From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 120701FF163 for ; Thu, 10 Oct 2024 18:03:10 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6261D1ED37; Thu, 10 Oct 2024 18:03:20 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 10 Oct 2024 17:56:28 +0200 Message-Id: <20241010155637.255451-17-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241010155637.255451-1-s.hanreich@proxmox.com> References: <20241010155637.255451-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.252 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-ve-rs v2 16/25] sdn: config: add method for generating ipsets X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" We generate the following ipsets for every vnet in the running sdn configuration: * {vnet}-all: contains all subnets of the vnet * {vnet}-no-gateway: contains all subnets of the vnet except for all gateways * {vnet}-gateway: contains all gateways in the vnet * {vnet}-dhcp: contains all dhcp ranges configured in the vnet All of them are in the new SDN scope, so the fully qualified name would look something like this: `+sdn/{vnet-all}`. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/sdn/config.rs | 72 +++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/proxmox-ve-config/src/sdn/config.rs b/proxmox-ve-config/src/sdn/config.rs index b71084b..f6fc8c2 100644 --- a/proxmox-ve-config/src/sdn/config.rs +++ b/proxmox-ve-config/src/sdn/config.rs @@ -529,6 +529,78 @@ impl SdnConfig { self.zones() .flat_map(|zone| zone.vnets().map(move |vnet| (zone, vnet))) } + + /// Generates multiple [`Ipset`] for all SDN VNets. + /// + /// # Arguments + /// * `filter` - A [`Allowlist`] of VNet names for which IPsets should get returned + /// + /// It generates the following [`Ipset`] for all VNets in the config: + /// * all: Contains all CIDRs of all subnets in the VNet + /// * gateway: Contains all gateways of all subnets in the VNet (if any gateway exists) + /// * no-gateway: Matches all CIDRs of all subnets, except for the gateways (if any gateway + /// exists) + /// * dhcp: Contains all DHCP ranges of all subnets in the VNet (if any dhcp range exists) + pub fn ipsets<'a>( + &'a self, + filter: impl Into>>, + ) -> impl Iterator + '_ { + let filter = filter.into(); + + self.zones + .values() + .flat_map(|zone| zone.vnets()) + .filter(move |vnet| { + filter + .map(|list| list.is_allowed(&vnet.name)) + .unwrap_or(true) + }) + .flat_map(|vnet| { + let mut ipset_all = Ipset::new(IpsetName::new( + IpsetScope::Sdn, + format!("{}-all", vnet.name), + )); + ipset_all.comment = Some(format!("All subnets of VNet {}", vnet.name)); + + let mut ipset_gateway = Ipset::new(IpsetName::new( + IpsetScope::Sdn, + format!("{}-gateway", vnet.name), + )); + ipset_gateway.comment = Some(format!("All gateways of VNet {}", vnet.name)); + + let mut ipset_all_wo_gateway = Ipset::new(IpsetName::new( + IpsetScope::Sdn, + format!("{}-no-gateway", vnet.name), + )); + ipset_all_wo_gateway.comment = Some(format!( + "All subnets of VNet {}, excluding gateways", + vnet.name + )); + + let mut ipset_dhcp = Ipset::new(IpsetName::new( + IpsetScope::Sdn, + format!("{}-dhcp", vnet.name), + )); + ipset_dhcp.comment = Some(format!("DHCP ranges of VNet {}", vnet.name)); + + for subnet in vnet.subnets.values() { + ipset_all.push((*subnet.cidr()).into()); + + ipset_all_wo_gateway.push((*subnet.cidr()).into()); + + if let Some(gateway) = subnet.gateway { + let gateway_nomatch = IpsetEntry::new(gateway, true, None); + ipset_all_wo_gateway.push(gateway_nomatch); + + ipset_gateway.push(gateway.into()); + } + + ipset_dhcp.extend(subnet.dhcp_range.iter().cloned().map(IpsetEntry::from)); + } + + [ipset_all, ipset_gateway, ipset_all_wo_gateway, ipset_dhcp] + }) + } } impl TryFrom for SdnConfig { -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel