[pve-devel] [PATCH proxmox-firewall v2 24/39] nftables: types: add conversion traits
Stefan Hanreich
s.hanreich at proxmox.com
Wed Apr 17 15:53:49 CEST 2024
Some parts of the firewall config map directly to nftables objects, so
we introduce conversion traits for convenient conversion into the
respective nftables objects / types.
They are guarded behind a feature, so the nftables crate can be used
standalone without depending on the proxmox-ve-config crate.
Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-nftables/src/types.rs | 80 ++++++++++++++++++++++++++++++++++-
1 file changed, 79 insertions(+), 1 deletion(-)
diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
index 90d3466..a83e958 100644
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@@ -7,6 +7,12 @@ use crate::{Expression, Statement};
use serde::{Deserialize, Serialize};
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::address::Family;
+
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::ipset::IpsetName;
+
#[cfg(feature = "config-ext")]
use proxmox_ve_config::guest::types::Vmid;
@@ -33,6 +39,15 @@ impl TableFamily {
_ => vec![IpFamily::Ip, IpFamily::Ip6],
}
}
+
+ #[cfg(feature = "config-ext")]
+ pub fn families(&self) -> Vec<Family> {
+ match self {
+ TableFamily::Ip => vec![Family::V4],
+ TableFamily::Ip6 => vec![Family::V6],
+ _ => vec![Family::V4, Family::V6],
+ }
+ }
}
#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
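Review bot: The new `families` method has no doc comment, and its `_` arm repeats the catch-all used by the sibling method above it, so a reader cannot tell from the signature which table families are treated as dual-stack. I would add `/// Config-side [`Family`] values this table family covers; every family other than `Ip`/`Ip6` is treated as dual-stack and yields both.` above the `#[cfg]` attribute. Because the match uses `_` rather than naming the remaining variants, adding a new `TableFamily` variant later will silently become dual-stack instead of producing a compile error; that is consistent with the existing method, but worth stating in the comment. The enclosing `impl TableFamily` starts outside the hunk.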
@@ -157,6 +172,21 @@ pub enum RateTimescale {
Day,
}
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::log::LogRateLimitTimescale;
+
+#[cfg(feature = "config-ext")]
+impl From<LogRateLimitTimescale> for RateTimescale {
+ fn from(value: LogRateLimitTimescale) -> Self {
+ match value {
+ LogRateLimitTimescale::Second => RateTimescale::Second,
+ LogRateLimitTimescale::Minute => RateTimescale::Minute,
+ LogRateLimitTimescale::Hour => RateTimescale::Hour,
+ LogRateLimitTimescale::Day => RateTimescale::Day,
+ }
+ }
+}
+
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct TableName {
family: TableFamily,
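Review bot: The `use proxmox_ve_config::firewall::types::log::LogRateLimitTimescale;` added here sits in the middle of the file, between `RateTimescale` and its `From` impl, while the other `config-ext` imports this patch adds (`Family`, `IpsetName`) go to the import block at the top in the first hunk. Moving this `use` up next to them keeps all cfg-gated dependencies on `proxmox_ve_config` in one place and makes it easier to see what the feature pulls in. The `From` impl itself is a plain one-to-one variant mapping and looks correct.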
@@ -586,6 +616,44 @@ impl SetName {
name: name.into(),
}
}
+
+ pub fn name(&self) -> &str {
+ self.name.as_ref()
+ }
+
+ #[cfg(feature = "config-ext")]
+ pub fn ipset_name(
+ family: Family,
+ name: &IpsetName,
+ vmid: Option<Vmid>,
+ nomatch: bool,
+ ) -> String {
+ use proxmox_ve_config::firewall::types::ipset::IpsetScope;
+
+ let prefix = match family {
+ Family::V4 => "v4",
+ Family::V6 => "v6",
+ };
+
+ let name = match name.scope() {
+ IpsetScope::Datacenter => name.to_string(),
+ IpsetScope::Guest => {
+ if let Some(vmid) = vmid {
+ format!("guest-{vmid}/{}", name.name())
+ } else {
+ log::warn!("Creating IPSet for guest without vmid parameter!");
+ name.to_string()
+ }
+ }
+ };
+
+ let suffix = match nomatch {
+ true => "-nomatch",
+ false => "",
+ };
+
+ format!("{prefix}-{name}{suffix}")
+ }
}
#[derive(Clone, Debug, Deserialize, Serialize)]
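Review bot: The guest-scoped branch of `ipset_name` that runs without a `vmid` only logs a warning and then falls back to `name.to_string()`, which is the same expression the `Datacenter` arm uses; whether the resulting set name is then distinguishable from a datacenter set of the same name depends on what `IpsetName`'s `Display` impl includes, which is not visible here. Since the returned string becomes the key for an nftables set, a silent fallback that may alias another set is risky; if the missing vmid is a caller bug, returning an error (or a `debug_assert!`) would be preferable, and either way the contract should be documented. I would add above the `#[cfg]` attribute a doc comment along the lines of `/// Builds the nftables set name for an ipset as `<v4|v6>-<name>[-nomatch]`; guest-scoped ipsets are prefixed with `guest-<vmid>/` and fall back to the bare name (with a warning) when `vmid` is `None`.` Separately, `match nomatch { true => "-nomatch", false => "" }` is clippy's `match_bool` case and reads better as `let suffix = if nomatch { "-nomatch" } else { "" };`, and the new `name()` accessor deserves a one-line `///` as well. The enclosing `impl SetName` starts outside the hunk.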
@@ -788,7 +856,17 @@ pub enum L3Protocol {
Ip6,
}
-#[derive(Clone, Debug, Deserialize, Serialize)]
+#[cfg(feature = "config-ext")]
+impl From<Family> for L3Protocol {
+ fn from(value: Family) -> Self {
+ match value {
+ Family::V4 => L3Protocol::Ip,
+ Family::V6 => L3Protocol::Ip6,
+ }
+ }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
pub enum CtHelperProtocol {
TCP,
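Review bot: The change to `CtHelperProtocol` here adds a `Copy` derive, which is unrelated to the conversion traits the commit message describes and is easy to miss in a hunk that otherwise only inserts a `From<Family>` impl. Either mention it in the description or split it into its own commit so the intent (making the enum freely copyable) is recorded. The `From<Family> for L3Protocol` impl is a direct two-variant mapping and is fine; a short `/// Maps a config-side address family to the nftables L3 protocol.` on the impl would match the documentation level expected for public conversions. The `CtHelperProtocol` enum continues outside the hunk.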
--
2.39.2