From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 30AAA1FF15F for ; Mon, 18 Nov 2024 12:42:10 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D30F5E84D; Mon, 18 Nov 2024 12:42:12 +0100 (CET) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Mon, 18 Nov 2024 12:41:29 +0100 Message-Id: <20241118114134.83882-1-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.240 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH docs/firewall/manager v5 0/5] autogenerate ipsets for sdn objects X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" This patch series adds support for autogenerating ipsets for SDN objects. It autogenerates ipsets for every VNet as follows: * ipset containing all IP ranges of the VNet * ipset containing all gateways of the VNet * ipset containing all IP ranges of the subnet - except gateways * ipset containing all dhcp ranges of the vnet Additionally it generates an IPSet for every guest that has one or more IPAM entries in the pve IPAM. Those can then be used in the cluster / host / guest firewalls. Firewall rules automatically update on changes of the SDN / IPAM configuration. This patch series works for the old firewall as well as the new firewall. The ipsets in nftables currently get generated as named ipsets in every table, this means that the `nft list ruleset` output can get quite crowded for large SDN configurations or large IPAM databases. Another option would be to only include them as anonymous IPsets in the rules, which would make the nft output far less crowded but this way would use more memory when making extensive use of the sdn ipsets, since everytime it is used in a rule we create an entirely new ipset. Dependencies: * proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs * pve-firewall depends on proxmox-perl-rs * pve-manager depends on pve-firewall Changes from v4 to v5: * extracted the API changes setting protected into a separate commit and put them up front * fixed perl style issues - thanks @Thomas Changes from v3 to v4: * omitted proxmox-ve-rs since it is merged * always load SDN configuration now when loading cluster config * adapt is_nftables to check the flag file instead of reading the config * gracefully fail when RPCEnvironment is not available Changes from v2: * rename end in IpRange to last to avoid confusion - thanks @Wolfgang * bump Rust to 1.82 - thanks @Wolfgang * improvements to the code generating IPSets - thanks @Wolfgang * implement AsRef for SDN name types - thanks @Wolfgang * improve docstrings (proper capitalization and punctuation) - thanks @Wolfgang * included a patch that removes proxmox-ve-config from proxmox-firewall Changes from RFC: * added documentation * added separate SDN scope for IPSets * rustfmt fixes pve-firewall: Stefan Hanreich (3): api: add protected flag to endpoints add support for loading sdn firewall configuration ipsets: return sdn ipsets from api src/PVE/API2/Firewall/Aliases.pm | 2 + src/PVE/API2/Firewall/Cluster.pm | 7 +++- src/PVE/API2/Firewall/Groups.pm | 1 + src/PVE/API2/Firewall/Host.pm | 1 + src/PVE/API2/Firewall/IPSet.pm | 2 + src/PVE/API2/Firewall/Rules.pm | 2 + src/PVE/API2/Firewall/VM.pm | 5 ++- src/PVE/Firewall.pm | 64 ++++++++++++++++++++++++++++---- src/PVE/Service/pve_firewall.pm | 4 +- 9 files changed, 76 insertions(+), 12 deletions(-) pve-manager: Stefan Hanreich (1): firewall: add sdn scope to IPRefSelector www/manager6/form/IPRefSelector.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) pve-docs: Stefan Hanreich (1): sdn: add documentation for firewall integration pvesdn.adoc | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) Summary over all repositories: 11 files changed, 175 insertions(+), 13 deletions(-) -- Generated by git-murpp 0.6.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel