From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id F02851FF168 for ; Tue, 12 Nov 2024 13:28:12 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 313EB1F8F1; Tue, 12 Nov 2024 13:26:30 +0100 (CET) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Tue, 12 Nov 2024 13:26:09 +0100 Message-Id: <20241112122615.88854-13-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241112122615.88854-1-s.hanreich@proxmox.com> References: <20241112122615.88854-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.243 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-manager v3 12/18] firewall: add forward direction to rule panel X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Enables us to use the new forward direction as an option when creating or editing firewall rules. By introducing firewall_type we can switch between the available directions depending on which ruleset is being edited. 
Signed-off-by: Stefan Hanreich --- www/manager6/dc/Config.js | 1 + www/manager6/dc/SecurityGroups.js | 1 + www/manager6/grid/FirewallRules.js | 81 +++++++++++++++++++++++++----- www/manager6/lxc/Config.js | 1 + www/manager6/node/Config.js | 1 + www/manager6/qemu/Config.js | 1 + 6 files changed, 73 insertions(+), 13 deletions(-) diff --git a/www/manager6/dc/Config.js b/www/manager6/dc/Config.js index ddbb58b12..720edefc6 100644 --- a/www/manager6/dc/Config.js +++ b/www/manager6/dc/Config.js @@ -241,6 +241,7 @@ Ext.define('PVE.dc.Config', { list_refs_url: '/cluster/firewall/refs', iconCls: 'fa fa-shield', itemId: 'firewall', + firewall_type: 'dc', }, { xtype: 'pveFirewallOptions', diff --git a/www/manager6/dc/SecurityGroups.js b/www/manager6/dc/SecurityGroups.js index 9e26b84c9..e7aa8081c 100644 --- a/www/manager6/dc/SecurityGroups.js +++ b/www/manager6/dc/SecurityGroups.js @@ -214,6 +214,7 @@ Ext.define('PVE.SecurityGroups', { list_refs_url: '/cluster/firewall/refs', tbar_prefix: '' + gettext('Rules') + ':', border: false, + firewall_type: 'group', }, { xtype: 'pveSecurityGroupList', diff --git a/www/manager6/grid/FirewallRules.js b/www/manager6/grid/FirewallRules.js index 11881bf79..e2809f02b 100644 --- a/www/manager6/grid/FirewallRules.js +++ b/www/manager6/grid/FirewallRules.js @@ -147,6 +147,24 @@ let ICMPV6_TYPE_NAMES_STORE = Ext.create('Ext.data.Store', { ], }); +let DEFAULT_ALLOWED_DIRECTIONS = ['in', 'out']; + +let ALLOWED_DIRECTIONS = { + 'dc': ['in', 'out', 'forward'], + 'node': ['in', 'out', 'forward'], + 'group': ['in', 'out', 'forward'], + 'vm': ['in', 'out'], + 'vnet': ['forward'], +}; + +let DEFAULT_ALLOWED_ACTIONS = ['ACCEPT', 'REJECT', 'DROP']; + +let ALLOWED_ACTIONS = { + 'in': ['ACCEPT', 'REJECT', 'DROP'], + 'out': ['ACCEPT', 'REJECT', 'DROP'], + 'forward': ['ACCEPT', 'DROP'], +}; + Ext.define('PVE.FirewallRulePanel', { extend: 'Proxmox.panel.InputPanel', 
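Review bot: The `ALLOWED_DIRECTIONS` and `ALLOWED_ACTIONS` tables added above `PVE.FirewallRulePanel` in www/manager6/grid/FirewallRules.js have no comment saying they only shape what the form offers, so a later reader could mistake them for the enforcement point. The API side is not part of this patch, so presumably the backend validates the direction/action matrix itself. A comment such as `// UI-only: limits the choices offered per ruleset; the API stays authoritative for valid direction/action pairs` would make that explicit. The same comment could note that an unset or misspelled `firewall_type` silently falls back to `DEFAULT_ALLOWED_DIRECTIONS`, and that no caller in this patch passes `'vnet'`.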
@@ -154,6 +172,9 @@ Ext.define('PVE.FirewallRulePanel', { list_refs_url: undefined, + firewall_type: undefined, + action_selector: undefined, + onGetValues: function(values) { var me = this; @@ -171,6 +192,23 @@ Ext.define('PVE.FirewallRulePanel', { return values; }, + setValidActions: function(type) { + let me = this; + + let allowed_actions = ALLOWED_ACTIONS[type] ?? DEFAULT_ALLOWED_ACTIONS; + me.action_selector.setComboItems(allowed_actions.map((action) => [action, action])); + }, + + onSetValues: function(values) { + let me = this; + + if (values.type) { + me.setValidActions(values.type); + } + + return values; + }, + initComponent: function() { var me = this; @@ -178,6 +216,17 @@ Ext.define('PVE.FirewallRulePanel', { throw "no list_refs_url specified"; } + let allowed_directions = ALLOWED_DIRECTIONS[me.firewall_type] ?? DEFAULT_ALLOWED_DIRECTIONS; + + me.action_selector = Ext.create('Proxmox.form.KVComboBox', { + xtype: 'proxmoxKVComboBox', + name: 'action', + value: 'ACCEPT', + comboItems: DEFAULT_ALLOWED_ACTIONS.map((action) => [action, action]), + fieldLabel: gettext('Action'), + allowBlank: false, + }); + me.column1 = [ { // hack: we use this field to mark the form 'dirty' when the @@ -190,19 +239,17 @@ Ext.define('PVE.FirewallRulePanel', { { xtype: 'proxmoxKVComboBox', name: 'type', - value: 'in', - comboItems: [['in', 'in'], ['out', 'out']], + value: allowed_directions[0], + comboItems: allowed_directions.map((dir) => [dir, dir]), fieldLabel: gettext('Direction'), allowBlank: false, + listeners: { + change: function(f, value) { + me.setValidActions(value); + }, + }, }, - { - xtype: 'proxmoxKVComboBox', - name: 'action', - value: 'ACCEPT', - comboItems: [['ACCEPT', 'ACCEPT'], ['DROP', 'DROP'], ['REJECT', 'REJECT']], - fieldLabel: gettext('Action'), - allowBlank: false, - }, + me.action_selector, ]; if (me.allow_iface) { 
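Review bot: `setValidActions` replaces the combo items but leaves the selected action untouched, so switching Direction to `forward` while `REJECT` is selected can leave the Action field holding a value that is no longer in its list. Whether the form then blocks submission depends on the combo box's own validation, which is not visible here. Resetting the value right after `setComboItems` would make the outcome deterministic: `if (!allowed_actions.includes(me.action_selector.getValue())) { me.action_selector.setValue(allowed_actions[0]); }`.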
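Review bot: In `initComponent`, `me.action_selector` is always built from `DEFAULT_ALLOWED_ACTIONS`, even when the initial direction `allowed_directions[0]` is `forward`, as it is for the `'vnet'` entry. A new rule in such a ruleset would offer `REJECT` until the Direction field fires a change event, assuming the initial config value does not fire one. Deriving the list from the initial direction avoids this: `comboItems: (ALLOWED_ACTIONS[allowed_directions[0]] ?? DEFAULT_ALLOWED_ACTIONS).map((action) => [action, action]),`. The `xtype` key is also redundant in a config passed directly to `Ext.create('Proxmox.form.KVComboBox', …)`. The body of `initComponent` continues outside the hunk.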
@@ -387,6 +434,8 @@ Ext.define('PVE.FirewallRuleEdit', { allow_iface: false, + firewall_type: undefined, + initComponent: function() { var me = this; @@ -412,6 +461,7 @@ Ext.define('PVE.FirewallRuleEdit', { list_refs_url: me.list_refs_url, allow_iface: me.allow_iface, rule_pos: me.rule_pos, + firewall_type: me.firewall_type, }); Ext.apply(me, { @@ -555,6 +605,8 @@ Ext.define('PVE.FirewallRules', { allow_groups: true, allow_iface: false, + firewall_type: undefined, + setBaseUrl: function(url) { var me = this; @@ -661,7 +713,7 @@ Ext.define('PVE.FirewallRules', { var type = rec.data.type; var editor; - if (type === 'in' || type === 'out') { + if (type === 'in' || type === 'out' || type === 'forward') { editor = 'PVE.FirewallRuleEdit'; } else if (type === 'group') { editor = 'PVE.FirewallGroupRuleEdit'; @@ -670,6 +722,7 @@ Ext.define('PVE.FirewallRules', { } var win = Ext.create(editor, { + firewall_type: me.firewall_type, digest: rec.data.digest, allow_iface: me.allow_iface, base_url: me.base_url, @@ -694,6 +747,7 @@ Ext.define('PVE.FirewallRules', { disabled: true, handler: function() { var win = Ext.create('PVE.FirewallRuleEdit', { + firewall_type: me.firewall_type, allow_iface: me.allow_iface, base_url: me.base_url, list_refs_url: me.list_refs_url, @@ -709,11 +763,12 @@ Ext.define('PVE.FirewallRules', { return; } let type = rec.data.type; - if (!(type === 'in' || type === 'out')) { + if (!(type === 'in' || type === 'out' || type === 'forward')) { return; } let win = Ext.create('PVE.FirewallRuleEdit', { + firewall_type: me.firewall_type, allow_iface: me.allow_iface, base_url: me.base_url, list_refs_url: me.list_refs_url, 
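Review bot: The check `type === 'in' || type === 'out' || type === 'forward'` is now written out three times: in the editor selection at `@@ -661`, in the copy path at `@@ -709`, and in the copy button's `enableFn` at `@@ -726`. The next direction added will have to be patched in each place. A shared helper next to the `ALLOWED_*` tables, e.g. `const isDirectionRule = (type) => ['in', 'out', 'forward'].includes(type);`, would keep them in step. These checks also ignore `me.firewall_type`, so a `forward` rule shown in a `'vm'` ruleset would open an editor whose Direction list lacks `forward`. Whether the API can return such a rule is not visible in this patch.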
@@ -726,7 +781,7 @@ Ext.define('PVE.FirewallRules', { me.copyBtn = Ext.create('Proxmox.button.Button', { text: gettext('Copy'), selModel: sm, - enableFn: ({ data }) => (data.type === 'in' || data.type === 'out') && me.canEdit, + enableFn: ({ data }) => (data.type === 'in' || data.type === 'out' || data.type === 'forward') && me.canEdit, disabled: true, handler: run_copy_editor, }); diff --git a/www/manager6/lxc/Config.js b/www/manager6/lxc/Config.js index 16494172f..a7191fa29 100644 --- a/www/manager6/lxc/Config.js +++ b/www/manager6/lxc/Config.js @@ -316,6 +316,7 @@ Ext.define('PVE.lxc.Config', { base_url: base_url + '/firewall/rules', list_refs_url: base_url + '/firewall/refs', itemId: 'firewall', + firewall_type: 'vm', }, { xtype: 'pveFirewallOptions', diff --git a/www/manager6/node/Config.js b/www/manager6/node/Config.js index d27592ce1..c242ba461 100644 --- a/www/manager6/node/Config.js +++ b/www/manager6/node/Config.js @@ -293,6 +293,7 @@ Ext.define('PVE.node.Config', { base_url: '/nodes/' + nodename + '/firewall/rules', list_refs_url: '/cluster/firewall/refs', itemId: 'firewall', + firewall_type: 'node', }, { xtype: 'pveFirewallOptions', diff --git a/www/manager6/qemu/Config.js b/www/manager6/qemu/Config.js index 42e7f0dbd..48eb753e6 100644 --- a/www/manager6/qemu/Config.js +++ b/www/manager6/qemu/Config.js @@ -351,6 +351,7 @@ Ext.define('PVE.qemu.Config', { base_url: base_url + '/firewall/rules', list_refs_url: base_url + '/firewall/refs', itemId: 'firewall', + firewall_type: 'vm', }, { xtype: 'pveFirewallOptions', -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel