metal-stack · Gerrit91 · Feb 15, 2024 · Jan 22, 2024 · Jan 22, 2024 · Jan 22, 2024
@@ -2,6 +2,7 @@ package metal
 
 import (
 	"fmt"
+	"net"
 	"os"
 	"strings"
 	"time"
@@ -147,6 +148,99 @@ type MachineAllocation struct {
 	MachineSetup     *MachineSetup     `rethinkdb:"setup" json:"setup"`
 	Role             Role              `rethinkdb:"role" json:"role"`
 	VPN              *MachineVPN       `rethinkdb:"vpn" json:"vpn"`
+	Egress           []EgressRule      `rethinkdb:"egress" json:"egress"`
+	Ingress          []IngressRule     `rethinkdb:"ingress" json:"ingress"`
+}
+
+type EgressRule struct {
+	Protocol  Protocol `rethinkdb:"protocol" json:"protocol"`
+	Ports     []int    `rethinkdb:"ports" json:"ports"`
+	FromCIDRs []string `rethinkdb:"from_cidrs" json:"from_cidrs"`
+	Comment   string   `rethinkdb:"comment" json:"comment"`
+}
+
+type IngressRule struct {
+	Protocol Protocol `rethinkdb:"protocol" json:"protocol"`
+	Ports    []int    `rethinkdb:"ports" json:"ports"`
+	ToCIDRs  []string `rethinkdb:"to_cidrs" json:"from_cidrs"`
+	Comment  string   `rethinkdb:"comment" json:"comment"`
+}
+
+type Protocol string
+
+const (
+	ProtocolTCP Protocol = "TCP"
+	ProtocolUDP Protocol = "UDP"
+)
+
+func ProtocolFromString(s string) (Protocol, error) {
+	switch strings.ToLower(s) {
+	case "tcp":
+		return ProtocolTCP, nil
+	case "udp":
+		return ProtocolTCP, nil
+	default:
+		return Protocol(""), fmt.Errorf("no such protocol: %s", s)
+	}
+}
+
+func (r EgressRule) Validate() error {
+	switch r.Protocol {
+	case ProtocolTCP, ProtocolUDP:
+		// ok
+	default:
+		return fmt.Errorf("invalid procotol: %s", r.Protocol)
+	}
+
+	if err := validatePorts(r.Ports); err != nil {
+		return err
+	}
+
+	if err := validateCIDRs(r.FromCIDRs); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r IngressRule) Validate() error {
+	switch r.Protocol {
+	case ProtocolTCP, ProtocolUDP:
+		// ok
+	default:
+		return fmt.Errorf("invalid procotol: %s", r.Protocol)
+	}
+
+	if err := validatePorts(r.Ports); err != nil {
+		return err
+	}
+
+	if err := validateCIDRs(r.ToCIDRs); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func validatePorts(ports []int) error {
+	for _, port := range ports {
+		if port < 0 || port > 65535 {
+			return fmt.Errorf("port is out of range")
+		}
+	}
+
+	return nil
+}
+
+func validateCIDRs(cidrs []string) error {
+	for _, cidr := range cidrs {
+		_, _, err := net.ParseCIDR(cidr)
+		if err != nil {
+			return fmt.Errorf("invalid cidr: %w", err)
+		}
+	}
+
+	return nil
 }
 
 // A MachineSetup stores the data used for machine reinstallations.

@@ -206,7 +206,7 @@ func (r *firewallResource) allocateFirewall(request *restful.Request, response *
 		return
 	}
 
-	spec, err := createMachineAllocationSpec(r.ds, requestPayload.MachineAllocateRequest, metal.RoleFirewall, user)
+	spec, err := createMachineAllocationSpec(r.ds, requestPayload.MachineAllocateRequest, &requestPayload.FirewallAllocateRequest, user)
 	if err != nil {
 		r.sendError(request, response, httperrors.BadRequest(err))
 		return

@@ -76,6 +76,8 @@ type machineAllocationSpec struct {
 	Role               metal.Role
 	VPN                *metal.MachineVPN
 	PlacementTags      []string
+	EgressRules        []metal.EgressRule
+	IngressRules       []metal.IngressRule
 }
 
