feat: ingress and egress parsing and crds
vknabel committed Nov 21, 2024
1 parent 2af62fd commit cce6694
Showing 5 changed files with 310 additions and 10 deletions.
33 changes: 23 additions & 10 deletions api/v2/types_firewall.go
Expand Up @@ -127,29 +127,42 @@ type FirewallTemplateSpec struct {

// InitialRuleSet is the initial rule set deployed on the firewall.
type InitialRuleSet struct {
Egress []EgressRule
Ingress []IngressRule
// Egress rules to be deployed initially on the firewall.
Egress []EgressRule `json:"egress,omitempty"`
// Ingress rules to be deployed initially on the firewall.
Ingress []IngressRule `json:"ingress,omitempty"`
}

// NetworkProtocol represents the kind of network protocol.
type NetworkProtocol string

const (
// NetworkProtocolTCP represents tcp connections.
NetworkProtocolTCP = "TCP"
// NetworkProtocolUDP represents udp connections.
NetworkProtocolUDP = "UDP"
)

type EgressRule struct {
Comment string
Ports []int32
Protocol NetworkProtocol
To []string
// Comment provides a human readable description of this rule.
Comment string `json:"comment,omitempty"`
// Ports contains all affected network ports.
Ports []int32 `json:"ports"`
// Protocol constraints the protocol this rule applies to.
Protocol NetworkProtocol `json:"protocol"`
// To target addresses this rule applies to. May contain IPs or dns names.
To []string `json:"to"`
}

type IngressRule struct {
Comment string
Ports []int32
Protocol NetworkProtocol
From []string
// Comment provides a human readable description of this rule.
Comment string `json:"comment,omitempty"`
// Ports contains all affected network ports.
Ports []int32 `json:"ports"`
// Protocol constraints the protocol this rule applies to.
Protocol NetworkProtocol `json:"protocol"`
// From source addresses this rule applies to. May contain IPs or dns names.
From []string `json:"from"`
}

// EgressRuleSNAT holds a Source-NAT rule
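Review bot: The new `Ports`, `Protocol`, `To` and `From` fields on EgressRule and IngressRule carry only `json` tags and no kubebuilder validation markers, so the CRD schema generated from them accepts any int32 as a port and any string as a protocol, and an out-of-range port or a lowercase `tcp` is admitted by the API server and presumably only rejected (or silently dropped) when the rule set reaches the firewall. Adding `// +kubebuilder:validation:Enum=TCP;UDP` above `Protocol`, and giving the port elements a constrained named type (`type Port int32` with `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535`) would move that check to admission; the three CRD yaml files in this commit would then need regenerating, since they currently repeat the unconstrained schema. `NetworkProtocolTCP`/`NetworkProtocolUDP` are declared as untyped string constants, so `NetworkProtocol` gives no type safety at assignment sites; write `NetworkProtocolTCP NetworkProtocol = "TCP"`. Minor wording in both rule comments: "constraints the protocol" should read "constrains the protocol".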
84 changes: 84 additions & 0 deletions api/v2/zz_generated.deepcopy.go


69 changes: 69 additions & 0 deletions config/crds/firewall.metal-stack.io_firewalldeployments.yaml
Expand Up @@ -180,6 +180,75 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset
applied before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
to:
description: To target addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
65 changes: 65 additions & 0 deletions config/crds/firewall.metal-stack.io_firewalls.yaml
Expand Up @@ -135,6 +135,71 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset applied
before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this rule
applies to.
type: string
to:
description: To target addresses this rule applies to. May
contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies to.
May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this rule
applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
69 changes: 69 additions & 0 deletions config/crds/firewall.metal-stack.io_firewallsets.yaml
Expand Up @@ -172,6 +172,75 @@ spec:
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
initialRuleSet:
description: InitialRuleSet is the initial firewall ruleset
applied before the firewall-controller starts running.
properties:
egress:
description: Egress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
to:
description: To target addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
required:
- ports
- protocol
- to
type: object
type: array
ingress:
description: Ingress rules to be deployed initially on
the firewall.
items:
properties:
comment:
description: Comment provides a human readable description
of this rule.
type: string
from:
description: From source addresses this rule applies
to. May contain IPs or dns names.
items:
type: string
type: array
ports:
description: Ports contains all affected network
ports.
items:
format: int32
type: integer
type: array
protocol:
description: Protocol constraints the protocol this
rule applies to.
type: string
required:
- from
- ports
- protocol
type: object
type: array
type: object
internalPrefixes:
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
