0307dc68bb
Models (internal/models/): * FirewallAddressObject (host|network|range|fqdn) * FirewallAddressGroup mit MemberIDs gorm:"-"-Slice * FirewallService (proto+ports, builtin-Flag) * FirewallServiceGroup mit MemberIDs * FirewallRule (v2-Shape, src/dst nullable refs, exactly-one-of-Validation in Handler-Layer) * FirewallNATRule (kind=dnat|snat|masquerade, alle nullable) Repos (internal/services/firewall/, ein Paket): * AddressObjectsRepo, AddressGroupsRepo (mit Members-Junction-Ops) * ServicesRepo (refused Update/Delete für builtin=TRUE Rows), ServiceGroupsRepo * RulesRepo, NATRulesRepo Jeweils Standard-CRUD; Group-Repos handhaben Members atomic in einer TX (Update ersetzt komplette Membership). Handler + Renderer-Rewrite + Frontend folgen in den nächsten Commits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
44 lines
2.5 KiB
Go
44 lines
2.5 KiB
Go
package models
|
|
|
|
import "time"
|
|
|
|
// FirewallRule is the v2 (Fortigate-style) policy row. Source and
|
|
// destination each carry exactly one of:
|
|
// - <Side>AddressObjectID → primitive address object
|
|
// - <Side>AddressGroupID → address group
|
|
// - <Side>CIDR → inline CIDR
|
|
// - all three nil → "any"
|
|
//
|
|
// Same rule applies to ServiceObjectID / ServiceGroupID — exactly one
|
|
// or both nil for "any service".
|
|
//
|
|
// Validation lives in the handler layer (DB doesn't enforce
|
|
// "exactly one" because expressive CHECK constraints get unwieldy).
|
|
type FirewallRule struct {
|
|
ID int64 `gorm:"primaryKey" json:"id"`
|
|
Name *string `gorm:"column:name" json:"name,omitempty"`
|
|
Priority int `gorm:"column:priority" json:"priority"`
|
|
Enabled bool `gorm:"column:enabled" json:"enabled"`
|
|
Action string `gorm:"column:action" json:"action"` // accept|drop|reject
|
|
|
|
SrcZone string `gorm:"column:src_zone" json:"src_zone"`
|
|
SrcAddressObjectID *int64 `gorm:"column:src_address_object_id" json:"src_address_object_id,omitempty"`
|
|
SrcAddressGroupID *int64 `gorm:"column:src_address_group_id" json:"src_address_group_id,omitempty"`
|
|
SrcCIDR *string `gorm:"column:src_cidr" json:"src_cidr,omitempty"`
|
|
|
|
DstZone string `gorm:"column:dst_zone" json:"dst_zone"`
|
|
DstAddressObjectID *int64 `gorm:"column:dst_address_object_id" json:"dst_address_object_id,omitempty"`
|
|
DstAddressGroupID *int64 `gorm:"column:dst_address_group_id" json:"dst_address_group_id,omitempty"`
|
|
DstCIDR *string `gorm:"column:dst_cidr" json:"dst_cidr,omitempty"`
|
|
|
|
ServiceObjectID *int64 `gorm:"column:service_object_id" json:"service_object_id,omitempty"`
|
|
ServiceGroupID *int64 `gorm:"column:service_group_id" json:"service_group_id,omitempty"`
|
|
|
|
Log bool `gorm:"column:log" json:"log"`
|
|
Comment *string `gorm:"column:comment" json:"comment,omitempty"`
|
|
CreatedAt time.Time `gorm:"column:created_at" json:"created_at"`
|
|
UpdatedAt time.Time `gorm:"column:updated_at" json:"updated_at"`
|
|
}
|
|
|
|
func (FirewallRule) TableName() string { return "firewall_rules" }
|