From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 0A97E1FF163 for ; Thu, 7 Nov 2024 11:44:43 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 667FE1E474; Thu, 7 Nov 2024 11:44:52 +0100 (CET) Date: Thu, 7 Nov 2024 11:44:18 +0100 From: Wolfgang Bumiller To: Stefan Hanreich Message-ID: References: <20241010155637.255451-1-s.hanreich@proxmox.com> <20241010155637.255451-22-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20241010155637.255451-22-s.hanreich@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.081 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH pve-firewall v2 21/25] add support for loading sdn firewall configuration X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: pve-devel@lists.proxmox.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" On Thu, Oct 10, 2024 at 05:56:33PM GMT, Stefan Hanreich wrote: > This also includes support for parsing rules referencing IPSets in the > new SDN scope and generating those IPSets in the firewall. > > Loading SDN configuration is optional, since loading it requires root > privileges which we do not have in all call sites. Adding the flag > allows us to selectively load the SDN configuration only where > required and at the same time allows us to only elevate privileges in > the API where absolutely needed. > > Signed-off-by: Stefan Hanreich > --- > src/PVE/Firewall.pm | 59 +++++++++++++++++++++++++++++++++++++++------ > 1 file changed, 52 insertions(+), 7 deletions(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index 09544ba..9943f2e 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -25,6 +25,7 @@ use PVE::Tools qw($IPV4RE $IPV6RE); > use PVE::Tools qw(run_command lock_file dir_glob_foreach); > > use PVE::Firewall::Helpers; > +use PVE::RS::Firewall::SDN; > > my $pvefw_conf_dir = "/etc/pve/firewall"; > my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw"; > @@ -1689,9 +1690,11 @@ sub verify_rule { > > if (my $value = $rule->{$name}) { > if ($value =~ m/^\+/) { > - if ($value =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) { > + if ($value =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) { > &$add_error($name, "no such ipset '$2'") > - if !($cluster_conf->{ipset}->{$2} || ($fw_conf && $fw_conf->{ipset}->{$2})); > + if !($cluster_conf->{ipset}->{$2} > + || ($fw_conf && $fw_conf->{ipset}->{$2}) > + || ($cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$2})); > > } else { > &$add_error($name, "invalid ipset name '$value'"); > @@ -2108,13 +2111,15 @@ sub ipt_gen_src_or_dst_match { > > my $match; > if ($adr =~ m/^\+/) { > - if ($adr =~ m@^\+(guest/|dc/)?(${ipset_name_pattern})$@) { > + if ($adr =~ m@^\+(guest/|dc/|sdn/)?(${ipset_name_pattern})$@) { > my $scope = $1 // ""; > my $name = $2; > my $ipset_chain; The hunk below looks fishy. > - if ($scope ne 'dc/' && $fw_conf && $fw_conf->{ipset}->{$name}) { Previously $scope was dc or guest (or nothing). This was the "guest" case, and guests took precedence, hence `ne 'dc/'` > + if ((!$scope || $scope eq 'guest/') && $fw_conf && $fw_conf->{ipset}->{$name}) { ^ So this seems fine: "(not set or set to guest) and a guest entry exists" > $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion); > - } elsif ($scope ne 'guest/' && $cluster_conf && $cluster_conf->{ipset}->{$name}) { ^ Then we had "not guest", so: "not set or set to datacenter and a cluster entry exists" > + } elsif ((!$scope || $scope eq 'guest/') && $cluster_conf && $cluster_conf->{ipset}->{$name}) { ^ But here we have a 2nd instance of `eq 'guest/'`, so: "not set or set to guest and a cluster entry exists" Should probably be `(!$scope && $scope eq 'dc/')`, no? > + $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion); > + } elsif ((!$scope || $scope eq 'sdn/') && $cluster_conf->{sdn} && $cluster_conf->{sdn}->{ipset}->{$name}) { ^ Finally the new case for "not set or scope is sdn and sdn entry exists" which means that now we can also "fall through" to an sdn entry if no scope is set (which makes sense I guess). > $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion); > } else { > die "no such ipset '$name'\n"; _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel