public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Robert Obkircher <r.obkircher@proxmox.com>
Subject: Re: [pve-devel] [PATCH v1 proxmox-firewall] fix #7068: show rule comments in nftables output
Date: Fri, 5 Dec 2025 11:54:55 +0100	[thread overview]
Message-ID: <46d69814-f3a8-4ce9-888c-e78f52e9d526@proxmox.com> (raw)
In-Reply-To: <20251202125343.91927-1-r.obkircher@proxmox.com>

Tested this on my machine:
* "normal" comments
* comments that are too long
* comments that are too long and do not truncate nicely at the 128
boundary
* comments in security groups
* emojis in comments

We might wanna consider hiding this functionality behind an option in
the cluster firewall.

lgtm so far! one comment inline

On 12/2/25 1:53 PM, Robert Obkircher wrote:
> Add rule comments from the config file to the generated nft rules.
> Truncate them to at most 128 bytes to match the limit in libnftnl.
> 
> Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
> ---
>  proxmox-firewall/src/rule.rs | 37 +++++++++++++++++++++++++++++++++++-
>  1 file changed, 36 insertions(+), 1 deletion(-)
> 
> diff --git a/proxmox-firewall/src/rule.rs b/proxmox-firewall/src/rule.rs
> index b79f91c..f6c5e44 100644
> --- a/proxmox-firewall/src/rule.rs
> +++ b/proxmox-firewall/src/rule.rs
> @@ -36,14 +36,19 @@ pub(crate) struct NftRule {
>      family: Option<Family>,
>      statements: Vec<Statement>,
>      terminal_statements: Vec<Statement>,
> +    comment: Option<String>,
>  }
>  
>  impl NftRule {
> +    /// from NFTNL_UDATA_COMMENT_MAXLEN
> +    pub const MAX_COMMENT_LEN: usize = 128;
> +
>      pub fn from_terminal_statements(terminal_statements: Vec<Statement>) -> Self {
>          Self {
>              family: None,
>              statements: Vec::new(),
>              terminal_statements,
> +            comment: None,
>          }
>      }
>  
> @@ -52,6 +57,7 @@ impl NftRule {
>              family: None,
>              statements: Vec::new(),
>              terminal_statements: vec![terminal_statement],
> +            comment: None,
>          }
>      }
>  
> @@ -81,6 +87,24 @@ impl NftRule {
>          ipfilter.to_nft_rules(&mut rules, env)?;
>          Ok(rules)
>      }
> +
> +    pub fn set_comment(&mut self, comment: &str) {
> +        self.comment =
> +            Some(comment[..my_floor_char_boundary(comment, Self::MAX_COMMENT_LEN)].to_string());

Might make sense imo to add a test case with a comment that does not
nicely truncate at that index to have this covered. Potentially also
some "normal" comments.

There are snapshot tests in this repository that take a fw configuration
and generate the full JSON for the ruleset - would be a good addition
there imo. They use insta [1] and you'd need to regenerate the snapshots
after changing the input files.

[1] https://insta.rs/

> +    }
> +}
> +
> +// TODO: replace with str::floor_char_boundary once rustc 1.91.0 is available
> +fn my_floor_char_boundary(s: &str, index: usize) -> usize {
> +    if index >= s.len() {
> +        s.len()
> +    } else {
> +        s.char_indices()
> +            .map(|(i, _)| i)
> +            .take_while(|i| *i <= index)
> +            .last()
> +            .unwrap_or(0)
> +    }
>  }
>  
>  impl Deref for NftRule {
> @@ -101,7 +125,12 @@ impl NftRule {
>      pub fn into_add_rule(self, chain: ChainPart) -> AddRule {
>          let statements = self.statements.into_iter().chain(self.terminal_statements);
>  
> -        AddRule::from_statements(chain, statements)
> +        let result = AddRule::from_statements(chain, statements);
> +        if let Some(comment) = self.comment {
> +            result.with_comment(comment)
> +        } else {
> +            result
> +        }
>      }
>  
>      pub fn family(&self) -> Option<Family> {
> @@ -175,11 +204,17 @@ impl ToNftRules for Rule {
>      fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
>          log::trace!("generating nft rules for config rule {self:?}");
>  
> +        let before = rules.len();
>          match self.kind() {
>              Kind::Match(rule) => rule.to_nft_rules(rules, env)?,
>              Kind::Group(group) => group.to_nft_rules(rules, env)?,
>          };
>  
> +        if let Some(comment) = self.comment() {
> +            for nft_rule in &mut rules[before..] {
> +                nft_rule.set_comment(comment);
> +            }
> +        }
>          Ok(())
>      }
>  }



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2025-12-05 10:55 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-02 12:52 Robert Obkircher
2025-12-05 10:54 ` Stefan Hanreich [this message]
2025-12-05 13:39   ` Robert Obkircher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46d69814-f3a8-4ce9-888c-e78f52e9d526@proxmox.com \
    --to=s.hanreich@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=r.obkircher@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal