From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 7C7F41FF166 for ; Wed, 11 Sep 2024 11:32:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 787A6A396; Wed, 11 Sep 2024 11:31:57 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Wed, 11 Sep 2024 11:31:03 +0200 Message-Id: <20240911093116.112960-3-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240911093116.112960-1-s.hanreich@proxmox.com> References: <20240911093116.112960-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.268 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-ve-rs 02/15] firewall: add forward direction X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" This direction will be used for specifying rules on bridge-level firewalls as well as rules on the cluster / host level that are for forwarded network packets. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/cluster.rs | 10 ++++++++++ proxmox-ve-config/src/firewall/guest.rs | 15 +++++++++++++++ proxmox-ve-config/src/firewall/host.rs | 4 ++++ proxmox-ve-config/src/firewall/mod.rs | 1 + proxmox-ve-config/src/firewall/types/rule.rs | 10 ++++++++-- 5 files changed, 38 insertions(+), 2 deletions(-) diff --git a/proxmox-ve-config/src/firewall/cluster.rs b/proxmox-ve-config/src/firewall/cluster.rs index 223124b..b7bebae 100644 --- a/proxmox-ve-config/src/firewall/cluster.rs +++ b/proxmox-ve-config/src/firewall/cluster.rs @@ -25,6 +25,8 @@ pub const CLUSTER_EBTABLES_DEFAULT: bool = false; pub const CLUSTER_POLICY_IN_DEFAULT: Verdict = Verdict::Drop; /// default setting for [`Config::default_policy()`] pub const CLUSTER_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept; +/// default setting for [`Config::default_policy()`] +pub const CLUSTER_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept; impl Config { pub fn parse(input: R) -> Result { @@ -86,6 +88,11 @@ impl Config { .options .policy_out .unwrap_or(CLUSTER_POLICY_OUT_DEFAULT), + Direction::Forward => self + .config + .options + .policy_forward + .unwrap_or(CLUSTER_POLICY_FORWARD_DEFAULT), } } @@ -121,6 +128,7 @@ pub struct Options { policy_in: Option, policy_out: Option, + policy_forward: Option, } #[cfg(test)] @@ -148,6 +156,7 @@ log_ratelimit: 1,rate=10/second,burst=20 ebtables: 0 policy_in: REJECT policy_out: REJECT +policy_forward: DROP [ALIASES] @@ -191,6 +200,7 @@ IN BGP(REJECT) -log crit -source 1.2.3.4 )), policy_in: Some(Verdict::Reject), policy_out: Some(Verdict::Reject), + policy_forward: Some(Verdict::Drop), } ); diff --git a/proxmox-ve-config/src/firewall/guest.rs b/proxmox-ve-config/src/firewall/guest.rs index c7e282f..b097f56 100644 --- a/proxmox-ve-config/src/firewall/guest.rs +++ b/proxmox-ve-config/src/firewall/guest.rs @@ -31,6 +31,8 @@ pub const GUEST_IPFILTER_DEFAULT: bool = false; pub const GUEST_POLICY_IN_DEFAULT: Verdict = Verdict::Drop; /// default return value for [`Config::default_policy()`] pub const GUEST_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept; +/// default return value for [`Config::default_policy()`] +pub const GUEST_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept; #[derive(Debug, Default, Deserialize)] #[cfg_attr(test, derive(Eq, PartialEq))] @@ -52,6 +54,7 @@ pub struct Options { log_level_in: Option, log_level_out: Option, + log_level_forward: Option, #[serde(default, with = "serde_option_bool")] macfilter: Option, @@ -61,6 +64,8 @@ pub struct Options { #[serde(rename = "policy_out")] policy_out: Option, + + policy_forward: Option, } #[derive(Debug)] @@ -131,6 +136,7 @@ impl Config { match dir { Direction::In => self.config.options.log_level_in.unwrap_or_default(), Direction::Out => self.config.options.log_level_out.unwrap_or_default(), + Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(), } } @@ -179,6 +185,11 @@ impl Config { .options .policy_out .unwrap_or(GUEST_POLICY_OUT_DEFAULT), + Direction::Forward => self + .config + .options + .policy_forward + .unwrap_or(GUEST_POLICY_FORWARD_DEFAULT), } } @@ -206,11 +217,13 @@ dhcp: 1 ipfilter: 0 log_level_in: emerg log_level_out: crit +log_level_forward: warn macfilter: 0 ndp:1 radv:1 policy_in: REJECT policy_out: REJECT +policy_forward: DROP "#; let config = CONFIG.as_bytes(); @@ -228,9 +241,11 @@ policy_out: REJECT radv: Some(true), log_level_in: Some(LogLevel::Emergency), log_level_out: Some(LogLevel::Critical), + log_level_forward: Some(LogLevel::Warning), macfilter: Some(false), policy_in: Some(Verdict::Reject), policy_out: Some(Verdict::Reject), + policy_forward: Some(Verdict::Drop), } ); } diff --git a/proxmox-ve-config/src/firewall/host.rs b/proxmox-ve-config/src/firewall/host.rs index 3de6fad..56ed46d 100644 --- a/proxmox-ve-config/src/firewall/host.rs +++ b/proxmox-ve-config/src/firewall/host.rs @@ -44,6 +44,7 @@ pub struct Options { log_level_in: Option, log_level_out: Option, + log_level_forward: Option, #[serde(default, with = "parse::serde_option_bool")] log_nf_conntrack: Option, @@ -262,6 +263,7 @@ impl Config { match dir { Direction::In => self.config.options.log_level_in.unwrap_or_default(), Direction::Out => self.config.options.log_level_out.unwrap_or_default(), + Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(), } } } @@ -284,6 +286,7 @@ enable: 1 nftables: 1 log_level_in: debug log_level_out: emerg +log_level_forward: warn log_nf_conntrack: 0 ndp: 1 nf_conntrack_allow_invalid: yes @@ -316,6 +319,7 @@ IN ACCEPT -p udp -dport 33 -sport 22 -log warning nftables: Some(true), log_level_in: Some(LogLevel::Debug), log_level_out: Some(LogLevel::Emergency), + log_level_forward: Some(LogLevel::Warning), log_nf_conntrack: Some(false), ndp: Some(true), nf_conntrack_allow_invalid: Some(true), diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs index 2cf57e2..6ee3c31 100644 --- a/proxmox-ve-config/src/firewall/mod.rs +++ b/proxmox-ve-config/src/firewall/mod.rs @@ -1,3 +1,4 @@ +pub mod bridge; pub mod cluster; pub mod common; pub mod ct_helper; diff --git a/proxmox-ve-config/src/firewall/types/rule.rs b/proxmox-ve-config/src/firewall/types/rule.rs index 5374bb0..2c8f49c 100644 --- a/proxmox-ve-config/src/firewall/types/rule.rs +++ b/proxmox-ve-config/src/firewall/types/rule.rs @@ -13,19 +13,24 @@ pub enum Direction { #[default] In, Out, + Forward, } impl std::str::FromStr for Direction { type Err = Error; fn from_str(s: &str) -> Result { - for (name, dir) in [("IN", Direction::In), ("OUT", Direction::Out)] { + for (name, dir) in [ + ("IN", Direction::In), + ("OUT", Direction::Out), + ("FORWARD", Direction::Forward), + ] { if s.eq_ignore_ascii_case(name) { return Ok(dir); } } - bail!("invalid direction: {s:?}, expect 'IN' or 'OUT'"); + bail!("invalid direction: {s:?}, expect 'IN', 'OUT' or 'FORWARD'"); } } @@ -36,6 +41,7 @@ impl fmt::Display for Direction { match self { Direction::In => f.write_str("in"), Direction::Out => f.write_str("out"), + Direction::Forward => f.write_str("forward"), } } } -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel