[pve-devel] [PATCH proxmox-ve-rs 02/15] firewall: add forward direction
Stefan Hanreich
s.hanreich at proxmox.com
Wed Sep 11 11:31:03 CEST 2024
This direction will be used for specifying rules on bridge-level
firewalls as well as rules on the cluster / host level that apply to
forwarded network packets.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-ve-config/src/firewall/cluster.rs | 10 ++++++++++
proxmox-ve-config/src/firewall/guest.rs | 15 +++++++++++++++
proxmox-ve-config/src/firewall/host.rs | 4 ++++
proxmox-ve-config/src/firewall/mod.rs | 1 +
proxmox-ve-config/src/firewall/types/rule.rs | 10 ++++++++--
5 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/proxmox-ve-config/src/firewall/cluster.rs b/proxmox-ve-config/src/firewall/cluster.rs
index 223124b..b7bebae 100644
--- a/proxmox-ve-config/src/firewall/cluster.rs
+++ b/proxmox-ve-config/src/firewall/cluster.rs
@@ -25,6 +25,8 @@ pub const CLUSTER_EBTABLES_DEFAULT: bool = false;
pub const CLUSTER_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
/// default setting for [`Config::default_policy()`]
pub const CLUSTER_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
+/// default setting for [`Config::default_policy()`]
+pub const CLUSTER_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept;
impl Config {
pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
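Review bot: The doc comment on the new `CLUSTER_POLICY_FORWARD_DEFAULT` is a verbatim copy of the two lines above it and says neither which direction the constant covers nor why forwarded traffic defaults to `Verdict::Accept` while `CLUSTER_POLICY_IN_DEFAULT` is `Verdict::Drop`; `GUEST_POLICY_FORWARD_DEFAULT` in guest.rs has the same copied comment. This value decides what happens to forwarded packets on every host whose config predates the option, so the rationale belongs next to the constant, e.g. `/// default policy for Direction::Forward; Accept keeps forwarded traffic flowing on configs that predate this option` — presumably the reason is compatibility with existing setups, which is worth confirming before writing it down. The `parse` function that starts on the last line of this hunk continues outside it.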
@@ -86,6 +88,11 @@ impl Config {
.options
.policy_out
.unwrap_or(CLUSTER_POLICY_OUT_DEFAULT),
+ Direction::Forward => self
+ .config
+ .options
+ .policy_forward
+ .unwrap_or(CLUSTER_POLICY_FORWARD_DEFAULT),
}
}
@@ -121,6 +128,7 @@ pub struct Options {
policy_in: Option<Verdict>,
policy_out: Option<Verdict>,
+ policy_forward: Option<Verdict>,
}
#[cfg(test)]
@@ -148,6 +156,7 @@ log_ratelimit: 1,rate=10/second,burst=20
ebtables: 0
policy_in: REJECT
policy_out: REJECT
+policy_forward: DROP
[ALIASES]
@@ -191,6 +200,7 @@ IN BGP(REJECT) -log crit -source 1.2.3.4
)),
policy_in: Some(Verdict::Reject),
policy_out: Some(Verdict::Reject),
+ policy_forward: Some(Verdict::Drop),
}
);
diff --git a/proxmox-ve-config/src/firewall/guest.rs b/proxmox-ve-config/src/firewall/guest.rs
index c7e282f..b097f56 100644
--- a/proxmox-ve-config/src/firewall/guest.rs
+++ b/proxmox-ve-config/src/firewall/guest.rs
@@ -31,6 +31,8 @@ pub const GUEST_IPFILTER_DEFAULT: bool = false;
pub const GUEST_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
/// default return value for [`Config::default_policy()`]
pub const GUEST_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
+/// default return value for [`Config::default_policy()`]
+pub const GUEST_POLICY_FORWARD_DEFAULT: Verdict = Verdict::Accept;
#[derive(Debug, Default, Deserialize)]
#[cfg_attr(test, derive(Eq, PartialEq))]
@@ -52,6 +54,7 @@ pub struct Options {
log_level_in: Option<LogLevel>,
log_level_out: Option<LogLevel>,
+ log_level_forward: Option<LogLevel>,
#[serde(default, with = "serde_option_bool")]
macfilter: Option<bool>,
@@ -61,6 +64,8 @@ pub struct Options {
#[serde(rename = "policy_out")]
policy_out: Option<Verdict>,
+
+ policy_forward: Option<Verdict>,
}
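Review bot: `policy_forward` is declared without the `#[serde(rename = "policy_forward")]` attribute that the neighbouring `policy_out` field carries, so it is the odd one out in this struct; the `Options` struct itself starts outside the hunk, so I cannot see whether a container-level serde attribute is what makes the explicit renames necessary. The test in this patch feeds `policy_forward: DROP` and expects `Some(Verdict::Drop)`, which suggests the bare field name already round-trips, but for a config struct matching the sibling style avoids a silent mismatch if the container attribute ever changes. Adding `#[serde(rename = "policy_forward")]` directly above the new field settles it either way.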
#[derive(Debug)]
@@ -131,6 +136,7 @@ impl Config {
match dir {
Direction::In => self.config.options.log_level_in.unwrap_or_default(),
Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
+ Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(),
}
}
@@ -179,6 +185,11 @@ impl Config {
.options
.policy_out
.unwrap_or(GUEST_POLICY_OUT_DEFAULT),
+ Direction::Forward => self
+ .config
+ .options
+ .policy_forward
+ .unwrap_or(GUEST_POLICY_FORWARD_DEFAULT),
}
}
@@ -206,11 +217,13 @@ dhcp: 1
ipfilter: 0
log_level_in: emerg
log_level_out: crit
+log_level_forward: warn
macfilter: 0
ndp:1
radv:1
policy_in: REJECT
policy_out: REJECT
+policy_forward: DROP
"#;
let config = CONFIG.as_bytes();
@@ -228,9 +241,11 @@ policy_out: REJECT
radv: Some(true),
log_level_in: Some(LogLevel::Emergency),
log_level_out: Some(LogLevel::Critical),
+ log_level_forward: Some(LogLevel::Warning),
macfilter: Some(false),
policy_in: Some(Verdict::Reject),
policy_out: Some(Verdict::Reject),
+ policy_forward: Some(Verdict::Drop),
}
);
}
diff --git a/proxmox-ve-config/src/firewall/host.rs b/proxmox-ve-config/src/firewall/host.rs
index 3de6fad..56ed46d 100644
--- a/proxmox-ve-config/src/firewall/host.rs
+++ b/proxmox-ve-config/src/firewall/host.rs
@@ -44,6 +44,7 @@ pub struct Options {
log_level_in: Option<LogLevel>,
log_level_out: Option<LogLevel>,
+ log_level_forward: Option<LogLevel>,
#[serde(default, with = "parse::serde_option_bool")]
log_nf_conntrack: Option<bool>,
@@ -262,6 +263,7 @@ impl Config {
match dir {
Direction::In => self.config.options.log_level_in.unwrap_or_default(),
Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
+ Direction::Forward => self.config.options.log_level_forward.unwrap_or_default(),
}
}
}
@@ -284,6 +286,7 @@ enable: 1
nftables: 1
log_level_in: debug
log_level_out: emerg
+log_level_forward: warn
log_nf_conntrack: 0
ndp: 1
nf_conntrack_allow_invalid: yes
@@ -316,6 +319,7 @@ IN ACCEPT -p udp -dport 33 -sport 22 -log warning
nftables: Some(true),
log_level_in: Some(LogLevel::Debug),
log_level_out: Some(LogLevel::Emergency),
+ log_level_forward: Some(LogLevel::Warning),
log_nf_conntrack: Some(false),
ndp: Some(true),
nf_conntrack_allow_invalid: Some(true),
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
index 2cf57e2..6ee3c31 100644
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ b/proxmox-ve-config/src/firewall/mod.rs
@@ -1,3 +1,4 @@
+pub mod bridge;
pub mod cluster;
pub mod common;
pub mod ct_helper;
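Review bot: `pub mod bridge;` is added, but no `proxmox-ve-config/src/firewall/bridge.rs` is part of this patch — the diffstat lists five files and none of them is the bridge module — so the crate cannot build at this commit unless the file is introduced by another patch in the series. That makes the series non-bisectable; the declaration should move to the patch that actually adds the bridge module, or that patch should be folded into this one. The commit message does not mention the new module either, so if the line is intentional here it should at least be explained there.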
diff --git a/proxmox-ve-config/src/firewall/types/rule.rs b/proxmox-ve-config/src/firewall/types/rule.rs
index 5374bb0..2c8f49c 100644
--- a/proxmox-ve-config/src/firewall/types/rule.rs
+++ b/proxmox-ve-config/src/firewall/types/rule.rs
@@ -13,19 +13,24 @@ pub enum Direction {
#[default]
In,
Out,
+ Forward,
}
impl std::str::FromStr for Direction {
type Err = Error;
fn from_str(s: &str) -> Result<Self, Error> {
- for (name, dir) in [("IN", Direction::In), ("OUT", Direction::Out)] {
+ for (name, dir) in [
+ ("IN", Direction::In),
+ ("OUT", Direction::Out),
+ ("FORWARD", Direction::Forward),
+ ] {
if s.eq_ignore_ascii_case(name) {
return Ok(dir);
}
}
- bail!("invalid direction: {s:?}, expect 'IN' or 'OUT'");
+ bail!("invalid direction: {s:?}, expect 'IN', 'OUT' or 'FORWARD'");
}
}
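Review bot: `Direction::from_str` now accepts `FORWARD` for every caller, so a rule line with that direction parses successfully in any config file, even though the commit message scopes forward rules to bridge-level and cluster/host-level firewalls; nothing in this patch rejects or warns about a `FORWARD` rule in a context where it is not meaningful, so such a rule would be accepted and its effect would depend on whatever the consumer does with the new variant. If the restriction is intended, it needs to live in the per-config rule validation (not visible in this patch) or at least be documented on the enum, e.g. `/// Forward: applies to packets forwarded by the host; only meaningful at bridge and cluster/host level`. The match arms added in cluster.rs, guest.rs and host.rs cover the new variant, and the compiler will flag any other exhaustive match on `Direction` that this patch does not update.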
@@ -36,6 +41,7 @@ impl fmt::Display for Direction {
match self {
Direction::In => f.write_str("in"),
Direction::Out => f.write_str("out"),
+ Direction::Forward => f.write_str("forward"),
}
}
}
--
2.39.2