[pve-devel] [PATCH proxmox-ve-rs v4 02/18] firewall: add bridge firewall config parser

Stefan Hanreich s.hanreich at proxmox.com
Fri Nov 15 13:10:53 CET 2024


We introduce a new type of firewall config file that can be used for
defining rules on bridge-level, similar to the existing
cluster/host/vm configuration files.

Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Tested-by: Hannes Dürr <h.duerr at proxmox.com>
---
 proxmox-ve-config/src/firewall/bridge.rs | 64 ++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 proxmox-ve-config/src/firewall/bridge.rs

diff --git a/proxmox-ve-config/src/firewall/bridge.rs b/proxmox-ve-config/src/firewall/bridge.rs
new file mode 100644
index 0000000..4acb6fa
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/bridge.rs
@@ -0,0 +1,64 @@
+use std::io;
+
+use anyhow::Error;
+use serde::Deserialize;
+
+use crate::firewall::parse::serde_option_bool;
+use crate::firewall::types::log::LogLevel;
+use crate::firewall::types::rule::{Direction, Verdict};
+
+use super::common::ParserConfig;
+use super::types::Rule;
+
+pub struct Config {
+    pub(crate) config: super::common::Config<Options>,
+}
+
+/// default return value for [`Config::enabled()`]
+pub const BRIDGE_ENABLED_DEFAULT: bool = false;
+/// default return value for [`Config::policy_forward()`]
+pub const BRIDGE_POLICY_FORWARD: Verdict = Verdict::Accept;
+
+impl Config {
+    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+        let parser_config = ParserConfig {
+            guest_iface_names: false,
+            ipset_scope: None,
+            allowed_directions: vec![Direction::Forward],
+        };
+
+        Ok(Self {
+            config: super::common::Config::parse(input, &parser_config)?,
+        })
+    }
+
+    pub fn enabled(&self) -> bool {
+        self.config.options.enable.unwrap_or(BRIDGE_ENABLED_DEFAULT)
+    }
+
+    pub fn rules(&self) -> impl Iterator<Item = &Rule> + '_ {
+        self.config.rules.iter()
+    }
+
+    pub fn log_level_forward(&self) -> LogLevel {
+        self.config.options.log_level_forward.unwrap_or_default()
+    }
+
+    pub fn policy_forward(&self) -> Verdict {
+        self.config
+            .options
+            .policy_forward
+            .unwrap_or(BRIDGE_POLICY_FORWARD)
+    }
+}
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+    #[serde(default, with = "serde_option_bool")]
+    enable: Option<bool>,
+
+    policy_forward: Option<Verdict>,
+
+    log_level_forward: Option<LogLevel>,
+}
-- 
2.39.5




More information about the pve-devel mailing list