public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall v4 1/9] add proxmox-ve-rs crate - move proxmox-ve-config there
Date: Fri, 15 Nov 2024 13:09:29 +0100	[thread overview]
Message-ID: <20241115120937.169342-2-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20241115120937.169342-1-s.hanreich@proxmox.com>

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 Cargo.toml                                    |   4 +-
 Makefile                                      |   2 +-
 proxmox-firewall/Cargo.toml                   |   2 +-
 proxmox-nftables/Cargo.toml                   |   2 +-
 proxmox-ve-config/Cargo.toml                  |  25 -
 proxmox-ve-config/resources/ct_helper.json    |  52 -
 proxmox-ve-config/resources/macros.json       | 923 -----------------
 proxmox-ve-config/src/firewall/cluster.rs     | 374 -------
 proxmox-ve-config/src/firewall/common.rs      | 184 ----
 proxmox-ve-config/src/firewall/ct_helper.rs   | 115 ---
 proxmox-ve-config/src/firewall/fw_macros.rs   |  69 --
 proxmox-ve-config/src/firewall/guest.rs       | 237 -----
 proxmox-ve-config/src/firewall/host.rs        | 372 -------
 proxmox-ve-config/src/firewall/mod.rs         |  10 -
 proxmox-ve-config/src/firewall/parse.rs       | 494 ---------
 proxmox-ve-config/src/firewall/ports.rs       |  80 --
 .../src/firewall/types/address.rs             | 615 -----------
 proxmox-ve-config/src/firewall/types/alias.rs | 174 ----
 proxmox-ve-config/src/firewall/types/group.rs |  36 -
 proxmox-ve-config/src/firewall/types/ipset.rs | 349 -------
 proxmox-ve-config/src/firewall/types/log.rs   | 222 ----
 proxmox-ve-config/src/firewall/types/mod.rs   |  14 -
 proxmox-ve-config/src/firewall/types/port.rs  | 181 ----
 proxmox-ve-config/src/firewall/types/rule.rs  | 412 --------
 .../src/firewall/types/rule_match.rs          | 977 ------------------
 proxmox-ve-config/src/guest/mod.rs            | 115 ---
 proxmox-ve-config/src/guest/types.rs          |  38 -
 proxmox-ve-config/src/guest/vm.rs             | 510 ---------
 proxmox-ve-config/src/host/mod.rs             |   1 -
 proxmox-ve-config/src/host/utils.rs           |  70 --
 proxmox-ve-config/src/lib.rs                  |   3 -
 31 files changed, 6 insertions(+), 6656 deletions(-)
 delete mode 100644 proxmox-ve-config/Cargo.toml
 delete mode 100644 proxmox-ve-config/resources/ct_helper.json
 delete mode 100644 proxmox-ve-config/resources/macros.json
 delete mode 100644 proxmox-ve-config/src/firewall/cluster.rs
 delete mode 100644 proxmox-ve-config/src/firewall/common.rs
 delete mode 100644 proxmox-ve-config/src/firewall/ct_helper.rs
 delete mode 100644 proxmox-ve-config/src/firewall/fw_macros.rs
 delete mode 100644 proxmox-ve-config/src/firewall/guest.rs
 delete mode 100644 proxmox-ve-config/src/firewall/host.rs
 delete mode 100644 proxmox-ve-config/src/firewall/mod.rs
 delete mode 100644 proxmox-ve-config/src/firewall/parse.rs
 delete mode 100644 proxmox-ve-config/src/firewall/ports.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/address.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/alias.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/group.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/ipset.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/log.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/mod.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/port.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/rule.rs
 delete mode 100644 proxmox-ve-config/src/firewall/types/rule_match.rs
 delete mode 100644 proxmox-ve-config/src/guest/mod.rs
 delete mode 100644 proxmox-ve-config/src/guest/types.rs
 delete mode 100644 proxmox-ve-config/src/guest/vm.rs
 delete mode 100644 proxmox-ve-config/src/host/mod.rs
 delete mode 100644 proxmox-ve-config/src/host/utils.rs
 delete mode 100644 proxmox-ve-config/src/lib.rs

diff --git a/Cargo.toml b/Cargo.toml
index 1fbc2e0..3894d9f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,7 +1,9 @@
 [workspace]
 members = [
-    "proxmox-ve-config",
     "proxmox-nftables",
     "proxmox-firewall",
 ]
 resolver = "2"
+
+[workspace.dependencies]
+proxmox-ve-config = { version = "0.1.0" }
diff --git a/Makefile b/Makefile
index e49e58f..a134423 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ cargo-build:
 build: $(BUILDDIR)
 $(BUILDDIR):
 	rm -rf $@ $@.tmp; mkdir $@.tmp
-	cp -a proxmox-firewall proxmox-nftables proxmox-ve-config debian Cargo.toml Makefile defines.mk $@.tmp/
+	cp -a proxmox-firewall proxmox-nftables debian Cargo.toml Makefile defines.mk $@.tmp/
 	mv $@.tmp $@
 
 .PHONY: deb
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index 6cb1b09..c2adcac 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -21,7 +21,7 @@ serde_json = "1"
 signal-hook = "0.3"
 
 proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
-proxmox-ve-config = { path = "../proxmox-ve-config" }
+proxmox-ve-config = { workspace = true }
 
 [dev-dependencies]
 insta = { version = "1.21", features = ["json"] }
diff --git a/proxmox-nftables/Cargo.toml b/proxmox-nftables/Cargo.toml
index e84509d..4ff6f41 100644
--- a/proxmox-nftables/Cargo.toml
+++ b/proxmox-nftables/Cargo.toml
@@ -22,4 +22,4 @@ serde = { version = "1", features = [ "derive" ] }
 serde_json = "1"
 serde_plain = "1"
 
-proxmox-ve-config = { path = "../proxmox-ve-config", optional = true }
+proxmox-ve-config = { workspace = true, optional = true }
diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml
deleted file mode 100644
index 0239c08..0000000
--- a/proxmox-ve-config/Cargo.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-[package]
-name = "proxmox-ve-config"
-version = "0.1.0"
-edition = "2021"
-authors = [
-    "Wolfgang Bumiller <w.bumiller@proxmox.com>",
-    "Stefan Hanreich <s.hanreich@proxmox.com>",
-    "Proxmox Support Team <support@proxmox.com>",
-]
-description = "Proxmox VE config parsing"
-license = "AGPL-3"
-
-[dependencies]
-log = "0.4"
-anyhow = "1"
-nix = "0.26"
-
-serde = { version = "1", features = [ "derive" ] }
-serde_json = "1"
-serde_plain = "1"
-serde_with = "3"
-
-proxmox-schema = "3.1.2"
-proxmox-sys = "0.6"
-proxmox-sortable-macro = "0.1.3"
diff --git a/proxmox-ve-config/resources/ct_helper.json b/proxmox-ve-config/resources/ct_helper.json
deleted file mode 100644
index 5e70a3a..0000000
--- a/proxmox-ve-config/resources/ct_helper.json
+++ /dev/null
@@ -1,52 +0,0 @@
-[
-  {
-    "name": "amanda",
-    "v4": true,
-    "v6": true,
-    "udp": 10080
-  },
-  {
-    "name": "ftp",
-    "v4": true,
-    "v6": true,
-    "tcp": 21
-  } ,
-  {
-    "name": "irc",
-    "v4": true,
-    "tcp": 6667
-  },
-  {
-    "name": "netbios-ns",
-    "v4": true,
-    "udp": 137
-  },
-  {
-    "name": "pptp",
-    "v4": true,
-    "tcp": 1723
-  },
-  {
-    "name": "sane",
-    "v4": true,
-    "v6": true,
-    "tcp": 6566
-  },
-  {
-    "name": "sip",
-    "v4": true,
-    "v6": true,
-    "udp": 5060
-  },
-  {
-    "name": "snmp",
-    "v4": true,
-    "udp": 161
-  },
-  {
-    "name": "tftp",
-    "v4": true,
-    "v6": true,
-    "udp": 69
-  }
-]
diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json
deleted file mode 100644
index 2fcc0fb..0000000
--- a/proxmox-ve-config/resources/macros.json
+++ /dev/null
@@ -1,923 +0,0 @@
-{
-  "Amanda": {
-    "code": [
-      {
-        "dport": "10080",
-        "proto": "udp"
-      },
-      {
-        "dport": "10080",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Amanda Backup"
-  },
-  "Auth": {
-    "code": [
-      {
-        "dport": "113",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Auth (identd) traffic"
-  },
-  "BGP": {
-    "code": [
-      {
-        "dport": "179",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Border Gateway Protocol traffic"
-  },
-  "BitTorrent": {
-    "code": [
-      {
-        "dport": "6881:6889",
-        "proto": "tcp"
-      },
-      {
-        "dport": "6881",
-        "proto": "udp"
-      }
-    ],
-    "desc": "BitTorrent traffic for BitTorrent 3.1 and earlier"
-  },
-  "BitTorrent32": {
-    "code": [
-      {
-        "dport": "6881:6999",
-        "proto": "tcp"
-      },
-      {
-        "dport": "6881",
-        "proto": "udp"
-      }
-    ],
-    "desc": "BitTorrent traffic for BitTorrent 3.2 and later"
-  },
-  "CVS": {
-    "code": [
-      {
-        "dport": "2401",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Concurrent Versions System pserver traffic"
-  },
-  "Ceph": {
-    "code": [
-      {
-        "dport": "6789",
-        "proto": "tcp"
-      },
-      {
-        "dport": "3300",
-        "proto": "tcp"
-      },
-      {
-        "dport": "6800:7300",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Daemons)"
-  },
-  "Citrix": {
-    "code": [
-      {
-        "dport": "1494",
-        "proto": "tcp"
-      },
-      {
-        "dport": "1604",
-        "proto": "udp"
-      },
-      {
-        "dport": "2598",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Citrix/ICA traffic (ICA, ICA Browser, CGP)"
-  },
-  "DAAP": {
-    "code": [
-      {
-        "dport": "3689",
-        "proto": "tcp"
-      },
-      {
-        "dport": "3689",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)"
-  },
-  "DCC": {
-    "code": [
-      {
-        "dport": "6277",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Distributed Checksum Clearinghouse spam filtering mechanism"
-  },
-  "DHCPfwd": {
-    "code": [
-      {
-        "dport": "67:68",
-        "proto": "udp",
-        "sport": "67:68"
-      }
-    ],
-    "desc": "Forwarded DHCP traffic"
-  },
-  "DHCPv6": {
-    "code": [
-      {
-        "dport": "546:547",
-        "proto": "udp",
-        "sport": "546:547"
-      }
-    ],
-    "desc": "DHCPv6 traffic"
-  },
-  "DNS": {
-    "code": [
-      {
-        "dport": "53",
-        "proto": "udp"
-      },
-      {
-        "dport": "53",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Domain Name System traffic (upd and tcp)"
-  },
-  "Distcc": {
-    "code": [
-      {
-        "dport": "3632",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Distributed Compiler service"
-  },
-  "FTP": {
-    "code": [
-      {
-        "dport": "21",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "File Transfer Protocol"
-  },
-  "Finger": {
-    "code": [
-      {
-        "dport": "79",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Finger protocol (RFC 742)"
-  },
-  "GNUnet": {
-    "code": [
-      {
-        "dport": "2086",
-        "proto": "tcp"
-      },
-      {
-        "dport": "2086",
-        "proto": "udp"
-      },
-      {
-        "dport": "1080",
-        "proto": "tcp"
-      },
-      {
-        "dport": "1080",
-        "proto": "udp"
-      }
-    ],
-    "desc": "GNUnet secure peer-to-peer networking traffic"
-  },
-  "GRE": {
-    "code": [
-      {
-        "proto": "47"
-      }
-    ],
-    "desc": "Generic Routing Encapsulation tunneling protocol"
-  },
-  "Git": {
-    "code": [
-      {
-        "dport": "9418",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Git distributed revision control traffic"
-  },
-  "HKP": {
-    "code": [
-      {
-        "dport": "11371",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "OpenPGP HTTP key server protocol traffic"
-  },
-  "HTTP": {
-    "code": [
-      {
-        "dport": "80",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Hypertext Transfer Protocol (WWW)"
-  },
-  "HTTPS": {
-    "code": [
-      {
-        "dport": "443",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Hypertext Transfer Protocol (WWW) over SSL"
-  },
-  "HTTP/3": {
-    "code": [
-      {
-        "dport": "443",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Hypertext Transfer Protocol v3"
-  },
-  "ICPV2": {
-    "code": [
-      {
-        "dport": "3130",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Internet Cache Protocol V2 (Squid) traffic"
-  },
-  "ICQ": {
-    "code": [
-      {
-        "dport": "5190",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "AOL Instant Messenger traffic"
-  },
-  "IMAP": {
-    "code": [
-      {
-        "dport": "143",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Internet Message Access Protocol"
-  },
-  "IMAPS": {
-    "code": [
-      {
-        "dport": "993",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Internet Message Access Protocol over SSL"
-  },
-  "IPIP": {
-    "code": [
-      {
-        "proto": "94"
-      }
-    ],
-    "desc": "IPIP capsulation traffic"
-  },
-  "IPsec": {
-    "code": [
-      {
-        "dport": "500",
-        "proto": "udp",
-        "sport": "500"
-      },
-      {
-        "proto": "50"
-      }
-    ],
-    "desc": "IPsec traffic"
-  },
-  "IPsecah": {
-    "code": [
-      {
-        "dport": "500",
-        "proto": "udp",
-        "sport": "500"
-      },
-      {
-        "proto": "51"
-      }
-    ],
-    "desc": "IPsec authentication (AH) traffic"
-  },
-  "IPsecnat": {
-    "code": [
-      {
-        "dport": "500",
-        "proto": "udp"
-      },
-      {
-        "dport": "4500",
-        "proto": "udp"
-      },
-      {
-        "proto": "50"
-      }
-    ],
-    "desc": "IPsec traffic and Nat-Traversal"
-  },
-  "IRC": {
-    "code": [
-      {
-        "dport": "6667",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Internet Relay Chat traffic"
-  },
-  "Jetdirect": {
-    "code": [
-      {
-        "dport": "9100",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "HP Jetdirect printing"
-  },
-  "L2TP": {
-    "code": [
-      {
-        "dport": "1701",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Layer 2 Tunneling Protocol traffic"
-  },
-  "LDAP": {
-    "code": [
-      {
-        "dport": "389",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Lightweight Directory Access Protocol traffic"
-  },
-  "LDAPS": {
-    "code": [
-      {
-        "dport": "636",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Secure Lightweight Directory Access Protocol traffic"
-  },
-  "MDNS": {
-    "code": [
-      {
-        "dport": "5353",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Multicast DNS"
-  },
-  "MSNP": {
-    "code": [
-      {
-        "dport": "1863",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Microsoft Notification Protocol"
-  },
-  "MSSQL": {
-    "code": [
-      {
-        "dport": "1433",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Microsoft SQL Server"
-  },
-  "Mail": {
-    "code": [
-      {
-        "dport": "25",
-        "proto": "tcp"
-      },
-      {
-        "dport": "465",
-        "proto": "tcp"
-      },
-      {
-        "dport": "587",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Mail traffic (SMTP, SMTPS, Submission)"
-  },
-  "Munin": {
-    "code": [
-      {
-        "dport": "4949",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Munin networked resource monitoring traffic"
-  },
-  "MySQL": {
-    "code": [
-      {
-        "dport": "3306",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "MySQL server"
-  },
-  "NNTP": {
-    "code": [
-      {
-        "dport": "119",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "NNTP traffic (Usenet)."
-  },
-  "NNTPS": {
-    "code": [
-      {
-        "dport": "563",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Encrypted NNTP traffic (Usenet)"
-  },
-  "NTP": {
-    "code": [
-      {
-        "dport": "123",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Network Time Protocol (ntpd)"
-  },
-  "NeighborDiscovery": {
-    "code": [
-      {
-        "dport": "nd-router-solicit",
-        "proto": "icmpv6"
-      },
-      {
-        "dport": "nd-router-advert",
-        "proto": "icmpv6"
-      },
-      {
-        "dport": "nd-neighbor-solicit",
-        "proto": "icmpv6"
-      },
-      {
-        "dport": "nd-neighbor-advert",
-        "proto": "icmpv6"
-      }
-    ],
-    "desc": "IPv6 neighbor solicitation, neighbor and router advertisement"
-  },
-  "OSPF": {
-    "code": [
-      {
-        "proto": "89"
-      }
-    ],
-    "desc": "OSPF multicast traffic"
-  },
-  "OpenVPN": {
-    "code": [
-      {
-        "dport": "1194",
-        "proto": "udp"
-      }
-    ],
-    "desc": "OpenVPN traffic"
-  },
-  "PBS": {
-    "code": [
-      {
-        "dport": "8007",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Proxmox Backup Server"
-  },
-  "PCA": {
-    "code": [
-      {
-        "dport": "5632",
-        "proto": "udp"
-      },
-      {
-        "dport": "5631",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Symantec PCAnywere (tm)"
-  },
-  "PMG": {
-    "code": [
-      {
-        "dport": "8006",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Proxmox Mail Gateway web interface"
-  },
-  "POP3": {
-    "code": [
-      {
-        "dport": "110",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "POP3 traffic"
-  },
-  "POP3S": {
-    "code": [
-      {
-        "dport": "995",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Encrypted POP3 traffic"
-  },
-  "PPtP": {
-    "code": [
-      {
-        "proto": "47"
-      },
-      {
-        "dport": "1723",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Point-to-Point Tunneling Protocol"
-  },
-  "Ping": {
-    "code": [
-      {
-        "dport": "echo-request",
-        "proto": "icmp"
-      }
-    ],
-    "desc": "ICMP echo request"
-  },
-  "PostgreSQL": {
-    "code": [
-      {
-        "dport": "5432",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "PostgreSQL server"
-  },
-  "Printer": {
-    "code": [
-      {
-        "dport": "515",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Line Printer protocol printing"
-  },
-  "RDP": {
-    "code": [
-      {
-        "dport": "3389",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Microsoft Remote Desktop Protocol traffic"
-  },
-  "RIP": {
-    "code": [
-      {
-        "dport": "520",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Routing Information Protocol (bidirectional)"
-  },
-  "RNDC": {
-    "code": [
-      {
-        "dport": "953",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "BIND remote management protocol"
-  },
-  "Razor": {
-    "code": [
-      {
-        "dport": "2703",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Razor Antispam System"
-  },
-  "Rdate": {
-    "code": [
-      {
-        "dport": "37",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Remote time retrieval (rdate)"
-  },
-  "Rsync": {
-    "code": [
-      {
-        "dport": "873",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Rsync server"
-  },
-  "SANE": {
-    "code": [
-      {
-        "dport": "6566",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "SANE network scanning"
-  },
-  "SMB": {
-    "code": [
-      {
-        "dport": "135,445",
-        "proto": "udp"
-      },
-      {
-        "dport": "137:139",
-        "proto": "udp"
-      },
-      {
-        "dport": "1024:65535",
-        "proto": "udp",
-        "sport": "137"
-      },
-      {
-        "dport": "135,139,445",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Microsoft SMB traffic"
-  },
-  "SMBswat": {
-    "code": [
-      {
-        "dport": "901",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Samba Web Administration Tool"
-  },
-  "SMTP": {
-    "code": [
-      {
-        "dport": "25",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Simple Mail Transfer Protocol"
-  },
-  "SMTPS": {
-    "code": [
-      {
-        "dport": "465",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Encrypted Simple Mail Transfer Protocol"
-  },
-  "SNMP": {
-    "code": [
-      {
-        "dport": "161:162",
-        "proto": "udp"
-      },
-      {
-        "dport": "161",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Simple Network Management Protocol"
-  },
-  "SPAMD": {
-    "code": [
-      {
-        "dport": "783",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Spam Assassin SPAMD traffic"
-  },
-  "SPICEproxy": {
-    "code": [
-      {
-        "dport": "3128",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Proxmox VE SPICE display proxy traffic"
-  },
-  "SSH": {
-    "code": [
-      {
-        "dport": "22",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Secure shell traffic"
-  },
-  "SVN": {
-    "code": [
-      {
-        "dport": "3690",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Subversion server (svnserve)"
-  },
-  "SixXS": {
-    "code": [
-      {
-        "dport": "3874",
-        "proto": "tcp"
-      },
-      {
-        "dport": "3740",
-        "proto": "udp"
-      },
-      {
-        "proto": "41"
-      },
-      {
-        "dport": "5072,8374",
-        "proto": "udp"
-      }
-    ],
-    "desc": "SixXS IPv6 Deployment and Tunnel Broker"
-  },
-  "Squid": {
-    "code": [
-      {
-        "dport": "3128",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Squid web proxy traffic"
-  },
-  "Submission": {
-    "code": [
-      {
-        "dport": "587",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Mail message submission traffic"
-  },
-  "Syslog": {
-    "code": [
-      {
-        "dport": "514",
-        "proto": "udp"
-      },
-      {
-        "dport": "514",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Syslog protocol (RFC 5424) traffic"
-  },
-  "TFTP": {
-    "code": [
-      {
-        "dport": "69",
-        "proto": "udp"
-      }
-    ],
-    "desc": "Trivial File Transfer Protocol traffic"
-  },
-  "Telnet": {
-    "code": [
-      {
-        "dport": "23",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Telnet traffic"
-  },
-  "Telnets": {
-    "code": [
-      {
-        "dport": "992",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Telnet over SSL"
-  },
-  "Time": {
-    "code": [
-      {
-        "dport": "37",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "RFC 868 Time protocol"
-  },
-  "Trcrt": {
-    "code": [
-      {
-        "dport": "33434:33524",
-        "proto": "udp"
-      },
-      {
-        "dport": "echo-request",
-        "proto": "icmp"
-      }
-    ],
-    "desc": "Traceroute (for up to 30 hops) traffic"
-  },
-  "VNC": {
-    "code": [
-      {
-        "dport": "5900:5999",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "VNC traffic for VNC display's 0 - 99"
-  },
-  "VNCL": {
-    "code": [
-      {
-        "dport": "5500",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "VNC traffic from Vncservers to Vncviewers in listen mode"
-  },
-  "Web": {
-    "code": [
-      {
-        "dport": "80",
-        "proto": "tcp"
-      },
-      {
-        "dport": "443",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "WWW traffic (HTTP and HTTPS)"
-  },
-  "Webcache": {
-    "code": [
-      {
-        "dport": "8080",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Web Cache/Proxy traffic (port 8080)"
-  },
-  "Webmin": {
-    "code": [
-      {
-        "dport": "10000",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Webmin traffic"
-  },
-  "Whois": {
-    "code": [
-      {
-        "dport": "43",
-        "proto": "tcp"
-      }
-    ],
-    "desc": "Whois (nicname, RFC 3912) traffic"
-  }
-}
diff --git a/proxmox-ve-config/src/firewall/cluster.rs b/proxmox-ve-config/src/firewall/cluster.rs
deleted file mode 100644
index 223124b..0000000
--- a/proxmox-ve-config/src/firewall/cluster.rs
+++ /dev/null
@@ -1,374 +0,0 @@
-use std::collections::BTreeMap;
-use std::io;
-
-use anyhow::Error;
-use serde::Deserialize;
-
-use crate::firewall::common::ParserConfig;
-use crate::firewall::types::ipset::{Ipset, IpsetScope};
-use crate::firewall::types::log::LogRateLimit;
-use crate::firewall::types::rule::{Direction, Verdict};
-use crate::firewall::types::{Alias, Group, Rule};
-
-use crate::firewall::parse::{serde_option_bool, serde_option_log_ratelimit};
-
-#[derive(Debug, Default)]
-pub struct Config {
-    pub(crate) config: super::common::Config<Options>,
-}
-
-/// default setting for [`Config::is_enabled()`]
-pub const CLUSTER_ENABLED_DEFAULT: bool = false;
-/// default setting for [`Config::ebtables()`]
-pub const CLUSTER_EBTABLES_DEFAULT: bool = false;
-/// default setting for [`Config::default_policy()`]
-pub const CLUSTER_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
-/// default setting for [`Config::default_policy()`]
-pub const CLUSTER_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
-
-impl Config {
-    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
-        let parser_config = ParserConfig {
-            guest_iface_names: false,
-            ipset_scope: Some(IpsetScope::Datacenter),
-        };
-
-        Ok(Self {
-            config: super::common::Config::parse(input, &parser_config)?,
-        })
-    }
-
-    pub fn rules(&self) -> &Vec<Rule> {
-        &self.config.rules
-    }
-
-    pub fn groups(&self) -> &BTreeMap<String, Group> {
-        &self.config.groups
-    }
-
-    pub fn ipsets(&self) -> &BTreeMap<String, Ipset> {
-        &self.config.ipsets
-    }
-
-    pub fn alias(&self, name: &str) -> Option<&Alias> {
-        self.config.alias(name)
-    }
-
-    pub fn is_enabled(&self) -> bool {
-        self.config
-            .options
-            .enable
-            .unwrap_or(CLUSTER_ENABLED_DEFAULT)
-    }
-
-    /// returns the ebtables option from the cluster config or [`CLUSTER_EBTABLES_DEFAULT`] if
-    /// unset
-    ///
-    /// this setting is leftover from the old firewall, but has no effect on the nftables firewall
-    pub fn ebtables(&self) -> bool {
-        self.config
-            .options
-            .ebtables
-            .unwrap_or(CLUSTER_EBTABLES_DEFAULT)
-    }
-
-    /// returns policy_in / out or [`CLUSTER_POLICY_IN_DEFAULT`] / [`CLUSTER_POLICY_OUT_DEFAULT`] if
-    /// unset
-    pub fn default_policy(&self, dir: Direction) -> Verdict {
-        match dir {
-            Direction::In => self
-                .config
-                .options
-                .policy_in
-                .unwrap_or(CLUSTER_POLICY_IN_DEFAULT),
-            Direction::Out => self
-                .config
-                .options
-                .policy_out
-                .unwrap_or(CLUSTER_POLICY_OUT_DEFAULT),
-        }
-    }
-
-    /// returns the rate_limit for logs or [`None`] if rate limiting is disabled
-    ///
-    /// If there is no rate limit set, then [`LogRateLimit::default`] is used
-    pub fn log_ratelimit(&self) -> Option<LogRateLimit> {
-        let rate_limit = self
-            .config
-            .options
-            .log_ratelimit
-            .clone()
-            .unwrap_or_default();
-
-        match rate_limit.enabled() {
-            true => Some(rate_limit),
-            false => None,
-        }
-    }
-}
-
-#[derive(Debug, Default, Deserialize)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Options {
-    #[serde(default, with = "serde_option_bool")]
-    enable: Option<bool>,
-
-    #[serde(default, with = "serde_option_bool")]
-    ebtables: Option<bool>,
-
-    #[serde(default, with = "serde_option_log_ratelimit")]
-    log_ratelimit: Option<LogRateLimit>,
-
-    policy_in: Option<Verdict>,
-    policy_out: Option<Verdict>,
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::firewall::types::{
-        address::IpList,
-        alias::{AliasName, AliasScope},
-        ipset::{IpsetAddress, IpsetEntry},
-        log::{LogLevel, LogRateLimitTimescale},
-        rule::{Kind, RuleGroup},
-        rule_match::{
-            Icmpv6, Icmpv6Code, IpAddrMatch, IpMatch, Ports, Protocol, RuleMatch, Tcp, Udp,
-        },
-        Cidr,
-    };
-
-    use super::*;
-
-    #[test]
-    fn test_parse_config() {
-        const CONFIG: &str = r#"
-[OPTIONS]
-enable: 1
-log_ratelimit: 1,rate=10/second,burst=20
-ebtables: 0
-policy_in: REJECT
-policy_out: REJECT
-
-[ALIASES]
-
-another 8.8.8.18
-analias 7.7.0.0/16 # much
-wide cccc::/64
-
-[IPSET a-set]
-
-!5.5.5.5
-1.2.3.4/30
-dc/analias # a comment
-dc/wide
-dddd::/96
-
-[RULES]
-
-GROUP tgr -i eth0 # acomm
-IN ACCEPT -p udp -dport 33 -sport 22 -log warning
-
-[group tgr] # comment for tgr
-
-|OUT ACCEPT -source fe80::1/48 -dest dddd:3:3::9/64 -p icmpv6 -log nolog -icmp-type port-unreachable
-OUT ACCEPT -p tcp -sport 33 -log nolog
-IN BGP(REJECT) -log crit -source 1.2.3.4
-"#;
-
-        let mut config = CONFIG.as_bytes();
-        let config = Config::parse(&mut config).unwrap();
-
-        assert_eq!(
-            config.config.options,
-            Options {
-                ebtables: Some(false),
-                enable: Some(true),
-                log_ratelimit: Some(LogRateLimit::new(
-                    true,
-                    10,
-                    LogRateLimitTimescale::Second,
-                    20
-                )),
-                policy_in: Some(Verdict::Reject),
-                policy_out: Some(Verdict::Reject),
-            }
-        );
-
-        assert_eq!(config.config.aliases.len(), 3);
-
-        assert_eq!(
-            config.config.aliases["another"],
-            Alias::new("another", Cidr::new_v4([8, 8, 8, 18], 32).unwrap(), None),
-        );
-
-        assert_eq!(
-            config.config.aliases["analias"],
-            Alias::new(
-                "analias",
-                Cidr::new_v4([7, 7, 0, 0], 16).unwrap(),
-                "much".to_string()
-            ),
-        );
-
-        assert_eq!(
-            config.config.aliases["wide"],
-            Alias::new(
-                "wide",
-                Cidr::new_v6(
-                    [0xCCCC, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x000],
-                    64
-                )
-                .unwrap(),
-                None
-            ),
-        );
-
-        assert_eq!(config.config.ipsets.len(), 1);
-
-        let mut ipset_elements = vec![
-            IpsetEntry {
-                nomatch: true,
-                address: Cidr::new_v4([5, 5, 5, 5], 32).unwrap().into(),
-                comment: None,
-            },
-            IpsetEntry {
-                nomatch: false,
-                address: Cidr::new_v4([1, 2, 3, 4], 30).unwrap().into(),
-                comment: None,
-            },
-            IpsetEntry {
-                nomatch: false,
-                address: IpsetAddress::Alias(AliasName::new(AliasScope::Datacenter, "analias")),
-                comment: Some("a comment".to_string()),
-            },
-            IpsetEntry {
-                nomatch: false,
-                address: IpsetAddress::Alias(AliasName::new(AliasScope::Datacenter, "wide")),
-                comment: None,
-            },
-            IpsetEntry {
-                nomatch: false,
-                address: Cidr::new_v6([0xdd, 0xdd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 96)
-                    .unwrap()
-                    .into(),
-                comment: None,
-            },
-        ];
-
-        let mut ipset = Ipset::from_parts(IpsetScope::Datacenter, "a-set");
-        ipset.append(&mut ipset_elements);
-
-        assert_eq!(config.config.ipsets["a-set"], ipset,);
-
-        assert_eq!(config.config.rules.len(), 2);
-
-        assert_eq!(
-            config.config.rules[0],
-            Rule {
-                disabled: false,
-                comment: Some("acomm".to_string()),
-                kind: Kind::Group(RuleGroup {
-                    group: "tgr".to_string(),
-                    iface: Some("eth0".to_string()),
-                }),
-            },
-        );
-
-        assert_eq!(
-            config.config.rules[1],
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    proto: Some(Protocol::Udp(Udp::new(Ports::from_u16(22, 33)))),
-                    log: Some(LogLevel::Warning),
-                    ..Default::default()
-                }),
-            },
-        );
-
-        assert_eq!(config.config.groups.len(), 1);
-
-        let entry = &config.config.groups["tgr"];
-        assert_eq!(entry.comment(), Some("comment for tgr"));
-        assert_eq!(entry.rules().len(), 3);
-
-        assert_eq!(
-            entry.rules()[0],
-            Rule {
-                disabled: true,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::Out,
-                    verdict: Verdict::Accept,
-                    ip: Some(IpMatch {
-                        src: Some(IpAddrMatch::Ip(IpList::from(
-                            Cidr::new_v6(
-                                [0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
-                                48
-                            )
-                            .unwrap()
-                        ))),
-                        dst: Some(IpAddrMatch::Ip(IpList::from(
-                            Cidr::new_v6(
-                                [0xdd, 0xdd, 0, 3, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9],
-                                64
-                            )
-                            .unwrap()
-                        ))),
-                    }),
-                    proto: Some(Protocol::Icmpv6(Icmpv6::new_code(Icmpv6Code::Named(
-                        "port-unreachable"
-                    )))),
-                    log: Some(LogLevel::Nolog),
-                    ..Default::default()
-                }),
-            },
-        );
-        assert_eq!(
-            entry.rules()[1],
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::Out,
-                    verdict: Verdict::Accept,
-                    proto: Some(Protocol::Tcp(Tcp::new(Ports::from_u16(33, None)))),
-                    log: Some(LogLevel::Nolog),
-                    ..Default::default()
-                }),
-            },
-        );
-
-        assert_eq!(
-            entry.rules()[2],
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Reject,
-                    log: Some(LogLevel::Critical),
-                    fw_macro: Some("BGP".to_string()),
-                    ip: Some(IpMatch {
-                        src: Some(IpAddrMatch::Ip(IpList::from(
-                            Cidr::new_v4([1, 2, 3, 4], 32).unwrap()
-                        ))),
-                        dst: None,
-                    }),
-                    ..Default::default()
-                }),
-            },
-        );
-
-        let empty_config = Config::parse("".as_bytes()).expect("empty config is invalid");
-
-        assert_eq!(empty_config.config.options, Options::default());
-        assert!(empty_config.config.rules.is_empty());
-        assert!(empty_config.config.aliases.is_empty());
-        assert!(empty_config.config.ipsets.is_empty());
-        assert!(empty_config.config.groups.is_empty());
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/common.rs b/proxmox-ve-config/src/firewall/common.rs
deleted file mode 100644
index a08f19c..0000000
--- a/proxmox-ve-config/src/firewall/common.rs
+++ /dev/null
@@ -1,184 +0,0 @@
-use std::collections::{BTreeMap, HashMap};
-use std::io;
-
-use anyhow::{bail, format_err, Error};
-use serde::de::IntoDeserializer;
-
-use crate::firewall::parse::{parse_named_section_tail, split_key_value, SomeString};
-use crate::firewall::types::ipset::{IpsetName, IpsetScope};
-use crate::firewall::types::{Alias, Group, Ipset, Rule};
-
-#[derive(Debug, Default)]
-pub struct Config<O>
-where
-    O: Default + std::fmt::Debug + serde::de::DeserializeOwned,
-{
-    pub(crate) options: O,
-    pub(crate) rules: Vec<Rule>,
-    pub(crate) aliases: BTreeMap<String, Alias>,
-    pub(crate) ipsets: BTreeMap<String, Ipset>,
-    pub(crate) groups: BTreeMap<String, Group>,
-}
-
-enum Sec {
-    None,
-    Options,
-    Aliases,
-    Rules,
-    Ipset(String, Ipset),
-    Group(String, Group),
-}
-
-#[derive(Default)]
-pub struct ParserConfig {
-    /// Network interfaces must be of the form `netX`.
-    pub guest_iface_names: bool,
-    pub ipset_scope: Option<IpsetScope>,
-}
-
-impl<O> Config<O>
-where
-    O: Default + std::fmt::Debug + serde::de::DeserializeOwned,
-{
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn parse<R: io::BufRead>(input: R, parser_cfg: &ParserConfig) -> Result<Self, Error> {
-        let mut section = Sec::None;
-
-        let mut this = Self::new();
-        let mut options = HashMap::new();
-
-        for line in input.lines() {
-            let line = line?;
-            let line = line.trim();
-
-            if line.is_empty() || line.starts_with('#') {
-                continue;
-            }
-
-            log::trace!("parsing config line {line}");
-
-            if line.eq_ignore_ascii_case("[OPTIONS]") {
-                this.set_section(&mut section, Sec::Options)?;
-            } else if line.eq_ignore_ascii_case("[ALIASES]") {
-                this.set_section(&mut section, Sec::Aliases)?;
-            } else if line.eq_ignore_ascii_case("[RULES]") {
-                this.set_section(&mut section, Sec::Rules)?;
-            } else if let Some(line) = line.strip_prefix("[IPSET") {
-                let (name, comment) = parse_named_section_tail("ipset", line)?;
-
-                let scope = parser_cfg.ipset_scope.ok_or_else(|| {
-                    format_err!("IPSET in config, but no scope set in parser config")
-                })?;
-
-                let ipset_name = IpsetName::new(scope, name.to_string());
-                let mut ipset = Ipset::new(ipset_name);
-                ipset.comment = comment.map(str::to_owned);
-
-                this.set_section(&mut section, Sec::Ipset(name.to_string(), ipset))?;
-            } else if let Some(line) = line.strip_prefix("[group") {
-                let (name, comment) = parse_named_section_tail("group", line)?;
-                let mut group = Group::new();
-
-                group.set_comment(comment.map(str::to_owned));
-
-                this.set_section(&mut section, Sec::Group(name.to_owned(), group))?;
-            } else if line.starts_with('[') {
-                bail!("invalid section {line:?}");
-            } else {
-                match &mut section {
-                    Sec::None => bail!("config line with no section: {line:?}"),
-                    Sec::Options => Self::parse_option(line, &mut options)?,
-                    Sec::Aliases => this.parse_alias(line)?,
-                    Sec::Rules => this.parse_rule(line, parser_cfg)?,
-                    Sec::Ipset(_name, ipset) => ipset.parse_entry(line)?,
-                    Sec::Group(_name, group) => group.parse_entry(line)?,
-                }
-            }
-        }
-        this.set_section(&mut section, Sec::None)?;
-
-        this.options = O::deserialize(IntoDeserializer::<
-            '_,
-            crate::firewall::parse::SerdeStringError,
-        >::into_deserializer(options))?;
-
-        Ok(this)
-    }
-
-    fn parse_option(line: &str, options: &mut HashMap<String, SomeString>) -> Result<(), Error> {
-        let (key, value) = split_key_value(line)
-            .ok_or_else(|| format_err!("expected colon separated key and value, found {line:?}"))?;
-
-        if options.insert(key.to_string(), value.into()).is_some() {
-            bail!("duplicate option {key:?}");
-        }
-
-        Ok(())
-    }
-
-    fn parse_alias(&mut self, line: &str) -> Result<(), Error> {
-        let alias: Alias = line.parse()?;
-
-        if self
-            .aliases
-            .insert(alias.name().to_string(), alias)
-            .is_some()
-        {
-            bail!("duplicate alias: {line}");
-        }
-
-        Ok(())
-    }
-
-    fn parse_rule(&mut self, line: &str, parser_cfg: &ParserConfig) -> Result<(), Error> {
-        let rule: Rule = line.parse()?;
-
-        if parser_cfg.guest_iface_names {
-            if let Some(iface) = rule.iface() {
-                let _ = iface
-                    .strip_prefix("net")
-                    .ok_or_else(|| {
-                        format_err!("interface name must be of the form \"net<number>\"")
-                    })?
-                    .parse::<u16>()
-                    .map_err(|_| {
-                        format_err!("interface name must be of the form \"net<number>\"")
-                    })?;
-            }
-        }
-
-        self.rules.push(rule);
-        Ok(())
-    }
-
-    fn set_section(&mut self, sec: &mut Sec, to: Sec) -> Result<(), Error> {
-        let prev = std::mem::replace(sec, to);
-
-        match prev {
-            Sec::Ipset(name, ipset) => {
-                if self.ipsets.insert(name.clone(), ipset).is_some() {
-                    bail!("duplicate ipset: {name:?}");
-                }
-            }
-            Sec::Group(name, group) => {
-                if self.groups.insert(name.clone(), group).is_some() {
-                    bail!("duplicate group: {name:?}");
-                }
-            }
-            _ => (),
-        }
-
-        Ok(())
-    }
-
-    pub fn ipsets(&self) -> &BTreeMap<String, Ipset> {
-        &self.ipsets
-    }
-
-    pub fn alias(&self, name: &str) -> Option<&Alias> {
-        self.aliases.get(name)
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/ct_helper.rs b/proxmox-ve-config/src/firewall/ct_helper.rs
deleted file mode 100644
index 40e4fee..0000000
--- a/proxmox-ve-config/src/firewall/ct_helper.rs
+++ /dev/null
@@ -1,115 +0,0 @@
-use anyhow::{bail, Error};
-use serde::Deserialize;
-use std::collections::HashMap;
-use std::sync::OnceLock;
-
-use crate::firewall::types::address::Family;
-use crate::firewall::types::rule_match::{Ports, Protocol, Tcp, Udp};
-
-#[derive(Clone, Debug, Deserialize)]
-pub struct CtHelperMacroJson {
-    pub v4: Option<bool>,
-    pub v6: Option<bool>,
-    pub name: String,
-    pub tcp: Option<u16>,
-    pub udp: Option<u16>,
-}
-
-impl TryFrom<CtHelperMacroJson> for CtHelperMacro {
-    type Error = Error;
-
-    fn try_from(value: CtHelperMacroJson) -> Result<Self, Self::Error> {
-        if value.tcp.is_none() && value.udp.is_none() {
-            bail!("Neither TCP nor UDP port set in CT helper!");
-        }
-
-        let family = match (value.v4, value.v6) {
-            (Some(true), Some(true)) => None,
-            (Some(true), _) => Some(Family::V4),
-            (_, Some(true)) => Some(Family::V6),
-            _ => bail!("Neither v4 nor v6 set in CT Helper Macro!"),
-        };
-
-        let mut ct_helper = CtHelperMacro {
-            family,
-            name: value.name,
-            tcp: None,
-            udp: None,
-        };
-
-        if let Some(dport) = value.tcp {
-            let ports = Ports::from_u16(None, dport);
-            ct_helper.tcp = Some(Tcp::new(ports).into());
-        }
-
-        if let Some(dport) = value.udp {
-            let ports = Ports::from_u16(None, dport);
-            ct_helper.udp = Some(Udp::new(ports).into());
-        }
-
-        Ok(ct_helper)
-    }
-}
-
-#[derive(Clone, Debug, Deserialize)]
-#[serde(try_from = "CtHelperMacroJson")]
-pub struct CtHelperMacro {
-    family: Option<Family>,
-    name: String,
-    tcp: Option<Protocol>,
-    udp: Option<Protocol>,
-}
-
-impl CtHelperMacro {
-    fn helper_name(&self, protocol: &str) -> String {
-        format!("helper-{}-{protocol}", self.name)
-    }
-
-    pub fn tcp_helper_name(&self) -> String {
-        self.helper_name("tcp")
-    }
-
-    pub fn udp_helper_name(&self) -> String {
-        self.helper_name("udp")
-    }
-
-    pub fn family(&self) -> Option<Family> {
-        self.family
-    }
-
-    pub fn name(&self) -> &str {
-        self.name.as_ref()
-    }
-
-    pub fn tcp(&self) -> Option<&Protocol> {
-        self.tcp.as_ref()
-    }
-
-    pub fn udp(&self) -> Option<&Protocol> {
-        self.udp.as_ref()
-    }
-}
-
-fn hashmap() -> &'static HashMap<String, CtHelperMacro> {
-    const MACROS: &str = include_str!("../../resources/ct_helper.json");
-    static HASHMAP: OnceLock<HashMap<String, CtHelperMacro>> = OnceLock::new();
-
-    HASHMAP.get_or_init(|| {
-        let macro_data: Vec<CtHelperMacro> = match serde_json::from_str(MACROS) {
-            Ok(data) => data,
-            Err(err) => {
-                log::error!("could not load data for ct helpers: {err}");
-                Vec::new()
-            }
-        };
-
-        macro_data
-            .into_iter()
-            .map(|elem| (elem.name.clone(), elem))
-            .collect()
-    })
-}
-
-pub fn get_cthelper(name: &str) -> Option<&'static CtHelperMacro> {
-    hashmap().get(name)
-}
diff --git a/proxmox-ve-config/src/firewall/fw_macros.rs b/proxmox-ve-config/src/firewall/fw_macros.rs
deleted file mode 100644
index 5fa8dab..0000000
--- a/proxmox-ve-config/src/firewall/fw_macros.rs
+++ /dev/null
@@ -1,69 +0,0 @@
-use std::collections::HashMap;
-
-use serde::Deserialize;
-use std::sync::OnceLock;
-
-use crate::firewall::types::rule_match::Protocol;
-
-use super::types::rule_match::RuleOptions;
-
-#[derive(Clone, Debug, Default, Deserialize)]
-struct FwMacroData {
-    #[serde(rename = "desc")]
-    pub description: &'static str,
-    pub code: Vec<RuleOptions>,
-}
-
-#[derive(Clone, Debug, Default)]
-pub struct FwMacro {
-    pub _description: &'static str,
-    pub code: Vec<Protocol>,
-}
-
-fn macros() -> &'static HashMap<String, FwMacro> {
-    const MACROS: &str = include_str!("../../resources/macros.json");
-    static HASHMAP: OnceLock<HashMap<String, FwMacro>> = OnceLock::new();
-
-    HASHMAP.get_or_init(|| {
-        let macro_data: HashMap<String, FwMacroData> = match serde_json::from_str(MACROS) {
-            Ok(m) => m,
-            Err(err) => {
-                log::error!("could not load data for macros: {err}");
-                HashMap::new()
-            }
-        };
-
-        let mut macros = HashMap::new();
-
-        'outer: for (name, data) in macro_data {
-            let mut code = Vec::new();
-
-            for c in data.code {
-                match Protocol::from_options(&c) {
-                    Ok(Some(p)) => code.push(p),
-                    Ok(None) => {
-                        continue 'outer;
-                    }
-                    Err(err) => {
-                        log::error!("could not parse data for macro {name}: {err}");
-                        continue 'outer;
-                    }
-                }
-            }
-
-            macros.insert(
-                name,
-                FwMacro {
-                    _description: data.description,
-                    code,
-                },
-            );
-        }
-
-        macros
-    })
-}
-
-pub fn get_macro(name: &str) -> Option<&'static FwMacro> {
-    macros().get(name)
-}
diff --git a/proxmox-ve-config/src/firewall/guest.rs b/proxmox-ve-config/src/firewall/guest.rs
deleted file mode 100644
index c7e282f..0000000
--- a/proxmox-ve-config/src/firewall/guest.rs
+++ /dev/null
@@ -1,237 +0,0 @@
-use std::collections::BTreeMap;
-use std::io;
-
-use crate::guest::types::Vmid;
-use crate::guest::vm::NetworkConfig;
-
-use crate::firewall::types::alias::{Alias, AliasName};
-use crate::firewall::types::ipset::IpsetScope;
-use crate::firewall::types::log::LogLevel;
-use crate::firewall::types::rule::{Direction, Rule, Verdict};
-use crate::firewall::types::Ipset;
-
-use anyhow::{bail, Error};
-use serde::Deserialize;
-
-use crate::firewall::parse::serde_option_bool;
-
-/// default return value for [`Config::is_enabled()`]
-pub const GUEST_ENABLED_DEFAULT: bool = false;
-/// default return value for [`Config::allow_ndp()`]
-pub const GUEST_ALLOW_NDP_DEFAULT: bool = true;
-/// default return value for [`Config::allow_dhcp()`]
-pub const GUEST_ALLOW_DHCP_DEFAULT: bool = true;
-/// default return value for [`Config::allow_ra()`]
-pub const GUEST_ALLOW_RA_DEFAULT: bool = false;
-/// default return value for [`Config::macfilter()`]
-pub const GUEST_MACFILTER_DEFAULT: bool = true;
-/// default return value for [`Config::ipfilter()`]
-pub const GUEST_IPFILTER_DEFAULT: bool = false;
-/// default return value for [`Config::default_policy()`]
-pub const GUEST_POLICY_IN_DEFAULT: Verdict = Verdict::Drop;
-/// default return value for [`Config::default_policy()`]
-pub const GUEST_POLICY_OUT_DEFAULT: Verdict = Verdict::Accept;
-
-#[derive(Debug, Default, Deserialize)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Options {
-    #[serde(default, with = "serde_option_bool")]
-    dhcp: Option<bool>,
-
-    #[serde(default, with = "serde_option_bool")]
-    enable: Option<bool>,
-
-    #[serde(default, with = "serde_option_bool")]
-    ipfilter: Option<bool>,
-
-    #[serde(default, with = "serde_option_bool")]
-    ndp: Option<bool>,
-
-    #[serde(default, with = "serde_option_bool")]
-    radv: Option<bool>,
-
-    log_level_in: Option<LogLevel>,
-    log_level_out: Option<LogLevel>,
-
-    #[serde(default, with = "serde_option_bool")]
-    macfilter: Option<bool>,
-
-    #[serde(rename = "policy_in")]
-    policy_in: Option<Verdict>,
-
-    #[serde(rename = "policy_out")]
-    policy_out: Option<Verdict>,
-}
-
-#[derive(Debug)]
-pub struct Config {
-    vmid: Vmid,
-
-    /// The interface prefix: "veth" for containers, "tap" for VMs.
-    iface_prefix: &'static str,
-
-    network_config: NetworkConfig,
-    config: super::common::Config<Options>,
-}
-
-impl Config {
-    pub fn parse<T: io::BufRead, U: io::BufRead>(
-        vmid: &Vmid,
-        iface_prefix: &'static str,
-        firewall_input: T,
-        network_input: U,
-    ) -> Result<Self, Error> {
-        let parser_cfg = super::common::ParserConfig {
-            guest_iface_names: true,
-            ipset_scope: Some(IpsetScope::Guest),
-        };
-
-        let config = super::common::Config::parse(firewall_input, &parser_cfg)?;
-        if !config.groups.is_empty() {
-            bail!("guest firewall config cannot declare groups");
-        }
-
-        let network_config = NetworkConfig::parse(network_input)?;
-
-        Ok(Self {
-            vmid: *vmid,
-            iface_prefix,
-            config,
-            network_config,
-        })
-    }
-
-    pub fn vmid(&self) -> Vmid {
-        self.vmid
-    }
-
-    pub fn alias(&self, name: &AliasName) -> Option<&Alias> {
-        self.config.alias(name.name())
-    }
-
-    pub fn iface_name_by_key(&self, key: &str) -> Result<String, Error> {
-        let index = NetworkConfig::index_from_net_key(key)?;
-        Ok(format!("{}{}i{index}", self.iface_prefix, self.vmid))
-    }
-
-    pub fn iface_name_by_index(&self, index: i64) -> String {
-        format!("{}{}i{index}", self.iface_prefix, self.vmid)
-    }
-
-    /// returns the value of the enabled config key or [`GUEST_ENABLED_DEFAULT`] if unset
-    pub fn is_enabled(&self) -> bool {
-        self.config.options.enable.unwrap_or(GUEST_ENABLED_DEFAULT)
-    }
-
-    pub fn rules(&self) -> &[Rule] {
-        &self.config.rules
-    }
-
-    pub fn log_level(&self, dir: Direction) -> LogLevel {
-        match dir {
-            Direction::In => self.config.options.log_level_in.unwrap_or_default(),
-            Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
-        }
-    }
-
-    /// returns the value of the ndp config key or [`GUEST_ALLOW_NDP_DEFAULT`] if unset
-    pub fn allow_ndp(&self) -> bool {
-        self.config.options.ndp.unwrap_or(GUEST_ALLOW_NDP_DEFAULT)
-    }
-
-    /// returns the value of the dhcp config key or [`GUEST_ALLOW_DHCP_DEFAULT`] if unset
-    pub fn allow_dhcp(&self) -> bool {
-        self.config.options.dhcp.unwrap_or(GUEST_ALLOW_DHCP_DEFAULT)
-    }
-
-    /// returns the value of the radv config key or [`GUEST_ALLOW_RA_DEFAULT`] if unset
-    pub fn allow_ra(&self) -> bool {
-        self.config.options.radv.unwrap_or(GUEST_ALLOW_RA_DEFAULT)
-    }
-
-    /// returns the value of the macfilter config key or [`GUEST_MACFILTER_DEFAULT`] if unset
-    pub fn macfilter(&self) -> bool {
-        self.config
-            .options
-            .macfilter
-            .unwrap_or(GUEST_MACFILTER_DEFAULT)
-    }
-
-    /// returns the value of the ipfilter config key or [`GUEST_IPFILTER_DEFAULT`] if unset
-    pub fn ipfilter(&self) -> bool {
-        self.config
-            .options
-            .ipfilter
-            .unwrap_or(GUEST_IPFILTER_DEFAULT)
-    }
-
-    /// returns the value of the policy_in/out config key or
-    /// [`GUEST_POLICY_IN_DEFAULT`] / [`GUEST_POLICY_OUT_DEFAULT`] if unset
-    pub fn default_policy(&self, dir: Direction) -> Verdict {
-        match dir {
-            Direction::In => self
-                .config
-                .options
-                .policy_in
-                .unwrap_or(GUEST_POLICY_IN_DEFAULT),
-            Direction::Out => self
-                .config
-                .options
-                .policy_out
-                .unwrap_or(GUEST_POLICY_OUT_DEFAULT),
-        }
-    }
-
-    pub fn network_config(&self) -> &NetworkConfig {
-        &self.network_config
-    }
-
-    pub fn ipsets(&self) -> &BTreeMap<String, Ipset> {
-        self.config.ipsets()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_config() {
-        // most of the stuff is already tested in cluster parsing, only testing
-        // guest specific options here
-        const CONFIG: &str = r#"
-[OPTIONS]
-enable: 1
-dhcp: 1
-ipfilter: 0
-log_level_in: emerg
-log_level_out: crit
-macfilter: 0
-ndp:1
-radv:1
-policy_in: REJECT
-policy_out: REJECT
-"#;
-
-        let config = CONFIG.as_bytes();
-        let network_config: Vec<u8> = Vec::new();
-        let config =
-            Config::parse(&Vmid::new(100), "tap", config, network_config.as_slice()).unwrap();
-
-        assert_eq!(
-            config.config.options,
-            Options {
-                dhcp: Some(true),
-                enable: Some(true),
-                ipfilter: Some(false),
-                ndp: Some(true),
-                radv: Some(true),
-                log_level_in: Some(LogLevel::Emergency),
-                log_level_out: Some(LogLevel::Critical),
-                macfilter: Some(false),
-                policy_in: Some(Verdict::Reject),
-                policy_out: Some(Verdict::Reject),
-            }
-        );
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/host.rs b/proxmox-ve-config/src/firewall/host.rs
deleted file mode 100644
index 3de6fad..0000000
--- a/proxmox-ve-config/src/firewall/host.rs
+++ /dev/null
@@ -1,372 +0,0 @@
-use std::io;
-use std::net::IpAddr;
-
-use anyhow::{bail, Error};
-use serde::Deserialize;
-
-use crate::host::utils::{host_ips, network_interface_cidrs};
-use proxmox_sys::nodename;
-
-use crate::firewall::parse;
-use crate::firewall::types::log::LogLevel;
-use crate::firewall::types::rule::Direction;
-use crate::firewall::types::{Alias, Cidr, Rule};
-
-/// default setting for the enabled key
-pub const HOST_ENABLED_DEFAULT: bool = true;
-/// default setting for the nftables key
-pub const HOST_NFTABLES_DEFAULT: bool = false;
-/// default return value for [`Config::allow_ndp()`]
-pub const HOST_ALLOW_NDP_DEFAULT: bool = true;
-/// default return value for [`Config::block_smurfs()`]
-pub const HOST_BLOCK_SMURFS_DEFAULT: bool = true;
-/// default return value for [`Config::block_synflood()`]
-pub const HOST_BLOCK_SYNFLOOD_DEFAULT: bool = false;
-/// default rate limit for synflood rule (packets / second)
-pub const HOST_BLOCK_SYNFLOOD_RATE_DEFAULT: i64 = 200;
-/// default rate limit for synflood rule (packets / second)
-pub const HOST_BLOCK_SYNFLOOD_BURST_DEFAULT: i64 = 1000;
-/// default return value for [`Config::block_invalid_tcp()`]
-pub const HOST_BLOCK_INVALID_TCP_DEFAULT: bool = false;
-/// default return value for [`Config::block_invalid_conntrack()`]
-pub const HOST_BLOCK_INVALID_CONNTRACK: bool = false;
-/// default setting for logging of invalid conntrack entries
-pub const HOST_LOG_INVALID_CONNTRACK: bool = false;
-
-#[derive(Debug, Default, Deserialize)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Options {
-    #[serde(default, with = "parse::serde_option_bool")]
-    enable: Option<bool>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    nftables: Option<bool>,
-
-    log_level_in: Option<LogLevel>,
-    log_level_out: Option<LogLevel>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    log_nf_conntrack: Option<bool>,
-    #[serde(default, with = "parse::serde_option_bool")]
-    ndp: Option<bool>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    nf_conntrack_allow_invalid: Option<bool>,
-
-    // is Option<Vec<>> for easier deserialization
-    #[serde(default, with = "parse::serde_option_conntrack_helpers")]
-    nf_conntrack_helpers: Option<Vec<String>>,
-
-    #[serde(default, with = "parse::serde_option_number")]
-    nf_conntrack_max: Option<i64>,
-    #[serde(default, with = "parse::serde_option_number")]
-    nf_conntrack_tcp_timeout_established: Option<i64>,
-    #[serde(default, with = "parse::serde_option_number")]
-    nf_conntrack_tcp_timeout_syn_recv: Option<i64>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    nosmurfs: Option<bool>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    protection_synflood: Option<bool>,
-    #[serde(default, with = "parse::serde_option_number")]
-    protection_synflood_burst: Option<i64>,
-    #[serde(default, with = "parse::serde_option_number")]
-    protection_synflood_rate: Option<i64>,
-
-    smurf_log_level: Option<LogLevel>,
-    tcp_flags_log_level: Option<LogLevel>,
-
-    #[serde(default, with = "parse::serde_option_bool")]
-    tcpflags: Option<bool>,
-}
-
-#[derive(Debug, Default)]
-pub struct Config {
-    pub(crate) config: super::common::Config<Options>,
-}
-
-impl Config {
-    pub fn new() -> Self {
-        Self {
-            config: Default::default(),
-        }
-    }
-
-    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
-        let config = super::common::Config::parse(input, &Default::default())?;
-
-        if !config.groups.is_empty() {
-            bail!("host firewall config cannot declare groups");
-        }
-
-        if !config.aliases.is_empty() {
-            bail!("host firewall config cannot declare aliases");
-        }
-
-        if !config.ipsets.is_empty() {
-            bail!("host firewall config cannot declare ipsets");
-        }
-
-        Ok(Self { config })
-    }
-
-    pub fn rules(&self) -> &[Rule] {
-        &self.config.rules
-    }
-
-    pub fn management_ips() -> Result<Vec<Cidr>, Error> {
-        let mut management_cidrs = Vec::new();
-
-        for host_ip in host_ips() {
-            for network_interface_cidr in network_interface_cidrs() {
-                match (host_ip, network_interface_cidr) {
-                    (IpAddr::V4(ip), Cidr::Ipv4(cidr)) => {
-                        if cidr.contains_address(&ip) {
-                            management_cidrs.push(network_interface_cidr);
-                        }
-                    }
-                    (IpAddr::V6(ip), Cidr::Ipv6(cidr)) => {
-                        if cidr.contains_address(&ip) {
-                            management_cidrs.push(network_interface_cidr);
-                        }
-                    }
-                    _ => continue,
-                };
-            }
-        }
-
-        Ok(management_cidrs)
-    }
-
-    pub fn hostname() -> &'static str {
-        nodename()
-    }
-
-    pub fn get_alias(&self, name: &str) -> Option<&Alias> {
-        self.config.alias(name)
-    }
-
-    /// returns value of enabled key or [`HOST_ENABLED_DEFAULT`] if unset
-    pub fn is_enabled(&self) -> bool {
-        self.config.options.enable.unwrap_or(HOST_ENABLED_DEFAULT)
-    }
-
-    /// returns value of nftables key or [`HOST_NFTABLES_DEFAULT`] if unset
-    pub fn nftables(&self) -> bool {
-        self.config
-            .options
-            .nftables
-            .unwrap_or(HOST_NFTABLES_DEFAULT)
-    }
-
-    /// returns value of ndp key or [`HOST_ALLOW_NDP_DEFAULT`] if unset
-    pub fn allow_ndp(&self) -> bool {
-        self.config.options.ndp.unwrap_or(HOST_ALLOW_NDP_DEFAULT)
-    }
-
-    /// returns value of nosmurfs key or [`HOST_BLOCK_SMURFS_DEFAULT`] if unset
-    pub fn block_smurfs(&self) -> bool {
-        self.config
-            .options
-            .nosmurfs
-            .unwrap_or(HOST_BLOCK_SMURFS_DEFAULT)
-    }
-
-    /// returns the log level for the smurf protection rule
-    ///
-    /// If there is no log level set, it returns [`LogLevel::default()`]
-    pub fn block_smurfs_log_level(&self) -> LogLevel {
-        self.config.options.smurf_log_level.unwrap_or_default()
-    }
-
-    /// returns value of protection_synflood key or [`HOST_BLOCK_SYNFLOOD_DEFAULT`] if unset
-    pub fn block_synflood(&self) -> bool {
-        self.config
-            .options
-            .protection_synflood
-            .unwrap_or(HOST_BLOCK_SYNFLOOD_DEFAULT)
-    }
-
-    /// returns value of protection_synflood_rate key or [`HOST_BLOCK_SYNFLOOD_RATE_DEFAULT`] if
-    /// unset
-    pub fn synflood_rate(&self) -> i64 {
-        self.config
-            .options
-            .protection_synflood_rate
-            .unwrap_or(HOST_BLOCK_SYNFLOOD_RATE_DEFAULT)
-    }
-
-    /// returns value of protection_synflood_burst key or [`HOST_BLOCK_SYNFLOOD_BURST_DEFAULT`] if
-    /// unset
-    pub fn synflood_burst(&self) -> i64 {
-        self.config
-            .options
-            .protection_synflood_burst
-            .unwrap_or(HOST_BLOCK_SYNFLOOD_BURST_DEFAULT)
-    }
-
-    /// returns value of tcpflags key or [`HOST_BLOCK_INVALID_TCP_DEFAULT`] if unset
-    pub fn block_invalid_tcp(&self) -> bool {
-        self.config
-            .options
-            .tcpflags
-            .unwrap_or(HOST_BLOCK_INVALID_TCP_DEFAULT)
-    }
-
-    /// returns the log level for the block invalid TCP packets rule
-    ///
-    /// If there is no log level set, it returns [`LogLevel::default()`]
-    pub fn block_invalid_tcp_log_level(&self) -> LogLevel {
-        self.config.options.tcp_flags_log_level.unwrap_or_default()
-    }
-
-    /// returns value of nf_conntrack_allow_invalid key or [`HOST_BLOCK_INVALID_CONNTRACK`] if
-    /// unset
-    pub fn block_invalid_conntrack(&self) -> bool {
-        !self
-            .config
-            .options
-            .nf_conntrack_allow_invalid
-            .unwrap_or(HOST_BLOCK_INVALID_CONNTRACK)
-    }
-
-    pub fn nf_conntrack_max(&self) -> Option<i64> {
-        self.config.options.nf_conntrack_max
-    }
-
-    pub fn nf_conntrack_tcp_timeout_established(&self) -> Option<i64> {
-        self.config.options.nf_conntrack_tcp_timeout_established
-    }
-
-    pub fn nf_conntrack_tcp_timeout_syn_recv(&self) -> Option<i64> {
-        self.config.options.nf_conntrack_tcp_timeout_syn_recv
-    }
-
-    /// returns value of log_nf_conntrack key or [`HOST_LOG_INVALID_CONNTRACK`] if unset
-    pub fn log_nf_conntrack(&self) -> bool {
-        self.config
-            .options
-            .log_nf_conntrack
-            .unwrap_or(HOST_LOG_INVALID_CONNTRACK)
-    }
-
-    pub fn conntrack_helpers(&self) -> Option<&Vec<String>> {
-        self.config.options.nf_conntrack_helpers.as_ref()
-    }
-
-    /// returns the log level for the given direction
-    ///
-    /// If there is no log level set it returns [`LogLevel::default()`]
-    pub fn log_level(&self, dir: Direction) -> LogLevel {
-        match dir {
-            Direction::In => self.config.options.log_level_in.unwrap_or_default(),
-            Direction::Out => self.config.options.log_level_out.unwrap_or_default(),
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::firewall::types::{
-        log::LogLevel,
-        rule::{Kind, RuleGroup, Verdict},
-        rule_match::{Ports, Protocol, RuleMatch, Udp},
-    };
-
-    use super::*;
-
-    #[test]
-    fn test_parse_config() {
-        const CONFIG: &str = r#"
-[OPTIONS]
-enable: 1
-nftables: 1
-log_level_in: debug
-log_level_out: emerg
-log_nf_conntrack: 0
-ndp: 1
-nf_conntrack_allow_invalid: yes
-nf_conntrack_helpers: ftp
-nf_conntrack_max: 44000
-nf_conntrack_tcp_timeout_established: 500000
-nf_conntrack_tcp_timeout_syn_recv: 44
-nosmurfs: no
-protection_synflood: 1
-protection_synflood_burst: 2500
-protection_synflood_rate: 300
-smurf_log_level: notice
-tcp_flags_log_level: nolog
-tcpflags: yes
-
-[RULES]
-
-GROUP tgr -i eth0 # acomm
-IN ACCEPT -p udp -dport 33 -sport 22 -log warning
-
-"#;
-
-        let mut config = CONFIG.as_bytes();
-        let config = Config::parse(&mut config).unwrap();
-
-        assert_eq!(
-            config.config.options,
-            Options {
-                enable: Some(true),
-                nftables: Some(true),
-                log_level_in: Some(LogLevel::Debug),
-                log_level_out: Some(LogLevel::Emergency),
-                log_nf_conntrack: Some(false),
-                ndp: Some(true),
-                nf_conntrack_allow_invalid: Some(true),
-                nf_conntrack_helpers: Some(vec!["ftp".to_string()]),
-                nf_conntrack_max: Some(44000),
-                nf_conntrack_tcp_timeout_established: Some(500000),
-                nf_conntrack_tcp_timeout_syn_recv: Some(44),
-                nosmurfs: Some(false),
-                protection_synflood: Some(true),
-                protection_synflood_burst: Some(2500),
-                protection_synflood_rate: Some(300),
-                smurf_log_level: Some(LogLevel::Notice),
-                tcp_flags_log_level: Some(LogLevel::Nolog),
-                tcpflags: Some(true),
-            }
-        );
-
-        assert_eq!(config.config.rules.len(), 2);
-
-        assert_eq!(
-            config.config.rules[0],
-            Rule {
-                disabled: false,
-                comment: Some("acomm".to_string()),
-                kind: Kind::Group(RuleGroup {
-                    group: "tgr".to_string(),
-                    iface: Some("eth0".to_string()),
-                }),
-            },
-        );
-
-        assert_eq!(
-            config.config.rules[1],
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    proto: Some(Protocol::Udp(Udp::new(Ports::from_u16(22, 33)))),
-                    log: Some(LogLevel::Warning),
-                    ..Default::default()
-                }),
-            },
-        );
-
-        Config::parse("[ALIASES]\ntest 127.0.0.1".as_bytes())
-            .expect_err("host config cannot contain aliases");
-
-        Config::parse("[GROUP test]".as_bytes()).expect_err("host config cannot contain groups");
-
-        Config::parse("[IPSET test]".as_bytes()).expect_err("host config cannot contain ipsets");
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/mod.rs b/proxmox-ve-config/src/firewall/mod.rs
deleted file mode 100644
index 2cf57e2..0000000
--- a/proxmox-ve-config/src/firewall/mod.rs
+++ /dev/null
@@ -1,10 +0,0 @@
-pub mod cluster;
-pub mod common;
-pub mod ct_helper;
-pub mod fw_macros;
-pub mod guest;
-pub mod host;
-pub mod ports;
-pub mod types;
-
-pub(crate) mod parse;
diff --git a/proxmox-ve-config/src/firewall/parse.rs b/proxmox-ve-config/src/firewall/parse.rs
deleted file mode 100644
index 7bf00c0..0000000
--- a/proxmox-ve-config/src/firewall/parse.rs
+++ /dev/null
@@ -1,494 +0,0 @@
-use std::fmt;
-
-use anyhow::{bail, format_err, Error};
-
-const NAME_SPECIAL_CHARACTERS: [u8; 2] = [b'-', b'_'];
-
-/// Parses out a "name" which can be alphanumeric and include dashes.
-///
-/// Returns `None` if the name part would be empty.
-///
-/// Returns a tuple with the name and the remainder (not trimmed).
-///
-/// # Examples
-/// ```ignore
-/// assert_eq!(match_name("some-name someremainder"), Some(("some-name", " someremainder")));
-/// assert_eq!(match_name("some-name@someremainder"), Some(("some-name", "@someremainder")));
-/// assert_eq!(match_name(""), None);
-/// assert_eq!(match_name(" someremainder"), None);
-/// ```
-pub fn match_name(line: &str) -> Option<(&str, &str)> {
-    if !line.starts_with(|c: char| c.is_ascii_alphabetic()) {
-        return None;
-    }
-
-    let end = line
-        .as_bytes()
-        .iter()
-        .position(|&b| !(b.is_ascii_alphanumeric() || NAME_SPECIAL_CHARACTERS.contains(&b)));
-
-    let (name, rest) = match end {
-        Some(end) => line.split_at(end),
-        None => (line, ""),
-    };
-
-    if name.is_empty() {
-        None
-    } else {
-        Some((name, rest))
-    }
-}
-
-/// Parses up to the next whitespace character or end of the string.
-///
-/// Returns `None` if the non-whitespace part would be empty.
-///
-/// Returns a tuple containing the parsed section and the *trimmed* remainder.
-pub fn match_non_whitespace(line: &str) -> Option<(&str, &str)> {
-    let (text, rest) = line
-        .as_bytes()
-        .iter()
-        .position(|&b| b.is_ascii_whitespace())
-        .map(|pos| {
-            let (a, b) = line.split_at(pos);
-            (a, b.trim_start())
-        })
-        .unwrap_or((line, ""));
-    if text.is_empty() {
-        None
-    } else {
-        Some((text, rest))
-    }
-}
-
-/// parses out all digits and returns the remainder
-///
-/// returns [`None`] if the digit part would be empty
-///
-/// Returns a tuple with the digits and the remainder (not trimmed).
-pub fn match_digits(line: &str) -> Option<(&str, &str)> {
-    let split_position = line.as_bytes().iter().position(|&b| !b.is_ascii_digit());
-
-    let (digits, rest) = match split_position {
-        Some(pos) => line.split_at(pos),
-        None => (line, ""),
-    };
-
-    if !digits.is_empty() {
-        return Some((digits, rest));
-    }
-
-    None
-}
-
-/// Separate a `key: value` line, trimming whitespace.
-///
-/// Returns `None` if the `key` would be empty.
-pub fn split_key_value(line: &str) -> Option<(&str, &str)> {
-    line.split_once(':')
-        .map(|(key, value)| (key.trim(), value.trim()))
-}
-
-/// Parse a boolean.
-///
-/// values that parse as [`false`]: 0, false, off, no
-/// values that parse as [`true`]: 1, true, on, yes
-///
-/// # Examples
-/// ```ignore
-/// assert_eq!(parse_bool("false"), Ok(false));
-/// assert_eq!(parse_bool("on"), Ok(true));
-/// assert!(parse_bool("proxmox").is_err());
-/// ```
-pub fn parse_bool(value: &str) -> Result<bool, Error> {
-    Ok(
-        if value == "0"
-            || value.eq_ignore_ascii_case("false")
-            || value.eq_ignore_ascii_case("off")
-            || value.eq_ignore_ascii_case("no")
-        {
-            false
-        } else if value == "1"
-            || value.eq_ignore_ascii_case("true")
-            || value.eq_ignore_ascii_case("on")
-            || value.eq_ignore_ascii_case("yes")
-        {
-            true
-        } else {
-            bail!("not a boolean: {value:?}");
-        },
-    )
-}
-
-/// Parse the *remainder* of a section line, that is `<whitespace>NAME] #optional comment`.
-/// The `kind` parameter is used for error messages and should be the section type.
-///
-/// Return the name and the optional comment.
-pub fn parse_named_section_tail<'a>(
-    kind: &'static str,
-    line: &'a str,
-) -> Result<(&'a str, Option<&'a str>), Error> {
-    if line.is_empty() || !line.as_bytes()[0].is_ascii_whitespace() {
-        bail!("incomplete {kind} section");
-    }
-
-    let line = line.trim_start();
-    let (name, line) = match_name(line)
-        .ok_or_else(|| format_err!("expected a name for the {kind} at {line:?}"))?;
-
-    let line = line
-        .strip_prefix(']')
-        .ok_or_else(|| format_err!("expected closing ']' in {kind} section header"))?
-        .trim_start();
-
-    Ok(match line.strip_prefix('#') {
-        Some(comment) => (name, Some(comment.trim())),
-        None if !line.is_empty() => bail!("trailing characters after {kind} section: {line:?}"),
-        None => (name, None),
-    })
-}
-
-// parses a number from a string OR number
-pub mod serde_option_number {
-    use std::fmt;
-
-    use serde::de::{Deserializer, Error, Visitor};
-
-    pub fn deserialize<'de, D: Deserializer<'de>>(
-        deserializer: D,
-    ) -> Result<Option<i64>, D::Error> {
-        struct V;
-
-        impl<'de> Visitor<'de> for V {
-            type Value = Option<i64>;
-
-            fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
-                f.write_str("a numerical value")
-            }
-
-            fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
-                v.parse().map_err(E::custom).map(Some)
-            }
-
-            fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
-                Ok(None)
-            }
-
-            fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
-            where
-                D: Deserializer<'de>,
-            {
-                deserializer.deserialize_any(self)
-            }
-        }
-
-        deserializer.deserialize_any(V)
-    }
-}
-
-// parses a bool from a string OR bool
-pub mod serde_option_bool {
-    use std::fmt;
-
-    use serde::de::{Deserializer, Error, Visitor};
-
-    pub fn deserialize<'de, D: Deserializer<'de>>(
-        deserializer: D,
-    ) -> Result<Option<bool>, D::Error> {
-        struct V;
-
-        impl<'de> Visitor<'de> for V {
-            type Value = Option<bool>;
-
-            fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
-                f.write_str("a boolean-like value")
-            }
-
-            fn visit_bool<E: Error>(self, v: bool) -> Result<Self::Value, E> {
-                Ok(Some(v))
-            }
-
-            fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
-                super::parse_bool(v).map_err(E::custom).map(Some)
-            }
-
-            fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
-                Ok(None)
-            }
-
-            fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
-            where
-                D: Deserializer<'de>,
-            {
-                deserializer.deserialize_any(self)
-            }
-        }
-
-        deserializer.deserialize_any(V)
-    }
-}
-
-// parses a comma_separated list of strings
-pub mod serde_option_conntrack_helpers {
-    use std::fmt;
-
-    use serde::de::{Deserializer, Error, Visitor};
-
-    pub fn deserialize<'de, D: Deserializer<'de>>(
-        deserializer: D,
-    ) -> Result<Option<Vec<String>>, D::Error> {
-        struct V;
-
-        impl<'de> Visitor<'de> for V {
-            type Value = Option<Vec<String>>;
-
-            fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
-                f.write_str("A list of conntrack helpers")
-            }
-
-            fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
-                if v.is_empty() {
-                    return Ok(None);
-                }
-
-                Ok(Some(v.split(',').map(String::from).collect()))
-            }
-
-            fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
-                Ok(None)
-            }
-
-            fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
-            where
-                D: Deserializer<'de>,
-            {
-                deserializer.deserialize_any(self)
-            }
-        }
-
-        deserializer.deserialize_any(V)
-    }
-}
-
-// parses a log_ratelimit string: '[enable=]<1|0> [,burst=<integer>] [,rate=<rate>]'
-pub mod serde_option_log_ratelimit {
-    use std::fmt;
-
-    use serde::de::{Deserializer, Error, Visitor};
-
-    use crate::firewall::types::log::LogRateLimit;
-
-    pub fn deserialize<'de, D: Deserializer<'de>>(
-        deserializer: D,
-    ) -> Result<Option<LogRateLimit>, D::Error> {
-        struct V;
-
-        impl<'de> Visitor<'de> for V {
-            type Value = Option<LogRateLimit>;
-
-            fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
-                f.write_str("a boolean-like value")
-            }
-
-            fn visit_str<E: Error>(self, v: &str) -> Result<Self::Value, E> {
-                v.parse().map_err(E::custom).map(Some)
-            }
-
-            fn visit_none<E: Error>(self) -> Result<Self::Value, E> {
-                Ok(None)
-            }
-
-            fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
-            where
-                D: Deserializer<'de>,
-            {
-                deserializer.deserialize_any(self)
-            }
-        }
-
-        deserializer.deserialize_any(V)
-    }
-}
-
-/// `&str` deserializer which also accepts an `Option`.
-///
-/// Serde's `StringDeserializer` does not.
-#[derive(Clone, Copy, Debug)]
-pub struct SomeStrDeserializer<'a, E>(serde::de::value::StrDeserializer<'a, E>);
-
-impl<'de, 'a, E> serde::de::Deserializer<'de> for SomeStrDeserializer<'a, E>
-where
-    E: serde::de::Error,
-{
-    type Error = E;
-
-    fn deserialize_any<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_any(visitor)
-    }
-
-    fn deserialize_option<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        visitor.visit_some(self.0)
-    }
-
-    fn deserialize_str<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_str(visitor)
-    }
-
-    fn deserialize_string<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_string(visitor)
-    }
-
-    fn deserialize_enum<V>(
-        self,
-        _name: &str,
-        _variants: &'static [&'static str],
-        visitor: V,
-    ) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        visitor.visit_enum(self.0)
-    }
-
-    serde::forward_to_deserialize_any! {
-        bool i8 i16 i32 i64 i128 u8 u16 u32 u64 u128 f32 f64 char
-        bytes byte_buf unit unit_struct newtype_struct seq tuple
-        tuple_struct map struct identifier ignored_any
-    }
-}
-
-/// `&str` wrapper which implements `IntoDeserializer` via `SomeStrDeserializer`.
-#[derive(Clone, Debug)]
-pub struct SomeStr<'a>(pub &'a str);
-
-impl<'a> From<&'a str> for SomeStr<'a> {
-    fn from(s: &'a str) -> Self {
-        Self(s)
-    }
-}
-
-impl<'de, 'a, E> serde::de::IntoDeserializer<'de, E> for SomeStr<'a>
-where
-    E: serde::de::Error,
-{
-    type Deserializer = SomeStrDeserializer<'a, E>;
-
-    fn into_deserializer(self) -> Self::Deserializer {
-        SomeStrDeserializer(self.0.into_deserializer())
-    }
-}
-
-/// `String` deserializer which also accepts an `Option`.
-///
-/// Serde's `StringDeserializer` does not.
-#[derive(Clone, Debug)]
-pub struct SomeStringDeserializer<E>(serde::de::value::StringDeserializer<E>);
-
-impl<'de, E> serde::de::Deserializer<'de> for SomeStringDeserializer<E>
-where
-    E: serde::de::Error,
-{
-    type Error = E;
-
-    fn deserialize_any<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_any(visitor)
-    }
-
-    fn deserialize_option<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        visitor.visit_some(self.0)
-    }
-
-    fn deserialize_str<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_str(visitor)
-    }
-
-    fn deserialize_string<V>(self, visitor: V) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        self.0.deserialize_string(visitor)
-    }
-
-    fn deserialize_enum<V>(
-        self,
-        _name: &str,
-        _variants: &'static [&'static str],
-        visitor: V,
-    ) -> Result<V::Value, Self::Error>
-    where
-        V: serde::de::Visitor<'de>,
-    {
-        visitor.visit_enum(self.0)
-    }
-
-    serde::forward_to_deserialize_any! {
-        bool i8 i16 i32 i64 i128 u8 u16 u32 u64 u128 f32 f64 char
-        bytes byte_buf unit unit_struct newtype_struct seq tuple
-        tuple_struct map struct identifier ignored_any
-    }
-}
-
-/// `&str` wrapper which implements `IntoDeserializer` via `SomeStringDeserializer`.
-#[derive(Clone, Debug)]
-pub struct SomeString(pub String);
-
-impl From<&str> for SomeString {
-    fn from(s: &str) -> Self {
-        Self::from(s.to_string())
-    }
-}
-
-impl From<String> for SomeString {
-    fn from(s: String) -> Self {
-        Self(s)
-    }
-}
-
-impl<'de, E> serde::de::IntoDeserializer<'de, E> for SomeString
-where
-    E: serde::de::Error,
-{
-    type Deserializer = SomeStringDeserializer<E>;
-
-    fn into_deserializer(self) -> Self::Deserializer {
-        SomeStringDeserializer(self.0.into_deserializer())
-    }
-}
-
-#[derive(Debug)]
-pub struct SerdeStringError(String);
-
-impl std::error::Error for SerdeStringError {}
-
-impl fmt::Display for SerdeStringError {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        f.write_str(&self.0)
-    }
-}
-
-impl serde::de::Error for SerdeStringError {
-    fn custom<T: fmt::Display>(msg: T) -> Self {
-        Self(msg.to_string())
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/ports.rs b/proxmox-ve-config/src/firewall/ports.rs
deleted file mode 100644
index 9d5d1be..0000000
--- a/proxmox-ve-config/src/firewall/ports.rs
+++ /dev/null
@@ -1,80 +0,0 @@
-use anyhow::{format_err, Error};
-use std::sync::OnceLock;
-
-#[derive(Default)]
-struct NamedPorts {
-    ports: std::collections::HashMap<String, u16>,
-}
-
-impl NamedPorts {
-    fn new() -> Self {
-        use std::io::BufRead;
-
-        log::trace!("loading /etc/services");
-
-        let mut this = Self::default();
-
-        let file = match std::fs::File::open("/etc/services") {
-            Ok(file) => file,
-            Err(_) => return this,
-        };
-
-        for line in std::io::BufReader::new(file).lines() {
-            let line = match line {
-                Ok(line) => line,
-                Err(_) => break,
-            };
-
-            let line = line.trim_start();
-
-            if line.is_empty() || line.starts_with('#') {
-                continue;
-            }
-
-            let mut parts = line.split_ascii_whitespace();
-
-            let name = match parts.next() {
-                None => continue,
-                Some(name) => name.to_string(),
-            };
-
-            let proto: u16 = match parts.next() {
-                None => continue,
-                Some(proto) => match proto.split('/').next() {
-                    None => continue,
-                    Some(num) => match num.parse() {
-                        Ok(num) => num,
-                        Err(_) => continue,
-                    },
-                },
-            };
-
-            this.ports.insert(name, proto);
-            for alias in parts {
-                if alias.starts_with('#') {
-                    break;
-                }
-                this.ports.insert(alias.to_string(), proto);
-            }
-        }
-
-        this
-    }
-
-    fn find(&self, name: &str) -> Option<u16> {
-        self.ports.get(name).copied()
-    }
-}
-
-fn named_ports() -> &'static NamedPorts {
-    static NAMED_PORTS: OnceLock<NamedPorts> = OnceLock::new();
-
-    NAMED_PORTS.get_or_init(NamedPorts::new)
-}
-
-/// Parse a named port with the help of `/etc/services`.
-pub fn parse_named_port(name: &str) -> Result<u16, Error> {
-    named_ports()
-        .find(name)
-        .ok_or_else(|| format_err!("unknown port name {name:?}"))
-}
diff --git a/proxmox-ve-config/src/firewall/types/address.rs b/proxmox-ve-config/src/firewall/types/address.rs
deleted file mode 100644
index e48ac1b..0000000
--- a/proxmox-ve-config/src/firewall/types/address.rs
+++ /dev/null
@@ -1,615 +0,0 @@
-use std::fmt;
-use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
-use std::ops::Deref;
-
-use anyhow::{bail, format_err, Error};
-use serde_with::DeserializeFromStr;
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq)]
-pub enum Family {
-    V4,
-    V6,
-}
-
-impl fmt::Display for Family {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Family::V4 => f.write_str("Ipv4"),
-            Family::V6 => f.write_str("Ipv6"),
-        }
-    }
-}
-
-#[derive(Clone, Copy, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum Cidr {
-    Ipv4(Ipv4Cidr),
-    Ipv6(Ipv6Cidr),
-}
-
-impl Cidr {
-    pub fn new_v4(addr: impl Into<Ipv4Addr>, mask: u8) -> Result<Self, Error> {
-        Ok(Cidr::Ipv4(Ipv4Cidr::new(addr, mask)?))
-    }
-
-    pub fn new_v6(addr: impl Into<Ipv6Addr>, mask: u8) -> Result<Self, Error> {
-        Ok(Cidr::Ipv6(Ipv6Cidr::new(addr, mask)?))
-    }
-
-    pub const fn family(&self) -> Family {
-        match self {
-            Cidr::Ipv4(_) => Family::V4,
-            Cidr::Ipv6(_) => Family::V6,
-        }
-    }
-
-    pub fn is_ipv4(&self) -> bool {
-        matches!(self, Cidr::Ipv4(_))
-    }
-
-    pub fn is_ipv6(&self) -> bool {
-        matches!(self, Cidr::Ipv6(_))
-    }
-}
-
-impl fmt::Display for Cidr {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Self::Ipv4(ip) => f.write_str(ip.to_string().as_str()),
-            Self::Ipv6(ip) => f.write_str(ip.to_string().as_str()),
-        }
-    }
-}
-
-impl std::str::FromStr for Cidr {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if let Ok(ip) = s.parse::<Ipv4Cidr>() {
-            return Ok(Cidr::Ipv4(ip));
-        }
-
-        if let Ok(ip) = s.parse::<Ipv6Cidr>() {
-            return Ok(Cidr::Ipv6(ip));
-        }
-
-        bail!("invalid ip address or CIDR: {s:?}");
-    }
-}
-
-impl From<Ipv4Cidr> for Cidr {
-    fn from(cidr: Ipv4Cidr) -> Self {
-        Cidr::Ipv4(cidr)
-    }
-}
-
-impl From<Ipv6Cidr> for Cidr {
-    fn from(cidr: Ipv6Cidr) -> Self {
-        Cidr::Ipv6(cidr)
-    }
-}
-
-const IPV4_LENGTH: u8 = 32;
-
-#[derive(Clone, Copy, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Ipv4Cidr {
-    addr: Ipv4Addr,
-    mask: u8,
-}
-
-impl Ipv4Cidr {
-    pub fn new(addr: impl Into<Ipv4Addr>, mask: u8) -> Result<Self, Error> {
-        if mask > 32 {
-            bail!("mask out of range for ipv4 cidr ({mask})");
-        }
-
-        Ok(Self {
-            addr: addr.into(),
-            mask,
-        })
-    }
-
-    pub fn contains_address(&self, other: &Ipv4Addr) -> bool {
-        let bits = u32::from_be_bytes(self.addr.octets());
-        let other_bits = u32::from_be_bytes(other.octets());
-
-        let shift_amount: u32 = IPV4_LENGTH.saturating_sub(self.mask).into();
-
-        bits.checked_shr(shift_amount).unwrap_or(0)
-            == other_bits.checked_shr(shift_amount).unwrap_or(0)
-    }
-
-    pub fn address(&self) -> &Ipv4Addr {
-        &self.addr
-    }
-
-    pub fn mask(&self) -> u8 {
-        self.mask
-    }
-}
-
-impl<T: Into<Ipv4Addr>> From<T> for Ipv4Cidr {
-    fn from(value: T) -> Self {
-        Self {
-            addr: value.into(),
-            mask: 32,
-        }
-    }
-}
-
-impl std::str::FromStr for Ipv4Cidr {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        Ok(match s.find('/') {
-            None => Self {
-                addr: s.parse()?,
-                mask: 32,
-            },
-            Some(pos) => {
-                let mask: u8 = s[(pos + 1)..]
-                    .parse()
-                    .map_err(|_| format_err!("invalid mask in ipv4 cidr: {s:?}"))?;
-
-                Self::new(s[..pos].parse::<Ipv4Addr>()?, mask)?
-            }
-        })
-    }
-}
-
-impl fmt::Display for Ipv4Cidr {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        write!(f, "{}/{}", &self.addr, self.mask)
-    }
-}
-
-const IPV6_LENGTH: u8 = 128;
-
-#[derive(Clone, Copy, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Ipv6Cidr {
-    addr: Ipv6Addr,
-    mask: u8,
-}
-
-impl Ipv6Cidr {
-    pub fn new(addr: impl Into<Ipv6Addr>, mask: u8) -> Result<Self, Error> {
-        if mask > IPV6_LENGTH {
-            bail!("mask out of range for ipv6 cidr");
-        }
-
-        Ok(Self {
-            addr: addr.into(),
-            mask,
-        })
-    }
-
-    pub fn contains_address(&self, other: &Ipv6Addr) -> bool {
-        let bits = u128::from_be_bytes(self.addr.octets());
-        let other_bits = u128::from_be_bytes(other.octets());
-
-        let shift_amount: u32 = IPV6_LENGTH.saturating_sub(self.mask).into();
-
-        bits.checked_shr(shift_amount).unwrap_or(0)
-            == other_bits.checked_shr(shift_amount).unwrap_or(0)
-    }
-
-    pub fn address(&self) -> &Ipv6Addr {
-        &self.addr
-    }
-
-    pub fn mask(&self) -> u8 {
-        self.mask
-    }
-}
-
-impl std::str::FromStr for Ipv6Cidr {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        Ok(match s.find('/') {
-            None => Self {
-                addr: s.parse()?,
-                mask: 128,
-            },
-            Some(pos) => {
-                let mask: u8 = s[(pos + 1)..]
-                    .parse()
-                    .map_err(|_| format_err!("invalid mask in ipv6 cidr: {s:?}"))?;
-
-                Self::new(s[..pos].parse::<Ipv6Addr>()?, mask)?
-            }
-        })
-    }
-}
-
-impl fmt::Display for Ipv6Cidr {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        write!(f, "{}/{}", &self.addr, self.mask)
-    }
-}
-
-impl<T: Into<Ipv6Addr>> From<T> for Ipv6Cidr {
-    fn from(addr: T) -> Self {
-        Self {
-            addr: addr.into(),
-            mask: 128,
-        }
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum IpEntry {
-    Cidr(Cidr),
-    Range(IpAddr, IpAddr),
-}
-
-impl std::str::FromStr for IpEntry {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if s.is_empty() {
-            bail!("Empty IP specification!")
-        }
-
-        let entries: Vec<&str> = s
-            .split('-')
-            .take(3) // so we can check whether there are too many
-            .collect();
-
-        match entries.as_slice() {
-            [cidr] => Ok(IpEntry::Cidr(cidr.parse()?)),
-            [beg, end] => {
-                if let Ok(beg) = beg.parse::<Ipv4Addr>() {
-                    if let Ok(end) = end.parse::<Ipv4Addr>() {
-                        if beg < end {
-                            return Ok(IpEntry::Range(beg.into(), end.into()));
-                        }
-
-                        bail!("start address is greater than end address!");
-                    }
-                }
-
-                if let Ok(beg) = beg.parse::<Ipv6Addr>() {
-                    if let Ok(end) = end.parse::<Ipv6Addr>() {
-                        if beg < end {
-                            return Ok(IpEntry::Range(beg.into(), end.into()));
-                        }
-
-                        bail!("start address is greater than end address!");
-                    }
-                }
-
-                bail!("start and end are not valid IP addresses of the same type!")
-            }
-            _ => bail!("Invalid amount of elements in IpEntry!"),
-        }
-    }
-}
-
-impl fmt::Display for IpEntry {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Self::Cidr(ip) => write!(f, "{ip}"),
-            Self::Range(beg, end) => write!(f, "{beg}-{end}"),
-        }
-    }
-}
-
-impl IpEntry {
-    fn family(&self) -> Family {
-        match self {
-            Self::Cidr(cidr) => cidr.family(),
-            Self::Range(start, end) => {
-                if start.is_ipv4() && end.is_ipv4() {
-                    return Family::V4;
-                }
-
-                if start.is_ipv6() && end.is_ipv6() {
-                    return Family::V6;
-                }
-
-                // should never be reached due to constructors validating that
-                // start type == end type
-                unreachable!("invalid IP entry")
-            }
-        }
-    }
-}
-
-impl From<Cidr> for IpEntry {
-    fn from(value: Cidr) -> Self {
-        IpEntry::Cidr(value)
-    }
-}
-
-#[derive(Clone, Debug, DeserializeFromStr)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct IpList {
-    // guaranteed to have the same family
-    entries: Vec<IpEntry>,
-    family: Family,
-}
-
-impl Deref for IpList {
-    type Target = Vec<IpEntry>;
-
-    fn deref(&self) -> &Self::Target {
-        &self.entries
-    }
-}
-
-impl<T: Into<IpEntry>> From<T> for IpList {
-    fn from(value: T) -> Self {
-        let entry = value.into();
-
-        Self {
-            family: entry.family(),
-            entries: vec![entry],
-        }
-    }
-}
-
-impl std::str::FromStr for IpList {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if s.is_empty() {
-            bail!("Empty IP specification!")
-        }
-
-        let mut entries = Vec::new();
-        let mut current_family = None;
-
-        for element in s.split(',') {
-            let entry: IpEntry = element.parse()?;
-
-            if let Some(family) = current_family {
-                if family != entry.family() {
-                    bail!("Incompatible families in IPList!")
-                }
-            } else {
-                current_family = Some(entry.family());
-            }
-
-            entries.push(entry);
-        }
-
-        if entries.is_empty() {
-            bail!("empty ip list")
-        }
-
-        Ok(IpList {
-            entries,
-            family: current_family.unwrap(), // must be set due to length check above
-        })
-    }
-}
-
-impl IpList {
-    pub fn new(entries: Vec<IpEntry>) -> Result<Self, Error> {
-        let family = entries.iter().try_fold(None, |result, entry| {
-            if let Some(family) = result {
-                if entry.family() != family {
-                    bail!("non-matching families in entries list");
-                }
-
-                Ok(Some(family))
-            } else {
-                Ok(Some(entry.family()))
-            }
-        })?;
-
-        if let Some(family) = family {
-            return Ok(Self { entries, family });
-        }
-
-        bail!("no elements in ip list entries");
-    }
-
-    pub fn family(&self) -> Family {
-        self.family
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::net::{Ipv4Addr, Ipv6Addr};
-
-    #[test]
-    fn test_v4_cidr() {
-        let mut cidr: Ipv4Cidr = "0.0.0.0/0".parse().expect("valid IPv4 CIDR");
-
-        assert_eq!(cidr.addr, Ipv4Addr::new(0, 0, 0, 0));
-        assert_eq!(cidr.mask, 0);
-
-        assert!(cidr.contains_address(&Ipv4Addr::new(0, 0, 0, 0)));
-        assert!(cidr.contains_address(&Ipv4Addr::new(255, 255, 255, 255)));
-
-        cidr = "192.168.100.1".parse().expect("valid IPv4 CIDR");
-
-        assert_eq!(cidr.addr, Ipv4Addr::new(192, 168, 100, 1));
-        assert_eq!(cidr.mask, 32);
-
-        assert!(cidr.contains_address(&Ipv4Addr::new(192, 168, 100, 1)));
-        assert!(!cidr.contains_address(&Ipv4Addr::new(192, 168, 100, 2)));
-        assert!(!cidr.contains_address(&Ipv4Addr::new(192, 168, 100, 0)));
-
-        cidr = "10.100.5.0/24".parse().expect("valid IPv4 CIDR");
-
-        assert_eq!(cidr.mask, 24);
-
-        assert!(cidr.contains_address(&Ipv4Addr::new(10, 100, 5, 0)));
-        assert!(cidr.contains_address(&Ipv4Addr::new(10, 100, 5, 1)));
-        assert!(cidr.contains_address(&Ipv4Addr::new(10, 100, 5, 100)));
-        assert!(cidr.contains_address(&Ipv4Addr::new(10, 100, 5, 255)));
-        assert!(!cidr.contains_address(&Ipv4Addr::new(10, 100, 4, 255)));
-        assert!(!cidr.contains_address(&Ipv4Addr::new(10, 100, 6, 0)));
-
-        "0.0.0.0/-1".parse::<Ipv4Cidr>().unwrap_err();
-        "0.0.0.0/33".parse::<Ipv4Cidr>().unwrap_err();
-        "256.256.256.256/10".parse::<Ipv4Cidr>().unwrap_err();
-
-        "fe80::1/64".parse::<Ipv4Cidr>().unwrap_err();
-        "qweasd".parse::<Ipv4Cidr>().unwrap_err();
-        "".parse::<Ipv4Cidr>().unwrap_err();
-    }
-
-    #[test]
-    fn test_v6_cidr() {
-        let mut cidr: Ipv6Cidr = "abab::1/64".parse().expect("valid IPv6 CIDR");
-
-        assert_eq!(cidr.addr, Ipv6Addr::new(0xABAB, 0, 0, 0, 0, 0, 0, 1));
-        assert_eq!(cidr.mask, 64);
-
-        assert!(cidr.contains_address(&Ipv6Addr::new(0xABAB, 0, 0, 0, 0, 0, 0, 0)));
-        assert!(cidr.contains_address(&Ipv6Addr::new(
-            0xABAB, 0, 0, 0, 0xAAAA, 0xAAAA, 0xAAAA, 0xAAAA
-        )));
-        assert!(cidr.contains_address(&Ipv6Addr::new(
-            0xABAB, 0, 0, 0, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF
-        )));
-        assert!(!cidr.contains_address(&Ipv6Addr::new(0xABAB, 0, 0, 1, 0, 0, 0, 0)));
-        assert!(!cidr.contains_address(&Ipv6Addr::new(
-            0xABAA, 0, 0, 0, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF
-        )));
-
-        cidr = "eeee::1".parse().expect("valid IPv6 CIDR");
-
-        assert_eq!(cidr.mask, 128);
-
-        assert!(cidr.contains_address(&Ipv6Addr::new(0xEEEE, 0, 0, 0, 0, 0, 0, 1)));
-        assert!(!cidr.contains_address(&Ipv6Addr::new(
-            0xEEED, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF
-        )));
-        assert!(!cidr.contains_address(&Ipv6Addr::new(0xEEEE, 0, 0, 0, 0, 0, 0, 0)));
-
-        "eeee::1/-1".parse::<Ipv6Cidr>().unwrap_err();
-        "eeee::1/129".parse::<Ipv6Cidr>().unwrap_err();
-        "gggg::1/64".parse::<Ipv6Cidr>().unwrap_err();
-
-        "192.168.0.1".parse::<Ipv6Cidr>().unwrap_err();
-        "qweasd".parse::<Ipv6Cidr>().unwrap_err();
-        "".parse::<Ipv6Cidr>().unwrap_err();
-    }
-
-    #[test]
-    fn test_parse_ip_entry() {
-        let mut entry: IpEntry = "10.0.0.1".parse().expect("valid IP entry");
-
-        assert_eq!(entry, Cidr::new_v4([10, 0, 0, 1], 32).unwrap().into());
-
-        entry = "10.0.0.0/16".parse().expect("valid IP entry");
-
-        assert_eq!(entry, Cidr::new_v4([10, 0, 0, 0], 16).unwrap().into());
-
-        entry = "192.168.0.1-192.168.99.255"
-            .parse()
-            .expect("valid IP entry");
-
-        assert_eq!(
-            entry,
-            IpEntry::Range([192, 168, 0, 1].into(), [192, 168, 99, 255].into())
-        );
-
-        entry = "fe80::1".parse().expect("valid IP entry");
-
-        assert_eq!(
-            entry,
-            Cidr::new_v6([0xFE80, 0, 0, 0, 0, 0, 0, 1], 128)
-                .unwrap()
-                .into()
-        );
-
-        entry = "fe80::1/48".parse().expect("valid IP entry");
-
-        assert_eq!(
-            entry,
-            Cidr::new_v6([0xFE80, 0, 0, 0, 0, 0, 0, 1], 48)
-                .unwrap()
-                .into()
-        );
-
-        entry = "fd80::1-fd80::ffff".parse().expect("valid IP entry");
-
-        assert_eq!(
-            entry,
-            IpEntry::Range(
-                [0xFD80, 0, 0, 0, 0, 0, 0, 1].into(),
-                [0xFD80, 0, 0, 0, 0, 0, 0, 0xFFFF].into(),
-            )
-        );
-
-        "192.168.100.0-192.168.99.255"
-            .parse::<IpEntry>()
-            .unwrap_err();
-        "192.168.100.0-fe80::1".parse::<IpEntry>().unwrap_err();
-        "192.168.100.0-192.168.200.0/16"
-            .parse::<IpEntry>()
-            .unwrap_err();
-        "192.168.100.0-192.168.200.0-192.168.250.0"
-            .parse::<IpEntry>()
-            .unwrap_err();
-        "qweasd".parse::<IpEntry>().unwrap_err();
-    }
-
-    #[test]
-    fn test_parse_ip_list() {
-        let mut ip_list: IpList = "192.168.0.1,192.168.100.0/24,172.16.0.0-172.32.255.255"
-            .parse()
-            .expect("valid IP list");
-
-        assert_eq!(
-            ip_list,
-            IpList {
-                entries: vec![
-                    IpEntry::Cidr(Cidr::new_v4([192, 168, 0, 1], 32).unwrap()),
-                    IpEntry::Cidr(Cidr::new_v4([192, 168, 100, 0], 24).unwrap()),
-                    IpEntry::Range([172, 16, 0, 0].into(), [172, 32, 255, 255].into()),
-                ],
-                family: Family::V4,
-            }
-        );
-
-        ip_list = "fe80::1/64".parse().expect("valid IP list");
-
-        assert_eq!(
-            ip_list,
-            IpList {
-                entries: vec![IpEntry::Cidr(
-                    Cidr::new_v6([0xFE80, 0, 0, 0, 0, 0, 0, 1], 64).unwrap()
-                ),],
-                family: Family::V6,
-            }
-        );
-
-        "192.168.0.1,fe80::1".parse::<IpList>().unwrap_err();
-
-        "".parse::<IpList>().unwrap_err();
-        "proxmox".parse::<IpList>().unwrap_err();
-    }
-
-    #[test]
-    fn test_construct_ip_list() {
-        let mut ip_list = IpList::new(vec![Cidr::new_v4([10, 0, 0, 0], 8).unwrap().into()])
-            .expect("valid ip list");
-
-        assert_eq!(ip_list.family(), Family::V4);
-
-        ip_list =
-            IpList::new(vec![Cidr::new_v6([0x000; 8], 8).unwrap().into()]).expect("valid ip list");
-
-        assert_eq!(ip_list.family(), Family::V6);
-
-        IpList::new(vec![]).expect_err("empty ip list is invalid");
-
-        IpList::new(vec![
-            Cidr::new_v4([10, 0, 0, 0], 8).unwrap().into(),
-            Cidr::new_v6([0x0000; 8], 8).unwrap().into(),
-        ])
-        .expect_err("cannot mix ip families in ip list");
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/alias.rs b/proxmox-ve-config/src/firewall/types/alias.rs
deleted file mode 100644
index e6aa30d..0000000
--- a/proxmox-ve-config/src/firewall/types/alias.rs
+++ /dev/null
@@ -1,174 +0,0 @@
-use std::fmt::Display;
-use std::str::FromStr;
-
-use anyhow::{bail, format_err, Error};
-use serde_with::DeserializeFromStr;
-
-use crate::firewall::parse::{match_name, match_non_whitespace};
-use crate::firewall::types::address::Cidr;
-
-#[derive(Debug, Clone)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum AliasScope {
-    Datacenter,
-    Guest,
-}
-
-impl FromStr for AliasScope {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(match s {
-            "dc" => AliasScope::Datacenter,
-            "guest" => AliasScope::Guest,
-            _ => bail!("invalid scope for alias: {s}"),
-        })
-    }
-}
-
-impl Display for AliasScope {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_str(match self {
-            AliasScope::Datacenter => "dc",
-            AliasScope::Guest => "guest",
-        })
-    }
-}
-
-#[derive(Debug, Clone, DeserializeFromStr)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct AliasName {
-    scope: AliasScope,
-    name: String,
-}
-
-impl Display for AliasName {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_fmt(format_args!("{}/{}", self.scope, self.name))
-    }
-}
-
-impl FromStr for AliasName {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s.split_once('/') {
-            Some((prefix, name)) if !name.is_empty() => Ok(Self {
-                scope: prefix.parse()?,
-                name: name.to_string(),
-            }),
-            _ => {
-                bail!("Invalid Alias name!")
-            }
-        }
-    }
-}
-
-impl AliasName {
-    pub fn new(scope: AliasScope, name: impl Into<String>) -> Self {
-        Self {
-            scope,
-            name: name.into(),
-        }
-    }
-
-    pub fn name(&self) -> &str {
-        &self.name
-    }
-
-    pub fn scope(&self) -> &AliasScope {
-        &self.scope
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Alias {
-    name: String,
-    address: Cidr,
-    comment: Option<String>,
-}
-
-impl Alias {
-    pub fn new(
-        name: impl Into<String>,
-        address: impl Into<Cidr>,
-        comment: impl Into<Option<String>>,
-    ) -> Self {
-        Self {
-            name: name.into(),
-            address: address.into(),
-            comment: comment.into(),
-        }
-    }
-
-    pub fn name(&self) -> &str {
-        &self.name
-    }
-
-    pub fn address(&self) -> &Cidr {
-        &self.address
-    }
-
-    pub fn comment(&self) -> Option<&str> {
-        self.comment.as_deref()
-    }
-}
-
-impl FromStr for Alias {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let (name, line) =
-            match_name(s.trim_start()).ok_or_else(|| format_err!("expected an alias name"))?;
-
-        let (address, line) = match_non_whitespace(line.trim_start())
-            .ok_or_else(|| format_err!("expected a value for alias {name:?}"))?;
-
-        let address: Cidr = address.parse()?;
-
-        let line = line.trim_start();
-
-        let comment = match line.strip_prefix('#') {
-            Some(comment) => Some(comment.trim().to_string()),
-            None if !line.is_empty() => bail!("trailing characters in alias: {line:?}"),
-            None => None,
-        };
-
-        Ok(Alias {
-            name: name.to_string(),
-            address,
-            comment,
-        })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_alias() {
-        for alias in [
-            "local_network 10.0.0.0/32",
-            "test-_123-___-a---- 10.0.0.1/32",
-        ] {
-            alias.parse::<Alias>().expect("valid alias");
-        }
-
-        for alias in ["-- 10.0.0.1/32", "0asd 10.0.0.1/32", "__test 10.0.0.0/32"] {
-            alias.parse::<Alias>().expect_err("invalid alias");
-        }
-    }
-
-    #[test]
-    fn test_parse_alias_name() {
-        for name in ["dc/proxmox_123", "guest/proxmox-123"] {
-            name.parse::<AliasName>().expect("valid alias name");
-        }
-
-        for name in ["proxmox/proxmox_123", "guests/proxmox-123", "dc/", "/name"] {
-            name.parse::<AliasName>().expect_err("invalid alias name");
-        }
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/group.rs b/proxmox-ve-config/src/firewall/types/group.rs
deleted file mode 100644
index 7455268..0000000
--- a/proxmox-ve-config/src/firewall/types/group.rs
+++ /dev/null
@@ -1,36 +0,0 @@
-use anyhow::Error;
-
-use crate::firewall::types::Rule;
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Group {
-    rules: Vec<Rule>,
-    comment: Option<String>,
-}
-
-impl Group {
-    pub const fn new() -> Self {
-        Self {
-            rules: Vec::new(),
-            comment: None,
-        }
-    }
-
-    pub fn rules(&self) -> &Vec<Rule> {
-        &self.rules
-    }
-
-    pub fn comment(&self) -> Option<&str> {
-        self.comment.as_deref()
-    }
-
-    pub fn set_comment(&mut self, comment: Option<String>) {
-        self.comment = comment;
-    }
-
-    pub(crate) fn parse_entry(&mut self, line: &str) -> Result<(), Error> {
-        self.rules.push(line.parse()?);
-        Ok(())
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/ipset.rs b/proxmox-ve-config/src/firewall/types/ipset.rs
deleted file mode 100644
index c1af642..0000000
--- a/proxmox-ve-config/src/firewall/types/ipset.rs
+++ /dev/null
@@ -1,349 +0,0 @@
-use core::fmt::Display;
-use std::ops::{Deref, DerefMut};
-use std::str::FromStr;
-
-use anyhow::{bail, format_err, Error};
-use serde_with::DeserializeFromStr;
-
-use crate::firewall::parse::match_non_whitespace;
-use crate::firewall::types::address::Cidr;
-use crate::firewall::types::alias::AliasName;
-use crate::guest::vm::NetworkConfig;
-
-#[derive(Debug, Clone, Copy, Eq, PartialEq)]
-pub enum IpsetScope {
-    Datacenter,
-    Guest,
-}
-
-impl FromStr for IpsetScope {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(match s {
-            "+dc" => IpsetScope::Datacenter,
-            "+guest" => IpsetScope::Guest,
-            _ => bail!("invalid scope for ipset: {s}"),
-        })
-    }
-}
-
-impl Display for IpsetScope {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        let prefix = match self {
-            Self::Datacenter => "dc",
-            Self::Guest => "guest",
-        };
-
-        f.write_str(prefix)
-    }
-}
-
-#[derive(Debug, Clone, DeserializeFromStr)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct IpsetName {
-    pub scope: IpsetScope,
-    pub name: String,
-}
-
-impl IpsetName {
-    pub fn new(scope: IpsetScope, name: impl Into<String>) -> Self {
-        Self {
-            scope,
-            name: name.into(),
-        }
-    }
-
-    pub fn name(&self) -> &str {
-        &self.name
-    }
-
-    pub fn scope(&self) -> IpsetScope {
-        self.scope
-    }
-}
-
-impl FromStr for IpsetName {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s.split_once('/') {
-            Some((prefix, name)) if !name.is_empty() => Ok(Self {
-                scope: prefix.parse()?,
-                name: name.to_string(),
-            }),
-            _ => {
-                bail!("Invalid IPSet name: {s}")
-            }
-        }
-    }
-}
-
-impl Display for IpsetName {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}/{}", self.scope, self.name)
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum IpsetAddress {
-    Alias(AliasName),
-    Cidr(Cidr),
-}
-
-impl FromStr for IpsetAddress {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if let Ok(cidr) = s.parse() {
-            return Ok(IpsetAddress::Cidr(cidr));
-        }
-
-        if let Ok(name) = s.parse() {
-            return Ok(IpsetAddress::Alias(name));
-        }
-
-        bail!("Invalid address in IPSet: {s}")
-    }
-}
-
-impl<T: Into<Cidr>> From<T> for IpsetAddress {
-    fn from(cidr: T) -> Self {
-        IpsetAddress::Cidr(cidr.into())
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct IpsetEntry {
-    pub nomatch: bool,
-    pub address: IpsetAddress,
-    pub comment: Option<String>,
-}
-
-impl<T: Into<IpsetAddress>> From<T> for IpsetEntry {
-    fn from(value: T) -> Self {
-        Self {
-            nomatch: false,
-            address: value.into(),
-            comment: None,
-        }
-    }
-}
-
-impl FromStr for IpsetEntry {
-    type Err = Error;
-
-    fn from_str(line: &str) -> Result<Self, Error> {
-        let line = line.trim_start();
-
-        let (nomatch, line) = match line.strip_prefix('!') {
-            Some(line) => (true, line),
-            None => (false, line),
-        };
-
-        let (address, line) =
-            match_non_whitespace(line.trim_start()).ok_or_else(|| format_err!("missing value"))?;
-
-        let address: IpsetAddress = address.parse()?;
-        let line = line.trim_start();
-
-        let comment = match line.strip_prefix('#') {
-            Some(comment) => Some(comment.trim().to_string()),
-            None if !line.is_empty() => bail!("trailing characters in ipset entry: {line:?}"),
-            None => None,
-        };
-
-        Ok(Self {
-            nomatch,
-            address,
-            comment,
-        })
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Ipfilter<'a> {
-    index: i64,
-    ipset: &'a Ipset,
-}
-
-impl Ipfilter<'_> {
-    pub fn index(&self) -> i64 {
-        self.index
-    }
-
-    pub fn ipset(&self) -> &Ipset {
-        self.ipset
-    }
-
-    pub fn name_for_index(index: i64) -> String {
-        format!("ipfilter-net{index}")
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Ipset {
-    pub name: IpsetName,
-    set: Vec<IpsetEntry>,
-    pub comment: Option<String>,
-}
-
-impl Ipset {
-    pub const fn new(name: IpsetName) -> Self {
-        Self {
-            name,
-            set: Vec::new(),
-            comment: None,
-        }
-    }
-
-    pub fn name(&self) -> &IpsetName {
-        &self.name
-    }
-
-    pub fn from_parts(scope: IpsetScope, name: impl Into<String>) -> Self {
-        Self::new(IpsetName::new(scope, name))
-    }
-
-    pub(crate) fn parse_entry(&mut self, line: &str) -> Result<(), Error> {
-        self.set.push(line.parse()?);
-        Ok(())
-    }
-
-    pub fn ipfilter(&self) -> Option<Ipfilter> {
-        if self.name.scope() != IpsetScope::Guest {
-            return None;
-        }
-
-        let name = self.name.name();
-
-        if let Some(key) = name.strip_prefix("ipfilter-") {
-            let id = NetworkConfig::index_from_net_key(key);
-
-            if let Ok(id) = id {
-                return Some(Ipfilter {
-                    index: id,
-                    ipset: self,
-                });
-            }
-        }
-
-        None
-    }
-}
-
-impl Deref for Ipset {
-    type Target = Vec<IpsetEntry>;
-
-    #[inline]
-    fn deref(&self) -> &Self::Target {
-        &self.set
-    }
-}
-
-impl DerefMut for Ipset {
-    #[inline]
-    fn deref_mut(&mut self) -> &mut Vec<IpsetEntry> {
-        &mut self.set
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_ipset_name() {
-        for test_case in [
-            ("+dc/proxmox-123", IpsetScope::Datacenter, "proxmox-123"),
-            ("+guest/proxmox_123", IpsetScope::Guest, "proxmox_123"),
-        ] {
-            let ipset_name = test_case.0.parse::<IpsetName>().expect("valid ipset name");
-
-            assert_eq!(
-                ipset_name,
-                IpsetName {
-                    scope: test_case.1,
-                    name: test_case.2.to_string(),
-                }
-            )
-        }
-
-        for name in ["+dc/", "+guests/proxmox_123", "guest/proxmox_123"] {
-            name.parse::<IpsetName>().expect_err("invalid ipset name");
-        }
-    }
-
-    #[test]
-    fn test_parse_ipset_address() {
-        let mut ipset_address = "10.0.0.1"
-            .parse::<IpsetAddress>()
-            .expect("valid ipset address");
-        assert!(matches!(ipset_address, IpsetAddress::Cidr(Cidr::Ipv4(..))));
-
-        ipset_address = "fe80::1/64"
-            .parse::<IpsetAddress>()
-            .expect("valid ipset address");
-        assert!(matches!(ipset_address, IpsetAddress::Cidr(Cidr::Ipv6(..))));
-
-        ipset_address = "dc/proxmox-123"
-            .parse::<IpsetAddress>()
-            .expect("valid ipset address");
-        assert!(matches!(ipset_address, IpsetAddress::Alias(..)));
-
-        ipset_address = "guest/proxmox_123"
-            .parse::<IpsetAddress>()
-            .expect("valid ipset address");
-        assert!(matches!(ipset_address, IpsetAddress::Alias(..)));
-    }
-
-    #[test]
-    fn test_ipfilter() {
-        let mut ipset = Ipset::from_parts(IpsetScope::Guest, "ipfilter-net0");
-        ipset.ipfilter().expect("is an ipfilter");
-
-        ipset = Ipset::from_parts(IpsetScope::Guest, "ipfilter-qwe");
-        assert!(ipset.ipfilter().is_none());
-
-        ipset = Ipset::from_parts(IpsetScope::Guest, "proxmox");
-        assert!(ipset.ipfilter().is_none());
-
-        ipset = Ipset::from_parts(IpsetScope::Datacenter, "ipfilter-net0");
-        assert!(ipset.ipfilter().is_none());
-    }
-
-    #[test]
-    fn test_parse_ipset_entry() {
-        let mut entry = "!10.0.0.1 # qweqweasd"
-            .parse::<IpsetEntry>()
-            .expect("valid ipset entry");
-
-        assert_eq!(
-            entry,
-            IpsetEntry {
-                nomatch: true,
-                comment: Some("qweqweasd".to_string()),
-                address: IpsetAddress::Cidr(Cidr::new_v4([10, 0, 0, 1], 32).unwrap())
-            }
-        );
-
-        entry = "fe80::1/48"
-            .parse::<IpsetEntry>()
-            .expect("valid ipset entry");
-
-        assert_eq!(
-            entry,
-            IpsetEntry {
-                nomatch: false,
-                comment: None,
-                address: IpsetAddress::Cidr(
-                    Cidr::new_v6([0xFE80, 0, 0, 0, 0, 0, 0, 1], 48).unwrap()
-                )
-            }
-        )
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/log.rs b/proxmox-ve-config/src/firewall/types/log.rs
deleted file mode 100644
index 72344e4..0000000
--- a/proxmox-ve-config/src/firewall/types/log.rs
+++ /dev/null
@@ -1,222 +0,0 @@
-use std::fmt;
-use std::str::FromStr;
-
-use crate::firewall::parse::parse_bool;
-use anyhow::{bail, Error};
-use serde::{Deserialize, Serialize};
-
-#[derive(Copy, Clone, Debug, Deserialize, Serialize, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-#[serde(rename_all = "lowercase")]
-pub enum LogRateLimitTimescale {
-    #[default]
-    Second,
-    Minute,
-    Hour,
-    Day,
-}
-
-impl FromStr for LogRateLimitTimescale {
-    type Err = Error;
-
-    fn from_str(str: &str) -> Result<Self, Error> {
-        match str {
-            "second" => Ok(LogRateLimitTimescale::Second),
-            "minute" => Ok(LogRateLimitTimescale::Minute),
-            "hour" => Ok(LogRateLimitTimescale::Hour),
-            "day" => Ok(LogRateLimitTimescale::Day),
-            _ => bail!("Invalid time scale provided"),
-        }
-    }
-}
-
-#[derive(Debug, Deserialize, Clone)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct LogRateLimit {
-    enabled: bool,
-    rate: i64, // in packets
-    per: LogRateLimitTimescale,
-    burst: i64, // in packets
-}
-
-impl LogRateLimit {
-    pub fn new(enabled: bool, rate: i64, per: LogRateLimitTimescale, burst: i64) -> Self {
-        Self {
-            enabled,
-            rate,
-            per,
-            burst,
-        }
-    }
-
-    pub fn enabled(&self) -> bool {
-        self.enabled
-    }
-
-    pub fn rate(&self) -> i64 {
-        self.rate
-    }
-
-    pub fn burst(&self) -> i64 {
-        self.burst
-    }
-
-    pub fn per(&self) -> LogRateLimitTimescale {
-        self.per
-    }
-}
-
-impl Default for LogRateLimit {
-    fn default() -> Self {
-        Self {
-            enabled: true,
-            rate: 1,
-            burst: 5,
-            per: LogRateLimitTimescale::Second,
-        }
-    }
-}
-
-impl FromStr for LogRateLimit {
-    type Err = Error;
-
-    fn from_str(str: &str) -> Result<Self, Error> {
-        let mut limit = Self::default();
-
-        for element in str.split(',') {
-            match element.split_once('=') {
-                None => {
-                    limit.enabled = parse_bool(element)?;
-                }
-                Some((key, value)) if !key.is_empty() && !value.is_empty() => match key {
-                    "enable" => limit.enabled = parse_bool(value)?,
-                    "burst" => limit.burst = i64::from_str(value)?,
-                    "rate" => match value.split_once('/') {
-                        None => {
-                            limit.rate = i64::from_str(value)?;
-                        }
-                        Some((rate, unit)) => {
-                            if unit.is_empty() {
-                                bail!("empty unit specification")
-                            }
-
-                            limit.rate = i64::from_str(rate)?;
-                            limit.per = LogRateLimitTimescale::from_str(unit)?;
-                        }
-                    },
-                    _ => bail!("Invalid value for Key found in log_ratelimit!"),
-                },
-                _ => bail!("invalid value in log_ratelimit"),
-            }
-        }
-
-        Ok(limit)
-    }
-}
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Default)]
-pub enum LogLevel {
-    #[default]
-    Nolog,
-    Emergency,
-    Alert,
-    Critical,
-    Error,
-    Warning,
-    Notice,
-    Info,
-    Debug,
-}
-
-impl std::str::FromStr for LogLevel {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        Ok(match s {
-            "nolog" => LogLevel::Nolog,
-            "emerg" => LogLevel::Emergency,
-            "alert" => LogLevel::Alert,
-            "crit" => LogLevel::Critical,
-            "err" => LogLevel::Error,
-            "warn" => LogLevel::Warning,
-            "warning" => LogLevel::Warning,
-            "notice" => LogLevel::Notice,
-            "info" => LogLevel::Info,
-            "debug" => LogLevel::Debug,
-            _ => bail!("invalid log level {s:?}"),
-        })
-    }
-}
-
-impl fmt::Display for LogLevel {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        f.write_str(match self {
-            LogLevel::Nolog => "nolog",
-            LogLevel::Emergency => "emerg",
-            LogLevel::Alert => "alert",
-            LogLevel::Critical => "crit",
-            LogLevel::Error => "err",
-            LogLevel::Warning => "warn",
-            LogLevel::Notice => "notice",
-            LogLevel::Info => "info",
-            LogLevel::Debug => "debug",
-        })
-    }
-}
-
-serde_plain::derive_deserialize_from_fromstr!(LogLevel, "valid log level");
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_rate_limit() {
-        let mut parsed_rate_limit = "1,burst=123,rate=44"
-            .parse::<LogRateLimit>()
-            .expect("valid rate limit");
-
-        assert_eq!(
-            parsed_rate_limit,
-            LogRateLimit {
-                enabled: true,
-                burst: 123,
-                rate: 44,
-                per: LogRateLimitTimescale::Second,
-            }
-        );
-
-        parsed_rate_limit = "1".parse::<LogRateLimit>().expect("valid rate limit");
-
-        assert_eq!(parsed_rate_limit, LogRateLimit::default());
-
-        parsed_rate_limit = "enable=0,rate=123/hour"
-            .parse::<LogRateLimit>()
-            .expect("valid rate limit");
-
-        assert_eq!(
-            parsed_rate_limit,
-            LogRateLimit {
-                enabled: false,
-                burst: 5,
-                rate: 123,
-                per: LogRateLimitTimescale::Hour,
-            }
-        );
-
-        "2".parse::<LogRateLimit>()
-            .expect_err("invalid value for enable");
-
-        "enabled=0,rate=123"
-            .parse::<LogRateLimit>()
-            .expect_err("invalid key in log ratelimit");
-
-        "enable=0,rate=123,"
-            .parse::<LogRateLimit>()
-            .expect_err("trailing comma in log rate limit specification");
-
-        "enable=0,rate=123/proxmox,"
-            .parse::<LogRateLimit>()
-            .expect_err("invalid unit for rate");
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/mod.rs b/proxmox-ve-config/src/firewall/types/mod.rs
deleted file mode 100644
index 8fd551e..0000000
--- a/proxmox-ve-config/src/firewall/types/mod.rs
+++ /dev/null
@@ -1,14 +0,0 @@
-pub mod address;
-pub mod alias;
-pub mod group;
-pub mod ipset;
-pub mod log;
-pub mod port;
-pub mod rule;
-pub mod rule_match;
-
-pub use address::Cidr;
-pub use alias::Alias;
-pub use group::Group;
-pub use ipset::Ipset;
-pub use rule::Rule;
diff --git a/proxmox-ve-config/src/firewall/types/port.rs b/proxmox-ve-config/src/firewall/types/port.rs
deleted file mode 100644
index c1252d9..0000000
--- a/proxmox-ve-config/src/firewall/types/port.rs
+++ /dev/null
@@ -1,181 +0,0 @@
-use std::fmt;
-use std::ops::Deref;
-
-use anyhow::{bail, Error};
-use serde_with::DeserializeFromStr;
-
-use crate::firewall::ports::parse_named_port;
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum PortEntry {
-    Port(u16),
-    Range(u16, u16),
-}
-
-impl fmt::Display for PortEntry {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Self::Port(p) => write!(f, "{p}"),
-            Self::Range(beg, end) => write!(f, "{beg}-{end}"),
-        }
-    }
-}
-
-fn parse_port(port: &str) -> Result<u16, Error> {
-    if let Ok(port) = port.parse::<u16>() {
-        return Ok(port);
-    }
-
-    if let Ok(port) = parse_named_port(port) {
-        return Ok(port);
-    }
-
-    bail!("invalid port specification: {port}")
-}
-
-impl std::str::FromStr for PortEntry {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(match s.trim().split_once(':') {
-            None => PortEntry::from(parse_port(s)?),
-            Some((first, second)) => {
-                PortEntry::try_from((parse_port(first)?, parse_port(second)?))?
-            }
-        })
-    }
-}
-
-impl From<u16> for PortEntry {
-    fn from(port: u16) -> Self {
-        PortEntry::Port(port)
-    }
-}
-
-impl TryFrom<(u16, u16)> for PortEntry {
-    type Error = Error;
-
-    fn try_from(ports: (u16, u16)) -> Result<Self, Error> {
-        if ports.0 > ports.1 {
-            bail!("start port is greater than end port!");
-        }
-
-        Ok(PortEntry::Range(ports.0, ports.1))
-    }
-}
-
-#[derive(Clone, Debug, DeserializeFromStr)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct PortList(pub(crate) Vec<PortEntry>);
-
-impl FromIterator<PortEntry> for PortList {
-    fn from_iter<T: IntoIterator<Item = PortEntry>>(iter: T) -> Self {
-        Self(iter.into_iter().collect())
-    }
-}
-
-impl<T: Into<PortEntry>> From<T> for PortList {
-    fn from(value: T) -> Self {
-        Self(vec![value.into()])
-    }
-}
-
-impl Deref for PortList {
-    type Target = Vec<PortEntry>;
-
-    fn deref(&self) -> &Self::Target {
-        &self.0
-    }
-}
-
-impl std::str::FromStr for PortList {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if s.is_empty() {
-            bail!("empty port specification");
-        }
-
-        let mut entries = Vec::new();
-
-        for entry in s.trim().split(',') {
-            entries.push(entry.parse()?);
-        }
-
-        if entries.is_empty() {
-            bail!("invalid empty port list");
-        }
-
-        Ok(Self(entries))
-    }
-}
-
-impl fmt::Display for PortList {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        use fmt::Write;
-        if self.0.len() > 1 {
-            f.write_char('{')?;
-        }
-
-        let mut comma = '\0';
-        for entry in &self.0 {
-            if std::mem::replace(&mut comma, ',') != '\0' {
-                f.write_char(comma)?;
-            }
-            fmt::Display::fmt(entry, f)?;
-        }
-
-        if self.0.len() > 1 {
-            f.write_char('}')?;
-        }
-
-        Ok(())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_port_entry() {
-        let mut port_entry: PortEntry = "12345".parse().expect("valid port entry");
-        assert_eq!(port_entry, PortEntry::from(12345));
-
-        port_entry = "0:65535".parse().expect("valid port entry");
-        assert_eq!(port_entry, PortEntry::try_from((0, 65535)).unwrap());
-
-        "65536".parse::<PortEntry>().unwrap_err();
-        "100:100000".parse::<PortEntry>().unwrap_err();
-        "qweasd".parse::<PortEntry>().unwrap_err();
-        "".parse::<PortEntry>().unwrap_err();
-    }
-
-    #[test]
-    fn test_parse_port_list() {
-        let mut port_list: PortList = "12345".parse().expect("valid port list");
-        assert_eq!(port_list, PortList::from(12345));
-
-        port_list = "12345,0:65535,1337,ssh:80,https"
-            .parse()
-            .expect("valid port list");
-
-        assert_eq!(
-            port_list,
-            PortList(vec![
-                PortEntry::from(12345),
-                PortEntry::try_from((0, 65535)).unwrap(),
-                PortEntry::from(1337),
-                PortEntry::try_from((22, 80)).unwrap(),
-                PortEntry::from(443),
-            ])
-        );
-
-        "0::1337".parse::<PortList>().unwrap_err();
-        "0:1337,".parse::<PortList>().unwrap_err();
-        "70000".parse::<PortList>().unwrap_err();
-        "qweasd".parse::<PortList>().unwrap_err();
-        "".parse::<PortList>().unwrap_err();
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/rule.rs b/proxmox-ve-config/src/firewall/types/rule.rs
deleted file mode 100644
index 20deb3a..0000000
--- a/proxmox-ve-config/src/firewall/types/rule.rs
+++ /dev/null
@@ -1,412 +0,0 @@
-use core::fmt::Display;
-use std::fmt;
-use std::str::FromStr;
-
-use anyhow::{bail, ensure, format_err, Error};
-
-use crate::firewall::parse::match_name;
-use crate::firewall::types::rule_match::RuleMatch;
-use crate::firewall::types::rule_match::RuleOptions;
-
-#[derive(Clone, Copy, Debug, Default, Eq, PartialEq)]
-pub enum Direction {
-    #[default]
-    In,
-    Out,
-}
-
-impl std::str::FromStr for Direction {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        for (name, dir) in [("IN", Direction::In), ("OUT", Direction::Out)] {
-            if s.eq_ignore_ascii_case(name) {
-                return Ok(dir);
-            }
-        }
-
-        bail!("invalid direction: {s:?}, expect 'IN' or 'OUT'");
-    }
-}
-
-serde_plain::derive_deserialize_from_fromstr!(Direction, "valid packet direction");
-
-impl fmt::Display for Direction {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Direction::In => f.write_str("in"),
-            Direction::Out => f.write_str("out"),
-        }
-    }
-}
-
-#[derive(Clone, Copy, Debug, Default, Eq, PartialEq)]
-pub enum Verdict {
-    Accept,
-    Reject,
-    #[default]
-    Drop,
-}
-
-impl std::str::FromStr for Verdict {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        for (name, verdict) in [
-            ("ACCEPT", Verdict::Accept),
-            ("REJECT", Verdict::Reject),
-            ("DROP", Verdict::Drop),
-        ] {
-            if s.eq_ignore_ascii_case(name) {
-                return Ok(verdict);
-            }
-        }
-        bail!("invalid verdict {s:?}, expected one of 'ACCEPT', 'REJECT' or 'DROP'");
-    }
-}
-
-impl Display for Verdict {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        let string = match self {
-            Verdict::Accept => "ACCEPT",
-            Verdict::Drop => "DROP",
-            Verdict::Reject => "REJECT",
-        };
-
-        write!(f, "{string}")
-    }
-}
-
-serde_plain::derive_deserialize_from_fromstr!(Verdict, "valid verdict");
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Rule {
-    pub(crate) disabled: bool,
-    pub(crate) kind: Kind,
-    pub(crate) comment: Option<String>,
-}
-
-impl std::ops::Deref for Rule {
-    type Target = Kind;
-
-    fn deref(&self) -> &Self::Target {
-        &self.kind
-    }
-}
-
-impl std::ops::DerefMut for Rule {
-    fn deref_mut(&mut self) -> &mut Self::Target {
-        &mut self.kind
-    }
-}
-
-impl FromStr for Rule {
-    type Err = Error;
-
-    fn from_str(input: &str) -> Result<Self, Self::Err> {
-        if input.contains(['\n', '\r']) {
-            bail!("rule must not contain any newlines!");
-        }
-
-        let (line, comment) = match input.rsplit_once('#') {
-            Some((line, comment)) if !comment.is_empty() => (line.trim(), Some(comment.trim())),
-            _ => (input.trim(), None),
-        };
-
-        let (disabled, line) = match line.strip_prefix('|') {
-            Some(line) => (true, line.trim_start()),
-            None => (false, line),
-        };
-
-        // todo: case insensitive?
-        let kind = if line.starts_with("GROUP") {
-            Kind::from(line.parse::<RuleGroup>()?)
-        } else {
-            Kind::from(line.parse::<RuleMatch>()?)
-        };
-
-        Ok(Self {
-            disabled,
-            comment: comment.map(str::to_string),
-            kind,
-        })
-    }
-}
-
-impl Rule {
-    pub fn iface(&self) -> Option<&str> {
-        match &self.kind {
-            Kind::Group(group) => group.iface(),
-            Kind::Match(rule) => rule.iface(),
-        }
-    }
-
-    pub fn disabled(&self) -> bool {
-        self.disabled
-    }
-
-    pub fn kind(&self) -> &Kind {
-        &self.kind
-    }
-
-    pub fn comment(&self) -> Option<&str> {
-        self.comment.as_deref()
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum Kind {
-    Group(RuleGroup),
-    Match(RuleMatch),
-}
-
-impl Kind {
-    pub fn is_group(&self) -> bool {
-        matches!(self, Kind::Group(_))
-    }
-
-    pub fn is_match(&self) -> bool {
-        matches!(self, Kind::Match(_))
-    }
-}
-
-impl From<RuleGroup> for Kind {
-    fn from(value: RuleGroup) -> Self {
-        Kind::Group(value)
-    }
-}
-
-impl From<RuleMatch> for Kind {
-    fn from(value: RuleMatch) -> Self {
-        Kind::Match(value)
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct RuleGroup {
-    pub(crate) group: String,
-    pub(crate) iface: Option<String>,
-}
-
-impl RuleGroup {
-    pub(crate) fn from_options(group: String, options: RuleOptions) -> Result<Self, Error> {
-        ensure!(
-            options.proto.is_none()
-                && options.dport.is_none()
-                && options.sport.is_none()
-                && options.dest.is_none()
-                && options.source.is_none()
-                && options.log.is_none()
-                && options.icmp_type.is_none(),
-            "only interface parameter is permitted for group rules"
-        );
-
-        Ok(Self {
-            group,
-            iface: options.iface,
-        })
-    }
-
-    pub fn group(&self) -> &str {
-        &self.group
-    }
-
-    pub fn iface(&self) -> Option<&str> {
-        self.iface.as_deref()
-    }
-}
-
-impl FromStr for RuleGroup {
-    type Err = Error;
-
-    fn from_str(input: &str) -> Result<Self, Self::Err> {
-        let (keyword, rest) = match_name(input)
-            .ok_or_else(|| format_err!("expected a leading keyword in rule group"))?;
-
-        if !keyword.eq_ignore_ascii_case("group") {
-            bail!("Expected keyword GROUP")
-        }
-
-        let (name, rest) =
-            match_name(rest.trim()).ok_or_else(|| format_err!("expected a name for rule group"))?;
-
-        let options = rest.trim_start().parse()?;
-
-        Self::from_options(name.to_string(), options)
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::firewall::types::{
-        address::{IpEntry, IpList},
-        alias::{AliasName, AliasScope},
-        ipset::{IpsetName, IpsetScope},
-        log::LogLevel,
-        rule_match::{Icmp, IcmpCode, IpAddrMatch, IpMatch, Ports, Protocol, Udp},
-        Cidr,
-    };
-
-    use super::*;
-
-    #[test]
-    fn test_parse_rule() {
-        let mut rule: Rule = "|GROUP tgr -i eth0 # acomm".parse().expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: true,
-                comment: Some("acomm".to_string()),
-                kind: Kind::Group(RuleGroup {
-                    group: "tgr".to_string(),
-                    iface: Some("eth0".to_string()),
-                }),
-            },
-        );
-
-        rule = "IN ACCEPT -p udp -dport 33 -sport 22 -log warning"
-            .parse()
-            .expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    proto: Some(Udp::new(Ports::from_u16(22, 33)).into()),
-                    log: Some(LogLevel::Warning),
-                    ..Default::default()
-                }),
-            }
-        );
-
-        rule = "IN ACCEPT --proto udp -i eth0".parse().expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    proto: Some(Udp::new(Ports::new(None, None)).into()),
-                    iface: Some("eth0".to_string()),
-                    ..Default::default()
-                }),
-            }
-        );
-
-        rule = " OUT DROP \
-          -source 10.0.0.0/24 -dest 20.0.0.0-20.255.255.255,192.168.0.0/16 \
-          -p icmp -log nolog -icmp-type port-unreachable "
-            .parse()
-            .expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::Out,
-                    verdict: Verdict::Drop,
-                    ip: IpMatch::new(
-                        IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 0], 24).unwrap())),
-                        IpAddrMatch::Ip(
-                            IpList::new(vec![
-                                IpEntry::Range([20, 0, 0, 0].into(), [20, 255, 255, 255].into()),
-                                IpEntry::Cidr(Cidr::new_v4([192, 168, 0, 0], 16).unwrap()),
-                            ])
-                            .unwrap()
-                        ),
-                    )
-                    .ok(),
-                    proto: Some(Protocol::Icmp(Icmp::new_code(IcmpCode::Named(
-                        "port-unreachable"
-                    )))),
-                    log: Some(LogLevel::Nolog),
-                    ..Default::default()
-                }),
-            }
-        );
-
-        rule = "IN BGP(ACCEPT) --log crit --iface eth0"
-            .parse()
-            .expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    log: Some(LogLevel::Critical),
-                    fw_macro: Some("BGP".to_string()),
-                    iface: Some("eth0".to_string()),
-                    ..Default::default()
-                }),
-            }
-        );
-
-        rule = "IN ACCEPT --source dc/test --dest +dc/test"
-            .parse()
-            .expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Accept,
-                    ip: Some(
-                        IpMatch::new(
-                            IpAddrMatch::Alias(AliasName::new(AliasScope::Datacenter, "test")),
-                            IpAddrMatch::Set(IpsetName::new(IpsetScope::Datacenter, "test"),),
-                        )
-                        .unwrap()
-                    ),
-                    ..Default::default()
-                }),
-            }
-        );
-
-        rule = "IN REJECT".parse().expect("valid rule");
-
-        assert_eq!(
-            rule,
-            Rule {
-                disabled: false,
-                comment: None,
-                kind: Kind::Match(RuleMatch {
-                    dir: Direction::In,
-                    verdict: Verdict::Reject,
-                    ..Default::default()
-                }),
-            }
-        );
-
-        "IN DROP ---log crit"
-            .parse::<Rule>()
-            .expect_err("too many dashes in option");
-
-        "IN DROP --log --iface eth0"
-            .parse::<Rule>()
-            .expect_err("no value for option");
-
-        "IN DROP --log crit --iface"
-            .parse::<Rule>()
-            .expect_err("no value for option");
-    }
-}
diff --git a/proxmox-ve-config/src/firewall/types/rule_match.rs b/proxmox-ve-config/src/firewall/types/rule_match.rs
deleted file mode 100644
index 94d8624..0000000
--- a/proxmox-ve-config/src/firewall/types/rule_match.rs
+++ /dev/null
@@ -1,977 +0,0 @@
-use std::collections::HashMap;
-use std::fmt;
-use std::str::FromStr;
-
-use serde::Deserialize;
-
-use anyhow::{bail, format_err, Error};
-use serde::de::IntoDeserializer;
-
-use proxmox_sortable_macro::sortable;
-
-use crate::firewall::parse::{match_name, match_non_whitespace, SomeStr};
-use crate::firewall::types::address::{Family, IpList};
-use crate::firewall::types::alias::AliasName;
-use crate::firewall::types::ipset::IpsetName;
-use crate::firewall::types::log::LogLevel;
-use crate::firewall::types::port::PortList;
-use crate::firewall::types::rule::{Direction, Verdict};
-
-#[derive(Clone, Debug, Default, Deserialize)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-#[serde(deny_unknown_fields, rename_all = "kebab-case")]
-pub(crate) struct RuleOptions {
-    #[serde(alias = "p")]
-    pub(crate) proto: Option<String>,
-
-    pub(crate) dport: Option<String>,
-    pub(crate) sport: Option<String>,
-
-    pub(crate) dest: Option<String>,
-    pub(crate) source: Option<String>,
-
-    #[serde(alias = "i")]
-    pub(crate) iface: Option<String>,
-
-    pub(crate) log: Option<LogLevel>,
-    pub(crate) icmp_type: Option<String>,
-}
-
-impl FromStr for RuleOptions {
-    type Err = Error;
-
-    fn from_str(mut line: &str) -> Result<Self, Self::Err> {
-        let mut options = HashMap::new();
-
-        loop {
-            line = line.trim_start();
-
-            if line.is_empty() {
-                break;
-            }
-
-            line = line
-                .strip_prefix('-')
-                .ok_or_else(|| format_err!("expected an option starting with '-'"))?;
-
-            // second dash is optional
-            line = line.strip_prefix('-').unwrap_or(line);
-
-            let param;
-            (param, line) = match_name(line)
-                .ok_or_else(|| format_err!("expected a parameter name after '-'"))?;
-
-            let value;
-            (value, line) = match_non_whitespace(line.trim_start())
-                .ok_or_else(|| format_err!("expected a value for {param:?}"))?;
-
-            if options.insert(param, SomeStr(value)).is_some() {
-                bail!("duplicate option in rule: {param}")
-            }
-        }
-
-        Ok(RuleOptions::deserialize(IntoDeserializer::<
-            '_,
-            crate::firewall::parse::SerdeStringError,
-        >::into_deserializer(
-            options
-        ))?)
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct RuleMatch {
-    pub(crate) dir: Direction,
-    pub(crate) verdict: Verdict,
-    pub(crate) fw_macro: Option<String>,
-
-    pub(crate) iface: Option<String>,
-    pub(crate) log: Option<LogLevel>,
-    pub(crate) ip: Option<IpMatch>,
-    pub(crate) proto: Option<Protocol>,
-}
-
-impl RuleMatch {
-    pub(crate) fn from_options(
-        dir: Direction,
-        verdict: Verdict,
-        fw_macro: impl Into<Option<String>>,
-        options: RuleOptions,
-    ) -> Result<Self, Error> {
-        if options.dport.is_some() && options.icmp_type.is_some() {
-            bail!("dport and icmp-type are mutually exclusive");
-        }
-
-        let ip = IpMatch::from_options(&options)?;
-        let proto = Protocol::from_options(&options)?;
-
-        // todo: check protocol & IP Version compatibility
-
-        Ok(Self {
-            dir,
-            verdict,
-            fw_macro: fw_macro.into(),
-            iface: options.iface,
-            log: options.log,
-            ip,
-            proto,
-        })
-    }
-
-    pub fn direction(&self) -> Direction {
-        self.dir
-    }
-
-    pub fn iface(&self) -> Option<&str> {
-        self.iface.as_deref()
-    }
-
-    pub fn verdict(&self) -> Verdict {
-        self.verdict
-    }
-
-    pub fn fw_macro(&self) -> Option<&str> {
-        self.fw_macro.as_deref()
-    }
-
-    pub fn log(&self) -> Option<LogLevel> {
-        self.log
-    }
-
-    pub fn ip(&self) -> Option<&IpMatch> {
-        self.ip.as_ref()
-    }
-
-    pub fn proto(&self) -> Option<&Protocol> {
-        self.proto.as_ref()
-    }
-}
-
-/// Returns `(Macro name, Verdict, RestOfTheLine)`.
-fn parse_action(line: &str) -> Result<(Option<&str>, Verdict, &str), Error> {
-    let (verdict, line) =
-        match_name(line).ok_or_else(|| format_err!("expected a verdict or macro name"))?;
-
-    Ok(if let Some(line) = line.strip_prefix('(') {
-        // <macro>(<verdict>)
-
-        let macro_name = verdict;
-        let (verdict, line) = match_name(line).ok_or_else(|| format_err!("expected a verdict"))?;
-        let line = line
-            .strip_prefix(')')
-            .ok_or_else(|| format_err!("expected closing ')' after verdict"))?;
-
-        let verdict: Verdict = verdict.parse()?;
-
-        (Some(macro_name), verdict, line.trim_start())
-    } else {
-        (None, verdict.parse()?, line.trim_start())
-    })
-}
-
-impl FromStr for RuleMatch {
-    type Err = Error;
-
-    fn from_str(line: &str) -> Result<Self, Self::Err> {
-        let (dir, rest) = match_name(line).ok_or_else(|| format_err!("expected a direction"))?;
-
-        let direction: Direction = dir.parse()?;
-
-        let (fw_macro, verdict, rest) = parse_action(rest.trim_start())?;
-
-        let options: RuleOptions = rest.trim_start().parse()?;
-
-        Self::from_options(direction, verdict, fw_macro.map(str::to_string), options)
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct IpMatch {
-    pub(crate) src: Option<IpAddrMatch>,
-    pub(crate) dst: Option<IpAddrMatch>,
-}
-
-impl IpMatch {
-    pub fn new(
-        src: impl Into<Option<IpAddrMatch>>,
-        dst: impl Into<Option<IpAddrMatch>>,
-    ) -> Result<Self, Error> {
-        let source = src.into();
-        let dest = dst.into();
-
-        if source.is_none() && dest.is_none() {
-            bail!("either src or dst must be set")
-        }
-
-        if let (Some(IpAddrMatch::Ip(src)), Some(IpAddrMatch::Ip(dst))) = (&source, &dest) {
-            if src.family() != dst.family() {
-                bail!("src and dst family must be equal")
-            }
-        }
-
-        let ip_match = Self {
-            src: source,
-            dst: dest,
-        };
-
-        Ok(ip_match)
-    }
-
-    fn from_options(options: &RuleOptions) -> Result<Option<Self>, Error> {
-        let src = options
-            .source
-            .as_ref()
-            .map(|elem| elem.parse::<IpAddrMatch>())
-            .transpose()?;
-
-        let dst = options
-            .dest
-            .as_ref()
-            .map(|elem| elem.parse::<IpAddrMatch>())
-            .transpose()?;
-
-        if src.is_some() || dst.is_some() {
-            Ok(Some(IpMatch::new(src, dst)?))
-        } else {
-            Ok(None)
-        }
-    }
-
-    pub fn src(&self) -> Option<&IpAddrMatch> {
-        self.src.as_ref()
-    }
-
-    pub fn dst(&self) -> Option<&IpAddrMatch> {
-        self.dst.as_ref()
-    }
-}
-
-#[derive(Clone, Debug, Deserialize)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum IpAddrMatch {
-    Ip(IpList),
-    Set(IpsetName),
-    Alias(AliasName),
-}
-
-impl IpAddrMatch {
-    pub fn family(&self) -> Option<Family> {
-        if let IpAddrMatch::Ip(list) = self {
-            return Some(list.family());
-        }
-
-        None
-    }
-}
-
-impl FromStr for IpAddrMatch {
-    type Err = Error;
-
-    fn from_str(value: &str) -> Result<Self, Error> {
-        if value.is_empty() {
-            bail!("empty IP specification");
-        }
-
-        if let Ok(ip_list) = value.parse() {
-            return Ok(IpAddrMatch::Ip(ip_list));
-        }
-
-        if let Ok(ipset) = value.parse() {
-            return Ok(IpAddrMatch::Set(ipset));
-        }
-
-        if let Ok(name) = value.parse() {
-            return Ok(IpAddrMatch::Alias(name));
-        }
-
-        bail!("invalid IP specification: {value}")
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum Protocol {
-    Dccp(Ports),
-    Sctp(Sctp),
-    Tcp(Tcp),
-    Udp(Udp),
-    UdpLite(Ports),
-    Icmp(Icmp),
-    Icmpv6(Icmpv6),
-    Named(String),
-    Numeric(u8),
-}
-
-impl Protocol {
-    pub(crate) fn from_options(options: &RuleOptions) -> Result<Option<Self>, Error> {
-        let proto = match options.proto.as_deref() {
-            Some(p) => p,
-            None => return Ok(None),
-        };
-
-        Ok(Some(match proto {
-            "dccp" | "33" => Protocol::Dccp(Ports::from_options(options)?),
-            "sctp" | "132" => Protocol::Sctp(Sctp::from_options(options)?),
-            "tcp" | "6" => Protocol::Tcp(Tcp::from_options(options)?),
-            "udp" | "17" => Protocol::Udp(Udp::from_options(options)?),
-            "udplite" | "136" => Protocol::UdpLite(Ports::from_options(options)?),
-            "icmp" | "1" => Protocol::Icmp(Icmp::from_options(options)?),
-            "ipv6-icmp" | "icmpv6" | "58" => Protocol::Icmpv6(Icmpv6::from_options(options)?),
-            other => match other.parse::<u8>() {
-                Ok(num) => Protocol::Numeric(num),
-                Err(_) => Protocol::Named(other.to_string()),
-            },
-        }))
-    }
-
-    pub fn family(&self) -> Option<Family> {
-        match self {
-            Self::Icmp(_) => Some(Family::V4),
-            Self::Icmpv6(_) => Some(Family::V6),
-            _ => None,
-        }
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Udp {
-    ports: Ports,
-}
-
-impl Udp {
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        Ok(Self {
-            ports: Ports::from_options(options)?,
-        })
-    }
-
-    pub fn new(ports: Ports) -> Self {
-        Self { ports }
-    }
-
-    pub fn ports(&self) -> &Ports {
-        &self.ports
-    }
-}
-
-impl From<Udp> for Protocol {
-    fn from(value: Udp) -> Self {
-        Protocol::Udp(value)
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Ports {
-    sport: Option<PortList>,
-    dport: Option<PortList>,
-}
-
-impl Ports {
-    pub fn new(sport: impl Into<Option<PortList>>, dport: impl Into<Option<PortList>>) -> Self {
-        Self {
-            sport: sport.into(),
-            dport: dport.into(),
-        }
-    }
-
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        Ok(Self {
-            sport: options.sport.as_deref().map(|s| s.parse()).transpose()?,
-            dport: options.dport.as_deref().map(|s| s.parse()).transpose()?,
-        })
-    }
-
-    pub fn from_u16(sport: impl Into<Option<u16>>, dport: impl Into<Option<u16>>) -> Self {
-        Self::new(
-            sport.into().map(PortList::from),
-            dport.into().map(PortList::from),
-        )
-    }
-
-    pub fn sport(&self) -> Option<&PortList> {
-        self.sport.as_ref()
-    }
-
-    pub fn dport(&self) -> Option<&PortList> {
-        self.dport.as_ref()
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Tcp {
-    ports: Ports,
-}
-
-impl Tcp {
-    pub fn new(ports: Ports) -> Self {
-        Self { ports }
-    }
-
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        Ok(Self {
-            ports: Ports::from_options(options)?,
-        })
-    }
-
-    pub fn ports(&self) -> &Ports {
-        &self.ports
-    }
-}
-
-impl From<Tcp> for Protocol {
-    fn from(value: Tcp) -> Self {
-        Protocol::Tcp(value)
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Sctp {
-    ports: Ports,
-}
-
-impl Sctp {
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        Ok(Self {
-            ports: Ports::from_options(options)?,
-        })
-    }
-
-    pub fn ports(&self) -> &Ports {
-        &self.ports
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Icmp {
-    ty: Option<IcmpType>,
-    code: Option<IcmpCode>,
-}
-
-impl Icmp {
-    pub fn new_ty(ty: IcmpType) -> Self {
-        Self {
-            ty: Some(ty),
-            ..Default::default()
-        }
-    }
-
-    pub fn new_code(code: IcmpCode) -> Self {
-        Self {
-            code: Some(code),
-            ..Default::default()
-        }
-    }
-
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        if let Some(ty) = &options.icmp_type {
-            return ty.parse();
-        }
-
-        Ok(Self::default())
-    }
-
-    pub fn ty(&self) -> Option<&IcmpType> {
-        self.ty.as_ref()
-    }
-
-    pub fn code(&self) -> Option<&IcmpCode> {
-        self.code.as_ref()
-    }
-}
-
-impl FromStr for Icmp {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let mut this = Self::default();
-
-        if let Ok(ty) = s.parse() {
-            this.ty = Some(ty);
-            return Ok(this);
-        }
-
-        if let Ok(code) = s.parse() {
-            this.code = Some(code);
-            return Ok(this);
-        }
-
-        bail!("supplied string is neither a valid icmp type nor code");
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum IcmpType {
-    Numeric(u8),
-    Named(&'static str),
-    Any,
-}
-
-#[sortable]
-const ICMP_TYPES: [(&str, u8); 15] = sorted!([
-    ("address-mask-reply", 18),
-    ("address-mask-request", 17),
-    ("destination-unreachable", 3),
-    ("echo-reply", 0),
-    ("echo-request", 8),
-    ("info-reply", 16),
-    ("info-request", 15),
-    ("parameter-problem", 12),
-    ("redirect", 5),
-    ("router-advertisement", 9),
-    ("router-solicitation", 10),
-    ("source-quench", 4),
-    ("time-exceeded", 11),
-    ("timestamp-reply", 14),
-    ("timestamp-request", 13),
-]);
-
-impl std::str::FromStr for IcmpType {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if s.eq_ignore_ascii_case("any") {
-            return Ok(Self::Any);
-        }
-
-        if let Ok(ty) = s.trim().parse::<u8>() {
-            return Ok(Self::Numeric(ty));
-        }
-
-        if let Ok(index) = ICMP_TYPES.binary_search_by(|v| v.0.cmp(s)) {
-            return Ok(Self::Named(ICMP_TYPES[index].0));
-        }
-
-        bail!("{s:?} is not a valid icmp type");
-    }
-}
-
-impl fmt::Display for IcmpType {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            IcmpType::Numeric(ty) => write!(f, "{ty}"),
-            IcmpType::Named(ty) => write!(f, "{ty}"),
-            IcmpType::Any => write!(f, "any"),
-        }
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum IcmpCode {
-    Numeric(u8),
-    Named(&'static str),
-}
-
-#[sortable]
-const ICMP_CODES: [(&str, u8); 7] = sorted!([
-    ("admin-prohibited", 13),
-    ("host-prohibited", 10),
-    ("host-unreachable", 1),
-    ("net-prohibited", 9),
-    ("net-unreachable", 0),
-    ("port-unreachable", 3),
-    ("prot-unreachable", 2),
-]);
-
-impl std::str::FromStr for IcmpCode {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if let Ok(code) = s.trim().parse::<u8>() {
-            return Ok(Self::Numeric(code));
-        }
-
-        if let Ok(index) = ICMP_CODES.binary_search_by(|v| v.0.cmp(s)) {
-            return Ok(Self::Named(ICMP_CODES[index].0));
-        }
-
-        bail!("{s:?} is not a valid icmp code");
-    }
-}
-
-impl fmt::Display for IcmpCode {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            IcmpCode::Numeric(code) => write!(f, "{code}"),
-            IcmpCode::Named(code) => write!(f, "{code}"),
-        }
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct Icmpv6 {
-    pub ty: Option<Icmpv6Type>,
-    pub code: Option<Icmpv6Code>,
-}
-
-impl Icmpv6 {
-    pub fn new_ty(ty: Icmpv6Type) -> Self {
-        Self {
-            ty: Some(ty),
-            ..Default::default()
-        }
-    }
-
-    pub fn new_code(code: Icmpv6Code) -> Self {
-        Self {
-            code: Some(code),
-            ..Default::default()
-        }
-    }
-
-    fn from_options(options: &RuleOptions) -> Result<Self, Error> {
-        if let Some(ty) = &options.icmp_type {
-            return ty.parse();
-        }
-
-        Ok(Self::default())
-    }
-
-    pub fn ty(&self) -> Option<&Icmpv6Type> {
-        self.ty.as_ref()
-    }
-
-    pub fn code(&self) -> Option<&Icmpv6Code> {
-        self.code.as_ref()
-    }
-}
-
-impl FromStr for Icmpv6 {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let mut this = Self::default();
-
-        if let Ok(ty) = s.parse() {
-            this.ty = Some(ty);
-            return Ok(this);
-        }
-
-        if let Ok(code) = s.parse() {
-            this.code = Some(code);
-            return Ok(this);
-        }
-
-        bail!("supplied string is neither a valid icmpv6 type nor code");
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum Icmpv6Type {
-    Numeric(u8),
-    Named(&'static str),
-    Any,
-}
-
-#[sortable]
-const ICMPV6_TYPES: [(&str, u8); 19] = sorted!([
-    ("destination-unreachable", 1),
-    ("echo-reply", 129),
-    ("echo-request", 128),
-    ("ind-neighbor-advert", 142),
-    ("ind-neighbor-solicit", 141),
-    ("mld-listener-done", 132),
-    ("mld-listener-query", 130),
-    ("mld-listener-reduction", 132),
-    ("mld-listener-report", 131),
-    ("mld2-listener-report", 143),
-    ("nd-neighbor-advert", 136),
-    ("nd-neighbor-solicit", 135),
-    ("nd-redirect", 137),
-    ("nd-router-advert", 134),
-    ("nd-router-solicit", 133),
-    ("packet-too-big", 2),
-    ("parameter-problem", 4),
-    ("router-renumbering", 138),
-    ("time-exceeded", 3),
-]);
-
-impl std::str::FromStr for Icmpv6Type {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if s.eq_ignore_ascii_case("any") {
-            return Ok(Self::Any);
-        }
-
-        if let Ok(ty) = s.trim().parse::<u8>() {
-            return Ok(Self::Numeric(ty));
-        }
-
-        if let Ok(index) = ICMPV6_TYPES.binary_search_by(|v| v.0.cmp(s)) {
-            return Ok(Self::Named(ICMPV6_TYPES[index].0));
-        }
-
-        bail!("{s:?} is not a valid icmpv6 type");
-    }
-}
-
-impl fmt::Display for Icmpv6Type {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Icmpv6Type::Numeric(ty) => write!(f, "{ty}"),
-            Icmpv6Type::Named(ty) => write!(f, "{ty}"),
-            Icmpv6Type::Any => write!(f, "any"),
-        }
-    }
-}
-
-#[derive(Clone, Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum Icmpv6Code {
-    Numeric(u8),
-    Named(&'static str),
-}
-
-#[sortable]
-const ICMPV6_CODES: [(&str, u8); 6] = sorted!([
-    ("addr-unreachable", 3),
-    ("admin-prohibited", 1),
-    ("no-route", 0),
-    ("policy-fail", 5),
-    ("port-unreachable", 4),
-    ("reject-route", 6),
-]);
-
-impl std::str::FromStr for Icmpv6Code {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Error> {
-        if let Ok(code) = s.trim().parse::<u8>() {
-            return Ok(Self::Numeric(code));
-        }
-
-        if let Ok(index) = ICMPV6_CODES.binary_search_by(|v| v.0.cmp(s)) {
-            return Ok(Self::Named(ICMPV6_CODES[index].0));
-        }
-
-        bail!("{s:?} is not a valid icmpv6 code");
-    }
-}
-
-impl fmt::Display for Icmpv6Code {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        match self {
-            Icmpv6Code::Numeric(code) => write!(f, "{code}"),
-            Icmpv6Code::Named(code) => write!(f, "{code}"),
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::firewall::types::{alias::AliasScope::Guest, Cidr};
-
-    use super::*;
-
-    #[test]
-    fn test_parse_action() {
-        assert_eq!(parse_action("REJECT").unwrap(), (None, Verdict::Reject, ""));
-
-        assert_eq!(
-            parse_action("SSH(ACCEPT) qweasd").unwrap(),
-            (Some("SSH"), Verdict::Accept, "qweasd")
-        );
-    }
-
-    #[test]
-    fn test_parse_ip_addr_match() {
-        for input in [
-            "10.0.0.0/8",
-            "10.0.0.0/8,192.168.0.0-192.168.255.255,172.16.0.1",
-            "dc/test",
-            "+guest/proxmox",
-        ] {
-            input.parse::<IpAddrMatch>().expect("valid ip match");
-        }
-
-        for input in [
-            "10.0.0.0/",
-            "10.0.0.0/8,192.168.256.0-192.168.255.255,172.16.0.1",
-            "dcc/test",
-            "+guest/",
-            "",
-        ] {
-            input.parse::<IpAddrMatch>().expect_err("invalid ip match");
-        }
-    }
-
-    #[test]
-    fn test_parse_options() {
-        let mut options: RuleOptions =
-            "-p udp --sport 123 --dport 234 -source 127.0.0.1 --dest 127.0.0.1 -i ens1 --log crit"
-                .parse()
-                .expect("valid option string");
-
-        assert_eq!(
-            options,
-            RuleOptions {
-                proto: Some("udp".to_string()),
-                sport: Some("123".to_string()),
-                dport: Some("234".to_string()),
-                source: Some("127.0.0.1".to_string()),
-                dest: Some("127.0.0.1".to_string()),
-                iface: Some("ens1".to_string()),
-                log: Some(LogLevel::Critical),
-                icmp_type: None,
-            }
-        );
-
-        options = "".parse().expect("valid option string");
-
-        assert_eq!(options, RuleOptions::default(),);
-    }
-
-    #[test]
-    fn test_construct_ip_match() {
-        IpMatch::new(
-            IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 0], 8).unwrap())),
-            IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 0], 8).unwrap())),
-        )
-        .expect("valid ip match");
-
-        IpMatch::new(
-            IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 0], 8).unwrap())),
-            IpAddrMatch::Alias(AliasName::new(Guest, "test")),
-        )
-        .expect("valid ip match");
-
-        IpMatch::new(
-            IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 0], 8).unwrap())),
-            IpAddrMatch::Ip(IpList::from(Cidr::new_v6([0x0000; 8], 8).unwrap())),
-        )
-        .expect_err("cannot mix ip families");
-
-        IpMatch::new(None, None).expect_err("at least one ip must be set");
-    }
-
-    #[test]
-    fn test_from_options() {
-        let mut options = RuleOptions {
-            proto: Some("tcp".to_string()),
-            sport: Some("123".to_string()),
-            dport: Some("234".to_string()),
-            source: Some("192.168.0.1".to_string()),
-            dest: Some("10.0.0.1".to_string()),
-            iface: Some("eth123".to_string()),
-            log: Some(LogLevel::Error),
-            ..Default::default()
-        };
-
-        assert_eq!(
-            Protocol::from_options(&options).unwrap().unwrap(),
-            Protocol::Tcp(Tcp::new(Ports::from_u16(123, 234))),
-        );
-
-        assert_eq!(
-            IpMatch::from_options(&options).unwrap().unwrap(),
-            IpMatch::new(
-                IpAddrMatch::Ip(IpList::from(Cidr::new_v4([192, 168, 0, 1], 32).unwrap()),),
-                IpAddrMatch::Ip(IpList::from(Cidr::new_v4([10, 0, 0, 1], 32).unwrap()),)
-            )
-            .unwrap(),
-        );
-
-        options = RuleOptions::default();
-
-        assert_eq!(Protocol::from_options(&options).unwrap(), None,);
-
-        assert_eq!(IpMatch::from_options(&options).unwrap(), None,);
-
-        options = RuleOptions {
-            proto: Some("tcp".to_string()),
-            sport: Some("qwe".to_string()),
-            source: Some("qwe".to_string()),
-            ..Default::default()
-        };
-
-        Protocol::from_options(&options).expect_err("invalid source port");
-
-        IpMatch::from_options(&options).expect_err("invalid source address");
-
-        options = RuleOptions {
-            icmp_type: Some("port-unreachable".to_string()),
-            dport: Some("123".to_string()),
-            ..Default::default()
-        };
-
-        RuleMatch::from_options(Direction::In, Verdict::Drop, None, options)
-            .expect_err("cannot mix dport and icmp-type");
-    }
-
-    #[test]
-    fn test_parse_icmp() {
-        let mut icmp: Icmp = "info-request".parse().expect("valid icmp type");
-
-        assert_eq!(
-            icmp,
-            Icmp {
-                ty: Some(IcmpType::Named("info-request")),
-                code: None
-            }
-        );
-
-        icmp = "12".parse().expect("valid icmp type");
-
-        assert_eq!(
-            icmp,
-            Icmp {
-                ty: Some(IcmpType::Numeric(12)),
-                code: None
-            }
-        );
-
-        icmp = "port-unreachable".parse().expect("valid icmp code");
-
-        assert_eq!(
-            icmp,
-            Icmp {
-                ty: None,
-                code: Some(IcmpCode::Named("port-unreachable"))
-            }
-        );
-    }
-
-    #[test]
-    fn test_parse_icmp6() {
-        let mut icmp: Icmpv6 = "echo-reply".parse().expect("valid icmpv6 type");
-
-        assert_eq!(
-            icmp,
-            Icmpv6 {
-                ty: Some(Icmpv6Type::Named("echo-reply")),
-                code: None
-            }
-        );
-
-        icmp = "12".parse().expect("valid icmpv6 type");
-
-        assert_eq!(
-            icmp,
-            Icmpv6 {
-                ty: Some(Icmpv6Type::Numeric(12)),
-                code: None
-            }
-        );
-
-        icmp = "admin-prohibited".parse().expect("valid icmpv6 code");
-
-        assert_eq!(
-            icmp,
-            Icmpv6 {
-                ty: None,
-                code: Some(Icmpv6Code::Named("admin-prohibited"))
-            }
-        );
-    }
-}
diff --git a/proxmox-ve-config/src/guest/mod.rs b/proxmox-ve-config/src/guest/mod.rs
deleted file mode 100644
index 74fd8ab..0000000
--- a/proxmox-ve-config/src/guest/mod.rs
+++ /dev/null
@@ -1,115 +0,0 @@
-use core::ops::Deref;
-use std::collections::HashMap;
-
-use anyhow::{Context, Error};
-use serde::Deserialize;
-
-use proxmox_sys::nodename;
-use types::Vmid;
-
-pub mod types;
-pub mod vm;
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize)]
-pub enum GuestType {
-    #[serde(rename = "qemu")]
-    Vm,
-    #[serde(rename = "lxc")]
-    Ct,
-}
-
-impl GuestType {
-    pub fn iface_prefix(self) -> &'static str {
-        match self {
-            GuestType::Vm => "tap",
-            GuestType::Ct => "veth",
-        }
-    }
-
-    fn config_folder(&self) -> &'static str {
-        match self {
-            GuestType::Vm => "qemu-server",
-            GuestType::Ct => "lxc",
-        }
-    }
-}
-
-#[derive(Deserialize)]
-pub struct GuestEntry {
-    node: String,
-
-    #[serde(rename = "type")]
-    ty: GuestType,
-
-    #[serde(rename = "version")]
-    _version: usize,
-}
-
-impl GuestEntry {
-    pub fn new(node: String, ty: GuestType) -> Self {
-        Self {
-            node,
-            ty,
-            _version: Default::default(),
-        }
-    }
-
-    pub fn is_local(&self) -> bool {
-        nodename() == self.node
-    }
-
-    pub fn ty(&self) -> &GuestType {
-        &self.ty
-    }
-}
-
-const VMLIST_CONFIG_PATH: &str = "/etc/pve/.vmlist";
-
-#[derive(Deserialize)]
-pub struct GuestMap {
-    #[serde(rename = "version")]
-    _version: usize,
-    #[serde(rename = "ids", default)]
-    guests: HashMap<Vmid, GuestEntry>,
-}
-
-impl From<HashMap<Vmid, GuestEntry>> for GuestMap {
-    fn from(guests: HashMap<Vmid, GuestEntry>) -> Self {
-        Self {
-            guests,
-            _version: Default::default(),
-        }
-    }
-}
-
-impl Deref for GuestMap {
-    type Target = HashMap<Vmid, GuestEntry>;
-
-    fn deref(&self) -> &Self::Target {
-        &self.guests
-    }
-}
-
-impl GuestMap {
-    pub fn new() -> Result<Self, Error> {
-        let data = std::fs::read(VMLIST_CONFIG_PATH)
-            .with_context(|| format!("failed to read guest map from {VMLIST_CONFIG_PATH}"))?;
-
-        serde_json::from_slice(&data).with_context(|| "failed to parse guest map".to_owned())
-    }
-
-    pub fn firewall_config_path(vmid: &Vmid) -> String {
-        format!("/etc/pve/firewall/{}.fw", vmid)
-    }
-
-    /// returns the local configuration path for a given Vmid.
-    ///
-    /// The caller must ensure that the given Vmid exists and is local to the node
-    pub fn config_path(vmid: &Vmid, entry: &GuestEntry) -> String {
-        format!(
-            "/etc/pve/local/{}/{}.conf",
-            entry.ty().config_folder(),
-            vmid
-        )
-    }
-}
diff --git a/proxmox-ve-config/src/guest/types.rs b/proxmox-ve-config/src/guest/types.rs
deleted file mode 100644
index 217c537..0000000
--- a/proxmox-ve-config/src/guest/types.rs
+++ /dev/null
@@ -1,38 +0,0 @@
-use std::fmt;
-use std::str::FromStr;
-
-use anyhow::{format_err, Error};
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord, Hash)]
-pub struct Vmid(u32);
-
-impl Vmid {
-    pub fn new(id: u32) -> Self {
-        Vmid(id)
-    }
-}
-
-impl From<u32> for Vmid {
-    fn from(value: u32) -> Self {
-        Self::new(value)
-    }
-}
-
-impl fmt::Display for Vmid {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        fmt::Display::fmt(&self.0, f)
-    }
-}
-
-impl FromStr for Vmid {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(Self(
-            s.parse()
-                .map_err(|_| format_err!("not a valid vmid: {s:?}"))?,
-        ))
-    }
-}
-
-serde_plain::derive_deserialize_from_fromstr!(Vmid, "valid vmid");
diff --git a/proxmox-ve-config/src/guest/vm.rs b/proxmox-ve-config/src/guest/vm.rs
deleted file mode 100644
index 5b5866a..0000000
--- a/proxmox-ve-config/src/guest/vm.rs
+++ /dev/null
@@ -1,510 +0,0 @@
-use anyhow::{bail, Error};
-use core::fmt::Display;
-use std::io;
-use std::str::FromStr;
-use std::{collections::HashMap, net::Ipv6Addr};
-
-use proxmox_schema::property_string::PropertyIterator;
-
-use crate::firewall::parse::{match_digits, parse_bool};
-use crate::firewall::types::address::{Ipv4Cidr, Ipv6Cidr};
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct MacAddress([u8; 6]);
-
-static LOCAL_PART: [u8; 8] = [0xFE, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00];
-static EUI64_MIDDLE_PART: [u8; 2] = [0xFF, 0xFE];
-
-impl MacAddress {
-    /// generates a link local IPv6-address according to RFC 4291 (Appendix A)
-    pub fn eui64_link_local_address(&self) -> Ipv6Addr {
-        let head = &self.0[..3];
-        let tail = &self.0[3..];
-
-        let mut eui64_address: Vec<u8> = LOCAL_PART
-            .iter()
-            .chain(head.iter())
-            .chain(EUI64_MIDDLE_PART.iter())
-            .chain(tail.iter())
-            .copied()
-            .collect();
-
-        // we need to flip the 7th bit of the first eui64 byte
-        eui64_address[8] ^= 0x02;
-
-        Ipv6Addr::from(
-            TryInto::<[u8; 16]>::try_into(eui64_address).expect("is an u8 array with 16 entries"),
-        )
-    }
-}
-
-impl FromStr for MacAddress {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let split = s.split(':');
-
-        let parsed = split
-            .into_iter()
-            .map(|elem| u8::from_str_radix(elem, 16))
-            .collect::<Result<Vec<u8>, _>>()
-            .map_err(Error::msg)?;
-
-        if parsed.len() != 6 {
-            bail!("Invalid amount of elements in MAC address!");
-        }
-
-        let address = &parsed.as_slice()[0..6];
-        Ok(Self(address.try_into().unwrap()))
-    }
-}
-
-impl Display for MacAddress {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(
-            f,
-            "{:<02X}:{:<02X}:{:<02X}:{:<02X}:{:<02X}:{:<02X}",
-            self.0[0], self.0[1], self.0[2], self.0[3], self.0[4], self.0[5]
-        )
-    }
-}
-
-#[derive(Debug, Clone, Copy)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub enum NetworkDeviceModel {
-    VirtIO,
-    Veth,
-    E1000,
-    Vmxnet3,
-    RTL8139,
-}
-
-impl FromStr for NetworkDeviceModel {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s {
-            "virtio" => Ok(NetworkDeviceModel::VirtIO),
-            "e1000" => Ok(NetworkDeviceModel::E1000),
-            "rtl8139" => Ok(NetworkDeviceModel::RTL8139),
-            "vmxnet3" => Ok(NetworkDeviceModel::Vmxnet3),
-            "veth" => Ok(NetworkDeviceModel::Veth),
-            _ => bail!("Invalid network device model: {s}"),
-        }
-    }
-}
-
-#[derive(Debug)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct NetworkDevice {
-    model: NetworkDeviceModel,
-    mac_address: MacAddress,
-    firewall: bool,
-    ip: Option<Ipv4Cidr>,
-    ip6: Option<Ipv6Cidr>,
-}
-
-impl NetworkDevice {
-    pub fn model(&self) -> NetworkDeviceModel {
-        self.model
-    }
-
-    pub fn mac_address(&self) -> &MacAddress {
-        &self.mac_address
-    }
-
-    pub fn ip(&self) -> Option<&Ipv4Cidr> {
-        self.ip.as_ref()
-    }
-
-    pub fn ip6(&self) -> Option<&Ipv6Cidr> {
-        self.ip6.as_ref()
-    }
-
-    pub fn has_firewall(&self) -> bool {
-        self.firewall
-    }
-}
-
-impl FromStr for NetworkDevice {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let (mut ty, mut hwaddr, mut firewall, mut ip, mut ip6) = (None, None, true, None, None);
-
-        for entry in PropertyIterator::new(s) {
-            let (key, value) = entry.unwrap();
-
-            if let Some(key) = key {
-                match key {
-                    "type" | "model" => {
-                        ty = Some(NetworkDeviceModel::from_str(&value)?);
-                    }
-                    "hwaddr" | "macaddr" => {
-                        hwaddr = Some(MacAddress::from_str(&value)?);
-                    }
-                    "firewall" => {
-                        firewall = parse_bool(&value)?;
-                    }
-                    "ip" => {
-                        if value == "dhcp" {
-                            continue;
-                        }
-
-                        ip = Some(Ipv4Cidr::from_str(&value)?);
-                    }
-                    "ip6" => {
-                        if value == "dhcp" || value == "auto" {
-                            continue;
-                        }
-
-                        ip6 = Some(Ipv6Cidr::from_str(&value)?);
-                    }
-                    _ => {
-                        if let Ok(model) = NetworkDeviceModel::from_str(key) {
-                            ty = Some(model);
-                            hwaddr = Some(MacAddress::from_str(&value)?);
-                        }
-                    }
-                }
-            }
-        }
-
-        if let (Some(ty), Some(hwaddr)) = (ty, hwaddr) {
-            return Ok(NetworkDevice {
-                model: ty,
-                mac_address: hwaddr,
-                firewall,
-                ip,
-                ip6,
-            });
-        }
-
-        bail!("No valid network device detected in string {s}");
-    }
-}
-
-#[derive(Debug, Default)]
-#[cfg_attr(test, derive(Eq, PartialEq))]
-pub struct NetworkConfig {
-    network_devices: HashMap<i64, NetworkDevice>,
-}
-
-impl NetworkConfig {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn index_from_net_key(key: &str) -> Result<i64, Error> {
-        if let Some(digits) = key.strip_prefix("net") {
-            if let Some((digits, rest)) = match_digits(digits) {
-                let index: i64 = digits.parse()?;
-
-                if (0..31).contains(&index) && rest.is_empty() {
-                    return Ok(index);
-                }
-            }
-        }
-
-        bail!("No index found in net key string: {key}")
-    }
-
-    pub fn network_devices(&self) -> &HashMap<i64, NetworkDevice> {
-        &self.network_devices
-    }
-
-    pub fn parse<R: io::BufRead>(input: R) -> Result<Self, Error> {
-        let mut network_devices = HashMap::new();
-
-        for line in input.lines() {
-            let line = line?;
-            let line = line.trim();
-
-            if line.is_empty() || line.starts_with('#') {
-                continue;
-            }
-
-            if line.starts_with('[') {
-                break;
-            }
-
-            if line.starts_with("net") {
-                log::trace!("parsing net config line: {line}");
-
-                if let Some((mut key, mut value)) = line.split_once(':') {
-                    if key.is_empty() || value.is_empty() {
-                        continue;
-                    }
-
-                    key = key.trim();
-                    value = value.trim();
-
-                    if let Ok(index) = Self::index_from_net_key(key) {
-                        let network_device = NetworkDevice::from_str(value)?;
-
-                        let exists = network_devices.insert(index, network_device);
-
-                        if exists.is_some() {
-                            bail!("Duplicated config key detected: {key}");
-                        }
-                    } else {
-                        bail!("Encountered invalid net key in cfg: {key}");
-                    }
-                }
-            }
-        }
-
-        Ok(Self { network_devices })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_parse_mac_address() {
-        for input in [
-            "aa:aa:aa:11:22:33",
-            "AA:BB:FF:11:22:33",
-            "bc:24:11:AA:bb:Ef",
-        ] {
-            let mac_address = input.parse::<MacAddress>().expect("valid mac address");
-
-            assert_eq!(input.to_uppercase(), mac_address.to_string());
-        }
-
-        for input in [
-            "aa:aa:aa:11:22:33:aa",
-            "AA:BB:FF:11:22",
-            "AA:BB:GG:11:22:33",
-            "AABBGG112233",
-            "",
-        ] {
-            input
-                .parse::<MacAddress>()
-                .expect_err("invalid mac address");
-        }
-    }
-
-    #[test]
-    fn test_eui64_link_local_address() {
-        let mac_address: MacAddress = "BC:24:11:49:8D:75".parse().expect("valid MAC address");
-
-        let link_local_address =
-            Ipv6Addr::from_str("fe80::be24:11ff:fe49:8d75").expect("valid IPv6 address");
-
-        assert_eq!(link_local_address, mac_address.eui64_link_local_address());
-    }
-
-    #[test]
-    fn test_parse_network_device() {
-        let mut network_device: NetworkDevice =
-            "virtio=AA:AA:AA:17:19:81,bridge=public,firewall=1,queues=4"
-                .parse()
-                .expect("valid network configuration");
-
-        assert_eq!(
-            network_device,
-            NetworkDevice {
-                model: NetworkDeviceModel::VirtIO,
-                mac_address: MacAddress([0xAA, 0xAA, 0xAA, 0x17, 0x19, 0x81]),
-                firewall: true,
-                ip: None,
-                ip6: None,
-            }
-        );
-
-        network_device = "model=virtio,macaddr=AA:AA:AA:17:19:81,bridge=public,firewall=1,queues=4"
-            .parse()
-            .expect("valid network configuration");
-
-        assert_eq!(
-            network_device,
-            NetworkDevice {
-                model: NetworkDeviceModel::VirtIO,
-                mac_address: MacAddress([0xAA, 0xAA, 0xAA, 0x17, 0x19, 0x81]),
-                firewall: true,
-                ip: None,
-                ip6: None,
-            }
-        );
-
-        network_device =
-            "name=eth0,bridge=public,firewall=0,hwaddr=AA:AA:AA:E2:3E:24,ip=dhcp,type=veth"
-                .parse()
-                .expect("valid network configuration");
-
-        assert_eq!(
-            network_device,
-            NetworkDevice {
-                model: NetworkDeviceModel::Veth,
-                mac_address: MacAddress([0xAA, 0xAA, 0xAA, 0xE2, 0x3E, 0x24]),
-                firewall: false,
-                ip: None,
-                ip6: None,
-            }
-        );
-
-        "model=virtio"
-            .parse::<NetworkDevice>()
-            .expect_err("invalid network configuration");
-
-        "bridge=public,firewall=0"
-            .parse::<NetworkDevice>()
-            .expect_err("invalid network configuration");
-
-        "".parse::<NetworkDevice>()
-            .expect_err("invalid network configuration");
-
-        "name=eth0,bridge=public,firewall=0,hwaddr=AA:AA:AG:E2:3E:24,ip=dhcp,type=veth"
-            .parse::<NetworkDevice>()
-            .expect_err("invalid network configuration");
-    }
-
-    #[test]
-    fn test_parse_network_confg() {
-        let mut guest_config = "\
-boot: order=scsi0;net0
-cores: 4
-cpu: host
-memory: 8192
-meta: creation-qemu=8.0.2,ctime=1700141675
-name: hoan-sdn
-net0: virtio=AA:BB:CC:F2:FE:75,bridge=public
-numa: 0
-ostype: l26
-parent: uwu
-scsi0: local-lvm:vm-999-disk-0,discard=on,iothread=1,size=32G
-scsihw: virtio-scsi-single
-smbios1: uuid=addb0cc6-0393-4269-a504-1eb46604cb8a
-sockets: 1
-vmgenid: 13bcbb05-3608-4d74-bf4f-d5d20c3538e8
-
-[snapshot]
-boot: order=scsi0;ide2;net0
-cores: 4
-cpu: x86-64-v2-AES
-ide2: NFS-iso:iso/proxmox-ve_8.0-2.iso,media=cdrom,size=1166488K
-memory: 8192
-meta: creation-qemu=8.0.2,ctime=1700141675
-name: test
-net2: virtio=AA:AA:AA:F2:FE:75,bridge=public,firewall=1
-numa: 0
-ostype: l26
-parent: pre-SDN
-scsi0: local-lvm:vm-999-disk-0,discard=on,iothread=1,size=32G
-scsihw: virtio-scsi-single
-smbios1: uuid=addb0cc6-0393-4269-a504-1eb46604cb8a
-snaptime: 1700143513
-sockets: 1
-vmgenid: 706fbe99-d28b-4047-a9cd-3677c859ca8a
-
-[snapshott]
-boot: order=scsi0;ide2;net0
-cores: 4
-cpu: host
-ide2: NFS-iso:iso/proxmox-ve_8.0-2.iso,media=cdrom,size=1166488K
-memory: 8192
-meta: creation-qemu=8.0.2,ctime=1700141675
-name: hoan-sdn
-net0: virtio=AA:AA:FF:F2:FE:75,bridge=public,firewall=0
-numa: 0
-ostype: l26
-parent: SDN
-scsi0: local-lvm:vm-999-disk-0,discard=on,iothread=1,size=32G
-scsihw: virtio-scsi-single
-smbios1: uuid=addb0cc6-0393-4269-a504-1eb46604cb8a
-snaptime: 1700158473
-sockets: 1
-vmgenid: 706fbe99-d28b-4047-a9cd-3677c859ca8a"
-            .as_bytes();
-
-        let mut network_config: NetworkConfig =
-            NetworkConfig::parse(guest_config).expect("valid network configuration");
-
-        assert_eq!(network_config.network_devices().len(), 1);
-
-        assert_eq!(
-            network_config.network_devices()[&0],
-            NetworkDevice {
-                model: NetworkDeviceModel::VirtIO,
-                mac_address: MacAddress([0xAA, 0xBB, 0xCC, 0xF2, 0xFE, 0x75]),
-                firewall: true,
-                ip: None,
-                ip6: None,
-            }
-        );
-
-        guest_config = "\
-arch: amd64
-cores: 1
-features: nesting=1
-hostname: dnsct
-memory: 512
-net0: name=eth0,bridge=data,firewall=1,hwaddr=BC:24:11:47:83:11,ip=dhcp,type=veth
-net2:   name=eth0,bridge=data,firewall=0,hwaddr=BC:24:11:47:83:12,ip=123.123.123.123/24,type=veth  
-net5: name=eth0,bridge=data,firewall=1,hwaddr=BC:24:11:47:83:13,ip6=fd80::1/64,type=veth
-ostype: alpine
-rootfs: local-lvm:vm-10001-disk-0,size=1G
-swap: 512
-unprivileged: 1"
-            .as_bytes();
-
-        network_config = NetworkConfig::parse(guest_config).expect("valid network configuration");
-
-        assert_eq!(network_config.network_devices().len(), 3);
-
-        assert_eq!(
-            network_config.network_devices()[&0],
-            NetworkDevice {
-                model: NetworkDeviceModel::Veth,
-                mac_address: MacAddress([0xBC, 0x24, 0x11, 0x47, 0x83, 0x11]),
-                firewall: true,
-                ip: None,
-                ip6: None,
-            }
-        );
-
-        assert_eq!(
-            network_config.network_devices()[&2],
-            NetworkDevice {
-                model: NetworkDeviceModel::Veth,
-                mac_address: MacAddress([0xBC, 0x24, 0x11, 0x47, 0x83, 0x12]),
-                firewall: false,
-                ip: Some(Ipv4Cidr::from_str("123.123.123.123/24").expect("valid ipv4")),
-                ip6: None,
-            }
-        );
-
-        assert_eq!(
-            network_config.network_devices()[&5],
-            NetworkDevice {
-                model: NetworkDeviceModel::Veth,
-                mac_address: MacAddress([0xBC, 0x24, 0x11, 0x47, 0x83, 0x13]),
-                firewall: true,
-                ip: None,
-                ip6: Some(Ipv6Cidr::from_str("fd80::1/64").expect("valid ipv6")),
-            }
-        );
-
-        NetworkConfig::parse(
-            "netqwe: name=eth0,bridge=data,firewall=1,hwaddr=BC:24:11:47:83:11,ip=dhcp,type=veth"
-                .as_bytes(),
-        )
-        .expect_err("invalid net key");
-
-        NetworkConfig::parse(
-            "net0 name=eth0,bridge=data,firewall=1,hwaddr=BC:24:11:47:83:11,ip=dhcp,type=veth"
-                .as_bytes(),
-        )
-        .expect_err("invalid net key");
-
-        NetworkConfig::parse(
-            "net33: name=eth0,bridge=data,firewall=1,hwaddr=BC:24:11:47:83:11,ip=dhcp,type=veth"
-                .as_bytes(),
-        )
-        .expect_err("invalid net key");
-    }
-}
diff --git a/proxmox-ve-config/src/host/mod.rs b/proxmox-ve-config/src/host/mod.rs
deleted file mode 100644
index b5614dd..0000000
--- a/proxmox-ve-config/src/host/mod.rs
+++ /dev/null
@@ -1 +0,0 @@
-pub mod utils;
diff --git a/proxmox-ve-config/src/host/utils.rs b/proxmox-ve-config/src/host/utils.rs
deleted file mode 100644
index b1dc8e9..0000000
--- a/proxmox-ve-config/src/host/utils.rs
+++ /dev/null
@@ -1,70 +0,0 @@
-use std::net::{IpAddr, ToSocketAddrs};
-
-use crate::firewall::types::Cidr;
-
-use nix::sys::socket::{AddressFamily, SockaddrLike};
-use proxmox_sys::nodename;
-
-/// gets a list of IPs that the hostname of this node resolves to
-///
-/// panics if the local hostname is not resolvable
-pub fn host_ips() -> Vec<IpAddr> {
-    let hostname = nodename();
-
-    log::trace!("resolving hostname");
-
-    format!("{hostname}:0")
-        .to_socket_addrs()
-        .expect("local hostname is resolvable")
-        .map(|addr| addr.ip())
-        .collect()
-}
-
-/// gets a list of all configured CIDRs on all network interfaces of this host
-///
-/// panics if unable to query the current network configuration
-pub fn network_interface_cidrs() -> Vec<Cidr> {
-    use nix::ifaddrs::getifaddrs;
-
-    log::trace!("reading networking interface list");
-
-    let mut cidrs = Vec::new();
-
-    let interfaces = getifaddrs().expect("should be able to query network interfaces");
-
-    for interface in interfaces {
-        if let (Some(address), Some(netmask)) = (interface.address, interface.netmask) {
-            match (address.family(), netmask.family()) {
-                (Some(AddressFamily::Inet), Some(AddressFamily::Inet)) => {
-                    let address = address.as_sockaddr_in().expect("is an IPv4 address").ip();
-
-                    let netmask = netmask
-                        .as_sockaddr_in()
-                        .expect("is an IPv4 address")
-                        .ip()
-                        .count_ones()
-                        .try_into()
-                        .expect("count_ones of u32 is < u8_max");
-
-                    cidrs.push(Cidr::new_v4(address, netmask).expect("netmask is valid"));
-                }
-                (Some(AddressFamily::Inet6), Some(AddressFamily::Inet6)) => {
-                    let address = address.as_sockaddr_in6().expect("is an IPv6 address").ip();
-
-                    let netmask_address =
-                        netmask.as_sockaddr_in6().expect("is an IPv6 address").ip();
-
-                    let netmask = u128::from_be_bytes(netmask_address.octets())
-                        .count_ones()
-                        .try_into()
-                        .expect("count_ones of u128 is < u8_max");
-
-                    cidrs.push(Cidr::new_v6(address, netmask).expect("netmask is valid"));
-                }
-                _ => continue,
-            }
-        }
-    }
-
-    cidrs
-}
diff --git a/proxmox-ve-config/src/lib.rs b/proxmox-ve-config/src/lib.rs
deleted file mode 100644
index 856b14f..0000000
--- a/proxmox-ve-config/src/lib.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-pub mod firewall;
-pub mod guest;
-pub mod host;
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2024-11-17 11:25 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-15 12:09 [pve-devel] [PATCH docs/firewall/manager/proxmox{-firewall, -perl-rs} v4 0/9] autogenerate ipsets for sdn objects Stefan Hanreich
2024-11-15 12:09 ` Stefan Hanreich [this message]
2024-11-17 14:08   ` [pve-devel] applied: [PATCH proxmox-firewall v4 1/9] add proxmox-ve-rs crate - move proxmox-ve-config there Thomas Lamprecht
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-firewall v4 2/9] config: tests: add support for loading sdn and ipam config Stefan Hanreich
2024-11-17 14:08   ` [pve-devel] applied: " Thomas Lamprecht
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-firewall v4 3/9] ipsets: autogenerate ipsets for vnets and ipam Stefan Hanreich
2024-11-17 14:08   ` [pve-devel] applied: " Thomas Lamprecht
2024-11-15 12:09 ` [pve-devel] [PATCH pve-firewall v4 4/9] add support for loading sdn firewall configuration Stefan Hanreich
2024-11-17 14:57   ` Thomas Lamprecht
2024-11-18  9:22     ` Stefan Hanreich
2024-11-18  9:35     ` Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH pve-firewall v4 5/9] nftables: make is_nftables check flag file instead of config Stefan Hanreich
2024-11-17 14:58   ` [pve-devel] applied: " Thomas Lamprecht
2024-11-15 12:09 ` [pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets Stefan Hanreich
2024-11-17 14:30   ` Thomas Lamprecht
2024-11-18  9:02     ` Stefan Hanreich
2024-11-18 11:38       ` Thomas Lamprecht
2024-11-18 13:23         ` Thomas Lamprecht
2024-11-18 13:32           ` Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-perl-rs v4 7/9] add PVE::RS::Firewall::SDN module Stefan Hanreich
2024-11-17 14:36   ` [pve-devel] applied: " Thomas Lamprecht
2024-11-15 12:09 ` [pve-devel] [PATCH pve-manager v4 8/9] firewall: add sdn scope to IPRefSelector Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH pve-docs v4 9/9] sdn: add documentation for firewall integration Stefan Hanreich
2024-11-18 11:47 ` [pve-devel] [PATCH docs/firewall/manager/proxmox{-firewall, -perl-rs} v4 0/9] autogenerate ipsets for sdn objects Stefan Hanreich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241115120937.169342-2-s.hanreich@proxmox.com \
    --to=s.hanreich@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=w.bumiller@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal