From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dietmar Maurer <dietmar@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [RFC proxmox 03/22] firewall-api-types: add firewall policy types
Date: Thu, 12 Mar 2026 11:17:39 +0100 [thread overview]
Message-ID: <wb3rji4tzgv3s2bxvlavl3xdhcoz6eaqfzj43gddyo46tsfpvi@wqcoqpuvkudx> (raw)
In-Reply-To: <20260216104401.3959270-4-dietmar@proxmox.com>
On Mon, Feb 16, 2026 at 11:43:41AM +0100, Dietmar Maurer wrote:
> Generated from perl api.
>
> Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
> ---
> proxmox-firewall-api-types/Cargo.toml | 5 +-
> proxmox-firewall-api-types/src/lib.rs | 3 +-
> proxmox-firewall-api-types/src/policy.rs | 151 +++++++++++++++++++++++
> 3 files changed, 157 insertions(+), 2 deletions(-)
> create mode 100644 proxmox-firewall-api-types/src/policy.rs
>
> diff --git a/proxmox-firewall-api-types/Cargo.toml b/proxmox-firewall-api-types/Cargo.toml
> index 515d1efc..3122d813 100644
> --- a/proxmox-firewall-api-types/Cargo.toml
> +++ b/proxmox-firewall-api-types/Cargo.toml
> @@ -9,12 +9,15 @@ license.workspace = true
> repository.workspace = true
> exclude.workspace = true
>
> +[features]
> +enum-fallback = ["dep:proxmox-fixed-string"]
> +
> [dependencies]
> anyhow.workspace = true
> regex.workspace = true
> -proxmox-fixed-string.workspace = true
>
> serde = { workspace = true, features = [ "derive" ] }
> serde_plain = { workspace = true }
You could replace this with `proxmox-serde`. We also already had
`serde-with` in some places for the same purpose (which now use
`proxmox-serde` I think).
> proxmox-schema = { workspace = true, features = ["api-macro"] }
> proxmox-serde = { workspace = true, features = ["perl"] }
> +proxmox-fixed-string = { workspace = true, optional = true }
> diff --git a/proxmox-firewall-api-types/src/lib.rs b/proxmox-firewall-api-types/src/lib.rs
> index 7c4a64a7..b8004c76 100644
> --- a/proxmox-firewall-api-types/src/lib.rs
> +++ b/proxmox-firewall-api-types/src/lib.rs
> @@ -1 +1,2 @@
> -// TODO: add code here
> +mod policy;
> +pub use policy::{FirewallFWPolicy, FirewallIOPolicy};
> diff --git a/proxmox-firewall-api-types/src/policy.rs b/proxmox-firewall-api-types/src/policy.rs
> new file mode 100644
> index 00000000..274fbe20
> --- /dev/null
> +++ b/proxmox-firewall-api-types/src/policy.rs
> @@ -0,0 +1,151 @@
> +use serde::{Deserialize, Serialize};
> +
> +#[cfg(feature = "enum-fallback")]
> +use proxmox_fixed_string::FixedString;
> +use proxmox_schema::api;
> +
> +#[api]
> +/// Firewall forward policy.
> +#[derive(Clone, Copy, Debug, Default, Eq, PartialEq, Deserialize, Serialize)]
> +pub enum FirewallFWPolicy {
> + #[serde(rename = "ACCEPT")]
> + #[default]
> + /// ACCEPT.
> + Accept,
> + #[serde(rename = "DROP")]
> + /// DROP.
> + Drop,
> + #[cfg(feature = "enum-fallback")]
> + #[serde(untagged)]
> + /// Unknwon
> + UnknownEnumValue(FixedString),
> +}
> +serde_plain::derive_display_from_serialize!(FirewallFWPolicy);
> +serde_plain::derive_fromstr_from_deserialize!(FirewallFWPolicy);
> +
> +#[api]
> +/// Firewall IO policy.
> +#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize)]
> +pub enum FirewallIOPolicy {
> + #[serde(rename = "ACCEPT")]
> + /// ACCEPT.
> + Accept,
> + #[serde(rename = "DROP")]
> + /// DROP.
> + Drop,
> + #[serde(rename = "REJECT")]
> + /// REJECT.
> + Reject,
> + #[cfg(feature = "enum-fallback")]
> + #[serde(untagged)]
> + /// Unknwon
> + UnknownEnumValue(FixedString),
> +}
> +serde_plain::derive_display_from_serialize!(FirewallIOPolicy);
> +serde_plain::derive_fromstr_from_deserialize!(FirewallIOPolicy);
> +
> +#[cfg(test)]
> +mod tests {
> + use super::*;
> +
> + #[test]
> + fn test_firewall_fw_policy_default() {
> + assert_eq!(FirewallFWPolicy::default(), FirewallFWPolicy::Accept);
> + }
> +
> + #[test]
> + #[cfg(not(feature = "enum-fallback"))]
> + fn test_firewall_fw_policy_serde_invalid() {
> + serde_plain::from_str::<FirewallFWPolicy>("REJECT")
> + .expect_err("REJECT is not valid for FWPolicy");
Without `serde_plain` these types of tests could all be of the form:
"REJECT"
.parse::<FirewallFWPolicy>()
.expect_err("REJECT is not valid for FWPolicy");
> + serde_plain::from_str::<FirewallFWPolicy>("accept")
> + .expect_err("lowercase should be invalid");
> + serde_plain::from_str::<FirewallFWPolicy>("").expect_err("empty string should be invalid");
> + }
> +
> + #[test]
> + fn test_firewall_fw_policy_roundtrip() {
This tests Display and FromStr implementations generated by a crate
specifically meant to add these to a simple enum.
Testing this is the job of that external crate.
(After all, we don't test whether the implementation generated by
`#[derive(PartialEq)]` does the correct thing either for all the enum
values...)
> + for policy in [FirewallFWPolicy::Accept, FirewallFWPolicy::Drop] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + let parsed: FirewallFWPolicy =
> + serde_plain::from_str(&serialized).expect("roundtrip parse");
> + assert_eq!(policy, parsed);
> + }
> + }
> +
> + #[test]
> + fn test_firewall_fw_policy_serde() {
Similar to the above. If we want to maintain a list of "this is the
value perl uses" *in addition to `#[serde(rename)]`, then why not
iterate through an array of `(FirewallFWPolicy::Foo, "FOO")` tuples.
But that's just another list to maintain - if anything, we should
involve pve-api-types in this without having to manually maintain
the wire foramt in multiple places like this.
> + let accept = FirewallFWPolicy::Accept;
> + let serialized = serde_plain::to_string(&accept).expect("serialize");
> + assert_eq!(serialized, "ACCEPT");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, accept);
> +
> + let drop = FirewallFWPolicy::Drop;
> + let serialized = serde_plain::to_string(&drop).expect("serialize");
> + assert_eq!(serialized, "DROP");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, drop);
> + }
> +
> + #[test]
> + #[cfg(feature = "enum-fallback")]
> + fn test_firewall_fw_policy_serde_enum_fallback() {
Meh... fine... but technically the job of the `serde` crate to test that
`serde(untagged)` on an enum actually works...
> + let unknown = FirewallFWPolicy::UnknownEnumValue(FixedString::new("TEST").unwrap());
> + let serialized = serde_plain::to_string(&unknown).expect("serialize");
And could use `.to_string()` instead of serde_plain here, too.
> + assert_eq!(serialized, "TEST");
> +
> + let parsed: FirewallFWPolicy = serde_plain::from_str(&serialized).expect("deserialize");
and then `serialized.parse().expect(…)`.
> + assert_eq!(parsed, unknown);
> + }
> +
> + #[test]
> + #[cfg(not(feature = "enum-fallback"))]
> + fn test_firewall_io_policy_serde_invalid() {
> + serde_plain::from_str::<FirewallIOPolicy>("ALLOW").expect_err("ALLOW is not valid");
> + serde_plain::from_str::<FirewallIOPolicy>("drop").expect_err("lowercase should be invalid");
> + serde_plain::from_str::<FirewallIOPolicy>("").expect_err("empty string should be invalid");
> + }
> +
> + #[test]
> + fn test_firewall_io_policy_roundtrip() {
Like for FW policy.
> + for policy in [
> + FirewallIOPolicy::Accept,
> + FirewallIOPolicy::Drop,
> + FirewallIOPolicy::Reject,
> + ] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + let parsed: FirewallIOPolicy =
> + serde_plain::from_str(&serialized).expect("roundtrip parse");
> + assert_eq!(policy, parsed);
> + }
> + }
> +
> + #[test]
> + fn test_firewall_io_policy_serde() {
> + for (policy, expected) in [
> + (FirewallIOPolicy::Accept, "ACCEPT"),
> + (FirewallIOPolicy::Drop, "DROP"),
> + (FirewallIOPolicy::Reject, "REJECT"),
So here we do use a list, but the other argument from the FW policy
variant still stands :S
> + ] {
> + let serialized = serde_plain::to_string(&policy).expect("serialize");
> + assert_eq!(serialized, expected);
> +
> + let parsed: FirewallIOPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, policy);
> + }
> + }
> +
> + #[test]
> + #[cfg(feature = "enum-fallback")]
> + fn test_firewall_io_policy_serde_enum_fallback() {
> + let unknown = FirewallIOPolicy::UnknownEnumValue(FixedString::new("TEST").unwrap());
> + let serialized = serde_plain::to_string(&unknown).expect("serialize");
> + assert_eq!(serialized, "TEST");
> +
> + let parsed: FirewallIOPolicy = serde_plain::from_str(&serialized).expect("deserialize");
> + assert_eq!(parsed, unknown);
> + }
> +}
> --
> 2.47.3
next prev parent reply other threads:[~2026-03-12 10:18 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 10:43 [RFC proxmox 00/22] New crate for firewall api types Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 01/22] firewall-api-types: add new " Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 02/22] firewall-api-types: add README.md Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 03/22] firewall-api-types: add firewall policy types Dietmar Maurer
2026-03-12 10:17 ` Wolfgang Bumiller [this message]
2026-02-16 10:43 ` [RFC proxmox 04/22] firewall-api-types: add logging types Dietmar Maurer
2026-03-02 12:24 ` Stefan Hanreich
2026-03-05 7:04 ` Dietmar Maurer
2026-03-12 10:22 ` Wolfgang Bumiller
2026-03-12 10:31 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 05/22] firewall-api-types: add FirewallClusterOptions Dietmar Maurer
2026-03-02 12:27 ` Stefan Hanreich
2026-03-05 7:06 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 06/22] firewall-api-types: add FirewallGuestOptions Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 07/22] firewall-api-types: add FirewallConntrackHelper enum Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 08/22] firewall-api-types: add FirewallNodeOptions struct Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 09/22] firewall-api-types: add FirewallRef type Dietmar Maurer
2026-03-12 10:36 ` Wolfgang Bumiller
2026-03-12 10:41 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 10/22] firewall-api-types: add FirewallPortList types Dietmar Maurer
2026-03-02 12:17 ` Stefan Hanreich
2026-03-05 7:02 ` Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 11/22] firewall-api-types: add FirewallIcmpType Dietmar Maurer
2026-03-12 10:51 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 12/22] firewall-api-types: add FirewallIpsetReference type Dietmar Maurer
2026-03-02 12:39 ` Stefan Hanreich
2026-02-16 10:43 ` [RFC proxmox 13/22] firewall-api-types: add FirewallAliasReference type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 14/22] firewall-api-types: add firewall address types Dietmar Maurer
2026-03-12 13:24 ` Wolfgang Bumiller
2026-02-16 10:43 ` [RFC proxmox 15/22] firewall-api-types: add FirewallRule type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 16/22] firewall-api-types: use ConfigDigest from proxmox-config-digest crate Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 17/22] firewall-api-types: use COMMENT_SCHEMA from proxmox-schema crate Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 18/22] firewall-api-types: add FirewallRuleUpdater type Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 19/22] firewall-api-types: refactor FirewallRule and add FirewallRuleListEntry Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 20/22] firewall-api-types: add DeletableFirewallRuleProperty enum Dietmar Maurer
2026-02-16 10:43 ` [RFC proxmox 21/22] firewall-api-types: add FirewallAliasEntry API type Dietmar Maurer
2026-02-16 10:44 ` [RFC proxmox 22/22] firewall-api-types: add FirewallIpsetListEntry and FirewallIpsetEntry api types Dietmar Maurer
2026-02-17 6:17 ` [RFC proxmox 00/22] New crate for firewall " Hannes Laimer
2026-02-17 6:39 ` Dietmar Maurer
2026-02-17 8:17 ` Hannes Laimer
2026-03-02 13:55 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=wb3rji4tzgv3s2bxvlavl3xdhcoz6eaqfzj43gddyo46tsfpvi@wqcoqpuvkudx \
--to=w.bumiller@proxmox.com \
--cc=dietmar@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox