From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
by lore.proxmox.com (Postfix) with ESMTPS id A79061FF163
for <inbox@lore.proxmox.com>; Thu, 10 Oct 2024 18:00:07 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 5E24F1E949;
Thu, 10 Oct 2024 17:57:37 +0200 (CEST)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu, 10 Oct 2024 17:56:32 +0200
Message-Id: <20241010155637.255451-21-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241010155637.255451-1-s.hanreich@proxmox.com>
References: <20241010155637.255451-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.253 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
methods
RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
Subject: [pve-devel] [PATCH proxmox-firewall v2 20/25] ipsets: autogenerate
ipsets for vnets and ipam
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>
They act like virtual ipsets, similar to ipfilter-net, that can be
used for defining firewall rules for sdn objects dynamically.
The changes in proxmox-ve-config also introduced a dedicated struct
for representing ip ranges, so we update the existing code, so that it
uses that struct as well.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/firewall.rs | 22 +-
proxmox-firewall/src/object.rs | 41 +-
.../integration_tests__firewall.snap | 1288 +++++++++++++++++
proxmox-nftables/src/expression.rs | 17 +-
4 files changed, 1354 insertions(+), 14 deletions(-)
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 941aa20..347f3af 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -197,6 +197,27 @@ impl Firewall {
self.reset_firewall(&mut commands);
let cluster_host_table = Self::cluster_table();
+ let guest_table = Self::guest_table();
+
+ if let Some(sdn_config) = self.config.sdn() {
+ let ipsets = sdn_config
+ .ipsets(None)
+ .map(|ipset| (ipset.name().to_string(), ipset))
+ .collect();
+
+ self.create_ipsets(&mut commands, &ipsets, &cluster_host_table, None)?;
+ self.create_ipsets(&mut commands, &ipsets, &guest_table, None)?;
+ }
+
+ if let Some(ipam_config) = self.config.ipam() {
+ let ipsets = ipam_config
+ .ipsets(None)
+ .map(|ipset| (ipset.name().to_string(), ipset))
+ .collect();
+
+ self.create_ipsets(&mut commands, &ipsets, &cluster_host_table, None)?;
+ self.create_ipsets(&mut commands, &ipsets, &guest_table, None)?;
+ }
if self.config.host().is_enabled() {
log::info!("creating cluster / host configuration");
@@ -242,7 +263,6 @@ impl Firewall {
commands.push(Delete::table(TableName::from(Self::cluster_table())));
}
- let guest_table = Self::guest_table();
let enabled_guests: BTreeMap<&Vmid, &GuestConfig> = self
.config
.guests()
diff --git a/proxmox-firewall/src/object.rs b/proxmox-firewall/src/object.rs
index 32c4ddb..cf7e773 100644
--- a/proxmox-firewall/src/object.rs
+++ b/proxmox-firewall/src/object.rs
@@ -72,20 +72,37 @@ impl ToNftObjects for Ipset {
let mut nomatch_elements = Vec::new();
for element in self.iter() {
- let cidr = match &element.address {
- IpsetAddress::Cidr(cidr) => cidr,
- IpsetAddress::Alias(alias) => env
- .alias(alias)
- .ok_or(format_err!("could not find alias {alias} in environment"))?
- .address(),
+ let expression = match &element.address {
+ IpsetAddress::Range(range) => {
+ if family != range.family() {
+ continue;
+ }
+
+ Expression::from(range)
+ }
+ IpsetAddress::Cidr(cidr) => {
+ if family != cidr.family() {
+ continue;
+ }
+
+ Expression::from(Prefix::from(cidr))
+ }
+ IpsetAddress::Alias(alias) => {
+ let cidr = env
+ .alias(alias)
+ .ok_or_else(|| {
+ format_err!("could not find alias {alias} in environment")
+ })?
