[pve-devel] [PATCH proxmox-ve-rs v4 02/18] firewall: add bridge firewall config parser
Stefan Hanreich
s.hanreich at proxmox.com
Fri Nov 15 13:10:53 CET 2024
We introduce a new type of firewall config file that can be used for
defining rules at the bridge level, similar to the existing
cluster/host/vm configuration files.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Tested-by: Hannes Dürr <h.duerr at proxmox.com>
---
proxmox-ve-config/src/firewall/bridge.rs | 64 ++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 proxmox-ve-config/src/firewall/bridge.rs
diff --git a/proxmox-ve-config/src/firewall/bridge.rs b/proxmox-ve-config/src/firewall/bridge.rs
new file mode 100644
index 0000000..4acb6fa
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/bridge.rs
@@ -0,0 +1,64 @@
+use std::io;
+
+use anyhow::Error;
+use serde::Deserialize;
+
+use crate::firewall::parse::serde_option_bool;
+use crate::firewall::types::log::LogLevel;
+use crate::firewall::types::rule::{Direction, Verdict};
+
+use super::common::ParserConfig;
+use super::types::Rule;
+
+pub struct Config {
+ pub(crate) config: super::common::Config<Options>,
+}
+
+/// default return value for [`Config::enabled()`]
+pub const BRIDGE_ENABLED_DEFAULT: bool = false;
+/// default return value for [`Config::policy_forward()`]
+pub const BRIDGE_POLICY_FORWARD: Verdict = Verdict::Accept;
+
+impl Config {
+ pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+ let parser_config = ParserConfig {
+ guest_iface_names: false,
+ ipset_scope: None,
+ allowed_directions: vec![Direction::Forward],
+ };
+
+ Ok(Self {
+ config: super::common::Config::parse(input, &parser_config)?,
+ })
+ }
+
+ pub fn enabled(&self) -> bool {
+ self.config.options.enable.unwrap_or(BRIDGE_ENABLED_DEFAULT)
+ }
+
+ pub fn rules(&self) -> impl Iterator<Item = &Rule> + '_ {
+ self.config.rules.iter()
+ }
+
+ pub fn log_level_forward(&self) -> LogLevel {
+ self.config.options.log_level_forward.unwrap_or_default()
+ }
+
+ pub fn policy_forward(&self) -> Verdict {
+ self.config
+ .options
+ .policy_forward
+ .unwrap_or(BRIDGE_POLICY_FORWARD)
+ }
+}
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+ #[serde(default, with = "serde_option_bool")]
+ enable: Option<bool>,
+
+ policy_forward: Option<Verdict>,
+
+ log_level_forward: Option<LogLevel>,
+}
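Review bot: Everything public in this hunk except the two constants is undocumented: `Config`, `Config::parse`, `enabled`, `rules`, `log_level_forward` and `policy_forward` carry no `///` comment, while `BRIDGE_ENABLED_DEFAULT` and `BRIDGE_POLICY_FORWARD` are the only items that do. A one-liner on the struct, `/// Parsed bridge-level firewall configuration (options plus forward rules).`, and on `parse`, `/// Parses a bridge firewall config from `input`; only `Direction::Forward` rules are accepted via `allowed_directions`.`, would make the file readable without opening `super::common`. Since `policy_forward()` falls back to `Verdict::Accept` when the option is absent, its doc comment should say so explicitly, e.g. `/// Forward policy; an unset option means traffic is accepted (`BRIDGE_POLICY_FORWARD`).`, so a reader does not assume a deny default for the bridge. As a naming point, `BRIDGE_POLICY_FORWARD` lacks the `_DEFAULT` suffix that `BRIDGE_ENABLED_DEFAULT` uses, so the two defaults read inconsistently; `BRIDGE_POLICY_FORWARD_DEFAULT` would match.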
--
2.39.5