From: Dietmar Maurer
To: pve-devel@lists.proxmox.com
Subject: [RFC proxmox 00/22] New crate for firewall api types
Date: Mon, 16 Feb 2026 11:43:38 +0100
Message-ID: <20260216104401.3959270-1-dietmar@proxmox.com>

The current PVE firewall implementation is written in Perl, and Rust type definitions can be auto-generated from its API schemas. However, many of the more complex types are represented as opaque strings, which limits type safety. Verifiers for complex types like ports and address matches cannot be generated automatically, so we need to implement them manually anyway.

To address this, the crate provides hand-crafted Rust types that parse and validate these string-encoded values into proper enums and structs, while remaining fully compatible with the existing API wire format.

The initial type definitions were seeded from the auto-generated `pve-api-types` crate and then refined by hand.

Types from proxmox-ve-rs/proxmox-ve-config/src/firewall/ are not really designed to be used directly, as they are not fully compatible with the API wire format. They also depend on system crates (nix, proxmox-sys, etc.) which we want to avoid for this crate. I tried to reuse some of those types, but in many cases it was easier to use types generated from the Perl API schemas as a starting point and then modify them as needed.

Dependencies are minimal, so that we can use this crate for wasm targets (GUI).

This series depends on the CommaSeparatedList patch sent recently.

Dietmar Maurer (22):
  firewall-api-types: add new crate for firewall api types
  firewall-api-types: add README.md
  firewall-api-types: add firewall policy types
  firewall-api-types: add logging types
  firewall-api-types: add FirewallClusterOptions
  firewall-api-types: add FirewallGuestOptions
  firewall-api-types: add FirewallConntrackHelper enum
  firewall-api-types: add FirewallNodeOptions struct
  firewall-api-types: add FirewallRef type
  firewall-api-types: add FirewallPortList types
  firewall-api-types: add FirewallIcmpType
  firewall-api-types: add FirewallIpsetReference type
  firewall-api-types: add FirewallAliasReference type
  firewall-api-types: add firewall address types
  firewall-api-types: add FirewallRule type
  firewall-api-types: use ConfigDigest from proxmox-config-digest crate
  firewall-api-types: use COMMENT_SCHEMA from proxmox-schema crate
  firewall-api-types: add FirewallRuleUpdater type
  firewall-api-types: refactor FirewallRule and add FirewallRuleListEntry
  firewall-api-types: add DeletableFirewallRuleProperty enum
  firewall-api-types: add FirewallAliasEntry API type
  firewall-api-types: add FirewallIpsetListEntry and FirewallIpsetEntry api types

 Cargo.toml                                  |   1 +
 proxmox-firewall-api-types/Cargo.toml       |  30 +
 proxmox-firewall-api-types/README.md        |  54 ++
 proxmox-firewall-api-types/debian/changelog |   5 +
 proxmox-firewall-api-types/debian/control   |  52 ++
 proxmox-firewall-api-types/debian/copyright |  18 +
 .../debian/debcargo.toml                    |   7 +
 proxmox-firewall-api-types/src/address.rs   | 229 +++++++
 proxmox-firewall-api-types/src/alias.rs     | 181 ++++++
 .../src/cluster_options.rs                  |  61 ++
 proxmox-firewall-api-types/src/conntrack.rs |  52 ++
 .../src/firewall_ref.rs                     |  62 ++
 .../src/guest_options.rs                    |  97 +++
 proxmox-firewall-api-types/src/icmp_type.rs | 559 ++++++++++++++++++
 proxmox-firewall-api-types/src/ipset.rs     | 254 ++++++++
 proxmox-firewall-api-types/src/lib.rs       |  46 +
 proxmox-firewall-api-types/src/log.rs       | 312 ++++++++++
 .../src/node_options.rs                     | 240 ++++++++
 proxmox-firewall-api-types/src/policy.rs    | 151 +++++
 proxmox-firewall-api-types/src/port.rs      | 177 ++++++
 proxmox-firewall-api-types/src/rule.rs      | 351 +++++++++++
 21 files changed, 2939 insertions(+)
 create mode 100644 proxmox-firewall-api-types/Cargo.toml
 create mode 100644 proxmox-firewall-api-types/README.md
 create mode 100644 proxmox-firewall-api-types/debian/changelog
 create mode 100644 proxmox-firewall-api-types/debian/control
 create mode 100644 proxmox-firewall-api-types/debian/copyright
 create mode 100644 proxmox-firewall-api-types/debian/debcargo.toml
 create mode 100644 proxmox-firewall-api-types/src/address.rs
 create mode 100644 proxmox-firewall-api-types/src/alias.rs
 create mode 100644 proxmox-firewall-api-types/src/cluster_options.rs
 create mode 100644 proxmox-firewall-api-types/src/conntrack.rs
 create mode 100644 proxmox-firewall-api-types/src/firewall_ref.rs
 create mode 100644 proxmox-firewall-api-types/src/guest_options.rs
 create mode 100644 proxmox-firewall-api-types/src/icmp_type.rs
 create mode 100644 proxmox-firewall-api-types/src/ipset.rs
 create mode 100644 proxmox-firewall-api-types/src/lib.rs
 create mode 100644 proxmox-firewall-api-types/src/log.rs
 create mode 100644 proxmox-firewall-api-types/src/node_options.rs
 create mode 100644 proxmox-firewall-api-types/src/policy.rs
 create mode 100644 proxmox-firewall-api-types/src/port.rs
 create mode 100644 proxmox-firewall-api-types/src/rule.rs

-- 
2.47.3