fix(firewall): Add support for firewall flag for LXC/VM net adapters (#295)

2025-07-05 05:24:01 +00:00 · 2023-04-09 19:59:40 -04:00 · 2023-04-09 19:59:40 -04:00 · f4783f8cda
commit f4783f8cda
parent be3995e969
4 changed files with 59 additions and 11 deletions
--- a/docs/resources/virtual_environment_container.md
+++ b/docs/resources/virtual_environment_container.md
@ -142,6 +142,8 @@ output "ubuntu_container_public_key" {
      to `vmbr0`).
    - `enabled` - (Optional) Whether to enable the network device (defaults
      to `true`).
+    - `firewall` - (Optional) Whether this interface's firewall rules should be
+        used (defaults to `false`).
    - `mac_address` - (Optional) The MAC address.
    - `mtu` - (Optional) Maximum transfer unit of the interface. Cannot be
      larger than the bridge's MTU.
@ -170,10 +172,11 @@ output "ubuntu_container_public_key" {
  meta-argument to ignore changes to this attribute.
 - `template` - (Optional) Whether to create a template (defaults to `false`).
 - `unprivileged` - (Optional) Whether the container runs as unprivileged on
-the host (defaults to `false`).
+  the host (defaults to `false`).
 - `vm_id` - (Optional) The virtual machine identifier
 - `features` - (Optional) The container features
-  - `nesting` - (Optional) Whether the container is nested (defaults to `false`)
+    - `nesting` - (Optional) Whether the container is nested (defaults
+      to `false`)

 ## Attribute Reference

--- a/docs/resources/virtual_environment_vm.md
+++ b/docs/resources/virtual_environment_vm.md
@ -327,6 +327,8 @@ output "ubuntu_vm_public_key" {
      to `vmbr0`).
    - `enabled` - (Optional) Whether to enable the network device (defaults
      to `true`).
+    - `firewall` - (Optional) Whether this interface's firewall rules should be
+        used (defaults to `false`).
    - `mac_address` - (Optional) The MAC address.
    - `model` - (Optional) The network device model (defaults to `virtio`).
        - `e1000` - Intel E1000.
--- a/proxmoxtf/resource/container.go
+++ b/proxmoxtf/resource/container.go
@ -47,6 +47,7 @@ const (
 	dvResourceVirtualEnvironmentContainerMemorySwap                        = 0
 	dvResourceVirtualEnvironmentContainerNetworkInterfaceBridge            = "vmbr0"
 	dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled           = true
+	dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall          = false
 	dvResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress        = ""
 	dvResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit         = 0
 	dvResourceVirtualEnvironmentContainerNetworkInterfaceVLANID            = 0
@ -98,6 +99,7 @@ const (
 	mkResourceVirtualEnvironmentContainerNetworkInterface                  = "network_interface"
 	mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge            = "bridge"
 	mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled           = "enabled"
+	mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall          = "firewall"
 	mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress        = "mac_address"
 	mkResourceVirtualEnvironmentContainerNetworkInterfaceName              = "name"
 	mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit         = "rate_limit"
@ -510,6 +512,12 @@ func Container() *schema.Resource {
 							Optional:    true,
 							Default:     dvResourceVirtualEnvironmentContainerNetworkInterfaceEnabled,
 						},
+						mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall: {
+							Type:        schema.TypeBool,
+							Description: "Whether this interface's firewall rules should be used.",
+							Optional:    true,
+							Default:     dvResourceVirtualEnvironmentContainerNetworkInterfaceFirewall,
+						},
 						mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress: {
 							Type:        schema.TypeString,
 							Description: "The MAC address",
@ -888,6 +896,9 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa

 		bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 		enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+		firewall := types.CustomBool(
+			networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+		)
 		macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 		name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 		rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
@ -899,6 +910,7 @@ func containerCreateClone(ctx context.Context, d *schema.ResourceData, m interfa
 		}

 		networkInterfaceObject.Enabled = enabled
+		networkInterfaceObject.Firewall = &firewall

 		if len(initializationIPConfigIPv4Address) > ni {
 			if initializationIPConfigIPv4Address[ni] != "" {
@ -1418,6 +1430,11 @@ func containerGetExistingNetworkInterface(
 		}

 		networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true
+		if nv.Firewall != nil {
+			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+		} else {
+			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+		}

 		if nv.MACAddress != nil {
 			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
@ -1776,6 +1793,12 @@ func containerRead(ctx context.Context, d *schema.ResourceData, m interface{}) d

 		networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled] = true

+		if nv.Firewall != nil {
+			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = *nv.Firewall
+		} else {
+			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall] = false
+		}
+
 		if nv.MACAddress != nil {
 			networkInterface[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress] = *nv.MACAddress
 		} else {
@ -2150,6 +2173,9 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})

 			bridge := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceBridge].(string)
 			enabled := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceEnabled].(bool)
+			firewall := types.CustomBool(
+				networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceFirewall].(bool),
+			)
 			macAddress := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceMACAddress].(string)
 			name := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceName].(string)
 			rateLimit := networkInterfaceMap[mkResourceVirtualEnvironmentContainerNetworkInterfaceRateLimit].(float64)
@ -2161,6 +2187,7 @@ func containerUpdate(ctx context.Context, d *schema.ResourceData, m interface{})
 			}

 			networkInterfaceObject.Enabled = enabled
+			networkInterfaceObject.Firewall = &firewall

 			if len(initializationIPConfigIPv4Address) > ni {
 				if initializationIPConfigIPv4Address[ni] != "" {
--- a/proxmoxtf/resource/vm.go
+++ b/proxmoxtf/resource/vm.go
@ -83,6 +83,7 @@ const (
 	dvResourceVirtualEnvironmentVMName                              = ""
 	dvResourceVirtualEnvironmentVMNetworkDeviceBridge               = "vmbr0"
 	dvResourceVirtualEnvironmentVMNetworkDeviceEnabled              = true
+	dvResourceVirtualEnvironmentVMNetworkDeviceFirewall             = false
 	dvResourceVirtualEnvironmentVMNetworkDeviceMACAddress           = ""
 	dvResourceVirtualEnvironmentVMNetworkDeviceModel                = "virtio"
 	dvResourceVirtualEnvironmentVMNetworkDeviceRateLimit            = 0
@ -198,6 +199,7 @@ const (
 	mkResourceVirtualEnvironmentVMNetworkDevice                     = "network_device"
 	mkResourceVirtualEnvironmentVMNetworkDeviceBridge               = "bridge"
 	mkResourceVirtualEnvironmentVMNetworkDeviceEnabled              = "enabled"
+	mkResourceVirtualEnvironmentVMNetworkDeviceFirewall             = "firewall"
 	mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress           = "mac_address"
 	mkResourceVirtualEnvironmentVMNetworkDeviceModel                = "model"
 	mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit            = "rate_limit"
@ -982,6 +984,12 @@ func VM() *schema.Resource {
 							Optional:    true,
 							Default:     dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
 						},
+						mkResourceVirtualEnvironmentVMNetworkDeviceFirewall: {
+							Type:        schema.TypeBool,
+							Description: "Whether this interface's firewall rules should be used",
+							Optional:    true,
+							Default:     dvResourceVirtualEnvironmentVMNetworkDeviceEnabled,
+						},
 						mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress: {
 							Type:        schema.TypeString,
 							Description: "The MAC address",
@ -2602,17 +2610,19 @@ func vmGetNetworkDeviceObjects(d *schema.ResourceData) proxmox.CustomNetworkDevi
 	for i, networkDeviceEntry := range networkDevice {
 		block := networkDeviceEntry.(map[string]interface{})

-		bridge, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
-		enabled, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
-		macAddress, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
-		model, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
-		rateLimit, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
-		vlanID, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
-		mtu, _ := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)
+		bridge := block[mkResourceVirtualEnvironmentVMNetworkDeviceBridge].(string)
+		enabled := block[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled].(bool)
+		firewall := types.CustomBool(block[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall].(bool))
+		macAddress := block[mkResourceVirtualEnvironmentVMNetworkDeviceMACAddress].(string)
+		model := block[mkResourceVirtualEnvironmentVMNetworkDeviceModel].(string)
+		rateLimit := block[mkResourceVirtualEnvironmentVMNetworkDeviceRateLimit].(float64)
+		vlanID := block[mkResourceVirtualEnvironmentVMNetworkDeviceVLANID].(int)
+		mtu := block[mkResourceVirtualEnvironmentVMNetworkDeviceMTU].(int)

 		device := proxmox.CustomNetworkDevice{
-			Enabled: enabled,
-			Model:   model,
+			Enabled:  enabled,
+			Firewall: &firewall,
+			Model:    model,
 		}

 		if bridge != "" {
@ -3478,6 +3488,12 @@ func vmReadCustom(

 			networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceEnabled] = nd.Enabled

+			if nd.Firewall != nil {
+				networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = *nd.Firewall
+			} else {
+				networkDevice[mkResourceVirtualEnvironmentVMNetworkDeviceFirewall] = false
+			}
+
 			if nd.MACAddress != nil {
 				macAddresses[ni] = *nd.MACAddress
 			} else {