From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller
Date: Mon, 18 Nov 2024 12:41:31 +0100
Message-Id: <20241118114134.83882-3-s.hanreich@proxmox.com>
In-Reply-To: <20241118114134.83882-1-s.hanreich@proxmox.com>
References: <20241118114134.83882-1-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.5
Subject: [pve-devel] [PATCH pve-firewall v5 2/5] add support for loading sdn firewall configuration
List-Id: Proxmox VE development discussion
Reply-To: Proxmox VE development discussion
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64