firewall: add bridge firewall config parser

We introduce a new type of firewall config file that can be used for defining rules on bridge-level, similar to the existing cluster/host/vm configuration files. Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Tested-by: Hannes Dürr <h.duerr@proxmox.com>
2025-10-04 04:38:49 +00:00 · 2024-11-15 13:10:53 +01:00 · 2024-11-15 13:10:53 +01:00 · b44e3d69f9
commit b44e3d69f9
parent 944087250c
1 changed files with 64 additions and 0 deletions
--- a/proxmox-ve-config/src/firewall/bridge.rs
+++ b/proxmox-ve-config/src/firewall/bridge.rs
@ -0,0 +1,64 @@
+use std::io;
+
+use anyhow::Error;
+use serde::Deserialize;
+
+use crate::firewall::parse::serde_option_bool;
+use crate::firewall::types::log::LogLevel;
+use crate::firewall::types::rule::{Direction, Verdict};
+
+use super::common::ParserConfig;
+use super::types::Rule;
+
+pub struct Config {
+    pub(crate) config: super::common::Config<Options>,
+}
+
+/// default return value for [`Config::enabled()`]
+pub const BRIDGE_ENABLED_DEFAULT: bool = false;
+/// default return value for [`Config::policy_forward()`]
+pub const BRIDGE_POLICY_FORWARD: Verdict = Verdict::Accept;
+
+impl Config {
+    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
+        let parser_config = ParserConfig {
+            guest_iface_names: false,
+            ipset_scope: None,
+            allowed_directions: vec![Direction::Forward],
+        };
+
+        Ok(Self {
+            config: super::common::Config::parse(input, &parser_config)?,
+        })
+    }
+
+    pub fn enabled(&self) -> bool {
+        self.config.options.enable.unwrap_or(BRIDGE_ENABLED_DEFAULT)
+    }
+
+    pub fn rules(&self) -> impl Iterator<Item = &Rule> + '_ {
+        self.config.rules.iter()
+    }
+
+    pub fn log_level_forward(&self) -> LogLevel {
+        self.config.options.log_level_forward.unwrap_or_default()
+    }
+
+    pub fn policy_forward(&self) -> Verdict {
+        self.config
+            .options
+            .policy_forward
+            .unwrap_or(BRIDGE_POLICY_FORWARD)
+    }
+}
+
+#[derive(Debug, Default, Deserialize)]
+#[cfg_attr(test, derive(Eq, PartialEq))]
+pub struct Options {
+    #[serde(default, with = "serde_option_bool")]
+    enable: Option<bool>,
+
+    policy_forward: Option<Verdict>,
+
+    log_level_forward: Option<LogLevel>,
+}