[pve-devel] [PATCH proxmox-firewall v2 12/39] config: firewall: add cluster-specific config + option types

Stefan Hanreich s.hanreich at proxmox.com
Wed Apr 17 15:53:37 CEST 2024


Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
 proxmox-ve-config/src/firewall/cluster.rs | 374 ++++++++++++++++++++++
 proxmox-ve-config/src/firewall/mod.rs     |   1 +
 2 files changed, 375 insertions(+)
 create mode 100644 proxmox-ve-config/src/firewall/cluster.rs

diff --git a/proxmox-ve-config/src/firewall/cluster.rs b/proxmox-ve-config/src/firewall/cluster.rs
new file mode 100644
index 0000000..223124b
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/cluster.rs
@@ -0,0 +1,374 @@
+use std::collections::BTreeMap;
+use std::io;
+
+use anyhow::Error;
+use serde::Deserialize;
+
+use crate::firewall::common::ParserConfig;
+use crate::firewall::types::ipset::{Ipset, IpsetScope};
+use crate::firewall::types::log::LogRateLimit;
+use crate::firewall::types::rule::{Direction, Verdict};
+use crate::firewall::types::{Alias, Group, Rule};
+
+use crate::firewall::parse::{serde_option_bool, serde_option_log_ratelimit};
+
+#[derive(Debug, Default)]
+pub struct Config {
+    pub(crate) config: super::common::Config<Options>,
+}
+
+/// default setting for [`Config::is_enabled()`]
+pub const CLUSTER_ENABLED_DEFAULT: bool = false;
+/// default setting for [`Config::ebtables()`]
+pub const CLUSTER_EBTABLES_DEFAULT: bool = false;
+/// default setting for [`Config::default_policy()`]
+pub const CLUSTER_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
+/// default setting for [`Config::default_policy()`]
+pub const CLUSTER_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
+
+impl Config {
+    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+        let parser_config = ParserConfig {
+            guest_iface_names: false,
+            ipset_scope: Some(IpsetScope::Datacenter),
+        };
+
+        Ok(Self {
+            config: super::common::Config::parse(input, &parser_config)?,
+        })
+    }
+
+    pub fn rules(&self) -> &Vec<Rule> {
+        &self.config.rules
+    }
+
+    pub fn groups(&self) -> &BTreeMap<String, Group> {
+        &self.config.groups
+    }
+
+    pub fn ipsets(&self) -> &BTreeMap<String, Ipset> {
+        &self.config.ipsets
+    }
+
+    pub fn alias(&self, name: &str) -> Option<&Alias> {
+        self.config.alias(name)
+    }
+
+    pub fn is_enabled(&self) -> bool {
+        self.config
+            .options
+            .enable
+            .unwrap_or(CLUSTER_ENABLED_DEFAULT)
+    }
+
+    /// returns the ebtables option from the cluster config or [`CLUSTER_EBTABLES_DEFAULT`] if
+    /// unset
+    ///
+    /// this setting is leftover from the old firewall, but has no effect on the nftables firewall
+    pub fn ebtables(&self) -> bool {
+        self.config
+            .options
+            .ebtables
+            .unwrap_or(CLUSTER_EBTABLES_DEFAULT)
+    }
+
+    /// returns policy_in / out or [`CLUSTER_POLICY_IN_DEFAULT`] / [`CLUSTER_POLICY_OUT_DEFAULT`] if
+    /// unset
+    pub fn default_policy(&self, dir: Direction) -> Verdict {
+        match dir {
+            Direction::In => self
+                .config
+                .options
+                .policy_in
+                .unwrap_or(CLUSTER_POLICY_IN_DEFAULT),
+            Direction::Out => self
+                .config
+                .options
+                .policy_out
+                .unwrap_or(CLUSTER_POLICY_OUT_DEFAULT),
+        }
+    }
+
+    /// returns the rate_limit for logs or [`None`] if rate limiting is disabled
+    ///
+    /// If there is no rate limit set, then [`LogRateLimit::default`] is used
+    pub fn log_ratelimit(&self) -> Option<LogRateLimit> {
+        let rate_limit = self
+            .config
+            .options
+            .log_ratelimit
+            .clone()
+            .unwrap_or_default();
+
+        match rate_limit.enabled() {
+            true => Some(rate_limit),
+            false => None,
+        }
+    }
+}
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+    #[serde(default, with = "serde_option_bool")]
+    enable: Option<bool>,
+
+    #[serde(default, with = "serde_option_bool")]
+    ebtables: Option<bool>,
+
+    #[serde(default, with = "serde_option_log_ratelimit")]
+    log_ratelimit: Option<LogRateLimit>,
+
+    policy_in: Option<Verdict>,
+    policy_out: Option<Verdict>,
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::firewall::types::{
+        address::IpList,
+        alias::{AliasName, AliasScope},
+        ipset::{IpsetAddress, IpsetEntry},
+        log::{LogLevel, LogRateLimitTimescale},
+        rule::{Kind, RuleGroup},
+        rule_match::{
+            Icmpv6, Icmpv6Code, IpAddrMatch, IpMatch, Ports, Protocol, RuleMatch, Tcp, Udp,
+        },
+        Cidr,
+    };
+
+    use super::*;
+
+    #[test]
+    fn test_parse_config() {
+        const CONFIG: &str = r#"
+[OPTIONS]
+enable: 1
+log_ratelimit: 1,rate=10/second,burst=20
+ebtables: 0
+policy_in: REJECT
+policy_out: REJECT
+
+[ALIASES]
+
+another 8.8.8.18
+analias 7.7.0.0/16 # much
+wide cccc::/64
+
+[IPSET a-set]
+
+!5.5.5.5
+1.2.3.4/30
+dc/analias # a comment
+dc/wide
+dddd::/96
+
+[RULES]
+
+GROUP tgr -i eth0 # acomm
+IN ACCEPT -p udp -dport 33 -sport 22 -log warning
+
+[group tgr] # comment for tgr
+
+|OUT ACCEPT -source fe80::1/48 -dest dddd:3:3::9/64 -p icmpv6 -log nolog -icmp-type port-unreachable
+OUT ACCEPT -p tcp -sport 33 -log nolog
+IN BGP(REJECT) -log crit -source 1.2.3.4
+"#;
+
+        let mut config = CONFIG.as_bytes();
+        let config = Config::parse(&mut config).unwrap();
+
+        assert_eq!(
+            config.config.options,
+            Options {
+                ebtables: Some(false),
+                enable: Some(true),
+                log_ratelimit: Some(LogRateLimit::new(
+                    true,
+                    10,
+                    LogRateLimitTimescale::Second,
+                    20
+                )),
+                policy_in: Some(Verdict::Reject),
+                policy_out: Some(Verdict::Reject),
+            }
+        );
+
+        assert_eq!(config.config.aliases.len(), 3);
+
+        assert_eq!(
+            config.config.aliases["another"],
+            Alias::new("another", Cidr::new_v4([8, 8, 8, 18], 32).unwrap(), None),
+        );
+
+        assert_eq!(
+            config.config.aliases["analias"],
+            Alias::new(
+                "analias",
+                Cidr::new_v4([7, 7, 0, 0], 16).unwrap(),
+                "much".to_string()
+            ),
+        );
+
+        assert_eq!(
+            config.config.aliases["wide"],
+            Alias::new(
+                "wide",
+                Cidr::new_v6(
+                    [0xCCCC, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x000],
+                    64
+                )
+                .unwrap(),
+                None
+            ),
+        );
+
+        assert_eq!(config.config.ipsets.len(), 1);
+
+        let mut ipset_elements = vec![
+            IpsetEntry {
+                nomatch: true,
+                address: Cidr::new_v4([5, 5, 5, 5], 32).unwrap().into(),
+                comment: None,
+            },
+            IpsetEntry {
+                nomatch: false,
+                address: Cidr::new_v4([1, 2, 3, 4], 30).unwrap().into(),
+                comment: None,
+            },
+            IpsetEntry {
+                nomatch: false,
+                address: IpsetAddress::Alias(AliasName::new(AliasScope::Datacenter, "analias")),
+                comment: Some("a comment".to_string()),
+            },
+            IpsetEntry {
+                nomatch: false,
+                address: IpsetAddress::Alias(AliasName::new(AliasScope::Datacenter, "wide")),
+                comment: None,
+            },
+            IpsetEntry {
+                nomatch: false,
+                address: Cidr::new_v6([0xdd, 0xdd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 96)
+                    .unwrap()
+                    .into(),
+                comment: None,
+            },
+        ];
+
+        let mut ipset = Ipset::from_parts(IpsetScope::Datacenter, "a-set");
+        ipset.append(&mut ipset_elements);
+
+        assert_eq!(config.config.ipsets["a-set"], ipset,);
+
+        assert_eq!(config.config.rules.len(), 2);
+
+        assert_eq!(
+            config.config.rules[0],
+            Rule {
+                disabled: false,
+                comment: Some("acomm".to_string()),
+                kind: Kind::Group(RuleGroup {
+                    group: "tgr".to_string(),
+                    iface: Some("eth0".to_string()),
+                }),
+            },
+        );
+
+        assert_eq!(
+            config.config.rules[1],
+            Rule {
+                disabled: false,
+                comment: None,
+                kind: Kind::Match(RuleMatch {
+                    dir: Direction::In,
+                    verdict: Verdict::Accept,
+                    proto: Some(Protocol::Udp(Udp::new(Ports::from_u16(22, 33)))),
+                    log: Some(LogLevel::Warning),
+                    ..Default::default()
+                }),
+            },
+        );
+
+        assert_eq!(config.config.groups.len(), 1);
+
+        let entry = &config.config.groups["tgr"];
+        assert_eq!(entry.comment(), Some("comment for tgr"));
+        assert_eq!(entry.rules().len(), 3);
+
+        assert_eq!(
+            entry.rules()[0],
+            Rule {
+                disabled: true,
+                comment: None,
+                kind: Kind::Match(RuleMatch {
+                    dir: Direction::Out,
+                    verdict: Verdict::Accept,
+                    ip: Some(IpMatch {
+                        src: Some(IpAddrMatch::Ip(IpList::from(
+                            Cidr::new_v6(
+                                [0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
+                                48
+                            )
+                            .unwrap()
+                        ))),
+                        dst: Some(IpAddrMatch::Ip(IpList::from(
+                            Cidr::new_v6(
+                                [0xdd, 0xdd, 0, 3, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9],
+                                64
+                            )
+                            .unwrap()
+                        ))),
+                    }),
+                    proto: Some(Protocol::Icmpv6(Icmpv6::new_code(Icmpv6Code::Named(
+                        "port-unreachable"
+                    )))),
+                    log: Some(LogLevel::Nolog),
+                    ..Default::default()
+                }),
+            },
+        );
+        assert_eq!(
+            entry.rules()[1],
+            Rule {
+                disabled: false,
+                comment: None,
+                kind: Kind::Match(RuleMatch {
+                    dir: Direction::Out,
+                    verdict: Verdict::Accept,
+                    proto: Some(Protocol::Tcp(Tcp::new(Ports::from_u16(33, None)))),
+                    log: Some(LogLevel::Nolog),
+                    ..Default::default()
+                }),
+            },
+        );
+
+        assert_eq!(
+            entry.rules()[2],
+            Rule {
+                disabled: false,
+                comment: None,
+                kind: Kind::Match(RuleMatch {
+                    dir: Direction::In,
+                    verdict: Verdict::Reject,
+                    log: Some(LogLevel::Critical),
+                    fw_macro: Some("BGP".to_string()),
+                    ip: Some(IpMatch {
+                        src: Some(IpAddrMatch::Ip(IpList::from(
+                            Cidr::new_v4([1, 2, 3, 4], 32).unwrap()
+                        ))),
+                        dst: None,
+                    }),
+                    ..Default::default()
+                }),
+            },
+        );
+
+        let empty_config = Config::parse("".as_bytes()).expect("empty config is invalid");
+
+        assert_eq!(empty_config.config.options, Options::default());
+        assert!(empty_config.config.rules.is_empty());
+        assert!(empty_config.config.aliases.is_empty());
+        assert!(empty_config.config.ipsets.is_empty());
+        assert!(empty_config.config.groups.is_empty());
+    }
+}
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index 591ee52..82689c3 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,3 +1,4 @@
+pub mod cluster;
 pub mod common;
 pub mod ports;
 pub mod types;
-- 
2.39.2




More information about the pve-devel mailing list