[pve-devel] [PATCH proxmox-firewall v2 32/39] firewall: add proxmox-firewall binary
Stefan Hanreich
s.hanreich at proxmox.com
Wed Apr 17 15:53:57 CEST 2024
Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-firewall/src/main.rs | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 53c1289..bff71b9 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -5,7 +5,41 @@ mod firewall;
mod object;
mod rule;
+use firewall::Firewall;
+use proxmox_nftables::NftCtx;
+
+const RULE_BASE: &str = include_str!("../resources/proxmox-firewall.nft");
+
fn main() -> Result<(), Error> {
env_logger::init();
+
+ let mut nft = NftCtx::new()?;
+ let firewall = Firewall::new();
+
+ if !firewall.is_enabled() {
+ log::info!("Removing existing firewall rules");
+ let commands = firewall.remove_firewall();
+
+ // can ignore failures, since it fails when table does not exist
+ let _ = nft.run_commands(&commands);
+
+ return Ok(());
+ }
+
+ let commands = firewall.full_host_fw()?;
+
+ log::info!("Running proxmox-firewall.nft");
+ let got = nft.run_nft_commands(RULE_BASE)?;
+ log::info!("got response from nftables: {got:?}");
+
+ log::info!("Running proxmox-firewall commands");
+
+ for (idx, c) in commands.iter().enumerate() {
+ log::debug!("cmd #{idx} {}", serde_json::to_string(&c)?);
+ }
+
+ let got = nft.run_commands(&commands)?;
+ log::info!("got response from nftables: {got:?}");
+
Ok(())
}
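Review bot: The `let _ = nft.run_commands(&commands);` in the disabled branch discards every error, not only the "table does not exist" case the comment describes, so a failed removal leaves stale rules active while the binary still exits 0 and logs only "Removing existing firewall rules". At minimum keep the discard but surface the error, e.g. `if let Err(err) = nft.run_commands(&commands) { log::warn!("failed to remove firewall rules (ignored): {err}"); }`, and reword the comment to `// ignored on purpose: this also fails when the table does not exist yet`. A similar concern applies further down: if `run_commands` at the end fails after `RULE_BASE` has already been loaded, the host is left with the base ruleset but none of the generated commands; whether that is fail-open or fail-closed depends on the contents of `proxmox-firewall.nft`, which is not visible here, so a one-line comment above the `run_nft_commands(RULE_BASE)` call stating the intended state on partial failure would help the next reader.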
--
2.39.2