diff --git a/docs/resources/virtual_environment_cluster_firewall.md b/docs/resources/virtual_environment_cluster_firewall.md index 3ebeaab0..2c1b5fe9 100644 --- a/docs/resources/virtual_environment_cluster_firewall.md +++ b/docs/resources/virtual_environment_cluster_firewall.md @@ -15,9 +15,10 @@ Manages firewall options on the cluster level. resource "proxmox_virtual_environment_cluster_firewall" "example" { enabled = false - ebtables = false - input_policy = "DROP" - output_policy = "ACCEPT" + ebtables = false + input_policy = "DROP" + output_policy = "ACCEPT" + forward_policy = "ACCEPT" log_ratelimit { enabled = false burst = 10 @@ -32,6 +33,7 @@ resource "proxmox_virtual_environment_cluster_firewall" "example" { - `ebtables` - (Optional) Enable ebtables rules cluster wide. - `input_policy` - (Optional) The default input policy (`ACCEPT`, `DROP`, `REJECT`). - `output_policy` - (Optional) The default output policy (`ACCEPT`, `DROP`, `REJECT`). +- `forward_policy` - (Optional) The default forward policy (`ACCEPT`, `DROP`). - `log_ratelimit` - (Optional) The log rate limit. - `enabled` - (Optional) Enable or disable the log rate limit. - `burst` - (Optional) Initial burst of packages which will always get diff --git a/docs/resources/virtual_environment_firewall_ipset.md b/docs/resources/virtual_environment_firewall_ipset.md index bf8fdacd..36a46fca 100644 --- a/docs/resources/virtual_environment_firewall_ipset.md +++ b/docs/resources/virtual_environment_firewall_ipset.md 
@@ -42,9 +42,9 @@ resource "proxmox_virtual_environment_firewall_ipset" "ipset" { ## Argument Reference -- `node_name` - (Optional) Node name. Leave empty for cluster level aliases. -- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases. -- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases. +- `node_name` - (Optional) Node name. Leave empty for cluster level ipsets. +- `vm_id` - (Optional) VM ID. Leave empty for cluster level ipsets. +- `container_id` - (Optional) Container ID. Leave empty for cluster level ipsets. - `name` - (Required) IPSet name. - `comment` - (Optional) IPSet comment. - `cidr` - (Optional) IP/CIDR block (multiple blocks supported). diff --git a/docs/resources/virtual_environment_firewall_options.md b/docs/resources/virtual_environment_firewall_options.md index be887158..fad0fcb6 100644 --- a/docs/resources/virtual_environment_firewall_options.md +++ b/docs/resources/virtual_environment_firewall_options.md @@ -34,9 +34,9 @@ resource "proxmox_virtual_environment_firewall_options" "example" { ## Argument Reference - `node_name` - (Required) Node name. -- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases. -- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases. -- `dhcp` - (Optional)Enable DHCP. +- `vm_id` - (Optional) VM ID. +- `container_id` - (Optional) Container ID. +- `dhcp` - (Optional) Enable DHCP. - `enabled` - (Optional) Enable or disable the firewall. - `ipfilter` - (Optional) Enable default IP filters. This is equivalent to adding an empty `ipfilter-net` ipset for every interface. Such ipsets diff --git a/proxmox/cluster/firewall/options_types.go b/proxmox/cluster/firewall/options_types.go index 91751717..666139af 100644 --- a/proxmox/cluster/firewall/options_types.go +++ b/proxmox/cluster/firewall/options_types.go 
@@ -18,11 +18,12 @@ import ( // OptionsPutRequestBody is the request body for the PUT /cluster/firewall/options API call. type OptionsPutRequestBody struct { - EBTables *types.CustomBool `json:"ebtables,omitempty" url:"ebtables,omitempty,int"` - Enable *types.CustomBool `json:"enable,omitempty" url:"enable,omitempty,int"` - LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty" url:"log_ratelimit,omitempty"` - PolicyIn *string `json:"policy_in,omitempty" url:"policy_in,omitempty"` - PolicyOut *string `json:"policy_out,omitempty" url:"policy_out,omitempty"` + EBTables *types.CustomBool `json:"ebtables,omitempty" url:"ebtables,omitempty,int"` + Enable *types.CustomBool `json:"enable,omitempty" url:"enable,omitempty,int"` + LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty" url:"log_ratelimit,omitempty"` + PolicyIn *string `json:"policy_in,omitempty" url:"policy_in,omitempty"` + PolicyOut *string `json:"policy_out,omitempty" url:"policy_out,omitempty"` + PolicyFwd *string `json:"policy_forward,omitempty" url:"policy_forward,omitempty"` } // CustomLogRateLimit is a custom type for the log_ratelimit field of the firewall optionss. 
@@ -39,11 +40,12 @@ type OptionsGetResponseBody struct { // OptionsGetResponseData is the data field of the response body for the GET /cluster/firewall/options API call. type OptionsGetResponseData struct { - EBTables *types.CustomBool `json:"ebtables" url:"ebtables, int"` - Enable *types.CustomBool `json:"enable" url:"enable,int"` - LogRateLimit *CustomLogRateLimit `json:"log_ratelimit" url:"log_ratelimit"` - PolicyIn *string `json:"policy_in" url:"policy_in"` - PolicyOut *string `json:"policy_out" url:"policy_out"` + EBTables *types.CustomBool `json:"ebtables" url:"ebtables, int"` + Enable *types.CustomBool `json:"enable" url:"enable,int"` + LogRateLimit *CustomLogRateLimit `json:"log_ratelimit" url:"log_ratelimit"` + PolicyIn *string `json:"policy_in" url:"policy_in"` + PolicyOut *string `json:"policy_out" url:"policy_out"` + PolicyFwd *string `json:"policy_forward" url:"policy_forward"` } // EncodeValues converts a CustomWatchdogDevice struct to a URL vlaue. diff --git a/proxmoxtf/resource/cluster/firewall/firewall.go b/proxmoxtf/resource/cluster/firewall/firewall.go index 2705d959..ea470094 100644 --- a/proxmoxtf/resource/cluster/firewall/firewall.go +++ b/proxmoxtf/resource/cluster/firewall/firewall.go @@ -24,6 +24,7 @@ const ( dvLogRatelimitRate = "1/second" dvPolicyIn = "DROP" dvPolicyOut = "ACCEPT" + dvPolicyFwd = "ACCEPT" mkEBTables = "ebtables" mkEnabled = "enabled" @@ -33,6 +34,7 @@ const ( mkLogRatelimitRate = "rate" mkPolicyIn = "input_policy" mkPolicyOut = "output_policy" + mkPolicyFwd = "forward_policy" ) // Firewall returns a resource to manage firewall options. 
@@ -102,6 +104,13 @@ func Firewall() *schema.Resource { Default: dvPolicyOut, ValidateDiagFunc: validators.FirewallPolicy(), }, + mkPolicyFwd: { + Type: schema.TypeString, + Description: "Default policy for forwarded traffic", + Optional: true, + Default: dvPolicyFwd, + ValidateDiagFunc: validators.FirewallForwardPolicy(), + }, }, CreateContext: selectFirewallAPI(firewallCreate), ReadContext: selectFirewallAPI(firewallRead), @@ -125,9 +134,11 @@ func firewallCreate(ctx context.Context, api firewall.API, d *schema.ResourceDat func setOptions(ctx context.Context, api firewall.API, d *schema.ResourceData) diag.Diagnostics { policyIn := d.Get(mkPolicyIn).(string) policyOut := d.Get(mkPolicyOut).(string) + policyFwd := d.Get(mkPolicyFwd).(string) body := &firewall.OptionsPutRequestBody{ PolicyIn: &policyIn, PolicyOut: &policyOut, + PolicyFwd: &policyFwd, } logRatelimit := d.Get(mkLogRatelimit).([]interface{}) @@ -198,6 +209,11 @@ func firewallRead(ctx context.Context, api firewall.API, d *schema.ResourceData) diags = append(diags, diag.FromErr(err)...) } + if options.PolicyFwd != nil { + err = d.Set(mkPolicyFwd, *options.PolicyFwd) + diags = append(diags, diag.FromErr(err)...) + } + return diags } diff --git a/proxmoxtf/resource/validators/firewall.go b/proxmoxtf/resource/validators/firewall.go index a87ee3e3..694acaa8 100644 --- a/proxmoxtf/resource/validators/firewall.go +++ b/proxmoxtf/resource/validators/firewall.go @@ -31,6 +31,14 @@ func FirewallPolicy() schema.SchemaValidateDiagFunc { )) } +// FirewallForwardPolicy returns a schema validation function for a firewall forward policy. +func FirewallForwardPolicy() schema.SchemaValidateDiagFunc { + return validation.ToDiagFunc(validation.StringInSlice( + []string{"ACCEPT", "DROP"}, + false, + )) +} + // FirewallLogLevel returns a schema validation function for a firewall log level. func FirewallLogLevel() schema.SchemaValidateDiagFunc { return validation.ToDiagFunc(validation.StringInSlice(
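Review bot: The new `mkPolicyFwd` attribute carries `Default: dvPolicyFwd`, so `setOptions` (the second hunk in this file) now sends `policy_forward` on every PUT even when the user never configured it; on a Proxmox release whose `/cluster/firewall/options` schema does not know that parameter the request is likely to be rejected, and the read path's `if options.PolicyFwd != nil` guard in the third hunk already anticipates clusters that do not return it. Consider dropping `Default` in favour of `Computed: true` (so the value read back is still stored in state) and populating the request field only when a value is set: `if v := d.Get(mkPolicyFwd).(string); v != "" { body.PolicyFwd = &v }`. That also avoids a plan that rewrites an existing `DROP` forward policy to `ACCEPT` just because the attribute is absent from the configuration. `Firewall()` and `setOptions` both continue outside their hunks.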