From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.wagner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 1DC8193FAA
 for <pve-devel@lists.proxmox.com>; Wed, 10 Apr 2024 12:26:06 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id F376DBACE
 for <pve-devel@lists.proxmox.com>; Wed, 10 Apr 2024 12:25:35 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Wed, 10 Apr 2024 12:25:35 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 39ADB43BE3
 for <pve-devel@lists.proxmox.com>; Wed, 10 Apr 2024 12:25:35 +0200 (CEST)
Message-ID: <b6da8738-258e-4857-9405-d6047430b35c@proxmox.com>
Date: Wed, 10 Apr 2024 12:25:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Stefan Hanreich <s.hanreich@proxmox.com>
References: <20240402171629.536804-1-s.hanreich@proxmox.com>
Content-Language: de-AT, en-US
From: Lukas Wagner <l.wagner@proxmox.com>
In-Reply-To: <20240402171629.536804-1-s.hanreich@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.006 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [RFC
 container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox
 firewall nftables implementation
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 10:26:06 -0000



On  2024-04-02 19:15, Stefan Hanreich wrote:
> ## Introduction
> This RFC provides a drop-in replacement for the current pve-firewall package
> that is based on Rust and nftables.
> 
> It consists of three crates:
> * proxmox-ve-config
>   for parsing firewall and guest configuration files, as well as some helpers
>   to access host configuration (particularly networking)
> * proxmox-nftables
>   contains bindings for libnftables as well as types that implement the JSON
>   schema defined by libnftables-json
> * proxmox-firewall
>   uses the other two crates to read the firewall configuration and create the
>   respective nftables configuration
> 

Great work!

Did a relatively shallow review of the Rust parts, digging deeper only into
a smaller subset of the code.
Some aspects where I see room for improvement are mostly documentation,
as Max already mentioned, and some more automated testing. I think it would
greatly benefit the long-term maintainability of this tool to test the
the full 'config files' --> 'Command' transformation. This would require some
refactoring in the part reading the configuration, because currently the
config paths seem to be mostly hard coded. 
Since `Command` is serializable anyway, we could have a nice test suite of
firewall/VM config files and expected commands as JSON dumps. 
This will be tedious to setup at first, but will help to detect any unwanted
regressions in the long-term.

-- 
- Lukas