feat(fw): Models + Repos für Firewall-v2 (6 Entities)

Models (internal/models/): * FirewallAddressObject (host|network|range|fqdn) * FirewallAddressGroup mit MemberIDs gorm:"-"-Slice * FirewallService (proto+ports, builtin-Flag) * FirewallServiceGroup mit MemberIDs * FirewallRule (v2-Shape, src/dst nullable refs, exactly-one-of-Validation in Handler-Layer) * FirewallNATRule (kind=dnat|snat|masquerade, alle nullable) Repos (internal/services/firewall/, ein Paket): * AddressObjectsRepo, AddressGroupsRepo (mit Members-Junction-Ops) * ServicesRepo (refused Update/Delete für builtin=TRUE Rows), ServiceGroupsRepo * RulesRepo, NATRulesRepo Jeweils Standard-CRUD; Group-Repos handhaben Members atomic in einer TX (Update ersetzt komplette Membership). Handler + Renderer-Rewrite + Frontend folgen in den nächsten Commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 09:40:08 +02:00
parent e517783c42
commit 0307dc68bb
13 changed files with 1009 additions and 0 deletions
--- a/internal/models/firewall_address_group.go
+++ b/internal/models/firewall_address_group.go
@@ -0,0 +1,18 @@
+package models
+
+import "time"
+
+type FirewallAddressGroup struct {
+	ID          int64     `gorm:"primaryKey"               json:"id"`
+	Name        string    `gorm:"column:name;uniqueIndex"  json:"name"`
+	Description *string   `gorm:"column:description"       json:"description,omitempty"`
+	CreatedAt   time.Time `gorm:"column:created_at"        json:"created_at"`
+	UpdatedAt   time.Time `gorm:"column:updated_at"        json:"updated_at"`
+
+	// MemberIDs is filled by the repo's Get/List joiners — not a real
+	// column. JSON-omitted when empty so the bare-create response
+	// stays terse.
+	MemberIDs []int64 `gorm:"-" json:"member_ids,omitempty"`
+}
+
+func (FirewallAddressGroup) TableName() string { return "firewall_address_groups" }
--- a/internal/models/firewall_address_object.go
+++ b/internal/models/firewall_address_object.go
@@ -0,0 +1,15 @@
+package models
+
+import "time"
+
+type FirewallAddressObject struct {
+	ID          int64     `gorm:"primaryKey"               json:"id"`
+	Name        string    `gorm:"column:name;uniqueIndex"  json:"name"`
+	Kind        string    `gorm:"column:kind"              json:"kind"` // host|network|range|fqdn
+	Value       string    `gorm:"column:value"             json:"value"`
+	Description *string   `gorm:"column:description"       json:"description,omitempty"`
+	CreatedAt   time.Time `gorm:"column:created_at"        json:"created_at"`
+	UpdatedAt   time.Time `gorm:"column:updated_at"        json:"updated_at"`
+}
+
+func (FirewallAddressObject) TableName() string { return "firewall_address_objects" }
--- a/internal/models/firewall_nat_rule.go
+++ b/internal/models/firewall_nat_rule.go
@@ -0,0 +1,40 @@
+package models
+
+import "time"
+
+// FirewallNATRule covers the three nft NAT shapes in one table:
+//
+//   - kind=dnat:       in_zone + match_dport_* → target_addr [+ target_port_*]
+//                      (port-forward incoming traffic)
+//   - kind=snat:       out_zone + match_src_cidr → target_addr
+//                      (rewrite source IP to a fixed address)
+//   - kind=masquerade: out_zone [+ match_src_cidr]
+//                      (rewrite source to out-iface IP — typical lan→wan)
+//
+// Validation of kind-specific field combinations lives in the
+// handler.
+type FirewallNATRule struct {
+	ID              int64     `gorm:"primaryKey"                  json:"id"`
+	Name            *string   `gorm:"column:name"                 json:"name,omitempty"`
+	Priority        int       `gorm:"column:priority"             json:"priority"`
+	Enabled         bool      `gorm:"column:enabled"              json:"enabled"`
+	Kind            string    `gorm:"column:kind"                 json:"kind"` // dnat|snat|masquerade
+
+	InZone          *string   `gorm:"column:in_zone"              json:"in_zone,omitempty"`
+	OutZone         *string   `gorm:"column:out_zone"             json:"out_zone,omitempty"`
+	Proto           *string   `gorm:"column:proto"                json:"proto,omitempty"`
+	MatchSrcCIDR    *string   `gorm:"column:match_src_cidr"       json:"match_src_cidr,omitempty"`
+	MatchDstCIDR    *string   `gorm:"column:match_dst_cidr"       json:"match_dst_cidr,omitempty"`
+	MatchDPortStart *int      `gorm:"column:match_dport_start"    json:"match_dport_start,omitempty"`
+	MatchDPortEnd   *int      `gorm:"column:match_dport_end"      json:"match_dport_end,omitempty"`
+
+	TargetAddr      *string   `gorm:"column:target_addr"          json:"target_addr,omitempty"`
+	TargetPortStart *int      `gorm:"column:target_port_start"    json:"target_port_start,omitempty"`
+	TargetPortEnd   *int      `gorm:"column:target_port_end"      json:"target_port_end,omitempty"`
+
+	Comment         *string   `gorm:"column:comment"              json:"comment,omitempty"`
+	CreatedAt       time.Time `gorm:"column:created_at"           json:"created_at"`
+	UpdatedAt       time.Time `gorm:"column:updated_at"           json:"updated_at"`
+}
+
+func (FirewallNATRule) TableName() string { return "firewall_nat_rules" }
--- a/internal/models/firewall_rule.go
+++ b/internal/models/firewall_rule.go
@@ -0,0 +1,43 @@
+package models
+
+import "time"
+
+// FirewallRule is the v2 (Fortigate-style) policy row. Source and
+// destination each carry exactly one of:
+//   - <Side>AddressObjectID  → primitive address object
+//   - <Side>AddressGroupID   → address group
+//   - <Side>CIDR             → inline CIDR
+//   - all three nil          → "any"
+//
+// Same rule applies to ServiceObjectID / ServiceGroupID — exactly one
+// or both nil for "any service".
+//
+// Validation lives in the handler layer (DB doesn't enforce
+// "exactly one" because expressive CHECK constraints get unwieldy).
+type FirewallRule struct {
+	ID                  int64     `gorm:"primaryKey"                       json:"id"`
+	Name                *string   `gorm:"column:name"                      json:"name,omitempty"`
+	Priority            int       `gorm:"column:priority"                  json:"priority"`
+	Enabled             bool      `gorm:"column:enabled"                   json:"enabled"`
+	Action              string    `gorm:"column:action"                    json:"action"` // accept|drop|reject
+
+	SrcZone             string    `gorm:"column:src_zone"                  json:"src_zone"`
+	SrcAddressObjectID  *int64    `gorm:"column:src_address_object_id"     json:"src_address_object_id,omitempty"`
+	SrcAddressGroupID   *int64    `gorm:"column:src_address_group_id"      json:"src_address_group_id,omitempty"`
+	SrcCIDR             *string   `gorm:"column:src_cidr"                  json:"src_cidr,omitempty"`
+
+	DstZone             string    `gorm:"column:dst_zone"                  json:"dst_zone"`
+	DstAddressObjectID  *int64    `gorm:"column:dst_address_object_id"     json:"dst_address_object_id,omitempty"`
+	DstAddressGroupID   *int64    `gorm:"column:dst_address_group_id"      json:"dst_address_group_id,omitempty"`
+	DstCIDR             *string   `gorm:"column:dst_cidr"                  json:"dst_cidr,omitempty"`
+
+	ServiceObjectID     *int64    `gorm:"column:service_object_id"         json:"service_object_id,omitempty"`
+	ServiceGroupID      *int64    `gorm:"column:service_group_id"          json:"service_group_id,omitempty"`
+
+	Log                 bool      `gorm:"column:log"                       json:"log"`
+	Comment             *string   `gorm:"column:comment"                   json:"comment,omitempty"`
+	CreatedAt           time.Time `gorm:"column:created_at"                json:"created_at"`
+	UpdatedAt           time.Time `gorm:"column:updated_at"                json:"updated_at"`
+}
+
+func (FirewallRule) TableName() string { return "firewall_rules" }
--- a/internal/models/firewall_service.go
+++ b/internal/models/firewall_service.go
@@ -0,0 +1,17 @@
+package models
+
+import "time"
+
+type FirewallService struct {
+	ID          int64     `gorm:"primaryKey"               json:"id"`
+	Name        string    `gorm:"column:name;uniqueIndex"  json:"name"`
+	Proto       string    `gorm:"column:proto"             json:"proto"` // tcp|udp|icmp|icmpv6|any
+	PortStart   *int      `gorm:"column:port_start"        json:"port_start,omitempty"`
+	PortEnd     *int      `gorm:"column:port_end"          json:"port_end,omitempty"`
+	Builtin     bool      `gorm:"column:builtin"           json:"builtin"`
+	Description *string   `gorm:"column:description"       json:"description,omitempty"`
+	CreatedAt   time.Time `gorm:"column:created_at"        json:"created_at"`
+	UpdatedAt   time.Time `gorm:"column:updated_at"        json:"updated_at"`
+}
+
+func (FirewallService) TableName() string { return "firewall_services" }
--- a/internal/models/firewall_service_group.go
+++ b/internal/models/firewall_service_group.go
@@ -0,0 +1,15 @@
+package models
+
+import "time"
+
+type FirewallServiceGroup struct {
+	ID          int64     `gorm:"primaryKey"               json:"id"`
+	Name        string    `gorm:"column:name;uniqueIndex"  json:"name"`
+	Description *string   `gorm:"column:description"       json:"description,omitempty"`
+	CreatedAt   time.Time `gorm:"column:created_at"        json:"created_at"`
+	UpdatedAt   time.Time `gorm:"column:updated_at"        json:"updated_at"`
+
+	MemberIDs []int64 `gorm:"-" json:"member_ids,omitempty"`
+}
+
+func (FirewallServiceGroup) TableName() string { return "firewall_service_groups" }