From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dietmar Maurer <dietmar@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [RFC proxmox 03/22] firewall-api-types: add firewall policy types
Date: Thu, 12 Mar 2026 11:17:39 +0100 [thread overview]
Message-ID: <wb3rji4tzgv3s2bxvlavl3xdhcoz6eaqfzj43gddyo46tsfpvi@wqcoqpuvkudx> (raw)
In-Reply-To: <20260216104401.3959270-4-dietmar@proxmox.com>
On Mon, Feb 16, 2026 at 11:43:41AM +0100, Dietmar Maurer wrote:
> Generated from perl api.
>
> Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
> ---
> proxmox-firewall-api-types/Cargo.toml | 5 +-
> proxmox-firewall-api-types/src/lib.rs | 3 +-
> proxmox-firewall-api-types/src/policy.rs | 151 +++++++++++++++++++++++
> 3 files changed, 157 insertions(+), 2 deletions(-)
> create mode 100644 proxmox-firewall-api-types/src/policy.rs
>
> diff --git a/proxmox-firewall-api-types/Cargo.toml b/proxmox-firewall-api-types/Cargo.toml
> index 515d1efc..3122d813 100644
> --- a/proxmox-firewall-api-types/Cargo.toml
> +++ b/proxmox-firewall-api-types/Cargo.toml
> @@ -9,12 +9,15 @@ license.workspace = true
> repository.workspace = true
> exclude.workspace = true
>
> +[features]
> +enum-fallback = ["dep:proxmox-fixed-string"]
> +
> [dependencies]
> anyhow.workspace = true
> regex.workspace = true
> -proxmox-fixed-string.workspace = true
>
> serde = { workspace = true, features = [ "derive" ] }
> serde_plain = { workspace = true }
You could replace this with `proxmox-serde`. We also already had
`serde-with` in some places for the same purpose (which now use
`proxmox-serde` I think).
> proxmox-schema = { workspace = true, features = ["api-macro"] }
> proxmox-serde = { workspace = true, features = ["perl"] }
> +proxmox-fixed-string = { workspace = true, optional = true }
> diff --git a/proxmox-firewall-api-types/src/lib.rs b/proxmox-firewall-api-types/src/lib.rs
> index 7c4a64a7..b8004c76 100644
> --- a/proxmox-firewall-api-types/src/lib.rs
> +++ b/proxmox-firewall-api-types/src/lib.rs
> @@ -1 +1,2 @@
> -// TODO: add code here
> +mod policy;
> +pub use policy::{FirewallFWPolicy, FirewallIOPolicy};
> diff --git a/proxmox-firewall-api-types/src/policy.rs b/proxmox-firewall-api-types/src/policy.rs
> new file mode 100644
> index 00000000..274fbe20
> --- /dev/null
> +++ b/proxmox-firewall-api-types/src/policy.rs
> @@ -0,0 +1,151 @@
> +use serde::{Deserialize, Serialize};
> +
> +#[cfg(feature = "enum-fallback")]
> +use proxmox_fixed_string::FixedString;
> +use proxmox_schema::api;
> +
> +#[api]
> +/// Firewall forward policy.
> +#[derive(Clone, Copy, Debug, Default, Eq, PartialEq, Deserialize, Serialize)]
> +pub enum FirewallFWPolicy {
> + #[serde(rename = "ACCEPT")]
> + #[default]
> + /// ACCEPT.
> + Accept,
> + #[serde(rename = "DROP")]
> + /// DROP.
> + Drop,
> + #[cfg(feature = "enum-fallback")]
> + #[serde(untagged)]
> + /// Unknwon
> + UnknownEnumValue(FixedString),
> +}
> +serde_plain::derive_display_from_serialize!(FirewallFWPolicy);
> +serde_plain::derive_fromstr_from_deserialize!(FirewallFWPolicy);
> +
> +#[api]
> +/// Firewall IO policy.
> +#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
> +pub enum FirewallIOPolicy {
> + #[serde(rename = "ACCEPT")]
> + /// ACCEPT.
> + Accept,
> + #[serde(rename = "DROP")]
> + /// DROP.
> + Drop,
> + #[serde(rename = "REJECT")]
> + /// REJECT.
> + Reject,
> + #[cfg(feature = "enum-fallback")]
> + #[serde(untagged)]
> + /// Unknwon
> + UnknownEnumValue(FixedString),
> +}
> +serde_plain::derive_display_from_serialize!(FirewallIOPolicy);
> +serde_plain::derive_fromstr_from_deserialize!(FirewallIOPolicy);
> +
> +#[cfg(test)]
> +mod tests {
> + use super::*;
> +
> + #[test]
> + fn test_firewall_fw_policy_default() {
> + assert_eq!(FirewallFWPolicy::default(), FirewallFWPolicy::Accept);
> + }
> +
> + #[test]
> + #[cfg(not(feature = "enum-fallback"))]
> + fn test_firewall_fw_policy_serde_invalid() {
> + serde_plain::from_str::<FirewallFWPolicy>("REJECT")
> + .expect_err("REJECT is not valid for FWPolicy");
Without `serde_plain` these types of tests could all be of the form:
"REJECT"
.parse::<FirewallFWPolicy>()
.expect_err("REJECT is not valid for FWPolicy");
> + serde_plain::from_str::<FirewallFWPolicy>("accept")
> + .expect_err("lowercase should be invalid");
> + serde_plain::from_str::<FirewallFWPolicy>("").expect_err("empty string should be invalid");
> + }
> +
> + #[test]
> + fn test_firewall_fw_policy_roundtrip() {
This tests Display and FromStr implementations generated by a crate
specifically meant to add these to a simple enum.
Testing this is the job of that external crate.
(After all, we don't test whether the implementation generated by
`#[derive(PartialEq)]` does the correct thing either for all the enum
values...)
> + for policy in [FirewallFWPolicy::Accept, FirewallFWPolicy::Drop] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + let parsed: FirewallFWPolicy =
> + serde_plain::from_str(&serialized).expect("roundtrip parse");
> + assert_eq!(policy, parsed);
> + }
> + }
> +
> + #[test]
> + fn test_firewall_fw_policy_serde() {
Similar to the above. If we want to maintain a list of "this is the
value perl uses" *in addition to `#[serde(rename)]`, then why not
iterate through an array of `(FirewallFWPolicy::Foo, "FOO")` tuples.
But that's just another list to maintain - if anything, we should
involve pve-api-types in this without having to manually maintain
the wire foramt in multiple places like this.
> + let accept = FirewallFWPolicy::Accept;
> + let serialized = serde_plain::to_string(&accept).expect("serialize");
> + assert_eq!(serialized, "ACCEPT");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, accept);
> +
> + let drop = FirewallFWPolicy::Drop;
> + let serialized = serde_plain::to_string(&drop).expect("serialize");
> + assert_eq!(serialized, "DROP");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, drop);
> + }
> +
> + #[test]
> + #[cfg(feature = "enum-fallback")]
> + fn test_firewall_fw_policy_serde_enum_fallback() {
Meh... fine... but technically the job of the `serde` crate to test that
`serde(untagged)` on an enum actually works...
> + let unknown = FirewallFWPolicy::UnknownEnumValue(FixedString::new("TEST").unwrap());
> + let serialized = serde_plain::to_string(&unknown).expect("serialize");
And could use `.to_string()` instead of serde_plain here, too.
> + assert_eq!(serialized, "TEST");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
and then `serialized.parse().expect(…)`.
> + assert_eq!(parsed, unknown);
> + }
> +
> + #[test]
> + #[cfg(not(feature = "enum-fallback"))]
> + fn test_firewall_io_policy_serde_invalid() {
> + serde_plain::from_str::<FirewallIOPolicy>("ALLOW").expect_err("ALLOW is not valid");
> + serde_plain::from_str::<FirewallIOPolicy>("drop").expect_err("lowercase should be invalid");
> + serde_plain::from_str::<FirewallIOPolicy>("").expect_err("empty string should be invalid");
> + }
> +
> + #[test]
> + fn test_firewall_io_policy_roundtrip() {
Like for FW policy.
> + for policy in [
> + FirewallIOPolicy::Accept,
> + FirewallIOPolicy::Drop,
> + FirewallIOPolicy::Reject,
> + ] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + let parsed: FirewallIOPolicy =
> + serde_plain::from_str(&serialized).expect("roundtrip parse");
> + assert_eq!(policy, parsed);
> + }
> + }
> +
> + #[test]
> + fn test_firewall_io_policy_serde() {
> + for (policy, expected) in [
> + (FirewallIOPolicy::Accept, "ACCEPT"),
> + (FirewallIOPolicy::Drop, "DROP"),
> + (FirewallIOPolicy::Reject, "REJECT"),
So here we do use a list, but the other argument from the FW policy
variant still stands :S
> + ] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + assert_eq!(serialized, expected);
> +
> + let parsed: FirewallIOPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, policy);
> + }
> + }
> +
> + #[test]
> + #[cfg(feature = "enum-fallback")]
> + fn test_firewall_io_policy_serde_enum_fallback() {
> + let unknown = FirewallIOPolicy::UnknownEnumValue(FixedString::new("TEST").unwrap());
> + let serialized = serde_plain::to_string(&unknown).expect("serialize");
> + assert_eq!(serialized, "TEST");
> +
> + let parsed: FirewallIOPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, unknown);
> + }
> +}
> --
> 2.47.3
next prev parent reply other threads:[~2026-03-12 10:18 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 10:43 [RFC proxmox 00/22] New crate for firewall api types Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 01/22] firewall-api-types: add new " Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 02/22] firewall-api-types: add README.md Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 03/22] firewall-api-types: add firewall policy types Dietmar Maurer
2026-03-12 10:17 ` Wolfgang Bumiller [this message]
2026-02-16 10:43 ` [RFC proxmox 04/22] firewall-api-types: add logging types Dietmar Maurer
2026-03-02 12:24 ` Stefan Hanreich
2026-03-05 7:04 ` Dietmar Maurer
2026-03-12 10:22 ` Wolfgang Bumiller
2026-03-12 10:31 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 05/22] firewall-api-types: add FirewallClusterOptions Dietmar Maurer
2026-03-02 12:27 ` Stefan Hanreich
2026-03-05 7:06 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 06/22] firewall-api-types: add FirewallGuestOptions Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 07/22] firewall-api-types: add FirewallConntrackHelper enum Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 08/22] firewall-api-types: add FirewallNodeOptions struct Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 09/22] firewall-api-types: add FirewallRef type Dietmar Maurer
2026-03-12 10:36 ` Wolfgang Bumiller
2026-03-12 10:41 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 10/22] firewall-api-types: add FirewallPortList types Dietmar Maurer
2026-03-02 12:17 ` Stefan Hanreich
2026-03-05 7:02 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 11/22] firewall-api-types: add FirewallIcmpType Dietmar Maurer
2026-03-12 10:51 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 12/22] firewall-api-types: add FirewallIpsetReference type Dietmar Maurer
2026-03-02 12:39 ` Stefan Hanreich
2026-02-16 10:43 ` [RFC proxmox 13/22] firewall-api-types: add FirewallAliasReference type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 14/22] firewall-api-types: add firewall address types Dietmar Maurer
2026-03-12 13:24 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 15/22] firewall-api-types: add FirewallRule type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 16/22] firewall-api-types: use ConfigDigest from proxmox-config-digest crate Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 17/22] firewall-api-types: use COMMENT_SCHEMA from proxmox-schema crate Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 18/22] firewall-api-types: add FirewallRuleUpdater type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 19/22] firewall-api-types: refactor FirewallRule and add FirewallRuleListEntry Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 20/22] firewall-api-types: add DeletableFirewallRuleProperty enum Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 21/22] firewall-api-types: add FirewallAliasEntry API type Dietmar Maurer
2026-02-16 10:44 ` [RFC proxmox 22/22] firewall-api-types: add FirewallIpsetListEntry and FirewallIpsetEntry api types Dietmar Maurer
2026-02-17 6:17 ` [RFC proxmox 00/22] New crate for firewall " Hannes Laimer
2026-02-17 6:39 ` Dietmar Maurer
2026-02-17 8:17 ` Hannes Laimer
2026-03-02 13:55 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=wb3rji4tzgv3s2bxvlavl3xdhcoz6eaqfzj43gddyo46tsfpvi@wqcoqpuvkudx \
--to=w.bumiller@proxmox.com \
--cc=dietmar@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.