fix(firewall): Add support for firewall flag for LXC/VM net adapters (
bpg authored Apr 9, 2023
1 parent be3995e commit f4783f8
Showing 4 changed files with 59 additions and 11 deletions.
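--- a/docs/resources/virtual_environment_container.md
+++ b/docs/resources/virtual_environment_container.md
@@ -142,6 +142,8 @@ output "ubuntu_container_public_key" {
 to `vmbr0`).
 - `enabled` - (Optional) Whether to enable the network device (defaults
 to `true`).
+- `firewall` - (Optional) Whether this interface's firewall rules should be
+used (defaults to `false`).
 - `mac_address` - (Optional) The MAC address.
 - `mtu` - (Optional) Maximum transfer unit of the interface. Cannot be
 larger than the bridge's MTU.
@@ -170,10 +172,11 @@ output "ubuntu_container_public_key" {
 meta-argument to ignore changes to this attribute.
 - `template` - (Optional) Whether to create a template (defaults to `false`).
 - `unprivileged` - (Optional) Whether the container runs as unprivileged on
-the host (defaults to `false`).
+the host (defaults to `false`).
 - `vm_id` - (Optional) The virtual machine identifier
 - `features` - (Optional) The container features
-- `nesting` - (Optional) Whether the container is nested (defaults to `false`)
+- `nesting` - (Optional) Whether the container is nested (defaults
+to `false`)
 
 ## Attribute Reference
 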
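--- a/docs/resources/virtual_environment_vm.md
+++ b/docs/resources/virtual_environment_vm.md
@@ -327,6 +327,8 @@ output "ubuntu_vm_public_key" {
 to `vmbr0`).
 - `enabled` - (Optional) Whether to enable the network device (defaults
 to `true`).
+- `firewall` - (Optional) Whether this interface's firewall rules should be
+used (defaults to `false`).
 - `mac_address` - (Optional) The MAC address.
 - `model` - (Optional) The network device model (defaults to `virtio`).
 - `e1000` - Intel E1000.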
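--- a/proxmoxtf/resource/container.go
+++ b/proxmoxtf/resource/container.go
@@ -47,6 +47,7 @@ const (
 dvResourceVirtualEnvironmentContainerMemorySwap = 0
 dvResourceVirtualEnvironmentContainerNetworkInterfaceBridge = "vmbr0"
 dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled = true
+dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall = false
 dvResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress = ""
 dvResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit = 0
 dvResourceVirtualEnvironmentContainerNetworkInterfaceVLANID = 0
@@ -98,6 +99,7 @@ const (
 mkResourceVirtualEnvironmentContainerNetworkInterface = "network_interface"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge = "bridge"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled = "enabled"
+mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall = "firewall"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress = "mac_address"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceName = "name"
 mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit = "rate_limit"
@@ -510,6 +512,12 @@ func Container() *schema.Resource {
 Optional: true,
 Default: dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled,
 },
+mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall: {
+Type: schema.TypeBool,
+Description: "Whether this interface's firewall rules should be used.",
+Optional: true,
+Default: dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall,
+},
 mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress: {
 Type: schema.TypeString,
 Description: "The MAC address",
@@ -888,6 +896,9 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa
 
 bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+firewall := types.CustomBool(
+networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+)
 macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
@@ -899,6 +910,7 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa
 }
 
 networkInterfaceObject.Enabled = enabled
+networkInterfaceObject.Firewall = &firewall
 
 if len(initializationIPConfigIPv4Address) > ni {
 if initializationIPConfigIPv4Address[ni] != "" {
@@ -1418,6 +1430,11 @@ func containerGetExistingNetworkInterface(
 }
 
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true
+if nv.Firewall != nil {
+networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+} else {
+networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+}
 
 if nv.MACAddress != nil {
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
@@ -1776,6 +1793,12 @@ func containerRead(ctx context.Context, d *schema.ResourceData, m interface{}) d
 
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true
 
+if nv.Firewall != nil {
+networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+} else {
+networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+}
+
 if nv.MACAddress != nil {
 networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
 } else {
@@ -2150,6 +2173,9 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})
 
 bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+firewall := types.CustomBool(
+networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+)
 macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
@@ -2161,6 +2187,7 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})
 }
 
 networkInterfaceObject.Enabled = enabled
+networkInterfaceObject.Firewall = &firewall
 
 if len(initializationIPConfigIPv4Address) > ni {
 if initializationIPConfigIPv4Address[ni] != "" {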
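Review bot: The firewall schema description added in `Container()` ends with a period (`"Whether this interface's firewall rules should be used."`) while its siblings (`"The MAC address"`) and the identical entry added to vm.go in this commit do not; for consistency use `Description: "Whether this interface's firewall rules should be used",`. The `nv.Firewall != nil` / `else … = false` block is added verbatim in both `containerGetExistingNetworkInterface` and `containerRead`, and the literal `false` silently mirrors `dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall`; either reference the constant there or add a comment such as `// absent in the API response means the per-interface firewall is off, matching the schema default` so the read-side fallback and the schema default cannot drift apart. All four functions touched by these hunks start and end outside the hunks.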
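--- a/proxmoxtf/resource/vm.go
+++ b/proxmoxtf/resource/vm.go
@@ -83,6 +83,7 @@ const (
 dvResourceVirtualEnvironmentVMName = ""
 dvResourceVirtualEnvironmentVMNetworkDeviceBridge = "vmbr0"
 dvResourceVirtualEnvironmentVMNetworkDeviceEnabled = true
+dvResourceVirtualEnvironmentVMNetworkDeviceFirewall = false
 dvResourceVirtualEnvironmentVMNetworkDeviceMACAddress = ""
 dvResourceVirtualEnvironmentVMNetworkDeviceModel = "virtio"
 dvResourceVirtualEnvironmentVMNetworkDeviceRateLimit = 0
@@ -198,6 +199,7 @@ const (
 mkResourceVirtualEnvironmentVMNetworkDevice = "network_device"
 mkResourceVirtualEnvironmentVMNetworkDeviceBridge = "bridge"
 mkResourceVirtualEnvironmentVMNetworkDeviceEnabled = "enabled"
+mkResourceVirtualEnvironmentVMNetworkDeviceFirewall = "firewall"
 mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress = "mac_address"
 mkResourceVirtualEnvironmentVMNetworkDeviceModel = "model"
 mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit = "rate_limit"
@@ -982,6 +984,12 @@ func VM() *schema.Resource {
 Optional: true,
 Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
 },
+mkResourceVirtualEnvironmentVMNetworkDeviceFirewall: {
+Type: schema.TypeBool,
+Description: "Whether this interface's firewall rules should be used",
+Optional: true,
+Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
+},
 mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress: {
 Type: schema.TypeString,
 Description: "The MAC address",
@@ -2602,17 +2610,19 @@ func vmGetNetworkDeviceObjects(d *schema.ResourceData) proxmox.CustomNetworkDevi
 for i, networkDeviceEntry := range networkDevice {
 block := networkDeviceEntry.(map[string]interface{})
 
-bridge, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
-enabled, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
-macAddress, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
-model, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
-rateLimit, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
-vlanID, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
-mtu, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)
+bridge := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
+enabled := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
+firewall := types.CustomBool(block[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall].(bool))
+macAddress := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
+model := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
+rateLimit := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
+vlanID := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
+mtu := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)
 
 device := proxmox.CustomNetworkDevice{
-Enabled: enabled,
-Model: model,
+Enabled: enabled,
+Firewall: &firewall,
+Model: model,
 }
 
 if bridge != "" {
@@ -3478,6 +3488,12 @@ func vmReadCustom(
 
 networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled] = nd.Enabled
 
+if nd.Firewall != nil {
+networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = *nd.Firewall
+} else {
+networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = false
+}
+
 if nd.MACAddress != nil {
 macAddresses[ni] = *nd.MACAddress
 } else {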
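Review bot: The new `firewall` schema entry in `VM()` uses `Default: dvResourceVirtualEnvironmentVMNetworkDeviceEnabled`, which is `true`, even though this commit introduces `dvResourceVirtualEnvironmentVMNetworkDeviceFirewall = false`, documents the attribute as defaulting to `false`, and wires the container resource to its own Firewall constant; every VM network device that does not set `firewall` will therefore be sent with the per-interface firewall flag enabled, a silent behavioural change for existing configurations that would also show up as a permanent plan diff against the `nil → false` fallback in `vmReadCustom` should the API ever omit the flag. The fix is the single line `Default: dvResourceVirtualEnvironmentVMNetworkDeviceFirewall,`. Separately, the `vmGetNetworkDeviceObjects` hunk replaces the comma-ok assertions (`bridge, _ := block[...].(string)`) with bare `.(string)`/`.(bool)`/`.(int)` assertions, so a block entry missing any of these keys or holding a nil value now panics the provider rather than falling back to the zero value; if the SDK guarantees every defaulted key is present that deserves a one-line comment, otherwise keep the comma-ok form for the pre-existing keys. Both `vmGetNetworkDeviceObjects` and `vmReadCustom` continue outside their hunks.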
