feat(fw): Models + Repos für Firewall-v2 (6 Entities)

Models (internal/models/): * FirewallAddressObject (host|network|range|fqdn) * FirewallAddressGroup mit MemberIDs gorm:"-"-Slice * FirewallService (proto+ports, builtin-Flag) * FirewallServiceGroup mit MemberIDs * FirewallRule (v2-Shape, src/dst nullable refs, exactly-one-of-Validation in Handler-Layer) * FirewallNATRule (kind=dnat|snat|masquerade, alle nullable) Repos (internal/services/firewall/, ein Paket): * AddressObjectsRepo, AddressGroupsRepo (mit Members-Junction-Ops) * ServicesRepo (refused Update/Delete für builtin=TRUE Rows), ServiceGroupsRepo * RulesRepo, NATRulesRepo Jeweils Standard-CRUD; Group-Repos handhaben Members atomic in einer TX (Update ersetzt komplette Membership). Handler + Renderer-Rewrite + Frontend folgen in den nächsten Commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 09:40:08 +02:00
parent e517783c42
commit 0307dc68bb
13 changed files with 1009 additions and 0 deletions
--- a/internal/services/firewall/natrules.go
+++ b/internal/services/firewall/natrules.go
@@ -0,0 +1,139 @@
+package firewall
+
+import (
+	"context"
+	"errors"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/models"
+)
+
+var ErrNATRuleNotFound = errors.New("nat rule not found")
+
+type NATRulesRepo struct {
+	Pool *pgxpool.Pool
+}
+
+func NewNATRulesRepo(pool *pgxpool.Pool) *NATRulesRepo { return &NATRulesRepo{Pool: pool} }
+
+const natRuleBaseSelect = `
+SELECT id, name, priority, enabled, kind,
+       in_zone, out_zone, proto,
+       match_src_cidr, match_dst_cidr, match_dport_start, match_dport_end,
+       target_addr, target_port_start, target_port_end,
+       comment, created_at, updated_at
+FROM firewall_nat_rules
+`
+
+func (r *NATRulesRepo) List(ctx context.Context) ([]models.FirewallNATRule, error) {
+	rows, err := r.Pool.Query(ctx, natRuleBaseSelect+" ORDER BY priority DESC, id ASC")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := make([]models.FirewallNATRule, 0, 8)
+	for rows.Next() {
+		x, err := scanNATRule(rows)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, *x)
+	}
+	return out, rows.Err()
+}
+
+func (r *NATRulesRepo) Get(ctx context.Context, id int64) (*models.FirewallNATRule, error) {
+	row := r.Pool.QueryRow(ctx, natRuleBaseSelect+" WHERE id = $1", id)
+	x, err := scanNATRule(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNATRuleNotFound
+		}
+		return nil, err
+	}
+	return x, nil
+}
+
+func (r *NATRulesRepo) Create(ctx context.Context, x models.FirewallNATRule) (*models.FirewallNATRule, error) {
+	row := r.Pool.QueryRow(ctx, `
+INSERT INTO firewall_nat_rules (
+    name, priority, enabled, kind,
+    in_zone, out_zone, proto,
+    match_src_cidr, match_dst_cidr, match_dport_start, match_dport_end,
+    target_addr, target_port_start, target_port_end,
+    comment
+) VALUES (
+    $1, $2, $3, $4,
+    $5, $6, $7,
+    $8, $9, $10, $11,
+    $12, $13, $14,
+    $15
+)
+RETURNING id, name, priority, enabled, kind,
+          in_zone, out_zone, proto,
+          match_src_cidr, match_dst_cidr, match_dport_start, match_dport_end,
+          target_addr, target_port_start, target_port_end,
+          comment, created_at, updated_at`,
+		x.Name, x.Priority, x.Enabled, x.Kind,
+		x.InZone, x.OutZone, x.Proto,
+		x.MatchSrcCIDR, x.MatchDstCIDR, x.MatchDPortStart, x.MatchDPortEnd,
+		x.TargetAddr, x.TargetPortStart, x.TargetPortEnd,
+		x.Comment)
+	return scanNATRule(row)
+}
+
+func (r *NATRulesRepo) Update(ctx context.Context, id int64, x models.FirewallNATRule) (*models.FirewallNATRule, error) {
+	row := r.Pool.QueryRow(ctx, `
+UPDATE firewall_nat_rules SET
+   name = $1, priority = $2, enabled = $3, kind = $4,
+   in_zone = $5, out_zone = $6, proto = $7,
+   match_src_cidr = $8, match_dst_cidr = $9, match_dport_start = $10, match_dport_end = $11,
+   target_addr = $12, target_port_start = $13, target_port_end = $14,
+   comment = $15, updated_at = NOW()
+WHERE id = $16
+RETURNING id, name, priority, enabled, kind,
+          in_zone, out_zone, proto,
+          match_src_cidr, match_dst_cidr, match_dport_start, match_dport_end,
+          target_addr, target_port_start, target_port_end,
+          comment, created_at, updated_at`,
+		x.Name, x.Priority, x.Enabled, x.Kind,
+		x.InZone, x.OutZone, x.Proto,
+		x.MatchSrcCIDR, x.MatchDstCIDR, x.MatchDPortStart, x.MatchDPortEnd,
+		x.TargetAddr, x.TargetPortStart, x.TargetPortEnd,
+		x.Comment, id)
+	out, err := scanNATRule(row)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNATRuleNotFound
+		}
+		return nil, err
+	}
+	return out, nil
+}
+
+func (r *NATRulesRepo) Delete(ctx context.Context, id int64) error {
+	tag, err := r.Pool.Exec(ctx, `DELETE FROM firewall_nat_rules WHERE id = $1`, id)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return ErrNATRuleNotFound
+	}
+	return nil
+}
+
+func scanNATRule(row interface{ Scan(...any) error }) (*models.FirewallNATRule, error) {
+	var x models.FirewallNATRule
+	if err := row.Scan(
+		&x.ID, &x.Name, &x.Priority, &x.Enabled, &x.Kind,
+		&x.InZone, &x.OutZone, &x.Proto,
+		&x.MatchSrcCIDR, &x.MatchDstCIDR, &x.MatchDPortStart, &x.MatchDPortEnd,
+		&x.TargetAddr, &x.TargetPortStart, &x.TargetPortEnd,
+		&x.Comment, &x.CreatedAt, &x.UpdatedAt,
+	); err != nil {
+		return nil, err
+	}
+	return &x, nil
+}