nftables: types: add conversion traits

Some parts of the firewall config map directly to nftables objects, so we introduce conversion traits for convenient conversion into the respective nftables objects / types. They are guarded behind a feature, so the nftables crate can be used standalone without depending on the proxmox-ve-config crate. Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2025-08-14 00:28:28 +00:00 · 2024-03-29 16:52:06 +01:00 · 2024-03-29 16:52:06 +01:00 · 74602577f5
commit 74602577f5
parent 6b40860fd5
1 changed files with 79 additions and 1 deletions
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@ -7,6 +7,12 @@ use crate::{Expression, Statement};

 use serde::{Deserialize, Serialize};

+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::address::Family;
+
+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::ipset::IpsetName;
+
 #[cfg(feature = "config-ext")]
 use proxmox_ve_config::guest::types::Vmid;

@ -33,6 +39,15 @@ impl TableFamily {
            _ => vec![IpFamily::Ip, IpFamily::Ip6],
        }
    }
+
+    #[cfg(feature = "config-ext")]
+    pub fn families(&self) -> Vec<Family> {
+        match self {
+            TableFamily::Ip => vec![Family::V4],
+            TableFamily::Ip6 => vec![Family::V6],
+            _ => vec![Family::V4, Family::V6],
+        }
+    }
 }

 #[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
@ -157,6 +172,21 @@ pub enum RateTimescale {
    Day,
 }

+#[cfg(feature = "config-ext")]
+use proxmox_ve_config::firewall::types::log::LogRateLimitTimescale;
+
+#[cfg(feature = "config-ext")]
+impl From<LogRateLimitTimescale> for RateTimescale {
+    fn from(value: LogRateLimitTimescale) -> Self {
+        match value {
+            LogRateLimitTimescale::Second => RateTimescale::Second,
+            LogRateLimitTimescale::Minute => RateTimescale::Minute,
+            LogRateLimitTimescale::Hour => RateTimescale::Hour,
+            LogRateLimitTimescale::Day => RateTimescale::Day,
+        }
+    }
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct TableName {
    family: TableFamily,
@ -586,6 +616,44 @@ impl SetName {
            name: name.into(),
        }
    }
+
+    pub fn name(&self) -> &str {
+        self.name.as_ref()
+    }
+
+    #[cfg(feature = "config-ext")]
+    pub fn ipset_name(
+        family: Family,
+        name: &IpsetName,
+        vmid: Option<Vmid>,
+        nomatch: bool,
+    ) -> String {
+        use proxmox_ve_config::firewall::types::ipset::IpsetScope;
+
+        let prefix = match family {
+            Family::V4 => "v4",
+            Family::V6 => "v6",
+        };
+
+        let name = match name.scope() {
+            IpsetScope::Datacenter => name.to_string(),
+            IpsetScope::Guest => {
+                if let Some(vmid) = vmid {
+                    format!("guest-{vmid}/{}", name.name())
+                } else {
+                    log::warn!("Creating IPSet for guest without vmid parameter!");
+                    name.to_string()
+                }
+            }
+        };
+
+        let suffix = match nomatch {
+            true => "-nomatch",
+            false => "",
+        };
+
+        format!("{prefix}-{name}{suffix}")
+    }
 }

 #[derive(Clone, Debug, Deserialize, Serialize)]
@ -788,7 +856,17 @@ pub enum L3Protocol {
    Ip6,
 }

-#[derive(Clone, Debug, Deserialize, Serialize)]
+#[cfg(feature = "config-ext")]
+impl From<Family> for L3Protocol {
+    fn from(value: Family) -> Self {
+        match value {
+            Family::V4 => L3Protocol::Ip,
+            Family::V6 => L3Protocol::Ip6,
+        }
+    }
+}
+
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
 #[serde(rename_all = "lowercase")]
 pub enum CtHelperProtocol {
    TCP,