 // allocationNetwork is intermediate struct to create machine networks from regular networks during machine allocation
@@ -976,7 +978,7 @@ func (r *machineResource) allocateMachine(request *restful.Request, response *re
 		return
 	}
 
-	spec, err := createMachineAllocationSpec(r.ds, requestPayload, metal.RoleMachine, user)
+	spec, err := createMachineAllocationSpec(r.ds, requestPayload, nil, user)
 	if err != nil {
 		r.sendError(request, response, httperrors.BadRequest(err))
 		return
@@ -997,39 +999,92 @@ func (r *machineResource) allocateMachine(request *restful.Request, response *re
 	r.send(request, response, http.StatusOK, resp)
 }
 
-func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.MachineAllocateRequest, role metal.Role, user *security.User) (*machineAllocationSpec, error) {
+func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.MachineAllocateRequest, firewallRequest *v1.FirewallAllocateRequest, user *security.User) (*machineAllocationSpec, error) {
 	var uuid string
-	if requestPayload.UUID != nil {
-		uuid = *requestPayload.UUID
+	if machineRequest.UUID != nil {
+		uuid = *machineRequest.UUID
 	}
 	var name string
-	if requestPayload.Name != nil {
-		name = *requestPayload.Name
+	if machineRequest.Name != nil {
+		name = *machineRequest.Name
 	}
 	var description string
-	if requestPayload.Description != nil {
-		description = *requestPayload.Description
+	if machineRequest.Description != nil {
+		description = *machineRequest.Description
 	}
 	hostname := "metal"
-	if requestPayload.Hostname != nil {
-		hostname = *requestPayload.Hostname
+	if machineRequest.Hostname != nil {
+		hostname = *machineRequest.Hostname
 	}
 	var userdata string
-	if requestPayload.UserData != nil {
-		userdata = *requestPayload.UserData
+	if machineRequest.UserData != nil {
+		userdata = *machineRequest.UserData
 	}
-	if requestPayload.Networks == nil {
+	if machineRequest.Networks == nil {
 		return nil, errors.New("network ids cannot be nil")
 	}
-	if len(requestPayload.Networks) <= 0 {
+	if len(machineRequest.Networks) <= 0 {
 		return nil, errors.New("network ids cannot be empty")
 	}
 
-	image, err := ds.FindImage(requestPayload.ImageID)
+	image, err := ds.FindImage(machineRequest.ImageID)
 	if err != nil {
 		return nil, err
 	}
 
+	var (
+		egress  []metal.EgressRule
+		ingress []metal.IngressRule
+		role    = metal.RoleMachine
+	)
+
+	if firewallRequest != nil {
+		role = metal.RoleFirewall
+
+		for _, ruleSpec := range firewallRequest.Egress {
+			ruleSpec := ruleSpec
+
+			protocol, err := metal.ProtocolFromString(ruleSpec.Protocol)
+			if err != nil {
+				return nil, err
+			}
+
+			rule := metal.EgressRule{
+				Protocol:  protocol,
+				Ports:     ruleSpec.Ports,
+				FromCIDRs: ruleSpec.FromCIDRs,
+				Comment:   ruleSpec.Comment,
+			}
+
+			if err := rule.Validate(); err != nil {
+				return nil, err
+			}
+
+			egress = append(egress, rule)
+		}
+
+		for _, ruleSpec := range firewallRequest.Ingress {
+			ruleSpec := ruleSpec
+
+			protocol, err := metal.ProtocolFromString(ruleSpec.Protocol)
+			if err != nil {
+				return nil, err
+			}
+
+			rule := metal.IngressRule{
+				Protocol: protocol,
+				Ports:    ruleSpec.Ports,
+				Comment:  ruleSpec.Comment,
+			}
+
+			if err := rule.Validate(); err != nil {
+				return nil, err
+			}
+
+			ingress = append(ingress, rule)
+		}
+	}
+
 	imageFeatureType := metal.ImageFeatureMachine
 	if role == metal.RoleFirewall {
 		imageFeatureType = metal.ImageFeatureFirewall
@@ -1039,8 +1094,8 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.M
 		return nil, fmt.Errorf("given image is not usable for a %s, features: %s", imageFeatureType, image.ImageFeatureString())
 	}
 
-	partitionID := requestPayload.PartitionID
-	sizeID := requestPayload.SizeID
+	partitionID := machineRequest.PartitionID
+	sizeID := machineRequest.SizeID
 
 	if uuid == "" && partitionID == "" {
 		return nil, errors.New("when no machine id is given, a partition id must be specified")
@@ -1072,19 +1127,21 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.M
 		Name:               name,
 		Description:        description,
 		Hostname:           hostname,
-		ProjectID:          requestPayload.ProjectID,
+		ProjectID:          machineRequest.ProjectID,
 		PartitionID:        partitionID,
 		Machine:            m,
 		Size:               size,
 		Image:              image,
-		SSHPubKeys:         requestPayload.SSHPubKeys,
+		SSHPubKeys:         machineRequest.SSHPubKeys,
 		UserData:           userdata,
-		Tags:               requestPayload.Tags,
-		Networks:           requestPayload.Networks,
-		IPs:                requestPayload.IPs,
+		Tags:               machineRequest.Tags,
+		Networks:           machineRequest.Networks,
+		IPs:                machineRequest.IPs,
 		Role:               role,
-		FilesystemLayoutID: requestPayload.FilesystemLayoutID,
-		PlacementTags:      requestPayload.PlacementTags,
+		FilesystemLayoutID: machineRequest.FilesystemLayoutID,
+		PlacementTags:      machineRequest.PlacementTags,
+		EgressRules:        egress,
+		IngressRules:       ingress,
 	}, nil
 }
 
@@ -1170,6 +1227,8 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam
 		MachineNetworks: []*metal.MachineNetwork{},
 		Role:            allocationSpec.Role,
 		VPN:             allocationSpec.VPN,
+		Egress:          allocationSpec.EgressRules,
+		Ingress:         allocationSpec.IngressRules,
 	}
 	rollbackOnError := func(err error) error {
 		if err != nil {
@@ -1211,6 +1270,20 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam
 		return nil, rollbackOnError(fmt.Errorf("unable to make networks:%w", err))
 	}
 
+	for _, n := range networks {
+		n := n
+
+		if n.networkType != metal.PrivatePrimaryUnshared {
+			continue
+		}
+
+		for _, rule := range allocationSpec.IngressRules {
+			rule := rule
+
+			rule.ToCIDRs = n.network.Prefixes.String()
+		}
+	}
+
 	// refetch the machine to catch possible updates after dealing with the network...
 	machine, err := ds.FindMachineByID(machineCandidate.ID)
 	if err != nil {

@@ -2,10 +2,26 @@ package v1
 
 type FirewallCreateRequest struct {
 	MachineAllocateRequest
-	// HA if set to true firewall is created in ha configuration
-	//
-	// Deprecated: will be removed in the next release
-	HA *bool `json:"ha" description:"if set to true, this firewall is set up in a High Available manner" optional:"true"`
+	FirewallAllocateRequest
+}
+
+type FirewallAllocateRequest struct {
+	Egress  []FirewallEgressRule  `json:"egress,omitempty" description:"list of egress rules to be deployed during firewall allocation" optional:"true"`
+	Ingress []FirewallIngressRule `json:"ingress,omitempty" description:"list of ingress rules to be deployed during firewall allocation" optional:"true"`
+}
+
+type FirewallEgressRule struct {
+	Protocol  string   `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"`
+	Ports     []int    `json:"ports" description:"the ports affected by this rule"`
+	FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"`
+	Comment   string   `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"`
+}
+
+type FirewallIngressRule struct {
+	Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"`
+	Ports    []int  `json:"ports" description:"the ports affected by this rule"`
+	// no ToCIDRs, destination is always the node network
+	Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"`
 }
 
 type FirewallResponse struct {