On Wed Jun 26, 2024 at 2:15 PM CEST, Stefan Hanreich wrote:
> Used for obtaining the IPSets that get autogenerated by the nftables
> firewall. The returned configuration has the same format as the
> pve-firewall uses internally, making it compatible with the existing
> pve-firewall code.
>
> Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
> ---
> pve-rs/Cargo.toml | 1 +
> pve-rs/Makefile | 1 +
> pve-rs/src/firewall/mod.rs | 1 +
> pve-rs/src/firewall/sdn.rs | 130 +++++++++++++++++++++++++++++++++++++
> pve-rs/src/lib.rs | 1 +
> 5 files changed, 134 insertions(+)
> create mode 100644 pve-rs/src/firewall/mod.rs
> create mode 100644 pve-rs/src/firewall/sdn.rs
>
> diff --git a/pve-rs/Cargo.toml b/pve-rs/Cargo.toml
> index e40588d..f612b3a 100644
> --- a/pve-rs/Cargo.toml
> +++ b/pve-rs/Cargo.toml
> @@ -43,3 +43,4 @@ proxmox-subscription = "0.4"
> proxmox-sys = "0.5"
> proxmox-tfa = { version = "4.0.4", features = ["api"] }
> proxmox-time = "2"
> +proxmox-ve-config = { version = "0.1.0" }
This hunk doesn't apply anymore because proxmox-sys was bumped.
Manually adding proxmox-ve-config as depencency works just fine though,
so this needs just a little rebase.
> diff --git a/pve-rs/Makefile b/pve-rs/Makefile
> index c6b4e08..d01da69 100644
> --- a/pve-rs/Makefile
> +++ b/pve-rs/Makefile
> @@ -28,6 +28,7 @@ PERLMOD_GENPACKAGE := /usr/lib/perlmod/genpackage.pl \
>
> PERLMOD_PACKAGES := \
> PVE::RS::APT::Repositories \
> + PVE::RS::Firewall::SDN \
> PVE::RS::OpenId \
> PVE::RS::ResourceScheduling::Static \
> PVE::RS::TFA
> diff --git a/pve-rs/src/firewall/mod.rs b/pve-rs/src/firewall/mod.rs
> new file mode 100644
> index 0000000..8bd18a8
> --- /dev/null
> +++ b/pve-rs/src/firewall/mod.rs
> @@ -0,0 +1 @@
> +pub mod sdn;
> diff --git a/pve-rs/src/firewall/sdn.rs b/pve-rs/src/firewall/sdn.rs
> new file mode 100644
> index 0000000..55f3e93
> --- /dev/null
> +++ b/pve-rs/src/firewall/sdn.rs
> @@ -0,0 +1,130 @@
> +#[perlmod::package(name = "PVE::RS::Firewall::SDN", lib = "pve_rs")]
> +mod export {
> + use std::collections::HashMap;
> + use std::{fs, io};
> +
> + use anyhow::{bail, Context, Error};
> + use serde::Serialize;
> +
> + use proxmox_ve_config::{
> + common::Allowlist,
> + firewall::types::ipset::{IpsetAddress, IpsetEntry},
> + firewall::types::Ipset,
> + guest::types::Vmid,
> + sdn::{
> + config::{RunningConfig, SdnConfig},
> + ipam::{Ipam, IpamJson},
> + SdnNameError, VnetName,
SdnNameError isn't used here.
> + },
> + };
> +
> + #[derive(Clone, Debug, Default, Serialize)]
> + pub struct LegacyIpsetEntry {
> + nomatch: bool,
> + cidr: String,
> + comment: Option<String>,
> + }
> +
> + impl LegacyIpsetEntry {
> + pub fn from_ipset_entry(entry: &IpsetEntry) -> Vec<LegacyIpsetEntry>
> {
> + let mut entries = Vec::new();
> +
> + match &entry.address {
> + IpsetAddress::Alias(name) => {
> + entries.push(Self {
> + nomatch: entry.nomatch,
> + cidr: name.to_string(),
> + comment: entry.comment.clone(),
> + });
> + }
> + IpsetAddress::Cidr(cidr) => {
> + entries.push(Self {
> + nomatch: entry.nomatch,
> + cidr: cidr.to_string(),
> + comment: entry.comment.clone(),
> + });
> + }
> + IpsetAddress::Range(range) => {
> + entries.extend(range.to_cidrs().into_iter().map(|cidr|
> Self {
> + nomatch: entry.nomatch,
> + cidr: cidr.to_string(),
> + comment: entry.comment.clone(),
> + }))
> + }
> + };
> +
> + entries
> + }
> + }
> +
> + #[derive(Clone, Debug, Default, Serialize)]
> + pub struct SdnFirewallConfig {
> + ipset: HashMap<String, Vec<LegacyIpsetEntry>>,
> + ipset_comments: HashMap<String, String>,
> + }
> +
> + impl SdnFirewallConfig {
> + pub fn new() -> Self {
> + Default::default()
> + }
> +
> + pub fn extend_ipsets(&mut self, ipsets: impl IntoIterator<Item =
> Ipset>) {
> + for ipset in ipsets {
> + let entries = ipset
> + .iter()
> + .flat_map(LegacyIpsetEntry::from_ipset_entry)
> + .collect();
> +
> + self.ipset.insert(ipset.name().name().to_string(), entries);
> +
> + if let Some(comment) = &ipset.comment {
> + self.ipset_comments
> + .insert(ipset.name().name().to_string(),
> comment.to_string());
> + }
> + }
> + }
> + }
> +
> + const SDN_RUNNING_CONFIG: &str = "/etc/pve/sdn/.running-config";
> + const SDN_IPAM: &str = "/etc/pve/priv/ipam.db";
> +
> + #[export]
> + pub fn config(
> + vnet_filter: Option<Vec<VnetName>>,
> + vm_filter: Option<Vec<Vmid>>,
> + ) -> Result<SdnFirewallConfig, Error> {
> + let mut refs = SdnFirewallConfig::new();
> +
> + match fs::read_to_string(SDN_RUNNING_CONFIG) {
> + Ok(data) => {
> + let running_config: RunningConfig =
> serde_json::from_str(&data)?;
> + let sdn_config = SdnConfig::try_from(running_config)
> + .with_context(|| "Failed to parse SDN
> config".to_string())?;
> +
> + let allowlist = vnet_filter.map(Allowlist::from_iter);
> + refs.extend_ipsets(sdn_config.ipsets(allowlist.as_ref()));
> + }
> + Err(e) if e.kind() == io::ErrorKind::NotFound => (),
> + Err(e) => {
> + bail!("Cannot open SDN running config: {e:#}");
> + }
> + };
> +
> + match fs::read_to_string(SDN_IPAM) {
> + Ok(data) => {
> + let ipam_json: IpamJson = serde_json::from_str(&data)?;
> + let ipam: Ipam = Ipam::try_from(ipam_json)
> + .with_context(|| "Failed to parse IPAM".to_string())?;
> +
> + let allowlist = vm_filter.map(Allowlist::from_iter);
> + refs.extend_ipsets(ipam.ipsets(allowlist.as_ref()));
> + }
> + Err(e) if e.kind() == io::ErrorKind::NotFound => (),
> + Err(e) => {
> + bail!("Cannot open IPAM database: {e:#}");
> + }
> + };
> +
> + Ok(refs)
> + }
> +}
> diff --git a/pve-rs/src/lib.rs b/pve-rs/src/lib.rs
> index 42be39e..dae190e 100644
> --- a/pve-rs/src/lib.rs
> +++ b/pve-rs/src/lib.rs
> @@ -4,6 +4,7 @@
> pub mod common;
>
> pub mod apt;
> +pub mod firewall;
> pub mod openid;
> pub mod resource_scheduling;
> pub mod tfa;
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
