[pve-devel] [PATCH proxmox-ve-rs 03/15] firewall: add bridge firewall config parser

Stefan Hanreich s.hanreich at proxmox.com
Wed Sep 11 11:31:04 CEST 2024 

We introduce a new type of firewall config file that can be used for
defining rules on bridge-level, similar to the existing
cluster/host/vm configuration files.

Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
 proxmox-ve-config/src/firewall/bridge.rs | 59 ++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 proxmox-ve-config/src/firewall/bridge.rs

diff --git a/proxmox-ve-config/src/firewall/bridge.rs b/proxmox-ve-config/src/firewall/bridge.rs
new file mode 100644
index 0000000..13103e8
--- /dev/null
+++ b/proxmox-ve-config/src/firewall/bridge.rs
@@ -0,0 +1,59 @@
+use std::io;
+
+use anyhow::Error;
+use serde::Deserialize;
+
+use crate::firewall::parse::serde_option_bool;
+use crate::firewall::types::rule::Verdict;
+
+use super::common::ParserConfig;
+use super::types::Rule;
+
+pub struct Config {
+    pub(crate) config: super::common::Config<Options>,
+}
+
+/// default return value for [`Config::enabled()`]
+pub const BRIDGE_ENABLED_DEFAULT: bool = false;
+/// default return value for [`Config::policy_forward()`]
+pub const BRIDGE_POLICY_FORWARD: Verdict = Verdict::Accept;
+
+impl Config {
+    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+        let parser_config = ParserConfig {
+            guest_iface_names: false,
+            ipset_scope: None,
+        };
+
+        Ok(Self {
+            config: super::common::Config::parse(input, &parser_config)?,
+        })
+    }
+
+    pub fn enabled(&self) -> bool {
+        self.config
+            .options
+            .enabled
+            .unwrap_or(BRIDGE_ENABLED_DEFAULT)
+    }
+
+    pub fn rules(&self) -> impl Iterator<Item = &Rule> + '_ {
+        self.config.rules.iter()
+    }
+
+    pub fn policy_forward(&self) -> Verdict {
+        self.config
+            .options
+            .policy_forward
+            .unwrap_or(BRIDGE_POLICY_FORWARD)
+    }
+}
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+    #[serde(default, with = "serde_option_bool")]
+    enabled: Option<bool>,
+
+    policy_forward: Option<Verdict>,
+}
-- 
2.39.2

More information about the pve-devel mailing list