feat(firewall): add named sets to FirewallConfiguration

apis/networking/v1beta1/firewall/common_types.go

@@ -24,6 +24,10 @@ const (
 	IPValueTypeSubnet IPValueType = "subnet"
 	// IPValueTypeVoid is a void match value.
 	IPValueTypeVoid IPValueType = "void"
+	// IPValueTypeRange is a string representing a range of IPs (eg. 10.0.0.1-10.0.0.20).
+	IPValueTypeRange IPValueType = "range"
+	// IPValueTypeNamedSet is a string representing the name of an IP set (eg. @my_ip_set).
+	IPValueTypeNamedSet IPValueType = "namedset"
 )
 
 // PortValueType is the type of the match value.

apis/networking/v1beta1/firewall/filterrule_types.go

@@ -24,18 +24,30 @@ const (
 	// ActionSetMetaMarkFromCtMark is the action to be applied to the rule.
 	// It is used to set the meta mark from the conntrack mark.
 	ActionSetMetaMarkFromCtMark FilterAction = "metamarkfromctmark"
+	// ActionAccept is the action to be applied to the rule.
+	// ActionAccept accepts the packet.
+	ActionAccept FilterAction = "accept"
+	// ActionDrop is the action to be applied to the rule.
+	// ActionDrop drops the packet.
+	ActionDrop FilterAction = "drop"
+	// ActionReject is the action to be applied to the rule.
+	// ActionReject reject the packet with response.
+	ActionReject FilterAction = "reject"
 )
 
 // FilterRule is a rule to be applied to a filter chain.
 // +kubebuilder:object:generate=true
 type FilterRule struct {
 	// Name is the name of the rule.
 	Name *string `json:"name,omitempty"`
+	// Counter enables the counter for the rule, updated every time the rule is hit.
+	// +kubebuilder:default=true
+	Counter bool `json:"counter"`
 	// Match is the match to be applied to the rule.
 	// They can be multiple and they are applied with an AND operator.
 	Match []Match `json:"match"`
 	// Action is the action to be applied to the rule.
-	// +kubebuilder:validation:Enum=ctmark;metamarkfromctmark
+	// +kubebuilder:validation:Enum=ctmark;metamarkfromctmark;accept;drop;reject
 	Action FilterAction `json:"action"`
 	// Value is the value to be used for the action.
 	Value *string `json:"value,omitempty"`

apis/networking/v1beta1/firewall/set_types.go

@@ -0,0 +1,57 @@
+// Copyright 2019-2025 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// SetDataType is the type of a set element
+// +kubebuilder:validation:Enum=integer;ipv4_addr
+type SetDataType string
+
+// Possible SetDataType values.
+const (
+	SetDataTypeInteger SetDataType = "integer"
+	SetDataTypeIPAddr  SetDataType = "ipv4_addr"
+)
+
+// Set represents a nftables set
+// +kubebuilder:object:generate=true
+type Set struct {
+	// Name is the name of the set.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z][a-zA-Z0-9/\\_.]*$`
+	Name string `json:"name"`
+
+	// KeyType is the type of the set keys.
+	KeyType SetDataType `json:"keyType"`
+
+	// DataType is the type of the set data.
+	// +kubebuilder:validation:Optional
+	DataType *SetDataType `json:"dataType,omitempty"`
+
+	// Elements are the elements of the set.
+	// +kubebuilder:validation:Optional
+	Elements []SetElement `json:"elements,omitempty"`
+}
+
+// SetElement represents an element of a nftables set
+// +kubebuilder:object:generate=true
+type SetElement struct {
+	// Key is the key of the set element.
+	Key string `json:"key"`
+
+	// Data is the data of the set element.
+	// +kubebuilder:validation:Optional
+	Data *string `json:"data,omitempty"`
+}

apis/networking/v1beta1/firewall/table_types.go

@@ -39,4 +39,7 @@ type Table struct {
 	// Family is the family of the table.
 	// +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"
 	Family *TableFamily `json:"family"`
+	// Sets is a list of sets to be applied to the table.
+	// +kubebuilder:validation:Optional
+	Sets []Set `json:"sets,omitempty"`
 }

cmd/gateway/main.go

@@ -215,6 +215,7 @@ func run(cmd *cobra.Command, _ []string) error {
 		[]labels.Set{
 			gateway.ForgeFirewallInternalTargetLabels(),
 			remapping.ForgeFirewallTargetLabels(connoptions.GwOptions.RemoteClusterID),
+			remapping.ForgeFirewallAllTargetLabels(),
 			remapping.ForgeFirewallTargetLabelsIPMappingGw(),
 		},
 	)

deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml

@@ -103,7 +103,15 @@ spec:
                                     enum:
                                     - ctmark
                                     - metamarkfromctmark
+                                    - accept
+                                    - drop
+                                    - reject
                                     type: string
+                                  counter:
+                                    default: true
+                                    description: Counter enables the counter for the
+                                      rule, updated every time the rule is hit.
+                                    type: boolean
                                   match:
                                     description: |-
                                       Match is the match to be applied to the rule.
@@ -203,6 +211,7 @@ spec:
                                     type: string
                                 required:
                                 - action
+                                - counter
                                 - match
                                 type: object
                               type: array
@@ -409,6 +418,48 @@ spec:
                   name:
                     description: Name is the name of the table.
                     type: string
+                  sets:
+                    description: Sets is a list of sets to be applied to the table.
+                    items:
+                      description: Set represents a nftables set
+                      properties:
+                        dataType:
+                          description: DataType is the type of the set data.
+                          enum:
+                          - ipv4_addr
+                          type: string
+                        elements:
+                          description: Elements are the elements of the set.
+                          items:
+                            description: SetElement represents an element of a nftables
+                              set
+                            properties:
+                              data:
+                                description: Data is the data of the set element.
+                                type: string
+                              key:
+                                description: Key is the key of the set element.
+                                type: string
+                            required:
+                            - key
+                            type: object
+                          type: array
+                        keyType:
+                          description: KeyType is the type of the set keys.
+                          enum:
+                          - ipv4_addr
+                          type: string
+                        name:
+                          description: Name is the name of the set.
+                          maxLength: 200
+                          minLength: 1
+                          pattern: ^[a-zA-Z][a-zA-Z0-9/\\_.]*$
+                          type: string
+                      required:
+                      - keyType
+                      - name
+                      type: object
+                    type: array
                 required:
                 - family
                 - name

pkg/firewall/firewallconfiguration_controller.go

@@ -138,7 +138,7 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 		return ctrl.Result{}, err
 	}
 
-	// We need to flush the updates to allow the recreation of updated chains/rules.
+	// We need to flush the updates to allow the recreation of updated chains/rules and the usage of sets in rules.
 	if err = r.NftConnection.Flush(); err != nil {
 		return ctrl.Result{}, err
 	}
@@ -148,6 +148,12 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 	// Enforce table existence.
 	table := addTable(r.NftConnection, &fwcfg.Spec.Table)
 
+	// Add the missing sets
+	if err = addSets(r.NftConnection, fwcfg.Spec.Table.Sets, table); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	// Add the missing chains and rules.
 	if err = addChains(r.NftConnection, fwcfg.Spec.Table.Chains, table); err != nil {
 		return ctrl.Result{}, err
 	}

pkg/firewall/label.go

@@ -21,4 +21,6 @@ const (
 	FirewallSubCategoryTargetKey = "networking.liqo.io/firewall-subcategory"
 	// FirewallUniqueTargetKey is the key used by the firewallconfiguration controller to reconcile only resources related to a single component.
 	FirewallUniqueTargetKey = "networking.liqo.io/firewall-unique"
+	// FirewallAllTargetKey is the key used by the firewallconfiguration controller to reconcile resources related to all components.
+	FirewallAllTargetKey = "networking.liqo.io/firewall-all"
 )