Co-authored-by: Wolfgang Bumiller <w.bumil...@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com> --- proxmox-firewall/src/main.rs | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)
diff --git a/proxmox-firewall/src/main.rs b/proxmox-firewall/src/main.rs
index 53c1289..28aecdf 100644
--- a/proxmox-firewall/src/main.rs
+++ b/proxmox-firewall/src/main.rs
@@ -5,7 +5,41 @@ mod firewall;
 mod object;
 mod rule;
+use firewall::Firewall;
+use proxmox_nftables::NftCtx;
+
+const RULE_BASE: &str = include_str!("../resources/proxmox-firewall.nft");
+
 fn main() -> Result<(), Error> {
 env_logger::init();
+
+ let mut nft = NftCtx::new()?;
+ let firewall = Firewall::new()?;
+
+ if !firewall.is_enabled() {
+ log::info!("Removing existing firewall rules");
+ let commands = firewall.remove_firewall();
+
+ // can ignore failures, since it fails when table does not exist
+ let _ = nft.run_commands(&commands);
+
+ return Ok(());
+ }
+
+ let commands = firewall.full_host_fw()?;
+
+ log::info!("Running proxmox-firewall.nft");
+ let got = nft.run_nft_commands(RULE_BASE)?;
+ log::info!("got response from nftables: {got:?}");
+
+ log::info!("Running proxmox-firewall commands");
+
+ for (idx, c) in commands.iter().enumerate() {
+ log::debug!("cmd #{idx} {}", serde_json::to_string(&c)?);
+ }
+
+ let got = nft.run_commands(&commands)?;
+ log::info!("got response from nftables: {got:?}");
+
 Ok(())
 }
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
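Review bot: In the disabled-firewall branch, `let _ = nft.run_commands(&commands);` discards every error, not only the "table does not exist" case the comment anticipates, so a failure to actually remove the existing ruleset (presumably possible for reasons unrelated to a missing table) leaves rules in place while main() still returns Ok with nothing in the log. Keeping the best-effort semantics but recording the outcome would be enough: `if let Err(err) = nft.run_commands(&commands) {` / `    log::debug!("removing firewall rules failed (table may not exist yet): {err}");` / `}`. As a point of style, `c` in the debug loop is already a reference from `.iter()`, so `serde_json::to_string(&c)` can be `serde_json::to_string(c)`, and the two `log::info!("got response from nftables: {got:?}")` lines dump the full nftables reply at info level on every run, which probably belongs at debug like the per-command output above it.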