[pve-devel] [PATCH proxmox-firewall v3 28/39] firewall: add config loader
Stefan Hanreich
s.hanreich at proxmox.com
Thu Apr 18 18:14:23 CEST 2024
We load the firewall configuration from the default paths, as well as
only the guest configurations that are local to the node itself. In
the future we could change this to use pmxcfs directly instead.
We also load information from nftables directly about dynamically
created chains (mostly chains for the guest firewall).
Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
Reviewed-by: Max Carrara <m.carrara at proxmox.com>
Co-authored-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-firewall/Cargo.toml | 2 +
proxmox-firewall/src/config.rs | 283 +++++++++++++++++++++++++++++++++
proxmox-firewall/src/main.rs | 3 +
3 files changed, 288 insertions(+)
create mode 100644 proxmox-firewall/src/config.rs
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index b59d973..431e71a 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -11,6 +11,8 @@ description = "Proxmox VE nftables firewall implementation"
license = "AGPL-3"
[dependencies]
+log = "0.4"
+env_logger = "0.10"
anyhow = "1"
proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs
new file mode 100644
index 0000000..2cf3e39
--- /dev/null
+++ b/proxmox-firewall/src/config.rs
@@ -0,0 +1,283 @@
+use std::collections::BTreeMap;
+use std::default::Default;
+use std::fs::File;
+use std::io::{self, BufReader};
+use std::sync::OnceLock;
+
+use anyhow::Error;
+
+use proxmox_ve_config::firewall::cluster::Config as ClusterConfig;
+use proxmox_ve_config::firewall::guest::Config as GuestConfig;
+use proxmox_ve_config::firewall::host::Config as HostConfig;
+use proxmox_ve_config::firewall::types::alias::{Alias, AliasName, AliasScope};
+
+use proxmox_ve_config::guest::types::Vmid;
+use proxmox_ve_config::guest::{GuestEntry, GuestMap};
+
+use proxmox_nftables::command::{CommandOutput, Commands, List, ListOutput};
+use proxmox_nftables::types::ListChain;
+use proxmox_nftables::NftClient;
+
+pub trait FirewallConfigLoader {
+ fn cluster(&self) -> Option<Box<dyn io::BufRead>>;
+ fn host(&self) -> Option<Box<dyn io::BufRead>>;
+ fn guest_list(&self) -> GuestMap;
+ fn guest_config(&self, vmid: &Vmid, guest: &GuestEntry) -> Option<Box<dyn io::BufRead>>;
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option<Box<dyn io::BufRead>>;
+}
+
+#[derive(Default)]
+struct PveFirewallConfigLoader {}
+
+impl PveFirewallConfigLoader {
+ pub fn new() -> Self {
+ Default::default()
+ }
+}
+
+/// opens a configuration file
+///
+/// It returns a file handle to the file or [`None`] if it doesn't exist.
+fn open_config_file(path: &str) -> Result<Option<File>, Error> {
+ match File::open(path) {
+ Ok(data) => Ok(Some(data)),
+ Err(err) if err.kind() == io::ErrorKind::NotFound => {
+ log::info!("config file does not exist: {path}");
+ Ok(None)
+ }
+ Err(err) => {
+ let context = format!("unable to open configuration file at {path}");
+ Err(anyhow::Error::new(err).context(context))
+ }
+ }
+}
+
+const CLUSTER_CONFIG_PATH: &str = "/etc/pve/firewall/cluster.fw";
+const HOST_CONFIG_PATH: &str = "/etc/pve/local/host.fw";
+
+impl FirewallConfigLoader for PveFirewallConfigLoader {
+ fn cluster(&self) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading cluster config");
+
+ let fd =
+ open_config_file(CLUSTER_CONFIG_PATH).expect("able to read cluster firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn host(&self) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading host config");
+
+ let fd = open_config_file(HOST_CONFIG_PATH).expect("able to read host firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn guest_list(&self) -> GuestMap {
+ log::info!("loading vmlist");
+ GuestMap::new().expect("able to read vmlist")
+ }
+
+ fn guest_config(&self, vmid: &Vmid, entry: &GuestEntry) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading guest #{vmid} config");
+
+ let fd = open_config_file(&GuestMap::config_path(vmid, entry))
+ .expect("able to read guest config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option<Box<dyn io::BufRead>> {
+ log::info!("loading guest #{vmid} firewall config");
+
+ let fd = open_config_file(&GuestMap::firewall_config_path(vmid))
+ .expect("able to read guest firewall config");
+
+ if let Some(file) = fd {
+ let buf_reader = Box::new(BufReader::new(file)) as Box<dyn io::BufRead>;
+ return Some(buf_reader);
+ }
+
+ None
+ }
+}
+
+pub trait NftConfigLoader {
+ fn chains(&self) -> CommandOutput;
+}
+
+#[derive(Debug, Default)]
+pub struct PveNftConfigLoader {}
+
+impl PveNftConfigLoader {
+ pub fn new() -> Self {
+ Default::default()
+ }
+}
+
+impl NftConfigLoader for PveNftConfigLoader {
+ fn chains(&self) -> CommandOutput {
+ log::info!("querying nftables config for chains");
+
+ let commands = Commands::new(vec![List::chains()]);
+
+ NftClient::run_json_commands(&commands)
+ .expect("can query chains in nftables")
+ .expect("nft returned output")
+ }
+}
+
+pub struct FirewallConfig {
+ firewall_loader: Box<dyn FirewallConfigLoader>,
+ nft_loader: Box<dyn NftConfigLoader>,
+ cluster_config: OnceLock<ClusterConfig>,
+ host_config: OnceLock<HostConfig>,
+ guest_config: OnceLock<BTreeMap<Vmid, GuestConfig>>,
+ nft_config: OnceLock<BTreeMap<String, ListChain>>,
+}
+
+impl Default for FirewallConfig {
+ fn default() -> Self {
+ Self {
+ firewall_loader: Box::new(PveFirewallConfigLoader::new()),
+ nft_loader: Box::new(PveNftConfigLoader::new()),
+ cluster_config: OnceLock::new(),
+ host_config: OnceLock::new(),
+ guest_config: OnceLock::new(),
+ nft_config: OnceLock::new(),
+ }
+ }
+}
+
+impl FirewallConfig {
+ pub fn new(
+ firewall_loader: Box<dyn FirewallConfigLoader>,
+ nft_loader: Box<dyn NftConfigLoader>,
+ ) -> Self {
+ Self {
+ firewall_loader,
+ nft_loader,
+ cluster_config: OnceLock::new(),
+ host_config: OnceLock::new(),
+ guest_config: OnceLock::new(),
+ nft_config: OnceLock::new(),
+ }
+ }
+
+ pub fn cluster(&self) -> &ClusterConfig {
+ self.cluster_config.get_or_init(|| {
+ let raw_config = self.firewall_loader.cluster();
+
+ match raw_config {
+ Some(data) => ClusterConfig::parse(data).expect("cluster firewall config is valid"),
+ None => {
+ log::info!("no cluster config found, falling back to default");
+ ClusterConfig::default()
+ }
+ }
+ })
+ }
+
+ pub fn host(&self) -> &HostConfig {
+ self.host_config.get_or_init(|| {
+ let raw_config = self.firewall_loader.host();
+
+ match raw_config {
+ Some(data) => HostConfig::parse(data).expect("host firewall config is valid"),
+ None => {
+ log::info!("no host config found, falling back to default");
+ HostConfig::default()
+ }
+ }
+ })
+ }
+
+ pub fn guests(&self) -> &BTreeMap<Vmid, GuestConfig> {
+ self.guest_config.get_or_init(|| {
+ let mut guests = BTreeMap::new();
+
+ for (vmid, entry) in self.firewall_loader.guest_list().iter() {
+ if !entry.is_local() {
+ log::debug!("guest #{vmid} is not local, skipping");
+ continue;
+ }
+
+ let raw_firewall_config = self.firewall_loader.guest_firewall_config(vmid);
+
+ if let Some(raw_firewall_config) = raw_firewall_config {
+ log::debug!("found firewall config for #{vmid}, loading guest config");
+
+ let raw_config = self
+ .firewall_loader
+ .guest_config(vmid, entry)
+ .expect("guest config exists if firewall config exists");
+
+ let config = GuestConfig::parse(
+ vmid,
+ entry.ty().iface_prefix(),
+ raw_firewall_config,
+ raw_config,
+ )
+ .expect("guest config is valid");
+
+ guests.insert(*vmid, config);
+ }
+ }
+
+ guests
+ })
+ }
+
+ pub fn nft_chains(&self) -> &BTreeMap<String, ListChain> {
+ self.nft_config.get_or_init(|| {
+ let output = self.nft_loader.chains();
+ let mut chains = BTreeMap::new();
+
+ for element in &output.nftables {
+ if let ListOutput::Chain(chain) = element {
+ chains.insert(chain.name().to_owned(), chain.clone());
+ }
+ }
+
+ chains
+ })
+ }
+
+ pub fn is_enabled(&self) -> bool {
+ self.cluster().is_enabled() && self.host().nftables()
+ }
+
+ pub fn alias(&self, name: &AliasName, vmid: Option<Vmid>) -> Option<&Alias> {
+ log::trace!("getting alias {name:?}");
+
+ match name.scope() {
+ AliasScope::Datacenter => self.cluster().alias(name.name()),
+ AliasScope::Guest => {
+ if let Some(vmid) = vmid {
+ if let Some(entry) = self.guests().get(&vmid) {
+ return entry.alias(name);
+ }
+
+ log::warn!("trying to get alias {name} for non-existing guest: #{vmid}");
+ }
+
+ None
+ }
+ }
+ }
+}
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 248ac39..656ac15 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -1,5 +1,8 @@
use anyhow::Error;
+mod config;
+
fn main() -> Result<(), Error> {
+ env_logger::init();
Ok(())
}
--
2.39.2
More information about the pve-devel
mailing list