From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 8DF821FF142 for ; Mon, 16 Feb 2026 11:50:33 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7444DEA0C; Mon, 16 Feb 2026 11:51:23 +0100 (CET) From: Dietmar Maurer To: pve-devel@lists.proxmox.com Subject: [RFC proxmox 19/22] firewall-api-types: refactor FirewallRule and add FirewallRuleListEntry Date: Mon, 16 Feb 2026 11:43:57 +0100 Message-ID: <20260216104401.3959270-20-dietmar@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260216104401.3959270-1-dietmar@proxmox.com> References: <20260216104401.3959270-1-dietmar@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -1.862 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy ENA_SUBJ_ODD_CASE 2.6 Subject has odd case KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: W67MRINROEHE4LYXWLY7EFH5A64JSG66 X-Message-ID-Hash: W67MRINROEHE4LYXWLY7EFH5A64JSG66 X-MailFrom: dietmar@zilli.proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Move 'pos' and 'digest' fields out of FirewallRule, since they are not part of the rule definition itself but rather metadata associated with a rule's position in a list. Introduce FirewallRuleListEntry which wraps a FirewallRule together with its position and digest, for use in list/get API responses. Add a dedicated FIREWALL_RULE_POS_SCHEMA for the rule position field, because we need it several times now. Derive Clone and PartialEq on FirewallRule and FirewallRuleListEntry, because this is a requirement to use it in the yew GUI. Drop Eq from FirewallRuleType since PartialEq is sufficient. Add dev-dependencies (proxmox-router, serde_json) and a test_fake_server_client_api test module with mock create_rule, update_rule, and get_rule API handlers to verify that the types work correctly with the #[api] macro. Signed-off-by: Dietmar Maurer --- proxmox-firewall-api-types/Cargo.toml | 4 + proxmox-firewall-api-types/src/rule.rs | 130 ++++++++++++++++++++----- 2 files changed, 110 insertions(+), 24 deletions(-) diff --git a/proxmox-firewall-api-types/Cargo.toml b/proxmox-firewall-api-types/Cargo.toml index 2e894606..6685d75c 100644 --- a/proxmox-firewall-api-types/Cargo.toml +++ b/proxmox-firewall-api-types/Cargo.toml @@ -12,6 +12,10 @@ exclude.workspace = true [features] enum-fallback = ["dep:proxmox-fixed-string"] +[dev-dependencies] +proxmox-router = { workspace = true } +serde_json = { workspace = true } + [dependencies] anyhow.workspace = true regex.workspace = true diff --git a/proxmox-firewall-api-types/src/rule.rs b/proxmox-firewall-api-types/src/rule.rs index 48869b25..d067c209 100644 --- a/proxmox-firewall-api-types/src/rule.rs +++ b/proxmox-firewall-api-types/src/rule.rs @@ -5,7 +5,7 @@ use serde::{Deserialize, Serialize}; use proxmox_fixed_string::FixedString; use proxmox_schema::api_types::COMMENT_SCHEMA; -use proxmox_schema::{api, const_regex, ApiStringFormat, Updater}; +use proxmox_schema::{api, const_regex, ApiStringFormat, IntegerSchema, Schema, Updater}; use crate::{FirewallAddressMatch, FirewallIcmpType, FirewallPortList}; use crate::{FIREWALL_DPORT_API_SCHEMA, FIREWALL_SPORT_API_SCHEMA}; @@ -16,6 +16,10 @@ const_regex! { FIREWALL_SECURITY_GROUP_RE = r##"^[A-Za-z][A-Za-z0-9\-\_]+$"##; } +const FIREWALL_RULE_POS_SCHEMA: Schema = IntegerSchema::new("Rule position .") + .minimum(0) + .schema(); + #[api( properties: { action: { @@ -31,9 +35,6 @@ const_regex! { dest: { optional: true, }, - digest: { - optional: true, - }, dport: { optional: true, schema: FIREWALL_DPORT_API_SCHEMA, @@ -61,11 +62,6 @@ const_regex! { optional: true, type: String, }, - pos: { - minimum: 0, - optional: true, - type: Integer, - }, proto: { max_length: 64, // arbitrary limit, much longer than anything in /etc/protocols optional: true, @@ -84,7 +80,7 @@ const_regex! { }, )] /// Firewall Rule. -#[derive(Debug, serde::Deserialize, serde::Serialize, Updater)] +#[derive(Debug, serde::Deserialize, serde::Serialize, Updater, Clone, PartialEq)] pub struct FirewallRule { /// Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name. #[updater(serde(default, skip_serializing_if = "Option::is_none"))] @@ -97,12 +93,6 @@ pub struct FirewallRule { #[serde(default, skip_serializing_if = "Option::is_none")] pub dest: Option, - /// Prevent changes if current configuration file has a different digest. - /// This can be used to prevent concurrent modifications. - #[serde(default, skip_serializing_if = "Option::is_none")] - #[updater(type = "Option")] - pub digest: Option, - /// Restrict TCP/UDP destination port. #[serde(default, skip_serializing_if = "Option::is_none")] pub dport: Option, @@ -132,11 +122,6 @@ pub struct FirewallRule { #[serde(rename = "macro")] pub r#macro: Option, - /// Update rule at position . - #[serde(deserialize_with = "proxmox_serde::perl::deserialize_u64")] - #[serde(default, skip_serializing_if = "Option::is_none")] - pub pos: Option, - /// IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, /// as defined in '/etc/protocols'. #[serde(default, skip_serializing_if = "Option::is_none")] @@ -154,9 +139,30 @@ pub struct FirewallRule { pub ty: FirewallRuleType, } +#[api( + properties: { + pos: { + optional: true, + schema: FIREWALL_RULE_POS_SCHEMA, + }, + rule: { + type: FirewallRule, + flatten: true, + } + }, +)] +#[derive(Debug, Deserialize, Serialize, Clone, PartialEq)] +/// Firewall rule list entry. Includes position, digest and the rule itself. +pub struct FirewallRuleListEntry { + pub pos: u64, + pub digest: ConfigDigest, + #[serde(flatten)] + pub rule: FirewallRule, +} + #[api] /// Rule type. -#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)] +#[derive(Clone, Copy, Debug, PartialEq, Deserialize, Serialize)] pub enum FirewallRuleType { #[serde(rename = "in")] /// in. @@ -209,7 +215,6 @@ mod test { // Numeric fields - these are Option in updater updater.enable = Some(1); - updater.pos = Some(0); // Enum fields - these are Option in updater updater.ty = Some(FirewallRuleType::In); @@ -223,6 +228,83 @@ mod test { updater.dport = Some("80".parse().unwrap()); updater.sport = Some("1024:65535".parse().unwrap()); updater.icmp_type = Some(FirewallIcmpType::Named(FirewallIcmpTypeName::EchoRequest)); - updater.digest = Some(ConfigDigest::from([0u8; 32])); + } +} + +#[cfg(test)] +mod test_fake_server_client_api { + use super::*; + use anyhow::Error; + use proxmox_schema::api; + + #[api( + input: { + properties: { + rule: { + type: FirewallRule, + flatten: true + }, + pos: { + optional: true, + schema: FIREWALL_RULE_POS_SCHEMA, + }, + digest: { + optional: true, + }, + }, + }, + )] + /// create rule + pub fn create_rule( + rule: FirewallRule, + pos: Option, + digest: Option, + ) -> Result<(), Error> { + unimplemented!(); + } + + #[api( + input: { + properties: { + rule: { + type: FirewallRule, + flatten: true + }, + pos: { + schema: FIREWALL_RULE_POS_SCHEMA, + }, + digest: { + optional: true, + }, + }, + }, + )] + /// update rule + pub fn update_rule( + pos: u64, + rule: FirewallRuleUpdater, + digest: Option, + ) -> Result<(), Error> { + unimplemented!(); + } + + #[api( + input: { + properties: { + pos: { + schema: FIREWALL_RULE_POS_SCHEMA, + }, + digest: { + optional: true, + }, + }, + }, + )] + /// update rule + pub fn get_rule( + pos: u64, + digest: Option, + ) -> Result { + unimplemented!(); } } -- 2.47.3