liqotech
diff --git a/‎apis/networking/v1beta1/firewall/common_types.go‎
Lines changed: 2 additions & 0 deletions b/‎apis/networking/v1beta1/firewall/common_types.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎apis/networking/v1beta1/firewall/set_types.go‎
Lines changed: 56 additions & 0 deletions b/‎apis/networking/v1beta1/firewall/set_types.go‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎apis/networking/v1beta1/firewall/table_types.go‎
Lines changed: 3 additions & 0 deletions b/‎apis/networking/v1beta1/firewall/table_types.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml‎
Lines changed: 42 additions & 0 deletions b/‎deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎pkg/firewall/firewallconfiguration_controller.go‎
Lines changed: 7 additions & 1 deletion b/‎pkg/firewall/firewallconfiguration_controller.go‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎pkg/firewall/set.go‎
Lines changed: 238 additions & 0 deletions b/‎pkg/firewall/set.go‎
Lines changed: 238 additions & 0 deletions
diff --git a/‎pkg/firewall/table.go‎
Lines changed: 6 additions & 0 deletions b/‎pkg/firewall/table.go‎
Lines changed: 6 additions & 0 deletions
@@ -26,6 +26,8 @@ const (
 	IPValueTypeVoid IPValueType = "void"
 	// IPValueTypeRange is a string representing a range of IPs (eg. 10.0.0.1-10.0.0.20).
 	IPValueTypeRange IPValueType = "range"
+	// IPValueTypeNamedSet is a string representing the name of an IP set (eg. @my_ip_set).
+	IPValueTypeNamedSet IPValueType = "namedset"
 )
 
 // PortValueType is the type of the match value.
 
@@ -0,0 +1,56 @@
+// Copyright 2019-2025 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// SetDataType is the type of a set element
+// +kubebuilder:validation:Enum="ipv4_addr"
+type SetDataType string
+
+// Possible SetDataType values.
+const (
+	SetTypeIPAddr SetDataType = "ipv4_addr"
+)
+
+// Set represents a nftables set
+// +kubebuilder:object:generate=true
+type Set struct {
+	// Name is the name of the set.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z][a-zA-Z0-9/\\_.]*$`
+	Name string `json:"name"`
+
+	// KeyType is the type of the set keys.
+	KeyType SetDataType `json:"keyType"`
+
+	// DataType is the type of the set data.
+	// +kubebuilder:validation:Optional
+	DataType *SetDataType `json:"dataType,omitempty"`
+
+	// Elements are the elements of the set.
+	// +kubebuilder:validation:Optional
+	Elements []SetElement `json:"elements,omitempty"`
+}
+
+// SetElement represents an element of a nftables set
+// +kubebuilder:object:generate=true
+type SetElement struct {
+	// Key is the key of the set element.
+	Key string `json:"key"`
+
+	// Data is the data of the set element.
+	// +kubebuilder:validation:Optional
+	Data *string `json:"data,omitempty"`
+}
@@ -39,4 +39,7 @@ type Table struct {
 	// Family is the family of the table.
 	// +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"
 	Family *TableFamily `json:"family"`
+	// Sets is a list of sets to be applied to the table.
+	// +kubebuilder:validation:Optional
+	Sets []Set `json:"sets,omitempty"`
 }
@@ -418,6 +418,48 @@ spec:
                   name:
                     description: Name is the name of the table.
                     type: string
+                  sets:
+                    description: Sets is a list of sets to be applied to the table.
+                    items:
+                      description: Set represents a nftables set
+                      properties:
+                        dataType:
+                          description: DataType is the type of the set data.
+                          enum:
+                          - ipv4_addr
+                          type: string
+                        elements:
+                          description: Elements are the elements of the set.
+                          items:
+                            description: SetElement represents an element of a nftables
+                              set
+                            properties:
+                              data:
+                                description: Data is the data of the set element.
+                                type: string
+                              key:
+                                description: Key is the key of the set element.
+                                type: string
+                            required:
+                            - key
+                            type: object
+                          type: array
+                        keyType:
+                          description: KeyType is the type of the set keys.
+                          enum:
+                          - ipv4_addr
+                          type: string
+                        name:
+                          description: Name is the name of the set.
+                          maxLength: 200
+                          minLength: 1
+                          pattern: ^[a-zA-Z][a-zA-Z0-9/\\_.]*$
+                          type: string
+                      required:
+                      - keyType
+                      - name
+                      type: object
+                    type: array
                 required:
                 - family
                 - name
 
@@ -138,7 +138,7 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 		return ctrl.Result{}, err
 	}
 
-	// We need to flush the updates to allow the recreation of updated chains/rules.
+	// We need to flush the updates to allow the recreation of updated chains/rules and the usage of sets in rules.
 	if err = r.NftConnection.Flush(); err != nil {
 		return ctrl.Result{}, err
 	}
@@ -148,6 +148,12 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 	// Enforce table existence.
 	table := addTable(r.NftConnection, &fwcfg.Spec.Table)
 
