[pve-devel] [PATCH docs/firewall/manager/proxmox{-ve-rs, -firewall, -perl-rs} v2 00/25] autogenerate ipsets for sdn objects
Stefan Hanreich
s.hanreich at proxmox.com
Thu Oct 10 17:56:12 CEST 2024
This patch series adds support for autogenerating ipsets for SDN objects. It
autogenerates ipsets for every VNet as follows:
* ipset containing all IP ranges of the VNet
* ipset containing all gateways of the VNet
* ipset containing all IP ranges of the subnet - except gateways
* ipset containing all dhcp ranges of the vnet
Additionally it generates an IPSet for every guest that has one or more IPAM
entries in the pve IPAM.
Those can then be used in the cluster / host / guest firewalls. Firewall rules
automatically update on changes of the SDN / IPAM configuration. This patch
series works for the old firewall as well as the new firewall.
The ipsets in nftables currently get generated as named ipsets in every table,
this means that the `nft list ruleset` output can get quite crowded for large
SDN configurations or large IPAM databases. Another option would be to only
include them as anonymous IPsets in the rules, which would make the nft output
far less crowded but this way would use more memory when making extensive use of
the sdn ipsets, since everytime it is used in a rule we create an entirely new
ipset.
This patch series is based on my private repositories that split the existing
proxmox-firewall package into proxmox-firewall and proxmox-ve-rs. Those can be
found in my staff repo:
staff/s.hanreich/proxmox-ve-rs.git master
staff/s.hanreich/proxmox-firewall.git no-config
Please note that I included the debian packaging commit in this patch series,
since it is new and should get reviewed as well, I suppose. It is already
included when pulling from the proxmox-ve-rs repository.
Dependencies:
* proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs
* pve-firewall depends on proxmox-perl-rs
Changes from RFC:
* added documentation
* added separate SDN scope for IPSets
* rustfmt fixes
proxmox-ve-rs:
Fabian Grünbichler (1):
bump serde_with to 3
Stefan Hanreich (17):
debian: add files for packaging
bump dependencies
firewall: add sdn scope for ipsets
firewall: add ip range types
firewall: address: use new iprange type for ip entries
ipset: add range variant to addresses
iprange: add methods for converting an ip range to cidrs
ipset: address: add helper methods
firewall: guest: derive traits according to rust api guidelines
common: add allowlist
sdn: add name types
sdn: add ipam module
sdn: ipam: add method for generating ipsets
sdn: add config module
sdn: config: add method for generating ipsets
tests: add sdn config tests
tests: add ipam tests
.cargo/config.toml | 5 +
.gitignore | 8 +
Cargo.toml | 17 +
Makefile | 69 +
build.sh | 35 +
bump.sh | 44 +
proxmox-ve-config/Cargo.toml | 18 +-
proxmox-ve-config/debian/changelog | 5 +
proxmox-ve-config/debian/control | 43 +
proxmox-ve-config/debian/copyright | 19 +
proxmox-ve-config/debian/debcargo.toml | 4 +
proxmox-ve-config/src/common/mod.rs | 31 +
.../src/firewall/types/address.rs | 1171 ++++++++++++++++-
proxmox-ve-config/src/firewall/types/alias.rs | 4 +-
proxmox-ve-config/src/firewall/types/ipset.rs | 32 +-
proxmox-ve-config/src/firewall/types/rule.rs | 6 +-
proxmox-ve-config/src/guest/types.rs | 7 +-
proxmox-ve-config/src/guest/vm.rs | 11 +-
proxmox-ve-config/src/lib.rs | 2 +
proxmox-ve-config/src/sdn/config.rs | 642 +++++++++
proxmox-ve-config/src/sdn/ipam.rs | 382 ++++++
proxmox-ve-config/src/sdn/mod.rs | 243 ++++
proxmox-ve-config/tests/sdn/main.rs | 189 +++
proxmox-ve-config/tests/sdn/resources/ipam.db | 26 +
.../tests/sdn/resources/running-config.json | 54 +
25 files changed, 2980 insertions(+), 87 deletions(-)
create mode 100644 .cargo/config.toml
create mode 100644 .gitignore
create mode 100644 Cargo.toml
create mode 100644 Makefile
create mode 100755 build.sh
create mode 100755 bump.sh
create mode 100644 proxmox-ve-config/debian/changelog
create mode 100644 proxmox-ve-config/debian/control
create mode 100644 proxmox-ve-config/debian/copyright
create mode 100644 proxmox-ve-config/debian/debcargo.toml
create mode 100644 proxmox-ve-config/src/common/mod.rs
create mode 100644 proxmox-ve-config/src/sdn/config.rs
create mode 100644 proxmox-ve-config/src/sdn/ipam.rs
create mode 100644 proxmox-ve-config/src/sdn/mod.rs
create mode 100644 proxmox-ve-config/tests/sdn/main.rs
create mode 100644 proxmox-ve-config/tests/sdn/resources/ipam.db
create mode 100644 proxmox-ve-config/tests/sdn/resources/running-config.json
proxmox-firewall:
Stefan Hanreich (2):
config: tests: add support for loading sdn and ipam config
ipsets: autogenerate ipsets for vnets and ipam
proxmox-firewall/src/config.rs | 69 +
proxmox-firewall/src/firewall.rs | 22 +-
proxmox-firewall/src/object.rs | 41 +-
.../tests/input/.running-config.json | 45 +
proxmox-firewall/tests/input/ipam.db | 32 +
proxmox-firewall/tests/integration_tests.rs | 10 +
.../integration_tests__firewall.snap | 1288 +++++++++++++++++
proxmox-nftables/src/expression.rs | 17 +-
proxmox-nftables/src/types.rs | 2 +-
9 files changed, 1511 insertions(+), 15 deletions(-)
create mode 100644 proxmox-firewall/tests/input/.running-config.json
create mode 100644 proxmox-firewall/tests/input/ipam.db
pve-firewall:
Stefan Hanreich (2):
add support for loading sdn firewall configuration
api: load sdn ipsets
src/PVE/API2/Firewall/Cluster.pm | 8 +++--
src/PVE/API2/Firewall/Rules.pm | 12 ++++---
src/PVE/API2/Firewall/VM.pm | 3 +-
src/PVE/Firewall.pm | 59 ++++++++++++++++++++++++++++----
4 files changed, 67 insertions(+), 15 deletions(-)
proxmox-perl-rs:
Stefan Hanreich (1):
add PVE::RS::Firewall::SDN module
pve-rs/Cargo.toml | 1 +
pve-rs/Makefile | 1 +
pve-rs/src/firewall/mod.rs | 1 +
pve-rs/src/firewall/sdn.rs | 130 +++++++++++++++++++++++++++++++++++++
pve-rs/src/lib.rs | 1 +
5 files changed, 134 insertions(+)
create mode 100644 pve-rs/src/firewall/mod.rs
create mode 100644 pve-rs/src/firewall/sdn.rs
pve-manager:
Stefan Hanreich (1):
firewall: add sdn scope to IPRefSelector
www/manager6/form/IPRefSelector.js | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
pve-docs:
Stefan Hanreich (1):
sdn: add documentation for firewall integration
pvesdn.adoc | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
Summary over all repositories:
45 files changed, 4791 insertions(+), 118 deletions(-)
--
Generated by git-murpp 0.6.0
More information about the pve-devel
mailing list