feat(fw): Migration 0010 — Firewall-v2-Schema (Fortigate-Style)
Phase-1 firewall_rules (chain/match_expr raw nft) → Fortigate-Niveau: * firewall_address_objects (host/network/range/fqdn) * firewall_address_groups + members junction * firewall_services (proto+port range, builtin-Flag) * firewall_service_groups + members junction * firewall_rules komplett umgebaut: src_zone+addr/group/cidr, dst_zone+addr/group/cidr, service_object_id ODER service_group_id, action accept|drop|reject, log-Flag, priority+enabled * firewall_nat_rules (kind=dnat|snat|masquerade) als separate Tabelle Zonen kommen aus network_interfaces.role (wan|lan|dmz|mgmt|cluster + pseudo-Zone 'any'). Builtin-Inserts: 18 Standard-Services (HTTP/HTTPS/SSH/DNS/SMTP-Familie/ DBs/RDP/WireGuard/Ping) plus 5 Service-Groups (Web, Mail-Submit, Mail-Receive, DNS, Ping). Renderer (internal/firewall/firewall.go) lässt firewall_rules-Query für jetzt aus — Template fällt auf baseline + cluster-peer-set zurück. Volle Render-Logik mit den neuen Joins kommt mit Task #44. Models + Repos + Handlers + Frontend folgen in den nächsten Commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
@@ -117,30 +117,12 @@ func (g *Generator) loadView(ctx context.Context) (*View, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Custom firewall_rules — only active, ordered by priority.
|
||||
ruleRows, err := g.Pool.Query(ctx, `
|
||||
SELECT chain, match_expr, action, COALESCE(comment, '')
|
||||
FROM firewall_rules
|
||||
WHERE active
|
||||
ORDER BY chain ASC, priority DESC, id ASC`)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("query firewall_rules: %w", err)
|
||||
}
|
||||
defer ruleRows.Close()
|
||||
for ruleRows.Next() {
|
||||
var chain, match, action, comment string
|
||||
if err := ruleRows.Scan(&chain, &match, &action, &comment); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
r := Rule{MatchExpr: match, Action: action, Comment: comment}
|
||||
switch chain {
|
||||
case "input":
|
||||
view.CustomRulesInput = append(view.CustomRulesInput, r)
|
||||
case "forward":
|
||||
view.CustomRulesForward = append(view.CustomRulesForward, r)
|
||||
case "output":
|
||||
view.CustomRulesOutput = append(view.CustomRulesOutput, r)
|
||||
}
|
||||
}
|
||||
return view, ruleRows.Err()
|
||||
// Migration 0010 hat firewall_rules komplett umgebaut (Fortigate-
|
||||
// Style mit address objects + service refs). Phase-2-Renderer
|
||||
// kannte das alte chain/match_expr-Schema. Bis Task #44 die
|
||||
// Render-Logik mit den neuen Joins ersetzt, geben wir hier
|
||||
// keine custom-Rules aus — Output ist nur baseline + cluster set.
|
||||
// Sicher, weil baseline default-deny ist; v2-Rules kommen mit
|
||||
// dem nächsten Renderer-Patch.
|
||||
return view, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user