From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 14D251FF142 for ; Mon, 16 Feb 2026 11:45:50 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 88258DC49; Mon, 16 Feb 2026 11:45:14 +0100 (CET) From: Dietmar Maurer To: pve-devel@lists.proxmox.com Subject: [RFC proxmox 15/22] firewall-api-types: add FirewallRule type Date: Mon, 16 Feb 2026 11:43:53 +0100 Message-ID: <20260216104401.3959270-16-dietmar@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260216104401.3959270-1-dietmar@proxmox.com> References: <20260216104401.3959270-1-dietmar@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.569 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: VPANDRBQMT34CNAVFIE54GVE6DWP7Q2U X-Message-ID-Hash: VPANDRBQMT34CNAVFIE54GVE6DWP7Q2U X-MailFrom: dietmar@zilli.proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Extracted from Perl API and migrated to Rust with type-safe implementations. Replaced string-based types with strongly-typed Rust counterparts including: - FirewallAction (Accept, Reject, Drop) - FirewallLogLevel - FirewallDirection (In, Out, Group) - FirewallAddressMatch for source/destination addresses - FirewallPortList for port specifications - FirewallIcmpType for ICMP type matching Signed-off-by: Dietmar Maurer --- proxmox-firewall-api-types/src/lib.rs | 3 + proxmox-firewall-api-types/src/rule.rs | 192 +++++++++++++++++++++++++ 2 files changed, 195 insertions(+) create mode 100644 proxmox-firewall-api-types/src/rule.rs diff --git a/proxmox-firewall-api-types/src/lib.rs b/proxmox-firewall-api-types/src/lib.rs index c6f00250..25e260c3 100644 --- a/proxmox-firewall-api-types/src/lib.rs +++ b/proxmox-firewall-api-types/src/lib.rs @@ -37,3 +37,6 @@ mod port; pub use port::{ FirewallPortList, FirewallPortListEntry, FIREWALL_DPORT_API_SCHEMA, FIREWALL_SPORT_API_SCHEMA, }; + +mod rule; +pub use rule::{FirewallRule, FirewallRuleType}; diff --git a/proxmox-firewall-api-types/src/rule.rs b/proxmox-firewall-api-types/src/rule.rs new file mode 100644 index 00000000..a2298609 --- /dev/null +++ b/proxmox-firewall-api-types/src/rule.rs @@ -0,0 +1,192 @@ +use serde::{Deserialize, Serialize}; + +#[cfg(feature = "enum-fallback")] +use proxmox_fixed_string::FixedString; +use proxmox_schema::{api, const_regex, ApiStringFormat}; + +use crate::{FirewallAddressMatch, FirewallIcmpType, FirewallPortList}; +use crate::{FIREWALL_DPORT_API_SCHEMA, FIREWALL_SPORT_API_SCHEMA}; +use super::FirewallLogLevel; + +const_regex! { + FIREWALL_RULE_IFACE_RE = r##"^[a-zA-Z][a-zA-Z0-9_]{1,20}([:\.]\d+)?$"##; + FIREWALL_SECURITY_GROUP_RE = r##"^[A-Za-z][A-Za-z0-9\-\_]+$"##; +} + +#[api( + properties: { + action: { + format: &ApiStringFormat::Pattern(&FIREWALL_SECURITY_GROUP_RE), + max_length: 20, + min_length: 2, + type: String, + }, + comment: { + optional: true, + type: String, + }, + dest: { + optional: true, + }, + digest: { + max_length: 64, + optional: true, + type: String, + }, + dport: { + optional: true, + schema: FIREWALL_DPORT_API_SCHEMA, + }, + enable: { + minimum: 0, + optional: true, + type: Integer, + }, + "icmp-type": { + optional: true, + }, + iface: { + format: &ApiStringFormat::Pattern(&FIREWALL_RULE_IFACE_RE), + max_length: 20, + min_length: 2, + optional: true, + type: String, + }, + log: { + optional: true, + }, + "macro": { + max_length: 128, + optional: true, + type: String, + }, + pos: { + minimum: 0, + optional: true, + type: Integer, + }, + proto: { + max_length: 64, // arbitrary limit, much longer than anything in /etc/protocols + optional: true, + type: String, + }, + source: { + optional: true, + }, + sport: { + optional: true, + schema: FIREWALL_SPORT_API_SCHEMA, + }, + type: { + type: FirewallRuleType, + }, + }, +)] +/// Firewall Rule. +#[derive(Debug, serde::Deserialize, serde::Serialize)] +pub struct FirewallRule { + /// Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name. + pub action: String, + + /// Descriptive comment. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub comment: Option, + + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dest: Option, + + /// Prevent changes if current configuration file has a different digest. + /// This can be used to prevent concurrent modifications. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub digest: Option, + + /// Restrict TCP/UDP destination port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dport: Option, + + /// Flag to enable/disable a rule. + #[serde(deserialize_with = "proxmox_serde::perl::deserialize_u64")] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub enable: Option, + + /// Specify icmp-type. Only valid if proto equals 'icmp' or + /// 'icmpv6'/'ipv6-icmp'. + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(rename = "icmp-type")] + pub icmp_type: Option, + + /// Network interface name. You have to use network configuration key names + /// for VMs and containers ('net\d+'). Host related rules can use arbitrary + /// strings. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub iface: Option, + + #[serde(default, skip_serializing_if = "Option::is_none")] + pub log: Option, + + /// Use predefined standard macro. + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(rename = "macro")] + pub r#macro: Option, + + /// Update rule at position . + #[serde(deserialize_with = "proxmox_serde::perl::deserialize_u64")] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub pos: Option, + + /// IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, + /// as defined in '/etc/protocols'. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub proto: Option, + + #[serde(default, skip_serializing_if = "Option::is_none")] + pub source: Option, + + /// Restrict TCP/UDP source port. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub sport: Option, + + #[serde(rename = "type")] + pub ty: FirewallRuleType, +} + +#[api] +/// Rule type. +#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)] +pub enum FirewallRuleType { + #[serde(rename = "in")] + /// in. + In, + #[serde(rename = "out")] + /// out. + Out, + #[serde(rename = "forward")] + /// forward. + Forward, + #[serde(rename = "group")] + /// group. + Group, + /// Unknown variants for forward compatibility. + #[cfg(feature = "enum-fallback")] + #[serde(untagged)] + UnknownEnumValue(FixedString), +} + +serde_plain::derive_display_from_serialize!(FirewallRuleType); +serde_plain::derive_fromstr_from_deserialize!(FirewallRuleType); + +#[cfg(test)] +mod test { + use super::*; + + #[test] + fn test_regex_compilation_firewall_rule_iface_re() { + use regex::Regex; + let _: &Regex = &FIREWALL_RULE_IFACE_RE; + } + #[test] + fn test_regex_compilation_firewall_security_group_re() { + use regex::Regex; + let _: &Regex = &FIREWALL_SECURITY_GROUP_RE; + } +} -- 2.47.3