+ .address();
+
+ if family != cidr.family() {
+ continue;
+ }
+
+ Expression::from(Prefix::from(cidr))
+ }
};
- if family != cidr.family() {
- continue;
- }
-
- let expression = Expression::from(Prefix::from(cidr));
-
if element.nomatch {
nomatch_elements.push(expression);
} else {
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 40d4405..e1b599c 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -202,6 +202,1294 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
}
}
},
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-all",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-all"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-all-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-all-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-all",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-all",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-all"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-all-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-all-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-all",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::",
+ "len": 64
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-dhcp",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-dhcp"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-dhcp-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-dhcp-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-dhcp",
+ "elem": [
+ {
+ "range": [
+ "10.101.99.100",
+ "10.101.99.200"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-dhcp",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-dhcp"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-dhcp-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-dhcp-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-dhcp",
+ "elem": [
+ {
+ "range": [
+ "fd80::1000",
+ "fd80::ffff"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-gateway",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-gateway-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.1",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-gateway",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-gateway-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/public-no-gateway-nomatch",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.1",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::",
+ "len": 64
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/public-no-gateway-nomatch",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-all",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-all"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-all-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-all-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-all",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-all",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-all"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-all-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-all-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-all",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::",
+ "len": 64
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-dhcp",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-dhcp"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-dhcp-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-dhcp-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-dhcp",
+ "elem": [
+ {
+ "range": [
+ "10.101.99.100",
+ "10.101.99.200"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-dhcp",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-dhcp"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-dhcp-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-dhcp-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-dhcp",
+ "elem": [
+ {
+ "range": [
+ "fd80::1000",
+ "fd80::ffff"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-gateway",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-gateway-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.1",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-gateway",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-gateway-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/public-no-gateway-nomatch",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.1",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::",
+ "len": 64
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/public-no-gateway-nomatch",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/guest-ipam-101",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/guest-ipam-101"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/guest-ipam-101-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/guest-ipam-101-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-sdn/guest-ipam-101",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.100",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/guest-ipam-101",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/guest-ipam-101"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/guest-ipam-101-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/guest-ipam-101-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-sdn/guest-ipam-101",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1000",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/guest-ipam-101",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/guest-ipam-101"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/guest-ipam-101-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/guest-ipam-101-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-sdn/guest-ipam-101",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "10.101.1.100",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/guest-ipam-101",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/guest-ipam-101"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/guest-ipam-101-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/guest-ipam-101-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-sdn/guest-ipam-101",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fd80::1000",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"set": {
diff --git a/proxmox-nftables/src/expression.rs b/proxmox-nftables/src/expression.rs
index 18b92d4..71a90eb 100644
--- a/proxmox-nftables/src/expression.rs
+++ b/proxmox-nftables/src/expression.rs
@@ -1,4 +1,5 @@
use crate::types::{ElemConfig, Verdict};
+use proxmox_ve_config::firewall::types::address::IpRange;
use serde::{Deserialize, Serialize};
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
@@ -50,6 +51,10 @@ pub enum Expression {
}
impl Expression {
+ pub fn range(start: impl Into<Expression>, end: impl Into<Expression>) -> Self {
+ Expression::Range(Box::new((start.into(), end.into())))
+ }
+
pub fn set(expressions: impl IntoIterator<Item = Expression>) -> Self {
Expression::Set(Vec::from_iter(expressions))
}
@@ -169,12 +174,22 @@ impl From<&IpList> for Expression {
}
}
+#[cfg(feature = "config-ext")]
+impl From<&IpRange> for Expression {
+ fn from(value: &IpRange) -> Self {
+ match value {
+ IpRange::V4(range) => Expression::range(range.start(), range.end()),
+ IpRange::V6(range) => Expression::range(range.start(), range.end()),
+ }
+ }
+}
+
#[cfg(feature = "config-ext")]
impl From<&IpEntry> for Expression {
fn from(value: &IpEntry) -> Self {
match value {
IpEntry::Cidr(cidr) => Expression::from(Prefix::from(cidr)),
- IpEntry::Range(beg, end) => Expression::Range(Box::new((beg.into(), end.into()))),
+ IpEntry::Range(range) => Expression::from(range),
}
}
}
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel