feat(firewall): adds forward_policy to cluster firewall (#2064)
Signed-off-by: Marshall Ford <inbox@marshallford.me> Co-authored-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
This commit is contained in:
parent
092edf2d08
commit
209d10cc0b
@ -15,9 +15,10 @@ Manages firewall options on the cluster level.
|
||||
resource "proxmox_virtual_environment_cluster_firewall" "example" {
|
||||
enabled = false
|
||||
|
||||
ebtables = false
|
||||
input_policy = "DROP"
|
||||
output_policy = "ACCEPT"
|
||||
ebtables = false
|
||||
input_policy = "DROP"
|
||||
output_policy = "ACCEPT"
|
||||
forward_policy = "ACCEPT"
|
||||
log_ratelimit {
|
||||
enabled = false
|
||||
burst = 10
|
||||
@ -32,6 +33,7 @@ resource "proxmox_virtual_environment_cluster_firewall" "example" {
|
||||
- `ebtables` - (Optional) Enable ebtables rules cluster wide.
|
||||
- `input_policy` - (Optional) The default input policy (`ACCEPT`, `DROP`, `REJECT`).
|
||||
- `output_policy` - (Optional) The default output policy (`ACCEPT`, `DROP`, `REJECT`).
|
||||
- `forward_policy` - (Optional) The default forward policy (`ACCEPT`, `DROP`).
|
||||
- `log_ratelimit` - (Optional) The log rate limit.
|
||||
- `enabled` - (Optional) Enable or disable the log rate limit.
|
||||
- `burst` - (Optional) Initial burst of packages which will always get
|
||||
|
@ -42,9 +42,9 @@ resource "proxmox_virtual_environment_firewall_ipset" "ipset" {
|
||||
|
||||
## Argument Reference
|
||||
|
||||
- `node_name` - (Optional) Node name. Leave empty for cluster level aliases.
|
||||
- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases.
|
||||
- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases.
|
||||
- `node_name` - (Optional) Node name. Leave empty for cluster level ipsets.
|
||||
- `vm_id` - (Optional) VM ID. Leave empty for cluster level ipsets.
|
||||
- `container_id` - (Optional) Container ID. Leave empty for cluster level ipsets.
|
||||
- `name` - (Required) IPSet name.
|
||||
- `comment` - (Optional) IPSet comment.
|
||||
- `cidr` - (Optional) IP/CIDR block (multiple blocks supported).
|
||||
|
@ -34,9 +34,9 @@ resource "proxmox_virtual_environment_firewall_options" "example" {
|
||||
## Argument Reference
|
||||
|
||||
- `node_name` - (Required) Node name.
|
||||
- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases.
|
||||
- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases.
|
||||
- `dhcp` - (Optional)Enable DHCP.
|
||||
- `vm_id` - (Optional) VM ID.
|
||||
- `container_id` - (Optional) Container ID.
|
||||
- `dhcp` - (Optional) Enable DHCP.
|
||||
- `enabled` - (Optional) Enable or disable the firewall.
|
||||
- `ipfilter` - (Optional) Enable default IP filters. This is equivalent to
|
||||
adding an empty `ipfilter-net<id>` ipset for every interface. Such ipsets
|
||||
|
@ -18,11 +18,12 @@ import (
|
||||
|
||||
// OptionsPutRequestBody is the request body for the PUT /cluster/firewall/options API call.
|
||||
type OptionsPutRequestBody struct {
|
||||
EBTables *types.CustomBool `json:"ebtables,omitempty" url:"ebtables,omitempty,int"`
|
||||
Enable *types.CustomBool `json:"enable,omitempty" url:"enable,omitempty,int"`
|
||||
LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty" url:"log_ratelimit,omitempty"`
|
||||
PolicyIn *string `json:"policy_in,omitempty" url:"policy_in,omitempty"`
|
||||
PolicyOut *string `json:"policy_out,omitempty" url:"policy_out,omitempty"`
|
||||
EBTables *types.CustomBool `json:"ebtables,omitempty" url:"ebtables,omitempty,int"`
|
||||
Enable *types.CustomBool `json:"enable,omitempty" url:"enable,omitempty,int"`
|
||||
LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty" url:"log_ratelimit,omitempty"`
|
||||
PolicyIn *string `json:"policy_in,omitempty" url:"policy_in,omitempty"`
|
||||
PolicyOut *string `json:"policy_out,omitempty" url:"policy_out,omitempty"`
|
||||
PolicyFwd *string `json:"policy_forward,omitempty" url:"policy_forward,omitempty"`
|
||||
}
|
||||
|
||||
// CustomLogRateLimit is a custom type for the log_ratelimit field of the firewall optionss.
|
||||
@ -39,11 +40,12 @@ type OptionsGetResponseBody struct {
|
||||
|
||||
// OptionsGetResponseData is the data field of the response body for the GET /cluster/firewall/options API call.
|
||||
type OptionsGetResponseData struct {
|
||||
EBTables *types.CustomBool `json:"ebtables" url:"ebtables, int"`
|
||||
Enable *types.CustomBool `json:"enable" url:"enable,int"`
|
||||
LogRateLimit *CustomLogRateLimit `json:"log_ratelimit" url:"log_ratelimit"`
|
||||
PolicyIn *string `json:"policy_in" url:"policy_in"`
|
||||
PolicyOut *string `json:"policy_out" url:"policy_out"`
|
||||
EBTables *types.CustomBool `json:"ebtables" url:"ebtables, int"`
|
||||
Enable *types.CustomBool `json:"enable" url:"enable,int"`
|
||||
LogRateLimit *CustomLogRateLimit `json:"log_ratelimit" url:"log_ratelimit"`
|
||||
PolicyIn *string `json:"policy_in" url:"policy_in"`
|
||||
PolicyOut *string `json:"policy_out" url:"policy_out"`
|
||||
PolicyFwd *string `json:"policy_forward" url:"policy_forward"`
|
||||
}
|
||||
|
||||
// EncodeValues converts a CustomWatchdogDevice struct to a URL vlaue.
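Review bot: The `EBTables` field re-emitted at the top of `OptionsGetResponseData` keeps the tag `url:"ebtables, int"` with a space before `int`, while the PUT struct in the previous hunk writes `url:"ebtables,omitempty,int"`; struct-tag options are normally matched verbatim, so the `int` option is presumably not recognized here. The defect predates this commit, but since the line is rewritten anyway this is the moment to make it `url:"ebtables,int"`, consistent with the sibling `Enable` field. The trailing context comment `// EncodeValues converts a CustomWatchdogDevice struct to a URL vlaue.` names a type that does not appear in this file section and has a typo; judging by the surrounding declarations it belongs to `CustomLogRateLimit`, so `// EncodeValues converts a CustomLogRateLimit struct to a URL value.` looks like the intended text.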
|
||||
|
@ -24,6 +24,7 @@ const (
|
||||
dvLogRatelimitRate = "1/second"
|
||||
dvPolicyIn = "DROP"
|
||||
dvPolicyOut = "ACCEPT"
|
||||
dvPolicyFwd = "ACCEPT"
|
||||
|
||||
mkEBTables = "ebtables"
|
||||
mkEnabled = "enabled"
|
||||
@ -33,6 +34,7 @@ const (
|
||||
mkLogRatelimitRate = "rate"
|
||||
mkPolicyIn = "input_policy"
|
||||
mkPolicyOut = "output_policy"
|
||||
mkPolicyFwd = "forward_policy"
|
||||
)
|
||||
|
||||
// Firewall returns a resource to manage firewall options.
|
||||
@ -102,6 +104,13 @@ func Firewall() *schema.Resource {
|
||||
Default: dvPolicyOut,
|
||||
ValidateDiagFunc: validators.FirewallPolicy(),
|
||||
},
|
||||
mkPolicyFwd: {
|
||||
Type: schema.TypeString,
|
||||
Description: "Default policy for forwarded traffic",
|
||||
Optional: true,
|
||||
Default: dvPolicyFwd,
|
||||
ValidateDiagFunc: validators.FirewallForwardPolicy(),
|
||||
},
|
||||
},
|
||||
CreateContext: selectFirewallAPI(firewallCreate),
|
||||
ReadContext: selectFirewallAPI(firewallRead),
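Review bot: `Default: dvPolicyFwd` ("ACCEPT") together with the unconditional `PolicyFwd: &policyFwd` added to `setOptions` in a later hunk means every apply after upgrading the provider pushes `policy_forward=ACCEPT`, even for configurations that never mention `forward_policy`; an administrator who had tightened the forward policy to DROP outside Terraform would have it silently relaxed, and a Proxmox host that does not know the `policy_forward` parameter would presumably reject the PUT. Because `firewallRead` skips `d.Set` when the server omits the field, the default simply stays in state and the change is not surfaced as drift either. Consider declaring the attribute `Optional: true, Computed: true` without a Default and sending it only when it is actually configured, e.g. in `setOptions`: `if !d.GetRawConfig().GetAttr(mkPolicyFwd).IsNull() { body.PolicyFwd = &policyFwd }`, or at minimum state the new default and its effect on existing resources in the documentation hunk. The enclosing `Firewall()` schema starts and ends outside this hunk.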
|
||||
@ -125,9 +134,11 @@ func firewallCreate(ctx context.Context, api firewall.API, d *schema.ResourceDat
|
||||
func setOptions(ctx context.Context, api firewall.API, d *schema.ResourceData) diag.Diagnostics {
|
||||
policyIn := d.Get(mkPolicyIn).(string)
|
||||
policyOut := d.Get(mkPolicyOut).(string)
|
||||
policyFwd := d.Get(mkPolicyFwd).(string)
|
||||
body := &firewall.OptionsPutRequestBody{
|
||||
PolicyIn: &policyIn,
|
||||
PolicyOut: &policyOut,
|
||||
PolicyFwd: &policyFwd,
|
||||
}
|
||||
|
||||
logRatelimit := d.Get(mkLogRatelimit).([]interface{})
|
||||
@ -198,6 +209,11 @@ func firewallRead(ctx context.Context, api firewall.API, d *schema.ResourceData)
|
||||
diags = append(diags, diag.FromErr(err)...)
|
||||
}
|
||||
|
||||
if options.PolicyFwd != nil {
|
||||
err = d.Set(mkPolicyFwd, *options.PolicyFwd)
|
||||
diags = append(diags, diag.FromErr(err)...)
|
||||
}
|
||||
|
||||
return diags
|
||||
}
|
||||
|
||||
|
@ -31,6 +31,14 @@ func FirewallPolicy() schema.SchemaValidateDiagFunc {
|
||||
))
|
||||
}
|
||||
|
||||
// FirewallForwardPolicy returns a schema validation function for a firewall forward policy.
|
||||
func FirewallForwardPolicy() schema.SchemaValidateDiagFunc {
|
||||
return validation.ToDiagFunc(validation.StringInSlice(
|
||||
[]string{"ACCEPT", "DROP"},
|
||||
false,
|
||||
))
|
||||
}
|
||||
|
||||
// FirewallLogLevel returns a schema validation function for a firewall log level.
|
||||
func FirewallLogLevel() schema.SchemaValidateDiagFunc {
|
||||
return validation.ToDiagFunc(validation.StringInSlice(
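Review bot: The doc comment on `FirewallForwardPolicy` should state the accepted set, since it deliberately differs from `FirewallPolicy` just above it and a reader should not have to open the body to learn that: `// FirewallForwardPolicy returns a schema validation function for a firewall forward policy; unlike FirewallPolicy it accepts only "ACCEPT" and "DROP" (no "REJECT"), matched case-sensitively.` The two validators are otherwise identical apart from the value list, so if more of this shape are added a private helper taking the allowed values would keep them in one place. `FirewallLogLevel`'s body continues outside the hunk.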
|
||||
|