sent a v2:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064855.html
On 7/23/24 15:14, Stefan Hanreich wrote:
> When detaching and attaching the network device on update, the
> link_down setting is not considered and the network device always gets
> attached to the gue
When detaching and attaching the network device on update, the
link_down setting is not considered and the network device always gets
attached to the guest - even if link_down is set.
Fixes: 3f14f206 ("nic online bridge/vlan change: link disconnect/reconnect")
Signed-off-by: Stefa
On 7/23/24 16:00, Fiona Ebner wrote:
>
> On 23.07.24 at 15:14, Stefan Hanreich wrote:
>> When detaching and attaching the network device on update, the
>> link_down setting is not considered and the network device always gets
>> attached to the guest - even if link_
When detaching and attaching the network device on update, the
link_down setting is not considered and the network device always gets
attached to the guest - even if link_down is set.
Fixes: 3f14f206 ("nic online bridge/vlan change: link disconnect/reconnect")
Signed-off-by: Stefa
tering is on!). This behavior might be
counterintuitive for users.
Consider this:
Tested-By: Stefan Hanreich
On 7/3/24 10:01, Aaron Lauterer wrote:
> this version reworks a few parts since v2.
>
> * renamed format in JSONSchema to a more generic `pve-vlan-id-or-range`
> * explicit
Umlauts, I at least get an error message, but cannot save.
Other than that everything worked fine - consider this:
Tested-By: Stefan Hanreich
___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
that the file exists and does nothing
Reported-by: Hannes Laimer
Signed-off-by: Stefan Hanreich
---
Changes from v2 to v3:
* Use proper debug output formatter
Changes from v1 to v2:
* Removed misleading/wrong section about the probability of this
happening
* Added a detailed description
-off-by: Stefan Hanreich
---
www/manager6/tree/DhcpTree.js | 17 +++--
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/www/manager6/tree/DhcpTree.js b/www/manager6/tree/DhcpTree.js
index d0b80803..6868bb60 100644
--- a/www/manager6/tree/DhcpTree.js
+++ b/www/manager6/tree
network changes.
Now we only add a new ipam entry if either:
* the value of the bridge or mac address changed
* the network device has been newly added
This way no duplicate IPAM entries should get created.
Signed-off-by: Stefan Hanreich
---
PVE/QemuServer.pm | 5 +++--
1 file changed, 3
On 6/28/24 15:46, Gabriel Goller wrote:
> Already talked with Stefan offlist, but some major things I noted when
> testing:
> * It would be cool to have the generated IPSets visible in the IPSet
> menu under Firewall (Datacenter). We could add a checkmark to hide
> them (as there can be
On 6/27/24 12:54, Gabriel Goller wrote:
> On 26.06.2024 14:15, Stefan Hanreich wrote:
>> diff --git a/proxmox-ve-config/src/sdn/config.rs
>> b/proxmox-ve-config/src/sdn/config.rs
>> new file mode 100644
>> index 000..8454adf
>> --- /dev/null
>> ++
On 6/27/24 12:56, Gabriel Goller wrote:
> On 26.06.2024 14:15, Stefan Hanreich wrote:
>> diff --git a/proxmox-ve-config/src/sdn/mod.rs
>> b/proxmox-ve-config/src/sdn/mod.rs
>> new file mode 100644
>> index 000..4e7c525
>> --- /dev/null
>> +++ b/prox
Did a quick smoke test of this series by creating an ISO with an answer
file baked in and checking the response via `nc -l`. Review is inline.
Consider this:
Tested-By: Stefan Hanreich
Reviewed-By: Stefan Hanreich
On 7/10/24 15:27, Christoph Heiss wrote:
> This implements a mechan
On 7/10/24 15:27, Christoph Heiss wrote:
> +impl Answer {
> +pub fn from_reader(reader: impl BufRead) -> Result {
> +let mut buffer = String::new();
> +let lines = reader.lines();
> +for line in lines {
> +buffer.push_str(());
> +
On 7/10/24 15:27, Christoph Heiss wrote:
> diff --git a/proxmox-installer-common/src/setup.rs
> b/proxmox-installer-common/src/setup.rs
> index 9131ac9..29137bf 100644
> --- a/proxmox-installer-common/src/setup.rs
> +++ b/proxmox-installer-common/src/setup.rs
> @@ -163,24 +163,29 @@ pub fn
On 7/10/24 15:27, Christoph Heiss wrote:
> Makes more sense and makes debugging easier.
>
> Signed-off-by: Christoph Heiss
> ---
> proxmox-auto-installer/tests/parse-answer.rs | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/proxmox-auto-installer/tests/parse-answer.rs
On 7/10/24 15:27, Christoph Heiss wrote:
> +impl<'de> Deserialize<'de> for FsType {
> +fn deserialize(deserializer: D) -> Result
> +where
> +D: serde::Deserializer<'de>,
> +{
> +let fs: String = Deserialize::deserialize(deserializer)?;
> +
> +match fs.as_str() {
superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064439.html
On 5/29/24 15:25, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In
that the file exists and does nothing
Reported-by: Hannes Laimer
Signed-off-by: Stefan Hanreich
---
Changes from v1 to v2:
* Removed misleading/wrong section about the probability of this
happening
* Added a detailed description of the scenario this commit prevents
proxmox-firewall/src/bin/proxmox
On 7/4/24 12:49, Fabian Grünbichler wrote:
> so if I understand this correctly, it should handle the following case:
>
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> pve-firewall runs and sets up legacy rules and force disable file
> proxmox-firewall runs and disables NFT
superseded by
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064404.html
On 6/27/24 17:01, Stefan Hanreich wrote:
> This can lead to issues when upgrading from ifupdown to ifupdown2. The
> particular issue this fixes occurs in the following scenario:
>
> * Suppose there
/ccdc386cfab70703b657fe7c0ffceb95448a9c2b/ifupdown2/addons/bond.py#L45
[2] https://github.com/CumulusNetworks/ifupdown2/pull/304
Signed-off-by: Stefan Hanreich
Tested-by: Friedrich Weber
Reviewed-by: Fabian Grünbichler
---
Changes from v1 -> v2:
* Improved commit message of patch (thanks @Fabian!)
...dpkg-files-w
When matching via ether type, VLAN packets are not matched. This can
cause ARP packets encapsulated in VLAN frames to be dropped.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/firewall.rs | 2 +-
.../tests/snapshots/integration_tests__firewall.snap | 10
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/Cargo.toml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml
index cc689c8..b0f3434 100644
--- a/proxmox-ve-config/Cargo.toml
+++ b/proxmox-ve-config/Cargo.toml
with VLAN header. Matching via meta protocol
ensures that VLAN encapsulated ARP packets are matched as well.
Otherwise ARP traffic inside VLANs gets dropped, due to them having
conntrack state invalid.
Signed-off-by: Stefan Hanreich
---
.../resources/proxmox-firewall.nft| 16
On 6/27/24 18:23, DERUMIER, Alexandre wrote:
> isolated on or isolated off
> Controls whether a given port will be isolated, which means it will be
> able to communicate with non-isolated ports only. By default this flag
> is off."
Yeah, makes sense this way. I thought since one can set this
-By: Stefan Hanreich
Reviewed-By: Stefan Hanreich
4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
/ccdc386cfab70703b657fe7c0ffceb95448a9c2b/ifupdown2/addons/bond.py#L45
[2] https://github.com/CumulusNetworks/ifupdown2/pull/304
Signed-off-by: Stefan Hanreich
---
...dpkg-files-when-running-hook-scripts.patch | 54 +++
debian/patches/series | 1 +
2 files changed, 55 insertions
- but works quite well
for this use case. We only have to do this for the cluster
configuration, since this is the only place where the cluster
configuration gets saved.
On 6/26/24 14:15, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich
> ---
> src/PVE/API2/Firewall/Cluste
.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/firewall.rs | 22 +-
proxmox-firewall/src/object.rs| 41 +-
.../integration_tests__firewall.snap | 1288 +
proxmox-nftables/src/expression.rs| 17 +-
4 files changed, 1354
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/Cargo.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index 4246f18..c0ce579 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -25,4
Signed-off-by: Stefan Hanreich
---
src/PVE/API2/Firewall/Cluster.pm | 3 ++-
src/PVE/API2/Firewall/Rules.pm | 18 +++---
src/PVE/API2/Firewall/VM.pm | 3 ++-
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2
Used for obtaining the IPSets that get autogenerated by the nftables
firewall. The returned configuration has the same format as the
pve-firewall uses internally, making it compatible with the existing
pve-firewall code.
Signed-off-by: Stefan Hanreich
---
pve-rs/Cargo.toml | 1 +
pve
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/tests/sdn/main.rs | 144 ++
.../tests/sdn/resources/running-config.json | 54 +++
2 files changed, 198 insertions(+)
create mode 100644 proxmox-ve-config/tests/sdn/main.rs
create mode 100644 proxmox-ve-config
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/lib.rs | 1 +
proxmox-ve-config/src/sdn/mod.rs | 240 +++
2 files changed, 241 insertions(+)
create mode 100644 proxmox-ve-config/src/sdn/mod.rs
diff --git a/proxmox-ve-config/src/lib.rs b/proxmox-ve
Since we now have a standalone repository for Proxmox VE related
crates, add the required files for packaging the crates contained in
this repository.
Signed-off-by: Stefan Hanreich
---
.cargo/config.toml | 5 ++
.gitignore | 8 +++
Cargo.toml
. The following patches will use those
for (de-)serialization.
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types/address.rs | 19 +++
proxmox-ve-config/src/firewall/types/alias.rs | 4 ++--
proxmox-ve-config/src/firewall/types/ipset.rs | 6 +++---
proxmox-ve-config/src
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types/address.rs | 81 +++
proxmox-ve-config/src/firewall/types/rule.rs | 6 +-
2 files changed, 31 insertions(+), 56 deletions(-)
diff --git a/proxmox-ve-config/src/firewall/types/address.rs
b/proxmox-ve-config
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/types/address.rs | 10 ++
proxmox-ve-config/src/firewall/types/ipset.rs | 14 ++
2 files changed, 24 insertions(+)
diff --git a/proxmox-ve-config/src/firewall/types/address.rs
b/proxmox-ve-config/src
and should get reviewed as well, I suppose. It is already
included when pulling from the proxmox-ve-rs repository.
Dependencies:
* proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs
* pve-firewall depends on proxmox-perl-rs
proxmox-ve-rs:
Stefan Hanreich (15):
debian: add files
This is mainly used in proxmox-perl-rs, so the generated ipsets can be
used in pve-firewall where only CIDRs are supported.
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types/address.rs | 818 ++
1 file changed, 818 insertions(+)
diff --git a/proxmox-ve
enough we could always add a
HashSet for looking up values and speeding up the validation. For now,
I wanted to avoid the additional complexity.
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/sdn/config.rs | 571
proxmox-ve-config/src/sdn/mod.rs| 1 +
2
, this should be fine. Should it turn out to be
not performant enough we could always add a HashSet for looking up
values and speeding up the validation. For now, I wanted to avoid the
additional complexity.
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types/address.rs | 8 +
proxmox-ve
Also add example SDN configuration files that get automatically
loaded, which can be used for future tests.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/config.rs| 69 +++
.../tests/input/.running-config.json | 45
proxmox
Signed-off-by: Stefan Hanreich
---
src/PVE/Firewall.pm | 43 +--
1 file changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 09544ba..95325a0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
ranges configured in the vnet
All of them are in the datacenter scope, so the fully qualified name
would look something like this: `+dc/{vnet-all}`.
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/sdn/config.rs | 72 +
1 file changed, 72 insertions(+)
diff
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/tests/sdn/main.rs | 45 +++
proxmox-ve-config/tests/sdn/resources/ipam.db | 26 +++
2 files changed, 71 insertions(+)
create mode 100644 proxmox-ve-config/tests/sdn/resources/ipam.db
diff --git a/proxmox-ve
For every guest that has at least one entry in the IPAM we generate an
ipset with the name `+dc/guest-ipam-{vmid}`. The ipset contains all
IPs from all zones for a guest with {vmid}.
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types/address.rs | 9
proxmox-ve-config
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/common/mod.rs | 30 +
proxmox-ve-config/src/lib.rs| 1 +
2 files changed, 31 insertions(+)
create mode 100644 proxmox-ve-config/src/common/mod.rs
diff --git a/proxmox-ve-config/src/common/mod.rs
b
Currently we are using tuples to represent IP ranges which is
suboptimal. Validation logic and invariant checking needs to happen at
every site using the IP range rather than having a unified struct for
enforcing those invariants.
Signed-off-by: Stefan Hanreich
---
.../src/firewall/types
A range can be used to store multiple IP addresses in an ipset that do
not neatly fit into a single CIDR.
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/types/ipset.rs | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/proxmox-ve-config/src/firewall
.
For ICMP we additionally allow 'Source Quench' as well.
Signed-off-by: Stefan Hanreich
---
While Source Quench is deprecated, there might be niche use cases
using it and allowing it shouldn't really hurt so I've thrown it into
the mix as well.
.../resources/proxmox-firewall.nft| 22
-firewall main loop almost always runs at least
once before the force disable file gets created and flushes the
ruleset.
Reported-by: Hannes Laimer
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/bin/proxmox-firewall.rs | 4
1 file changed, 4 insertions(+)
diff --git a/proxmox-firewall/src
to the out direction we can simply accept all incoming ARP
traffic, since we do not do any MAC filtering for incoming traffic.
Since we create fdb entries for every NIC, guests should only see ARP
traffic for their MAC addresses anyway.
Signed-off-by: Stefan Hanreich
Originally-by: Laurent Guerby
The output chain did not have any conntrack rules, which led to
issues when the default output policy is not accept. Also, move the
conntrack rules to the beginning of all chains.
Signed-off-by: Stefan Hanreich
Originally-by: Laurent Guerby
---
Based this on the earlier patch in order to avoid
v2 available:
https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html
On 5/13/24 13:35, Stefan Hanreich wrote:
> ICMPv6 has different message types for rejecting traffic. With ICMP we
> used host-prohibited as rejection type, which doesn't exist in ICMPv6.
> Add an additi
matched from bypassing the reject chain.
Signed-off-by: Stefan Hanreich
---
Changes from v1 -> v2:
* add a terminal drop statement to prevent any unmatched traffic from
bypassing the reject chain
* properly match ICMPv6 traffic via l4proto
proxmox-firewall/resources/proxmox-firewall.nft
ICMPv6 has different message types for rejecting traffic. With ICMP we
used host-prohibited as rejection type, which doesn't exist in ICMPv6.
Add an additional rule for IPv6, so it uses admin-prohibited.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/resources/proxmox-firewall.nft | 6
Error handling of the firewall binary should now be much more robust
on configuration errors. Instead of panicking in some cases it should
now log an error.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/bin/proxmox-firewall.rs | 7 +-
proxmox-firewall/src/config.rs
We support any as wildcard for matching all icmp types. Implement
parsing logic for parsing the any value and support converting the any
value into an nftables expression.
Signed-off-by: Stefan Hanreich
---
proxmox-nftables/src/expression.rs | 2 ++
proxmox-ve-config/src
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/resources/macros.json | 9 +
1 file changed, 9 insertions(+)
diff --git a/proxmox-ve-config/resources/macros.json
b/proxmox-ve-config/resources/macros.json
index 67e1d89..2fcc0fb 100644
--- a/proxmox-ve-config/resources/macros.json
This should bring the allowed names on par with the pve-firewall
naming scheme [1].
[1]
https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=0abfeccffc94cec940760e69a894e392dc33f151;hb=29b48c381d14bf425232dc65c9c0d18f95c8f222#l51
Signed-off-by: Stefan Hanreich
On 4/23/24 18:02, Stefan Hanreich wrote:
> Currently we generated DROP statements for all rules involving REJECT.
> We only need to generate DROP when in the postrouting chain of tables
> with type bridge, since REJECT is disallowed there. Otherwise we jump
> into the do-reject
.
Signed-off-by: Stefan Hanreich
---
Seems like the proper handling for this got lost somewhere during my
big refactoring :/
.../resources/proxmox-firewall.nft| 7 +-
proxmox-firewall/src/firewall.rs | 9 +-
proxmox-firewall/src/rule.rs | 22
to support running multiple separate batches in
the NftClient in the future in order to avoid having to call nft
twice.
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/bin/proxmox-firewall.rs | 9 +
proxmox-firewall/src/firewall.rs | 10 +-
2 files changed, 10
On 4/22/24 14:06, Thomas Lamprecht wrote:
> seems OK from a high-level glance, would need a rebase now though
sent a rebased v2:
https://lists.proxmox.com/pipermail/pve-devel/2024-April/063588.html
Signed-off-by: Stefan Hanreich
---
src/PVE/Network/SDN/Dhcp.pm | 2 +-
src/PVE/Network/SDN/Dhcp/Dnsmasq.pm | 7 ++-
src/PVE/Network/SDN/Dhcp/Plugin.pm | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/PVE/Network/SDN/Dhcp.pm b/src/PVE/Network/SDN/Dhcp.pm
Signed-off-by: Stefan Hanreich
---
src/PVE/Network/SDN/Zones.pm | 8
src/PVE/Network/SDN/Zones/Plugin.pm | 7 +++
src/PVE/Network/SDN/Zones/SimplePlugin.pm | 8 +++-
3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Network/SDN/Zones.pm b
Signed-off-by: Stefan Hanreich
---
src/PVE/Network/SDN/Dhcp/Plugin.pm | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/PVE/Network/SDN/Dhcp/Plugin.pm
b/src/PVE/Network/SDN/Dhcp/Plugin.pm
index b99f598..6e985cd 100644
--- a/src/PVE/Network/SDN/Dhcp/Plugin.pm
Changes from v1 -> v2:
* rebased branch, everything else unchanged
pve-network:
Stefan Hanreich (3):
dhcp: fix function signatures in abstract class
zones: add method for getting MTU
dhcp: dnsmasq: send mtu option via dhcp
src/PVE/Network/SDN/Dhcp.pm | 2 +-
src/
Explicitly mark the service as simple and remove the PIDFile
attribute, which doesn't do anything with simple services.
Signed-off-by: Stefan Hanreich
---
debian/proxmox-firewall.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/proxmox-firewall.service b/debian
NftClient never waits for the child process to terminate leading to
defunct leftover processes.
Signed-off-by: Stefan Hanreich
---
proxmox-nftables/src/client.rs | 38 --
1 file changed, 9 insertions(+), 29 deletions(-)
diff --git a/proxmox-nftables/src
Add a section that explains how to use the new nftables-based
proxmox-firewall.
Signed-off-by: Stefan Hanreich
---
pve-firewall.adoc | 181 ++
1 file changed, 181 insertions(+)
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index a5e40f9..9fb4e46
Signed-off-by: Stefan Hanreich
---
www/manager6/grid/FirewallOptions.js | 1 +
1 file changed, 1 insertion(+)
diff --git a/www/manager6/grid/FirewallOptions.js
b/www/manager6/grid/FirewallOptions.js
index 0ac9979c4..6aacb47be 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6
the option is set to `1`.
Signed-off-by: Stefan Hanreich
---
This looks a bit awkward, but I wanted to avoid having to re-parse the
configuration when calling from pve-firewall but also avoid having to
load the config manually when calling from qemu-server / pve-container
src/PVE/Firewall.pm
hanges only relevant for the firewall itself)
qemu-server:
Stefan Hanreich (1):
firewall: add handling for new nft firewall
vm-network-scripts/pve-bridge | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
pve-container:
Stefan Hanreich (1):
firewall: add handling for new nft fir
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
vm-network-scripts/pve-bridge | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/vm-network-scripts/pve-bridge b/vm-network-scripts/pve-bridge
index
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
src/PVE/LXC.pm | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 400cf4f..44f5ccf 100644
--- a/src/PVE/LXC.pm
+++ b
Signed-off-by: Stefan Hanreich
---
.gitignore|1 +
debian/control|1 +
proxmox-firewall/Cargo.toml |4 +
proxmox-firewall/tests/input/100.conf | 10 +
proxmox-firewall/tests/input/100.fw
Introduces new nftables configuration option that en/disables the new
nftables firewall.
pve-firewall reads this option and only generates iptables rules when
nftables is set to `0`. Conversely proxmox-firewall only generates
nftables rules when the option is set to `1`.
Signed-off-by: Stefan
Adds an enum containing most of the expressions defined in the
nftables-json schema [1].
[1]
https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#EXPRESSIONS
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan
We create the rules from the firewall config by utilizing the
ToNftRules and ToNftObjects traits to convert the firewall config
structs to nftables objects/chains/rules.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
crate can be used standalone without having to pull in the
proxmox-ve-config crate.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-nftables/src/statement.rs | 71 ++-
1 file changed, 70
Add a thin wrapper around nft, which can be used to run commands
defined by the rust types.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-nftables/src/client.rs | 85 ++
proxmox
for the guest firewall).
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/Cargo.toml| 2 +
proxmox-firewall/src/config.rs | 283 +
proxmox-firewall/src/main.rs | 3
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/resources/ct_helper.json | 52 +
proxmox-ve-config/src/firewall/ct_helper.rs | 115
proxmox-ve-config/src/firewall/mod.rs
a lot easier, since we can
reuse the deserialization logic from serde. Also, we can split the
parsing/deserialization logic from the validation logic.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src
Suggested-By: Fabian Grünbichler
Signed-off-by: Stefan Hanreich
---
.gitignore | 3 ++
Makefile| 70 +
debian/changelog| 5 +++
debian/control | 39 ++
debian
ToNftObjects is basically a conversion trait that converts firewall
config structs into nftables objects. It returns a list of commands
that create the respective nftables objects.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
src/PVE/LXC.pm | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index e688ea6..85800ea 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
vm-network-scripts/pve-bridge | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/vm-network-scripts/pve-bridge b/vm-network-scripts/pve-bridge
index
Adds an enum containing most of the statements defined in the
nftables-json schema [1].
[1]
https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#STATEMENTS
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan
a Vec would
normally do.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-nftables/Cargo.toml| 4 +
proxmox-nftables/src/helper.rs | 190 +
proxmox-nftables/src/lib.rs| 1 +
3
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/host.rs | 372 +
proxmox-ve-config/src/firewall/mod.rs | 1 +
2 files changed, 373 insertions(+)
create mode
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/guest.rs | 237
proxmox-ve-config/src/firewall/mod.rs | 1 +
2 files changed, 238 insertions(+)
create mode
deem it acceptable for now, since that would usually
mean something is amiss with the network configuration and a firewall
won't really do anything then anyway.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/mod.rs| 1 +
proxmox-ve-config/src/firewall/ports.rs | 80
proxmox-ve-config/src/firewall/types/mod.rs | 1 +
proxmox-ve-config/src/firewall/types/port.rs | 181 +++
4 files changed, 263
Adds types for log and (log-)rate-limiting firewall config options as
well as FromStr implementations for parsing them from the config.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/Cargo.toml
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
.cargo/config| 5 +
.gitignore | 6 ++
Cargo.toml | 4
proxmox-ve-config/Cargo.toml | 19
Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-firewall/src/main.rs | 1 +
proxmox-firewall/src/rule.rs | 761 +
proxmox-nftables/src/expression.rs | 4 +
3 files changed, 766 insertions