+	// Add the missing sets
+	if err = addSets(r.NftConnection, fwcfg.Spec.Table.Sets, table); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	// Add the missing chains and rules.
 	if err = addChains(r.NftConnection, fwcfg.Spec.Table.Chains, table); err != nil {
 		return ctrl.Result{}, err
 	}
 
@@ -0,0 +1,238 @@
+// Copyright 2019-2025 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+import (
+	"fmt"
+
+	"github.com/google/nftables"
+	firewallapi "github.com/liqotech/liqo/apis/networking/v1beta1/firewall"
+	"github.com/liqotech/liqo/pkg/firewall/utils"
+)
+
+// cleanSets removes the sets that are no longer used in the firewall configuration and updates the existing ones if their elements differ from the wanted elements.
+func cleanSets(nftconn *nftables.Conn, table *firewallapi.Table) error {
+	// Find the table by name and family
+	nftTables, err := nftconn.ListTablesOfFamily(getTableFamily(*table.Family))
+	if err != nil {
+		return err
+	}
+
+	var nftTable *nftables.Table
+	for _, t := range nftTables {
+		if t.Name == *table.Name {
+			nftTable = t
+			break
+		}
+	}
+
+	if nftTable == nil {
+		// Table does not exist, nothing to clean
+		return nil
+	}
+
+	// Get all existing sets in the table
+	nftSets, err := nftconn.GetSets(nftTable)
+	if err != nil {
+		return err
+	}
+
+	// Remove sets that are no longer used.
+	if err := removeOutdatedSets(nftconn, nftSets, table); err != nil {
+		return err
+	}
+
+	// Update existing sets if their elements differ from the wanted elements.
+	if err := updateSetElements(nftconn, nftSets, table); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// removeOutdatedSets removes the sets that are no longer used in the firewall configuration.
+func removeOutdatedSets(nftconn *nftables.Conn, nftSets []*nftables.Set, table *firewallapi.Table) error {
+	// Delete sets that are not used anymore in the table
+	usedSetNames := make(map[string]interface{})
+	for _, set := range table.Sets {
+		usedSetNames[set.Name] = nil
+	}
+
+	for _, nftSet := range nftSets {
+		if _, used := usedSetNames[nftSet.Name]; !used {
+			// Set is not used anymore, delete it
+			nftconn.DelSet(nftSet)
+		}
+	}
+
+	return nil
+}
+
+// updateSetElements updates the elements of an existing set, if they differ from the wanted elements.
+func updateSetElements(nftconn *nftables.Conn, nftSets []*nftables.Set, table *firewallapi.Table) error {
+	for _, set := range table.Sets {
+		// Find the corresponding nftables.Set
+		var nftSet *nftables.Set
+		for _, ns := range nftSets {
+			if ns.Name == set.Name {
+				nftSet = ns
+				break
+			}
+		}
+
+		if nftSet == nil {
+			// Set does not exist, skip
+			continue
+		}
+
+		// Get existing elements of the set
+		existingElements, err := nftconn.GetSetElements(nftSet)
+		if err != nil {
+			return err
+		}
+
+		// Get wanted elements of the set
+		wantedElements, err := genSetElements(&set)
+		if err != nil {
+			return err
+		}
+
+		// Check if the set is outdated
+		if isSetOutdated(existingElements, wantedElements) {
+			// Remove the existing elements and add the wanted ones
+			if err := nftconn.SetDeleteElements(nftSet, existingElements); err != nil {
+				return err
+			}
+			if err := nftconn.SetAddElements(nftSet, wantedElements); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+// isSetOutdated checks if the existing set elements differ from the wanted set elements.
+func isSetOutdated(existingElements []nftables.SetElement, wantedElements []nftables.SetElement) bool {
+	// If the lengths differ, the set is outdated.
+	if len(existingElements) != len(wantedElements) {
+		return true
+	}
+
+	// Build a map of existing elements for quick lookup.
+	existingElementsMap := make(map[string]string)
+	for _, element := range existingElements {
+		existingElementsMap[string(element.Key)] = string(element.Val)
+	}
+
+	// Check if any wanted element is missing or differs in value.
+	for _, wantedElement := range wantedElements {
+		val, exists := existingElementsMap[string(wantedElement.Key)]
+		if !exists || val != string(wantedElement.Val) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// addSets adds the sets that are missing in the nftables configuration.
+func addSets(nftconn *nftables.Conn, sets []firewallapi.Set, nftTable *nftables.Table) error {
+	nftSets, err := nftconn.GetSets(nftTable)
+	if err != nil {
+		return err
+	}
+	existingSetNames := make(map[string]struct{})
+	for _, nftSet := range nftSets {
+		existingSetNames[nftSet.Name] = struct{}{}
+	}
+
+	for _, set := range sets {
+		if _, exists := existingSetNames[set.Name]; !exists {
+			_, err := addSet(nftconn, nftTable, &set)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// addSet adds a new set to the nftables configuration.
+func addSet(nftconn *nftables.Conn, table *nftables.Table, set *firewallapi.Set) (*nftables.Set, error) {
+	dataType, err := getSetDataType(set.DataType)
+	if err != nil {
+		return nil, err
+	}
+
+	keyType, err := getSetDataType(&set.KeyType)
+	if err != nil {
+		return nil, err
+	}
+
+	nftSet := &nftables.Set{
+		Table:    table,
+		Name:     set.Name,
+		KeyType:  keyType,
+		DataType: dataType,
+	}
+
+	setData, err := genSetElements(set)
+	if err != nil {
+		return nil, err
+	}
+
+	err = nftconn.AddSet(nftSet, setData)
+	if err != nil {
+		return nil, err
+	}
+
+	return nftSet, nil
+}
+
+func genSetElements(set *firewallapi.Set) ([]nftables.SetElement, error) {
+	setData := make([]nftables.SetElement, len(set.Elements))
+	for i, element := range set.Elements {
+		data, err := utils.ConvertSetData(element.Data, set.DataType)
+		if err != nil {
+			return nil, fmt.Errorf("unable to convert set element data: %v", err)
+		}
+
+		key, err := utils.ConvertSetData(&element.Key, &set.KeyType)
+		if err != nil {
+			return nil, fmt.Errorf("unable to convert set element key: %v", err)
+		}
+
+		setData[i] = nftables.SetElement{
+			Key: key,
+			Val: data,
+		}
+	}
+
+	return setData, nil
+}
+
+func getSetDataType(dataType *firewallapi.SetDataType) (nftables.SetDatatype, error) {
+	if dataType == nil {
+		return nftables.SetDatatype{}, nil
+	}
+
+	switch *dataType {
+	case firewallapi.SetTypeIPAddr:
+		return nftables.TypeIPAddr, nil
+	default:
+		return nftables.SetDatatype{}, fmt.Errorf("unsupported set data type: %s", *dataType)
+	}
+}
@@ -78,6 +78,12 @@ func cleanTable(nftconn *nftables.Conn, table *firewallapi.Table) error {
 			return err
 		}
 	}
+
+	// Delete sets that are not used anymore in the table.
+	if err := cleanSets(nftconn, table); err != nil {
+		return err
+	}
+
 	return nil
 }
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ const (`
`26`	`26`	`IPValueTypeVoid IPValueType = "void"`
`27`	`27`	`// IPValueTypeRange is a string representing a range of IPs (eg. 10.0.0.1-10.0.0.20).`
`28`	`28`	`IPValueTypeRange IPValueType = "range"`
	`29`	`+ // IPValueTypeNamedSet is a string representing the name of an IP set (eg. @my_ip_set).`
	`30`	`+ IPValueTypeNamedSet IPValueType = "namedset"`
`29`	`31`	`)`
`30`	`32`
`31`	`33`	`// PortValueType is the type of the match value.`
Original file line number	Diff line number	Diff line change
`@@ -39,4 +39,7 @@ type Table struct {`
`39`	`39`	`// Family is the family of the table.`
`40`	`40`	`// +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"`
`41`	`41`	Family *TableFamily `json:"family"`
	`42`	`+ // Sets is a list of sets to be applied to the table.`
	`43`	`+ // +kubebuilder:validation:Optional`
	`44`	+ Sets []Set `json:"sets,omitempty"`
`42`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr`
`138`	`138`	`return ctrl.Result{}, err`
`139`	`139`	`}`
`140`	`140`
`141`		`- // We need to flush the updates to allow the recreation of updated chains/rules.`
	`141`	`+ // We need to flush the updates to allow the recreation of updated chains/rules and the usage of sets in rules.`
`142`	`142`	`if err = r.NftConnection.Flush(); err != nil {`
`143`	`143`	`return ctrl.Result{}, err`
`144`	`144`	`}`
`@@ -148,6 +148,12 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr`
`148`	`148`	`// Enforce table existence.`
`149`	`149`	`table := addTable(r.NftConnection, &fwcfg.Spec.Table)`
`150`	`150`
	`151`	`+ // Add the missing sets`
	`152`	`+ if err = addSets(r.NftConnection, fwcfg.Spec.Table.Sets, table); err != nil {`
	`153`	`+ return ctrl.Result{}, err`
	`154`	`+ }`
	`155`	`+`
	`156`	`+ // Add the missing chains and rules.`
`151`	`157`	`if err = addChains(r.NftConnection, fwcfg.Spec.Table.Chains, table); err != nil {`
`152`	`158`	`return ctrl.Result{}, err`
`153`	`159`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,12 @@ func cleanTable(nftconn nftables.Conn, table firewallapi.Table) error {`
`78`	`78`	`return err`
`79`	`79`	`}`
`80`	`80`	`}`
	`81`	`+`
	`82`	`+ // Delete sets that are not used anymore in the table.`
	`83`	`+ if err := cleanSets(nftconn, table); err != nil {`
	`84`	`+ return err`
	`85`	`+ }`
	`86`	`+`
`81`	`87`	`return nil`
`82`	`88`	`}`
`83`	`89`