Commit Graph

13 Commits

Author SHA1 Message Date
Stefan Hanreich
d409750487 config: nftables: add support for icmp-type any
We support any as wildcard for matching all icmp types. Implement
parsing logic for parsing the any value and support converting the any
value into an nftables expression.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-25 19:21:50 +02:00
Stefan Hanreich
6a824765a7 firewall: properly handle REJECT rules
Currently we generate DROP statements for all rules involving REJECT.
We only need to generate DROP when in the postrouting chain of tables
with type bridge, since REJECT is disallowed there. Otherwise we jump
into the do-reject chain which properly handles rejects for different
protocol types.

Reported-By: Stefan Sterz <s.sterz@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-23 18:33:15 +02:00
Stefan Hanreich
7438bb262a firewall: wait for nft process
NftClient never waits for the child process to terminate, leading to
defunct leftover processes.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-19 19:41:23 +02:00
Stefan Hanreich
874c4d8d86 firewall: add rule generation logic
ToNftRules is basically a conversion trait for firewall config structs
to convert them into the respective nftables statements.

We are passing a list of rules to the method, which then modifies the
list of rules such that all relevant rules in the list have statements
appended that apply the configured constraints from the firewall
config.

This is particularly relevant for the rule generation logic for
ipsets. Due to how sets work in nftables we need to generate two rules
for every ipset: a rule for the v4 ipset and a rule for the v6 ipset.
This is because sets can only contain either v4 or v6 addresses. By
passing a list of all generated rules we can duplicate all rules and
then add a statement for the v4 or v6 set respectively.

This also enables us to start with multiple rules, which is required
for using log statements in conjunction with limit statements.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:46:43 +02:00
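
The rule-list approach this commit message describes, as an added sketch that is not code from the repository: each config item edits the whole list of rules, so an ipset match can split every rule into a v4 and a v6 copy while the list starts with a log rule and a verdict rule. The `Rule`, `SourceIpset` and `DestPort` types, the `v4-`/`v6-` set name prefixes and the log prefix are assumptions made for the illustration.

```rust
// Added illustration: every type, field and set name here is hypothetical.
#[derive(Clone)]
struct Rule {
    matches: Vec<String>, // match expressions, rendered before the action
    action: String,       // verdict, or limit + log
}
// Modeled on the commit message: a config item edits the whole rule list.
trait ToNftRules {
    fn to_nft_rules(&self, rules: &mut Vec<Rule>);
}
struct SourceIpset(&'static str);
struct DestPort(u16);
impl ToNftRules for SourceIpset {
    // A set holds only v4 or only v6 addresses, so each rule is split in two.
    fn to_nft_rules(&self, rules: &mut Vec<Rule>) {
        let mut out = Vec::with_capacity(rules.len() * 2);
        for rule in rules.drain(..) {
            for (family, prefix) in [("ip", "v4"), ("ip6", "v6")] {
                let mut copy = rule.clone();
                copy.matches.push(format!("{} saddr @{}-{}", family, prefix, self.0));
                out.push(copy);
            }
        }
        *rules = out;
    }
}
impl ToNftRules for DestPort {
    // A plain constraint is appended to every rule; nothing is duplicated.
    fn to_nft_rules(&self, rules: &mut Vec<Rule>) {
        for rule in rules.iter_mut() { rule.matches.push(format!("tcp dport {}", self.0)); }
    }
}

// Start from two rules (rate-limited log, then verdict), apply each constraint.
fn build_rules(constraints: &[&dyn ToNftRules]) -> Vec<String> {
    let actions = ["limit rate 1/second log prefix \"in-accept: \"", "accept"];
    let mut rules: Vec<Rule> = actions.iter()
        .map(|a| Rule { matches: vec![], action: a.to_string() }).collect();
    for c in constraints { c.to_nft_rules(&mut rules); }
    rules.iter().map(|r| {
        let mut parts = r.matches.clone();
        parts.push(r.action.clone());
        parts.join(" ")
    }).collect()
}

fn main() {
    let (set, port) = (SourceIpset("management"), DestPort(22));
    println!("{}", build_rules(&[&set as &dyn ToNftRules, &port]).join("\n"));
}
```

With one ipset constraint the two starting rules become four, and every later constraint lands on all four, so the v6 path cannot end up with fewer restrictions than the v4 path.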
Stefan Hanreich
a4c504dcb8 nftables: add nft client
Add a thin wrapper around nft, which can be used to run commands
defined by the Rust types.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:46:21 +02:00
Stefan Hanreich
74602577f5 nftables: types: add conversion traits
Some parts of the firewall config map directly to nftables objects, so
we introduce conversion traits for convenient conversion into the
respective nftables objects / types.

They are guarded behind a feature, so the nftables crate can be used
standalone without depending on the proxmox-ve-config crate.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:46:15 +02:00
Stefan Hanreich
6b40860fd5 nftables: commands: add types
Add Rust types for most of the nftables commands as defined by
libnftables-json [1].

Different commands require different keys to be set for the same type
of object. E.g. deleting an object usually only requires a name +
name of the container (table/chain/rule). Creating an object usually
requires a few more keys, depending on the type of object created.

In order to be able to model the different objects for the different
commands, I've created specific models for a command where necessary.
Parts that are common across multiple commands (e.g. names) have been
moved to their own structs, so they can be reused.

[1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#COMMAND_OBJECTS

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
2024-04-18 21:46:09 +02:00
Stefan Hanreich
613c4b1424 nftables: statement: add conversion traits for config types
Some types from the firewall configuration map directly onto nftables
statements. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.

As with the expressions, those are guarded behind a feature so the
nftables crate can be used standalone without having to pull in the
proxmox-ve-config crate.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:46:04 +02:00
Stefan Hanreich
50f7b40151 nftables: statement: add types
Adds an enum containing most of the statements defined in the
nftables-json schema [1].

[1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#STATEMENTS

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:45:58 +02:00
Stefan Hanreich
e755a1b9e6 nftables: expression: implement conversion traits for firewall config
Some types from the firewall configuration map directly onto nftables
expressions. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.

Those are guarded behind a feature so the nftables crate can be used
standalone without having to pull in the proxmox-ve-config crate.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:45:53 +02:00
Stefan Hanreich
a3dc42104b nftables: expression: add types
Adds an enum containing most of the expressions defined in the
nftables-json schema [1].

[1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#EXPRESSIONS

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
2024-04-18 21:45:44 +02:00
Stefan Hanreich
3032d75d36 nftables: add helpers
Several objects, statements and expressions in nftables-json require
null values, for instance:

    { "flush": { "ruleset": null }}

For this purpose we define our own Null type, which we can then easily
use for defining types that accept Null as value.

Several keys accept as value either a singular element (string or
object) if there is only one object, but an array if there are
multiple objects. For instance when adding a single element to a set:

    { "element": {
        ...
        "elem": "element1"
    }}

but when adding multiple elements:

    { "element": {
        ...
        "elem": ["element1", "element2"]
    }}

NfVec<T> is a wrapper for Vec<T> that serializes into T iff Vec
contains one element, otherwise it serializes like a Vec would
normally do.

Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-18 21:45:39 +02:00
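
The two serialization rules from this commit message, as an added sketch that is not the crate's own code: a `Null` value, and an `NfVec` that emits a bare value for exactly one element and an array otherwise (an empty vector included). The hand-written `ToJson` trait stands in for the crate's serialization layer; the `inet` family and the table and set names are constructed sample values.

```rust
// Added illustration: ToJson, Null and NfVec are stand-ins written for this
// example, not the nftables crate's own types or serialization code.
trait ToJson {
    fn to_json(&self) -> String;
}

impl<'a> ToJson for &'a str {
    // Escape quotes, backslashes and control characters.
    fn to_json(&self) -> String {
        let mut out = String::from("\"");
        for c in self.chars() {
            match c {
                '"' => out.push_str("\\\""),
                '\\' => out.push_str("\\\\"),
                c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
                c => out.push(c),
            }
        }
        out + "\""
    }
}
struct Null;
impl ToJson for Null { fn to_json(&self) -> String { "null".to_string() } }
struct NfVec<T>(Vec<T>);
impl<T: ToJson> ToJson for NfVec<T> {
    fn to_json(&self) -> String {
        match self.0.as_slice() {
            [single] => single.to_json(), // exactly one element: bare value
            many => {                     // zero, or two and more: plain array
                let items: Vec<String> = many.iter().map(|e| e.to_json()).collect();
                format!("[{}]", items.join(","))
            }
        }
    }
}

fn flush_ruleset() -> String {
    format!("{{\"flush\":{{\"ruleset\":{}}}}}", Null.to_json())
}

// "family", "table", "name" and "elem" are the element keys in libnftables-json.
fn add_element(table: &str, set: &str, elems: &NfVec<&str>) -> String {
    format!("{{\"add\":{{\"element\":{{\"family\":\"inet\",\"table\":{},\"name\":{},\"elem\":{}}}}}}}",
        table.to_json(), set.to_json(), elems.to_json())
}

fn main() {
    println!("{}", flush_ruleset());
    println!("{}", add_element("filter", "allowed", &NfVec(vec!["10.0.0.1", "10.0.0.2"])));
}
```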
Stefan Hanreich
c1589cc796 nftables: add crate for libnftables bindings
Co-authored-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Max Carrara <m.carrara@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-18 21:45:34 +02:00