From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs/firewall/manager v8 0/5] autogenerate ipsets for sdn objects
Date: Tue, 19 Nov 2024 16:36:05 +0100 [thread overview]
Message-ID: <20241119153610.228658-1-s.hanreich@proxmox.com> (raw)
This patch series adds support for autogenerating ipsets for SDN objects. It
autogenerates ipsets for every VNet as follows:
* ipset containing all IP ranges of the VNet
* ipset containing all gateways of the VNet
* ipset containing all IP ranges of the subnet - except gateways
* ipset containing all dhcp ranges of the vnet
Additionally it generates an IPSet for every guest that has one or more IPAM
entries in the pve IPAM.
Those can then be used in the cluster / host / guest firewalls. Firewall rules
automatically update on changes of the SDN / IPAM configuration. This patch
series works for the old firewall as well as the new firewall.
The ipsets in nftables currently get generated as named ipsets in every table,
this means that the `nft list ruleset` output can get quite crowded for large
SDN configurations or large IPAM databases. Another option would be to only
include them as anonymous IPsets in the rules, which would make the nft output
far less crowded but this way would use more memory when making extensive use of
the sdn ipsets, since everytime it is used in a rule we create an entirely new
ipset.
Dependencies:
* proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs
* pve-firewall depends on proxmox-perl-rs
* pve-manager depends on pve-firewall
Changes from v7 to v8:
* always return SDN configuration, even if cluster configuration
files does not exist
Changes from v6 to v7:
* cleaned up RPCEnvironment import in Firewall
* fix rule verification accepting all SDN IPsets for security groups / cluster
Changes from v5 to v6:
* Always load the full SDN configuration for the firewall instead of checking
for the scope of the current user
* Filter the output of the refs endpoints to only show IPSets that the user has
permission for
* Adapt create/update rule endpoints to only use IPSets from SDN config that the
user has permission for
Changes from v4 to v5:
* extracted the API changes setting protected into a separate commit and put
them up front
* fixed perl style issues - thanks @Thomas
Changes from v3 to v4:
* omitted proxmox-ve-rs since it is merged
* always load SDN configuration now when loading cluster config
* adapt is_nftables to check the flag file instead of reading the config
* gracefully fail when RPCEnvironment is not available
Changes from v2:
* rename end in IpRange to last to avoid confusion - thanks @Wolfgang
* bump Rust to 1.82 - thanks @Wolfgang
* improvements to the code generating IPSets - thanks @Wolfgang
* implement AsRef<str> for SDN name types - thanks @Wolfgang
* improve docstrings (proper capitalization and punctuation) - thanks @Wolfgang
* included a patch that removes proxmox-ve-config from proxmox-firewall
Changes from RFC:
* added documentation
* added separate SDN scope for IPSets
* rustfmt fixes
pve-firewall:
Stefan Hanreich (3):
add support for loading sdn firewall configuration
ipsets: return sdn ipsets from api
sdn: always include SDN configuration
src/PVE/API2/Firewall/Cluster.pm | 12 +++++++-
src/PVE/API2/Firewall/Helpers.pm | 50 ++++++++++++++++++++++++++++++++
src/PVE/API2/Firewall/Makefile | 1 +
src/PVE/API2/Firewall/Rules.pm | 25 ++++++++++++++++
src/PVE/API2/Firewall/VM.pm | 10 ++++++-
src/PVE/Firewall.pm | 49 ++++++++++++++++++++++++++-----
src/PVE/Service/pve_firewall.pm | 4 +--
7 files changed, 139 insertions(+), 12 deletions(-)
create mode 100644 src/PVE/API2/Firewall/Helpers.pm
pve-manager:
Stefan Hanreich (1):
firewall: add sdn scope to IPRefSelector
www/manager6/form/IPRefSelector.js | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
pve-docs:
Stefan Hanreich (1):
sdn: add documentation for firewall integration
pvesdn.adoc | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
Summary over all repositories:
9 files changed, 238 insertions(+), 13 deletions(-)
--
Generated by git-murpp 0.6.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2024-11-19 15:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-19 15:36 Stefan Hanreich [this message]
2024-11-19 15:36 ` [pve-devel] [PATCH pve-firewall v8 1/5] add support for loading sdn firewall configuration Stefan Hanreich
2024-11-19 15:36 ` [pve-devel] [PATCH pve-firewall v8 2/5] ipsets: return sdn ipsets from api Stefan Hanreich
2024-11-19 15:36 ` [pve-devel] [PATCH pve-firewall v8 3/5] sdn: always include SDN configuration Stefan Hanreich
2024-11-19 15:36 ` [pve-devel] [PATCH pve-manager v8 4/5] firewall: add sdn scope to IPRefSelector Stefan Hanreich
2024-11-19 15:36 ` [pve-devel] [PATCH pve-docs v8 5/5] sdn: add documentation for firewall integration Stefan Hanreich
2024-11-19 16:00 ` [pve-devel] applied-series: [PATCH docs/firewall/manager v8 0/5] autogenerate ipsets for sdn objects Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241119153610.228658-1-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox