+
+ match env.direction {
+ Direction::In => {
+ if env.contains_family(Family::V4) {
+ let mut rule = NftRule::new(Statement::make_drop());
+ rule.set_family(Family::V4);
+
+ rule.append(&mut vec![
+ Match::new_eq(
+ Expression::from(Meta::new("oifname")),
+ guest_config.iface_name_by_index(self.index()),
+ )
+ .into(),
+ Match::new_ne(
+ Payload::field("arp", "daddr ip"),
+ Expression::set_name(&SetName::ipset_name(
+ Family::V4,
+ self.ipset().name(),
+ env.vmid,
+ false,
+ )),
+ )
+ .into(),
+ ]);
+
+ rules.push(rule);
+ }
+ }
+ Direction::Out => {
+ let mut base_rule = NftRule::new(Statement::make_drop());
+
+ base_rule.push(
+ Match::new_eq(
+ Expression::from(Meta::new("iifname")),
+ guest_config.iface_name_by_index(self.index()),
+ )
+ .into(),
+ );
+
+ let mut ipfilter_rules = vec![base_rule.clone()];
+ handle_set(
+ &mut ipfilter_rules,
+ self.ipset().name(),
+ "saddr",
+ env,
+ false,
+ )?;
+ rules.append(&mut ipfilter_rules);
+
+ if env.contains_family(Family::V4) {
+ base_rule.set_family(Family::V4);
+
+ base_rule.append(&mut vec![Match::new_ne(
+ Payload::field("arp", "saddr ip"),
+ Expression::set_name(&SetName::ipset_name(
+ Family::V4,
+ self.ipset().name(),
+ env.vmid,
+ false,
+ )),
+ )
+ .into()]);
+
+ rules.push(base_rule);
+ }
+ }
+ }
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for CtHelperMacro {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ if let Some(family) = self.family() {
+ if !env.contains_family(family) {
+ return Ok(());
+ }
+ }
+
+ if self.tcp().is_none() && self.udp().is_none() {
+ return Ok(());
+ }
+
+ log::trace!("applying ct helper: {self:?}");
+
+ let ip_family = self.family().map(IpFamily::from);
+
+ if let Some(protocol) = self.tcp() {
+ let base_rule = NftRule::from_terminal_statements(vec![
+ Match::new_eq(
+ Ct::new("state", None),
+ Expression::List(vec!["new".into(), "established".into()]),
+ )
+ .into(),
+ Statement::make_accept(),
+ ]);
+
+ let helper_rule = NftRule::new(Statement::CtHelper(self.tcp_helper_name()));
+
+ let mut ct_rules = vec![base_rule, helper_rule];
+ protocol.to_nft_rules(&mut ct_rules, env)?;
+ rules.append(&mut ct_rules);
+ }
+
+ if let Some(protocol) = self.udp() {
+ let base_rule = NftRule::from_terminal_statements(vec![
+ Match::new_eq(
+ Ct::new("state", None),
+ Expression::List(vec!["new".into(), "established".into()]),
+ )
+ .into(),
+ Statement::make_accept(),
+ ]);
+
+ let helper_rule = NftRule::new(Statement::CtHelper(self.udp_helper_name()));
+
+ let mut ct_rules = vec![base_rule, helper_rule];
+ protocol.to_nft_rules(&mut ct_rules, env)?;
+ rules.append(&mut ct_rules);
+ }
+
+ let mut ct_helper_rule = NftRule::new(Statement::make_accept());
+
+ ct_helper_rule.push(Match::new_eq(Ct::new("helper", ip_family), self.name()).into());
+
+ rules.push(ct_helper_rule);
+
+ Ok(())
+ }
+}
+
+impl ToNftRules for FwMacro {
+ fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
+ log::trace!("applying macro: {self:?}");
+
+ let initial_rules: Vec<NftRule> = rules.drain(..).collect();
+
+ for protocol in &self.code {
+ let mut new_rules = initial_rules.to_vec();
+ protocol.to_nft_rules(&mut new_rules, env)?;
+
+ rules.append(&mut new_rules);
+ }
+
+ Ok(())
+ }
+}
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
index 3b8ade0..20559e8 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -57,6 +57,10 @@ impl Expression {
pub fn concat(expressions: impl IntoIterator<Item = Expression>) -> Self {
Expression::Concat(Vec::from_iter(expressions))
}
+
+ pub fn set_name(name: &str) -> Self {
+ Expression::String(format!("@{name}"))
+ }
}
impl From<bool> for Expression {
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-04-18 16:16 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-18 16:13 [pve-devel] [PATCH container/docs/firewall/manager/proxmox-firewall/qemu-server v3 00/39] proxmox firewall nftables implementation Stefan Hanreich
2024-04-18 16:13 ` [pve-devel] [PATCH proxmox-firewall v3 01/39] config: add proxmox-ve-config crate Stefan Hanreich
2024-04-18 16:13 ` [pve-devel] [PATCH proxmox-firewall v3 02/39] config: firewall: add types for ip addresses Stefan Hanreich
2024-04-18 16:13 ` [pve-devel] [PATCH proxmox-firewall v3 03/39] config: firewall: add types for ports Stefan Hanreich
2024-04-18 16:13 ` [pve-devel] [PATCH proxmox-firewall v3 04/39] config: firewall: add types for log level and rate limit Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 05/39] config: firewall: add types for aliases Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 06/39] config: host: add helpers for host network configuration Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 07/39] config: guest: add helpers for parsing guest network config Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 08/39] config: firewall: add types for ipsets Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 09/39] config: firewall: add types for rules Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 10/39] config: firewall: add types for security groups Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 11/39] config: firewall: add generic parser for firewall configs Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 12/39] config: firewall: add cluster-specific config + option types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 13/39] config: firewall: add host specific " Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 14/39] config: firewall: add guest-specific " Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 15/39] config: firewall: add firewall macros Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 16/39] config: firewall: add conntrack helper types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 17/39] nftables: add crate for libnftables bindings Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 18/39] nftables: add helpers Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 19/39] nftables: expression: add types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 20/39] nftables: expression: implement conversion traits for firewall config Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 21/39] nftables: statement: add types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 22/39] nftables: statement: add conversion traits for config types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 23/39] nftables: commands: add types Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 24/39] nftables: types: add conversion traits Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 25/39] nftables: add nft client Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 26/39] firewall: add firewall crate Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 27/39] firewall: add base ruleset Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 28/39] firewall: add config loader Stefan Hanreich
2024-04-18 16:14 ` Stefan Hanreich [this message]
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 30/39] firewall: add object generation logic Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 31/39] firewall: add ruleset " Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 32/39] firewall: add proxmox-firewall binary and move existing code into lib Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 33/39] firewall: add files for debian packaging Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH proxmox-firewall v3 34/39] firewall: add integration test Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH qemu-server v3 35/39] firewall: add handling for new nft firewall Stefan Hanreich
2024-04-18 21:08 ` Thomas Lamprecht
2024-04-18 16:14 ` [pve-devel] [PATCH pve-container v3 36/39] " Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH pve-firewall v3 37/39] add configuration option for new nftables firewall Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH pve-manager v3 38/39] firewall: expose " Stefan Hanreich
2024-04-18 16:14 ` [pve-devel] [PATCH pve-docs v3 39/39] firewall: add documentation for proxmox-firewall Stefan Hanreich
2024-04-18 20:05 ` [pve-devel] partially-applied-series: [PATCH container/docs/firewall/manager/proxmox-firewall/qemu-server v3 00/39] proxmox firewall nftables implementation Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240418161434.709473-30-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox