From: Hannes Laimer
To: Dietmar Maurer, pve-devel@lists.proxmox.com
Date: Tue, 17 Feb 2026 07:17:09 +0100
Subject: Re: [RFC proxmox 00/22] New crate for firewall api types
In-Reply-To: <20260216104401.3959270-1-dietmar@proxmox.com>
List-Id: Proxmox VE development discussion

On 2026-02-16 11:45, Dietmar Maurer wrote:
> The current PVE firewall implementation is written in Perl, and Rust type
> definitions can be auto-generated from its API schemas. However, many of the
> more complex types are represented as opaque strings, which limits type safety.
>
> Verifiers for complex types like ports and address matches cannot be generated
> automatically, so we need to implement them manually anyway.
>
> To address this, the crate provides hand-crafted Rust types that parse and validate these
> string-encoded values into proper enums and structs, while remaining fully
> compatible with the existing API wire format. The initial type definitions were
> seeded from the auto-generated `pve-api-types` crate and then refined by hand.
>
> Types from proxmox-ve-rs/proxmox-ve-config/src/firewall/ are not really designed
> to be used directly, as they are not fully compatible with the API wire format. They
> also depend on system crates (nix, proxmox-sys, etc.) which we want to avoid for this crate.
> I tried to reuse some of those types, but in many cases it was easier to
> use types generated from the Perl API schemas as a starting point and then modify them
> as needed.
>

Generally I like the idea of having actual types for a lot of the
just-string things we do in the PVE API.
What we still need though is for the generator in `pve-api-types` to
support external types so generated functions can also reference types
that were not generated. I don't think that should be too complicated,
just something to keep in mind.

I was wondering if we actually need/want a separate crate. This could be
part of `pve-api-types`, alongside the verifiers we'd also have
something like `external types` that the generator can use if specified
for specific endpoints. The rationale here would be that for endpoints
where we want more than just verifiers we could define the types
directly. This would also make it somewhat straightforward to introduce
concrete typing in other, unrelated, places where that would make sense.

On the other hand, for re-usability without the general pve stuff having
a crate might be handy.

Either way, thanks for taking a look at this!

> Dependencies are minimal, so that we can use this crate for wasm targets (GUI).
>
>
> This series depends on the CommaSeparatedList patch sent recently.
>
>
> Dietmar Maurer (22):
>   firewall-api-types: add new crate for firewall api types
>   firewall-api-types: add README.md
>   firewall-api-types: add firewall policy types
>   firewall-api-types: add logging types
>   firewall-api-types: add FirewallClusterOptions
>   firewall-api-types: add FirewallGuestOptions
>   firewall-api-types: add FirewallConntrackHelper enum
>   firewall-api-types: add FirewallNodeOptions struct
>   firewall-api-types: add FirewallRef type
>   firewall-api-types: add FirewallPortList types
>   firewall-api-types: add FirewallIcmpType
>   firewall-api-types: add FirewallIpsetReference type
>   firewall-api-types: add FirewallAliasReference type
>   firewall-api-types: add firewall address types
>   firewall-api-types: add FirewallRule type
>   firewall-api-types: use ConfigDigest from proxmox-config-digest crate
>   firewall-api-types: use COMMENT_SCHEMA from proxmox-schema crate
>   firewall-api-types: add FirewallRuleUpdater type
>   firewall-api-types: refactor FirewallRule and add
>     FirewallRuleListEntry
>   firewall-api-types: add DeletableFirewallRuleProperty enum
>   firewall-api-types: add FirewallAliasEntry API type
>   firewall-api-types: add FirewallIpsetListEntry and FirewallIpsetEntry
>     api types
>
>  Cargo.toml                                    |   1 +
>  proxmox-firewall-api-types/Cargo.toml         |  30 +
>  proxmox-firewall-api-types/README.md          |  54 ++
>  proxmox-firewall-api-types/debian/changelog   |   5 +
>  proxmox-firewall-api-types/debian/control     |  52 ++
>  proxmox-firewall-api-types/debian/copyright   |  18 +
>  .../debian/debcargo.toml                      |   7 +
>  proxmox-firewall-api-types/src/address.rs     | 229 +++++++
>  proxmox-firewall-api-types/src/alias.rs       | 181 ++++++
>  .../src/cluster_options.rs                    |  61 ++
>  proxmox-firewall-api-types/src/conntrack.rs   |  52 ++
>  .../src/firewall_ref.rs                       |  62 ++
>  .../src/guest_options.rs                      |  97 +++
>  proxmox-firewall-api-types/src/icmp_type.rs   | 559 ++++++++++++++++++
>  proxmox-firewall-api-types/src/ipset.rs       | 254 ++++++++
>  proxmox-firewall-api-types/src/lib.rs         |  46 ++
>  proxmox-firewall-api-types/src/log.rs         | 312 ++++++++++
>  .../src/node_options.rs                       | 240 ++++++++
>  proxmox-firewall-api-types/src/policy.rs      | 151 +++++
>  proxmox-firewall-api-types/src/port.rs        | 177 ++++++
>  proxmox-firewall-api-types/src/rule.rs        | 351 +++++++++++
>  21 files changed, 2939 insertions(+)
>  create mode 100644 proxmox-firewall-api-types/Cargo.toml
>  create mode 100644 proxmox-firewall-api-types/README.md
>  create mode 100644 proxmox-firewall-api-types/debian/changelog
>  create mode 100644 proxmox-firewall-api-types/debian/control
>  create mode 100644 proxmox-firewall-api-types/debian/copyright
>  create mode 100644 proxmox-firewall-api-types/debian/debcargo.toml
>  create mode 100644 proxmox-firewall-api-types/src/address.rs
>  create mode 100644 proxmox-firewall-api-types/src/alias.rs
>  create mode 100644 proxmox-firewall-api-types/src/cluster_options.rs
>  create mode 100644 proxmox-firewall-api-types/src/conntrack.rs
>  create mode 100644 proxmox-firewall-api-types/src/firewall_ref.rs
>  create mode 100644 proxmox-firewall-api-types/src/guest_options.rs
>  create mode 100644 proxmox-firewall-api-types/src/icmp_type.rs
>  create mode 100644 proxmox-firewall-api-types/src/ipset.rs
>  create mode 100644 proxmox-firewall-api-types/src/lib.rs
>  create mode 100644 proxmox-firewall-api-types/src/log.rs
>  create mode 100644 proxmox-firewall-api-types/src/node_options.rs
>  create mode 100644 proxmox-firewall-api-types/src/policy.rs
>  create mode 100644 proxmox-firewall-api-types/src/port.rs
>  create mode 100644 proxmox-firewall-api-types/src/rule.rs
>
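
The quoted cover letter describes types that parse a string-encoded value into enums and structs while keeping the API wire format. The sketch below is an added example, not code from this series or from Proxmox: `PortEntry` and `PortList` are hypothetical names, and the syntax (comma-separated decimal ports and `lo:hi` ranges, no service names) is an assumed simplification.

```rust
use std::{fmt, str::FromStr};
// Hypothetical types for illustration, not those of proxmox-firewall-api-types.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PortEntry { Single(u16), Range(u16, u16) }
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PortList(pub Vec<PortEntry>);

// u16::from_str accepts a leading '+', so require plain ASCII digits as well.
fn parse_port(s: &str) -> Result<u16, String> {
    let digits = !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit());
    s.parse::<u16>().ok().filter(|_| digits).ok_or_else(|| format!("invalid port '{}'", s))
}

impl FromStr for PortEntry {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, String> {
        match s.split_once(':') {
            None => parse_port(s).map(PortEntry::Single),
            Some((lo, hi)) => {
                let (lo, hi) = (parse_port(lo)?, parse_port(hi)?);
                if lo > hi { return Err(format!("inverted range '{}'", s)); }
                Ok(PortEntry::Range(lo, hi))
            }
        }
    }
}

impl FromStr for PortList {
    type Err = String;
    // Any invalid element rejects the whole list; nothing is silently dropped.
    fn from_str(s: &str) -> Result<Self, String> {
        s.split(',').map(str::parse::<PortEntry>).collect::<Result<Vec<_>, _>>().map(PortList)
    }
}

// Display emits the same string form, so a typed value goes back onto the wire unchanged.
impl fmt::Display for PortList {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        let parts: Vec<String> = self.0.iter().map(|e| match e {
            PortEntry::Single(p) => p.to_string(),
            PortEntry::Range(lo, hi) => format!("{}:{}", lo, hi),
        }).collect();
        f.write_str(&parts.join(","))
    }
}

fn main() { // constructed sample input
    println!("{:?}", "22,80:85,443".parse::<PortList>());
}
```

Once a rule field has this type, code that renders it into a firewall ruleset never handles an unvalidated string.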