From: Hannes Laimer
To: pdm-devel@lists.proxmox.com
Date: Thu, 27 Nov 2025 10:21:57 +0100
Message-ID: <20251127092209.213535-1-h.laimer@proxmox.com>
Subject: [pdm-devel] [PATCH proxmox{, -datacenter-manager, -yew-comp} v5 00/12] add basic integration of PVE firewall

Generally loading the status involves 2 requests per entity, so the PDM
server has to do quite a bit of work collecting all the relevant data.
That is the reason we have multiple status endpoints
 - for all pve remotes
 - for a specific remote
 - for a specific node
a bit more context on the commit adding these endpoints. With these we
can limit the number of requests the PDM potentially has to do. In this
context a cache could also make sense, should be somewhat straight
forward integrating something like Dominik proposed in [1]. But since
these are configs, caches would have to be really short lived, but
still, they could help with different users requesting the same data at
close to the same time.

Firewall options edit form and the firewall rules tables were added to
yew-comp as they are not necessarily PDM specific. I tried having them in
a way so it would not be too complicated reusing them in other places at
some point.

This also includes an updated pve-api.json, some api endpoint specs did
require minor adjustments so they'd work with the type generator.

Generally this is built with the latest master of proxmox-yew-comp and
proxmox-yew-widget-toolkit.

Notes:
node or guest firewalls could be enabled, but end up being masked by the
cluster setting. I tried visualizing that by having the checkmark normal
if masked and green if not.

[1] https://lore.proxmox.com/pdm-devel/20251017120315.2723235-1-d.csapak@proxmox.com/

v5, thanks @Michael
 - use correct default if node does not have firewall enable set at all
 - ui: also refresh rules panel

v4, thanks @Stefan
 * UI:
   - fix sorting, now stable
   - fix problem with dirty-detection for the log-ratelimit field(s)
   - keep rules selection during tree refresh
   - properly show errors
   - minor code improvements
   - cache columns for rules table, don't re-create them every time
 * handful of non-specific, small code improvements I've noticed
   throughout the series
 * still needs [2] for the reason mentioned in v3

v3, thanks @Lukas and @Michael
 * UI:
   - fixed (as in !dynamic and as in !problem anymore) rule status text
     col width
   - align option edit form fields with the ones present in the current
     PVE ui
   - set defaults for checkboxes, note: this needs [2], without it
     having a default defined for checkboxes leads to the form being
     marked as dirty immediately
   - add missing .max(99) to field
   - only show remotes of type `pve` in remote filter
 * add doc strings to pub stuff, also made some things private
 * drop default value for firewall IO policy and fix default for forward
   policy
 * fixed problem with how cluster firewall enable field was mapped from
   int to a bool

[2] https://lore.proxmox.com/yew-devel/20251110161831.261526-1-h.laimer@proxmox.com/T/#u

v2, thanks a lot @Dominik, @Lukas and @Thomas
 * rebased onto master
 * UI improvements
   - move filters into tree panel
   - shrink status tree panel
   - the firewall rules table now doesn't always show all the columns,
     instead we have a new column that shows only the things that are
     set. We save a lot of space like that, also, most of the columns
     are empty.
   - added toggle button that collapses the status tree and shows the
     rules tables "full-screen". With the current UI changes this should
     not really be needed unless a really small screen is used.
     Nonetheless it may be useful, so I kept it in.
   - for the cluster options form I put a border around the log
     ratelimit fields, that should help separating them from the rest of
     the options.
 * concurrently fetch status data for `all remotes` and `single remote`,
   was sequential in v1

(* this doesn't include [3] anymore, since it was applied already)

[3] https://git.proxmox.com/?p=proxmox.git;a=commit;h=eb41684db1a6d13f4ae3d95761e40db5a7c333ce

proxmox:

Hannes Laimer (4):
  pve-api-types: update pve-api.json
  pve-api-types: add get/update firewall options endpoints
  pve-api-types: add list firewall rules endpoints
  pve-api-types: regenerate

 pve-api-types/generate.pl            |   53 +
 pve-api-types/pve-api.json           |  362 +------
 pve-api-types/src/generated/code.rs  |  206 +++-
 pve-api-types/src/generated/types.rs | 1363 +++++++++++++++++++++++++-
 4 files changed, 1587 insertions(+), 397 deletions(-)

proxmox-datacenter-manager:

Hannes Laimer (4):
  pdm-api-types: add firewall status types
  api: firewall: add option, rules and status endpoints
  pdm-client: add api methods for firewall options, rules and status endpoints
  ui: add firewall status tree

 lib/pdm-api-types/src/firewall.rs     | 173 ++++++
 lib/pdm-api-types/src/lib.rs          |   2 +
 lib/pdm-client/src/lib.rs             | 133 ++++
 server/src/api/pve/firewall.rs        | 857 ++++++++++++++++++++++++++
 server/src/api/pve/lxc.rs             |   1 +
 server/src/api/pve/mod.rs             |   3 +
 server/src/api/pve/node.rs            |   1 +
 server/src/api/pve/qemu.rs            |   1 +
 ui/src/remotes/firewall/columns.rs    | 153 +++++
 ui/src/remotes/firewall/mod.rs        |  30 +
 ui/src/remotes/firewall/tree.rs       | 673 ++++++++++++++++++++
 ui/src/remotes/firewall/types.rs      | 284 +++++++++
 ui/src/remotes/firewall/ui_helpers.rs | 182 ++++++
 ui/src/remotes/mod.rs                 |  10 +
 14 files changed, 2503 insertions(+)
 create mode 100644 lib/pdm-api-types/src/firewall.rs
 create mode 100644 server/src/api/pve/firewall.rs
 create mode 100644 ui/src/remotes/firewall/columns.rs
 create mode 100644 ui/src/remotes/firewall/mod.rs
 create mode 100644 ui/src/remotes/firewall/tree.rs
 create mode 100644 ui/src/remotes/firewall/types.rs
 create mode 100644 ui/src/remotes/firewall/ui_helpers.rs

proxmox-yew-comp:

Hannes Laimer (4):
  form: add helpers for extractig data out of schemas
  firewall: add FirewallContext
  firewall: add options edit form
  firewall: add rules table

 src/firewall/context.rs             | 142 ++++++++
 src/firewall/log_ratelimit_field.rs | 334 +++++++++++++++++++
 src/firewall/mod.rs                 |  11 +
 src/firewall/options_edit.rs        | 495 ++++++++++++++++++++++++++++
 src/firewall/rules.rs               | 275 ++++++++++++++++
 src/form/mod.rs                     |  70 ++++
 src/lib.rs                          |   3 +
 7 files changed, 1330 insertions(+)
 create mode 100644 src/firewall/context.rs
 create mode 100644 src/firewall/log_ratelimit_field.rs
 create mode 100644 src/firewall/mod.rs
 create mode 100644 src/firewall/options_edit.rs
 create mode 100644 src/firewall/rules.rs

Summary over all repositories:
  25 files changed, 5420 insertions(+), 397 deletions(-)

--
Generated by git-murpp 0.8.1