From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 159E21FF142
	for <inbox@lore.proxmox.com>; Mon, 16 Feb 2026 11:43:47 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id E257EC46E;
	Mon, 16 Feb 2026 11:44:29 +0100 (CET)
From: Dietmar Maurer <dietmar@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [RFC proxmox 02/22] firewall-api-types: add README.md
Date: Mon, 16 Feb 2026 11:43:40 +0100
Message-ID: <20260216104401.3959270-3-dietmar@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260216104401.3959270-1-dietmar@proxmox.com>
References: <20260216104401.3959270-1-dietmar@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
	AWL                    -0.578 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery
 methods
	RDNS_NONE               0.793 Delivered to internal network by a host with no
 rDNS
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_NONE                0.001 SPF: sender does not publish an SPF Record
Message-ID-Hash: 5HPK5NOET3NLZVU6IZLKDWFB7DU2ZFWE
X-Message-ID-Hash: 5HPK5NOET3NLZVU6IZLKDWFB7DU2ZFWE
X-MailFrom: dietmar@zilli.proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
---
 proxmox-firewall-api-types/README.md | 54 ++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 proxmox-firewall-api-types/README.md

diff --git a/proxmox-firewall-api-types/README.md b/proxmox-firewall-api-types/README.md
new file mode 100644
index 00000000..1ae22118
--- /dev/null
+++ b/proxmox-firewall-api-types/README.md
@@ -0,0 +1,54 @@
+# proxmox-firewall-api-types
+
+Strongly typed Rust definitions for the Proxmox VE Firewall API.
+
+## Motivation
+
+The current PVE firewall implementation is written in Perl, and Rust type
+definitions can be auto-generated from its API schemas. However, many of the
+more complex types are represented as opaque strings, which limits type safety.
+
+Verifiers for complex types like ports and address matches cannot be generated
+automatically, so we need to implement them manually anyway.
+
+To address this, the crate provides hand-crafted Rust types that parse and validate these
+string-encoded values into proper enums and structs, while remaining fully
+compatible with the existing API wire format. The initial type definitions were
+seeded from the auto-generated `pve-api-types` crate and then refined by hand.
+
+Dependencies are minimal, so that we can use this crate for wasm targets (GUI).
+
+## Compatibility
+
+All types must serialize and deserialize to the same JSON wire format that the
+existing Perl-based PVE API produces and consumes. There is currently no
+automated compatibility test against the live Perl API, so changes must be
+verified manually.
+
+Key techniques used to maintain wire-format compatibility:
+
+- **Perl-specific deserializers** — The Perl API encodes booleans and integers
+  as strings. Fields that come from Perl use custom deserializers such as
+  `proxmox_serde::perl::deserialize_bool` and `deserialize_u64` to accept
+  these representations.
+- **Serde renames** — `#[serde(rename = "...")]` and `#[serde(rename_all = "kebab-case")]`
+  ensure that Rust field and variant names map to the exact keys and values
+  the Perl API expects (e.g. `icmp-type`, `macro`, `type`).
+- **Forward-compatible enums** — When the `enum-fallback` feature is enabled,
+  enums gain an `UnknownEnumValue` catch-all variant (backed by
+  `proxmox-fixed-string`) so that new values added in a future API version
+  can be deserialized without errors.
+
+When adding or modifying types, compare the serde output against the
+corresponding Perl API endpoint to ensure the JSON representation matches.
+
+## Features
+
+- **`enum-fallback`** — Enables an `UnknownEnumValue` catch-all variant on
+  enums (backed by `proxmox-fixed-string`) for forward-compatible
+  deserialization of values added in newer API versions.
+
+## Usage
+
+- All public types are re-exported from the crate root.
+- Every type implements `serde::Serialize` / `Deserialize`.
-- 
2.47.3