feat(firewall): adds forward_policy to cluster firewall (#2064)

Signed-off-by: Marshall Ford <inbox@marshallford.me>
Co-authored-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com>

docs/resources/virtual_environment_cluster_firewall.md

@@ -15,9 +15,10 @@ Manages firewall options on the cluster level.
 resource "proxmox_virtual_environment_cluster_firewall" "example" {
   enabled = false
 
-  ebtables      = false
+  ebtables       = false
-  input_policy  = "DROP"
+  input_policy   = "DROP"
-  output_policy = "ACCEPT"
+  output_policy  = "ACCEPT"
+  forward_policy = "ACCEPT"
   log_ratelimit {
     enabled = false
     burst   = 10
@@ -32,6 +33,7 @@ resource "proxmox_virtual_environment_cluster_firewall" "example" {
 - `ebtables` - (Optional) Enable ebtables rules cluster wide.
 - `input_policy` - (Optional) The default input policy (`ACCEPT`, `DROP`, `REJECT`).
 - `output_policy` - (Optional) The default output policy (`ACCEPT`, `DROP`, `REJECT`).
+- `forward_policy` - (Optional) The default forward policy (`ACCEPT`, `DROP`).
 - `log_ratelimit` - (Optional) The log rate limit.
     - `enabled` - (Optional) Enable or disable the log rate limit.
     - `burst` - (Optional) Initial burst of packages which will always get

docs/resources/virtual_environment_firewall_ipset.md

@@ -42,9 +42,9 @@ resource "proxmox_virtual_environment_firewall_ipset" "ipset" {
 
 ## Argument Reference
 
-- `node_name` - (Optional) Node name. Leave empty for cluster level aliases.
+- `node_name` - (Optional) Node name. Leave empty for cluster level ipsets.
-- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases.
+- `vm_id` - (Optional) VM ID. Leave empty for cluster level ipsets.
-- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases.
+- `container_id` - (Optional) Container ID. Leave empty for cluster level ipsets.
 - `name` - (Required) IPSet name.
 - `comment` - (Optional) IPSet comment.
 - `cidr` - (Optional) IP/CIDR block (multiple blocks supported).

docs/resources/virtual_environment_firewall_options.md

@@ -34,9 +34,9 @@ resource "proxmox_virtual_environment_firewall_options" "example" {
 ## Argument Reference
 
 - `node_name` - (Required) Node name.
-- `vm_id` - (Optional) VM ID. Leave empty for cluster level aliases.
+- `vm_id` - (Optional) VM ID.
-- `container_id` - (Optional) Container ID. Leave empty for cluster level aliases.
+- `container_id` - (Optional) Container ID.
-- `dhcp` - (Optional)Enable DHCP.
+- `dhcp` - (Optional) Enable DHCP.
 - `enabled` - (Optional) Enable or disable the firewall.
 - `ipfilter` - (Optional) Enable default IP filters. This is equivalent to
     adding an empty `ipfilter-net<id>` ipset for every interface. Such ipsets

proxmox/cluster/firewall/options_types.go

@@ -18,11 +18,12 @@ import (
 
 // OptionsPutRequestBody is the request body for the PUT /cluster/firewall/options API call.
 type OptionsPutRequestBody struct {
-	EBTables     *types.CustomBool   `json:"ebtables,omitempty"      url:"ebtables,omitempty,int"`
+	EBTables     *types.CustomBool   `json:"ebtables,omitempty"       url:"ebtables,omitempty,int"`
-	Enable       *types.CustomBool   `json:"enable,omitempty"        url:"enable,omitempty,int"`
+	Enable       *types.CustomBool   `json:"enable,omitempty"         url:"enable,omitempty,int"`
-	LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty" url:"log_ratelimit,omitempty"`
+	LogRateLimit *CustomLogRateLimit `json:"log_ratelimit,omitempty"  url:"log_ratelimit,omitempty"`
-	PolicyIn     *string             `json:"policy_in,omitempty"     url:"policy_in,omitempty"`
+	PolicyIn     *string             `json:"policy_in,omitempty"      url:"policy_in,omitempty"`
-	PolicyOut    *string             `json:"policy_out,omitempty"    url:"policy_out,omitempty"`
+	PolicyOut    *string             `json:"policy_out,omitempty"     url:"policy_out,omitempty"`
+	PolicyFwd    *string             `json:"policy_forward,omitempty" url:"policy_forward,omitempty"`
 }
 
 // CustomLogRateLimit is a custom type for the log_ratelimit field of the firewall optionss.
@@ -39,11 +40,12 @@ type OptionsGetResponseBody struct {
 
 // OptionsGetResponseData is the data field of the response body for the GET /cluster/firewall/options API call.
 type OptionsGetResponseData struct {
-	EBTables     *types.CustomBool   `json:"ebtables"      url:"ebtables, int"`
+	EBTables     *types.CustomBool   `json:"ebtables"       url:"ebtables, int"`
-	Enable       *types.CustomBool   `json:"enable"        url:"enable,int"`
+	Enable       *types.CustomBool   `json:"enable"         url:"enable,int"`
-	LogRateLimit *CustomLogRateLimit `json:"log_ratelimit" url:"log_ratelimit"`
+	LogRateLimit *CustomLogRateLimit `json:"log_ratelimit"  url:"log_ratelimit"`
-	PolicyIn     *string             `json:"policy_in"     url:"policy_in"`
+	PolicyIn     *string             `json:"policy_in"      url:"policy_in"`
-	PolicyOut    *string             `json:"policy_out"    url:"policy_out"`
+	PolicyOut    *string             `json:"policy_out"     url:"policy_out"`
+	PolicyFwd    *string             `json:"policy_forward" url:"policy_forward"`
 }
 
 // EncodeValues converts a CustomWatchdogDevice struct to a URL vlaue.

proxmoxtf/resource/cluster/firewall/firewall.go

@@ -24,6 +24,7 @@ const (
 	dvLogRatelimitRate   = "1/second"
 	dvPolicyIn           = "DROP"
 	dvPolicyOut          = "ACCEPT"
+	dvPolicyFwd          = "ACCEPT"
 
 	mkEBTables            = "ebtables"
 	mkEnabled             = "enabled"
@@ -33,6 +34,7 @@ const (
 	mkLogRatelimitRate    = "rate"
 	mkPolicyIn            = "input_policy"
 	mkPolicyOut           = "output_policy"
+	mkPolicyFwd           = "forward_policy"
 )
 
 // Firewall returns a resource to manage firewall options.
@@ -102,6 +104,13 @@ func Firewall() *schema.Resource {
 				Default:          dvPolicyOut,
 				ValidateDiagFunc: validators.FirewallPolicy(),
 			},
+			mkPolicyFwd: {
+				Type:             schema.TypeString,
+				Description:      "Default policy for forwarded traffic",
+				Optional:         true,
+				Default:          dvPolicyFwd,
+				ValidateDiagFunc: validators.FirewallForwardPolicy(),
+			},
 		},
 		CreateContext: selectFirewallAPI(firewallCreate),
 		ReadContext:   selectFirewallAPI(firewallRead),
@@ -125,9 +134,11 @@ func firewallCreate(ctx context.Context, api firewall.API, d *schema.ResourceDat
 func setOptions(ctx context.Context, api firewall.API, d *schema.ResourceData) diag.Diagnostics {
 	policyIn := d.Get(mkPolicyIn).(string)
 	policyOut := d.Get(mkPolicyOut).(string)
+	policyFwd := d.Get(mkPolicyFwd).(string)
 	body := &firewall.OptionsPutRequestBody{
 		PolicyIn:  &policyIn,
 		PolicyOut: &policyOut,
+		PolicyFwd: &policyFwd,
 	}
 
 	logRatelimit := d.Get(mkLogRatelimit).([]interface{})
@@ -198,6 +209,11 @@ func firewallRead(ctx context.Context, api firewall.API, d *schema.ResourceData)
 		diags = append(diags, diag.FromErr(err)...)
 	}
 
+	if options.PolicyFwd != nil {
+		err = d.Set(mkPolicyFwd, *options.PolicyFwd)
+		diags = append(diags, diag.FromErr(err)...)
+	}
+
 	return diags
 }
 

proxmoxtf/resource/validators/firewall.go

@@ -31,6 +31,14 @@ func FirewallPolicy() schema.SchemaValidateDiagFunc {
 	))
 }
 
+// FirewallForwardPolicy returns a schema validation function for a firewall forward policy.
+func FirewallForwardPolicy() schema.SchemaValidateDiagFunc {
+	return validation.ToDiagFunc(validation.StringInSlice(
+		[]string{"ACCEPT", "DROP"},
+		false,
+	))
+}
+
 // FirewallLogLevel returns a schema validation function for a firewall log level.
 func FirewallLogLevel() schema.SchemaValidateDiagFunc {
 	return validation.ToDiagFunc(validation.StringInSlice(