From 76e2a4e0ccfa5d780183465db7ee36e9df713987 Mon Sep 17 00:00:00 2001 From: Francesco Cheinasso Date: Mon, 13 Nov 2023 18:00:40 +0100 Subject: [PATCH] Network: Firewall API --- .pre-commit-config.yaml | 2 +- .../v1alpha1/firewall/chain_types.go | 96 ++++++++++++ .../v1alpha1/firewall/rules_types.go | 41 +++++ .../v1alpha1/firewall/table_types.go | 41 +++++ .../firewall/zz_generated.deepcopy.go | 134 +++++++++++++++++ .../v1alpha1/firewallconfiguration_types.go | 78 ++-------- .../v1alpha1/zz_generated.deepcopy.go | 52 +------ ...orking.liqo.io_firewallconfigurations.yaml | 140 +++++++++++------- 8 files changed, 414 insertions(+), 170 deletions(-) create mode 100644 apis/networking/v1alpha1/firewall/chain_types.go create mode 100644 apis/networking/v1alpha1/firewall/rules_types.go create mode 100644 apis/networking/v1alpha1/firewall/table_types.go create mode 100644 apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a246334186..54dbad1d29 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ repos: - id: golangci-lint name: golangci-lint description: Fast linters runner for Go. - entry: golangci-lint run --new + entry: golangci-lint run --new-from-rev HEAD types: [go] language: golang require_serial: true diff --git a/apis/networking/v1alpha1/firewall/chain_types.go b/apis/networking/v1alpha1/firewall/chain_types.go new file mode 100644 index 0000000000..4cd5869ba6 --- /dev/null +++ b/apis/networking/v1alpha1/firewall/chain_types.go 
@@ -0,0 +1,96 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+import "math"
+
+// ChainType defines what this chain will be used for.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
+type ChainType string
+
+// Possible ChainType values.
+const (
+ ChainTypeFilter ChainType = "filter"
+ ChainTypeRoute ChainType = "route"
+ ChainTypeNAT ChainType = "nat"
+)
+
+// ChainPolicy defines what this chain default policy will be.
+type ChainPolicy string
+
+// Possible ChainPolicy values.
+const (
+ ChainPolicyDrop ChainPolicy = "drop"
+ ChainPolicyAccept ChainPolicy = "accept"
+)
+
+// ChainHook specifies at which step in packet processing the Chain should be executed.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks
+type ChainHook string
+
+// Possible ChainHook values.
+var (
+ ChainHookPrerouting ChainHook = "prerouting"
+ ChainHookInput ChainHook = "input"
+ ChainHookForward ChainHook = "forward"
+ ChainHookOutput ChainHook = "output"
+ ChainHookPostrouting ChainHook = "postrouting"
+ ChainHookIngress ChainHook = "ingress"
+)
+
+// ChainPriority orders the chain relative to Netfilter internal operations.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
+type ChainPriority int32
+
+// Possible ChainPriority values.
+// from /usr/include/linux/netfilter_ipv4.h.
+var (
+ ChainPriorityFirst ChainPriority = math.MinInt32
+ ChainPriorityConntrackDefrag ChainPriority = -400
+ ChainPriorityRaw ChainPriority = -300
+ ChainPrioritySELinuxFirst ChainPriority = -225
+ ChainPriorityConntrack ChainPriority = -200
+ ChainPriorityMangle ChainPriority = -150
+ ChainPriorityNATDest ChainPriority = -100
+ //nolint:revive // We need a variable with zero value.
+ ChainPriorityFilter ChainPriority = 0
+ ChainPrioritySecurity ChainPriority = 50
+ ChainPriorityNATSource ChainPriority = 100
+ ChainPrioritySELinuxLast ChainPriority = 225
+ ChainPriorityConntrackHelper ChainPriority = 300
+ ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
+ ChainPriorityLast ChainPriority = math.MaxInt32
+)
+
+// Chain is a chain of rules to be applied to a table.
+// +kubebuilder:object:generate=true
+type Chain struct {
+ // Name is the name of the chain.
+ Name string `json:"name,omitempty"`
+ // Rules is a list of rules to be applied to the chain.
+ Rules RulesSet `json:"rules,omitempty"`
+ // Type defines what this chain will be used for.
+ // +kubebuilder:validation:Enum="filter";"route";"nat"
+ Type ChainType `json:"type,omitempty"`
+ // Policy defines what this chain default policy will be.
+ // +kubebuilder:validation:Enum="drop";"accept"
+ Policy ChainPolicy `json:"policy,omitempty"`
+ // Hook specifies at which step in packet processing the Chain should be executed.
+ // +kubebuilder:validation:Enum="prerouting";"input";"forward";"output";"postrouting";"ingress"
+ Hook ChainHook `json:"hook,omitempty"`
+ // Priority orders the chain relative to Netfilter internal operations.
+ // +kubebuilder:default=0
+ Priority ChainPriority `json:"priority,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/rules_types.go b/apis/networking/v1alpha1/firewall/rules_types.go
new file mode 100644
index 0000000000..861c7deb11
--- /dev/null
+++ b/apis/networking/v1alpha1/firewall/rules_types.go
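Review bot: The ChainHook and ChainPriority value groups are declared in `var (` blocks, so they are exported, mutable package state that any importer can reassign at runtime (e.g. `firewall.ChainHookInput = "output"`), unlike the ChainType and ChainPolicy groups just above them, which are `const`. Both underlying types are constant-able (string and int32, and `math.MinInt32`/`math.MaxInt32` are untyped constants), so changing both headers to `const (` is enough and most likely also removes the need for the `//nolint:revive` on `ChainPriorityFilter`; I would only keep `var` if some other code needs to take the address of one of these values, which this patch does not show. Separately, the schema validates `hook`, `type` and `priority` independently, so a chain with a `hook` but no `type`, or a hook/type pairing nftables rejects, passes admission and can only fail later when the rules are pushed to the kernel — a CEL rule or at least a comment on `Chain` stating which combinations are valid would surface that at create time.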
@@ -0,0 +1,41 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// NatRule is a rule to be applied to a NAT chain.
+// +kubebuilder:object:generate=true
+type NatRule struct {
+}
+
+// FilterRule is a rule to be applied to a filter chain.
+// +kubebuilder:object:generate=true
+type FilterRule struct {
+}
+
+// RouteRule is a rule to be applied to a route chain.
+// +kubebuilder:object:generate=true
+type RouteRule struct {
+}
+
+// RulesSet is a set of rules to be applied to a chain.
+// +kubebuilder:object:generate=true
+type RulesSet struct {
+ // NatRules is a list of rules to be applied to the chain.
+ NatRules []NatRule `json:"natRules,omitempty"`
+ // FilterRules is a list of rules to be applied to the chain.
+ FilterRules []FilterRule `json:"filterRules,omitempty"`
+ // RouteRules is a list of rules to be applied to the chain.
+ RouteRules []RouteRule `json:"routeRules,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/table_types.go b/apis/networking/v1alpha1/firewall/table_types.go
new file mode 100644
index 0000000000..5a4ef2ed27
--- /dev/null
+++ b/apis/networking/v1alpha1/firewall/table_types.go
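Review bot: RulesSet carries `natRules`, `filterRules` and `routeRules` side by side, while the kind of rule a chain can hold is decided by `Chain.Type`, so a `filter` chain with a populated `natRules` list is schema-valid and nothing here says which list is honoured or whether the mismatch is an error. Until cross-field validation exists, the RulesSet comment should state the contract, e.g. `// Only the list matching the Type of the enclosing Chain is applied; the others are ignored.` — assuming that is the intended behaviour, since the reconciler is not part of this patch. The three rule types are also empty structs, so every entry currently serialises as `{}`; a `// Placeholder: rule fields are not defined yet.` on each would make clear that a rule-less entry carries no meaning rather than silently doing nothing.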
@@ -0,0 +1,41 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// TableFamily specifies the family of the table.
+type TableFamily string
+
+// Possible TableFamily values.
+// https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+const (
+ TableFamilyINet TableFamily = "INET"
+ TableFamilyIPv4 TableFamily = "IPV4"
+ TableFamilyIPv6 TableFamily = "IPV6"
+ TableFamilyARP TableFamily = "ARP"
+ TableFamilyNetdev TableFamily = "NETDEV"
+ TableFamilyBridge TableFamily = "BRIDGE"
+)
+
+// Table is a generic table to be applied to a chain.
+// +kubebuilder:object:generate=true
+type Table struct {
+ // Name is the name of the table.
+ Name string `json:"name,omitempty"`
+ // Chains is a list of chains to be applied to the table.
+ Chains []Chain `json:"chains,omitempty"`
+ // Family is the family of the table.
+ // +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"
+ Family TableFamily `json:"family,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go b/apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go
new file mode 100644
index 0000000000..ed0a8137c0
--- /dev/null
+++ b/apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go
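Review bot: The TableFamily enum uses upper-case identifiers (`INET`, `IPV4`, `IPV6`, `ARP`, `NETDEV`, `BRIDGE`) while the Chain enums in the same package reuse nftables' own lowercase keywords (`filter`, `prerouting`), and nft itself calls the IP families `ip`/`ip6`, so whoever applies a Table will need a translation that this patch does not contain. Either adopt the nft spelling (`inet`, `ip`, `ip6`, `arp`, `netdev`, `bridge`) for consistency with Chain, or add to the TableFamily comment that these are API-level names which are mapped to nft families by the consumer. `Name` and `Family` are also both `omitempty` with no default, so an empty `table: {}` is accepted by the API server; unless the reconciler fills them in, `+kubebuilder:validation:Required` on `name` and a `+kubebuilder:default` on `family` would reject that at admission instead of at apply time. The doc comment `// Table is a generic table to be applied to a chain.` is also inverted — chains are applied to a table, per the `Chains` field below it.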
@@ -0,0 +1,134 @@ +//go:build !ignore_autogenerated + +// Copyright 2019-2023 The Liqo Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by controller-gen. DO NOT EDIT. + +package firewall + +import () + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Chain) DeepCopyInto(out *Chain) { + *out = *in + in.Rules.DeepCopyInto(&out.Rules) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Chain. +func (in *Chain) DeepCopy() *Chain { + if in == nil { + return nil + } + out := new(Chain) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FilterRule) DeepCopyInto(out *FilterRule) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterRule. +func (in *FilterRule) DeepCopy() *FilterRule { + if in == nil { + return nil + } + out := new(FilterRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NatRule) DeepCopyInto(out *NatRule) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NatRule. 
+func (in *NatRule) DeepCopy() *NatRule { + if in == nil { + return nil + } + out := new(NatRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RouteRule) DeepCopyInto(out *RouteRule) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteRule. +func (in *RouteRule) DeepCopy() *RouteRule { + if in == nil { + return nil + } + out := new(RouteRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesSet) DeepCopyInto(out *RulesSet) { + *out = *in + if in.NatRules != nil { + in, out := &in.NatRules, &out.NatRules + *out = make([]NatRule, len(*in)) + copy(*out, *in) + } + if in.FilterRules != nil { + in, out := &in.FilterRules, &out.FilterRules + *out = make([]FilterRule, len(*in)) + copy(*out, *in) + } + if in.RouteRules != nil { + in, out := &in.RouteRules, &out.RouteRules + *out = make([]RouteRule, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesSet. +func (in *RulesSet) DeepCopy() *RulesSet { + if in == nil { + return nil + } + out := new(RulesSet) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Table) DeepCopyInto(out *Table) { + *out = *in + if in.Chains != nil { + in, out := &in.Chains, &out.Chains + *out = make([]Chain, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Table. +func (in *Table) DeepCopy() *Table { + if in == nil { + return nil + } + out := new(Table) + in.DeepCopyInto(out) + return out +} 
diff --git a/apis/networking/v1alpha1/firewallconfiguration_types.go b/apis/networking/v1alpha1/firewallconfiguration_types.go index b911f1ccf6..aba398fc2e 100644 --- a/apis/networking/v1alpha1/firewallconfiguration_types.go +++ b/apis/networking/v1alpha1/firewallconfiguration_types.go 
@@ -16,87 +16,33 @@ package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" + + firewallapi "github.com/liqotech/liqo/apis/networking/v1alpha1/firewall" ) // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. -// FirewallConfigurationResource the name of the firewallconfiguration resources. -var FirewallConfigurationResource = "firewallconfigurations" - -// FirewallConfigurationKind is the kind name used to register the FirewallConfiguration CRD. -var FirewallConfigurationKind = "FirewallConfiguration" - -// FirewallConfigurationGroupResource is group resource used to register these objects. -var FirewallConfigurationGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: FirewallConfigurationResource} - -// FirewallConfigurationGroupVersionResource is groupResourceVersion used to register these objects. -var FirewallConfigurationGroupVersionResource = GroupVersion.WithResource(FirewallConfigurationResource) - -// AddRemove contains the commands to add or remove rules. -type AddRemove struct { - // Add contains the commands to add rules. - Add []string `json:"add,omitempty"` - // Remove contains the commands to remove rules. - Remove []string `json:"remove,omitempty"` -} - // FirewallConfigurationSpec defines the desired state of FirewallConfiguration. type FirewallConfigurationSpec struct { - // Command to add or remove rules. - Command AddRemove `json:"command,omitempty"` - // ExpectedRule contains the expected rule. - ExpectedRule string `json:"expectedRule,omitempty"` - // Table contains the table where the rule is applied. - Table string `json:"table,omitempty"` + // Table contains the rules to be applied to the firewall. 
+ Table firewallapi.Table `json:"table,omitempty"` } -// FirewallConfigurationConditionType represents different conditions that a firewallconfiguration could assume. -type FirewallConfigurationConditionType string +// FirewallConfigurationStatusCondition defines the observed state of FirewallConfiguration. +type FirewallConfigurationStatusCondition string const ( - // FirewallConfigurationConditionApplied represents the condition applied. - FirewallConfigurationConditionApplied FirewallConfigurationConditionType = "Applied" - // FirewallConfigurationConditionError represents the condition error. - FirewallConfigurationConditionError FirewallConfigurationConditionType = "Error" - // FirewallConfigurationConditionPending represents the condition pending. - FirewallConfigurationConditionPending FirewallConfigurationConditionType = "Pending" + // FirewallConfigurationStatusConditionApplied is true if the configuration has been applied to the firewall. + FirewallConfigurationStatusConditionApplied FirewallConfigurationStatusCondition = "Applied" + // FirewallConfigurationStatusConditionError is true if the configuration has not been applied to the firewall. + FirewallConfigurationStatusConditionError FirewallConfigurationStatusCondition = "Error" ) -// FirewallConfigurationConditionStatusType represents the status of a firewallconfiguration condition. -type FirewallConfigurationConditionStatusType string - -const ( - // FirewallConfigurationConditionStatusTrue represents the condition status true. - FirewallConfigurationConditionStatusTrue FirewallConfigurationConditionStatusType = "True" - // FirewallConfigurationConditionStatusFalse represents the condition status false. - FirewallConfigurationConditionStatusFalse FirewallConfigurationConditionStatusType = "False" - // FirewallConfigurationConditionStatusUnknown represents the condition status unknown. 
- FirewallConfigurationConditionStatusUnknown FirewallConfigurationConditionStatusType = "Unknown" -) - -// FirewallConfigurationCondition contains details about state of the firewallconfiguration. -type FirewallConfigurationCondition struct { - // Type of the firewallconfiguration condition. - // +kubebuilder:validation:Enum="Applied" - Type FirewallConfigurationConditionType `json:"type"` - // Status of the condition. - // +kubebuilder:validation:Enum="True";"False";"Unknown" - // +kubebuilder:default="Unknown" - Status FirewallConfigurationConditionStatusType `json:"status"` - // LastTransitionTime -> timestamp for when the condition last transitioned from one status to another. - LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` - // Reason -> Machine-readable, UpperCamelCase text indicating the reason for the condition's last transition. - Reason string `json:"reason,omitempty"` - // Message -> Human-readable message indicating details about the last status transition. - Message string `json:"message,omitempty"` -} - // FirewallConfigurationStatus defines the observed state of FirewallConfiguration. type FirewallConfigurationStatus struct { - // Conditions contains the conditions of the firewallconfiguration. - Conditions []FirewallConfigurationCondition `json:"conditions,omitempty"` + // Applied is true if the configuration has been applied to the firewall. + Condition FirewallConfigurationStatusCondition `json:"condition,omitempty"` } // +kubebuilder:object:root=true diff --git a/apis/networking/v1alpha1/zz_generated.deepcopy.go b/apis/networking/v1alpha1/zz_generated.deepcopy.go index e61ae90295..c0b9b96ec5 100644 --- a/apis/networking/v1alpha1/zz_generated.deepcopy.go +++ b/apis/networking/v1alpha1/zz_generated.deepcopy.go 
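Review bot: The new `Condition` field at the end of the hunk has no enum marker, so after this change the status accepts any string, whereas the condition status it replaces was validated with `+kubebuilder:validation:Enum="True";"False";"Unknown"`; its comment `// Applied is true if the configuration has been applied to the firewall.` also describes a boolean field that does not exist. I would add `// +kubebuilder:validation:Enum="Applied";"Error"` above the field and reword it to `// Condition reports whether the configuration has been applied to the firewall (Applied) or failed to apply (Error).`, and fix the two value comments that say "is true if" for what are string constants. Dropping the condition list also removes Reason, Message and LastTransitionTime, so when a firewall configuration fails to apply there is no longer anywhere in the object to record why or since when — keeping at least a `Message string` next to `Condition`, or switching to `[]metav1.Condition` since metav1 is still imported, would preserve that. The removal of the `FirewallConfigurationResource`/`Kind`/`GroupResource` variables at the top of the hunk may break callers elsewhere in the repository; I cannot see them from this patch.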
@@ -24,31 +24,6 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AddRemove) DeepCopyInto(out *AddRemove) { - *out = *in - if in.Add != nil { - in, out := &in.Add, &out.Add - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Remove != nil { - in, out := &in.Remove, &out.Remove - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddRemove. -func (in *AddRemove) DeepCopy() *AddRemove { - if in == nil { - return nil - } - out := new(AddRemove) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterConfig) DeepCopyInto(out *ClusterConfig) { *out = *in @@ -484,7 +459,7 @@ func (in *FirewallConfiguration) DeepCopyInto(out *FirewallConfiguration) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) + out.Status = in.Status } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallConfiguration. 
@@ -505,22 +480,6 @@ func (in *FirewallConfiguration) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *FirewallConfigurationCondition) DeepCopyInto(out *FirewallConfigurationCondition) { - *out = *in - in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallConfigurationCondition. -func (in *FirewallConfigurationCondition) DeepCopy() *FirewallConfigurationCondition { - if in == nil { - return nil - } - out := new(FirewallConfigurationCondition) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FirewallConfigurationList) DeepCopyInto(out *FirewallConfigurationList) { *out = *in @@ -556,7 +515,7 @@ func (in *FirewallConfigurationList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FirewallConfigurationSpec) DeepCopyInto(out *FirewallConfigurationSpec) { *out = *in - in.Command.DeepCopyInto(&out.Command) + in.Table.DeepCopyInto(&out.Table) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallConfigurationSpec. 
@@ -572,13 +531,6 @@ func (in *FirewallConfigurationSpec) DeepCopy() *FirewallConfigurationSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FirewallConfigurationStatus) DeepCopyInto(out *FirewallConfigurationStatus) { *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]FirewallConfigurationCondition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallConfigurationStatus. diff --git a/deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml b/deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml index 3b63b30b16..1035f0b9f1 100644 --- a/deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml +++ b/deployments/liqo/charts/liqo-crds/crds/networking.liqo.io_firewallconfigurations.yaml 
@@ -37,68 +37,102 @@ spec: spec: description: FirewallConfigurationSpec defines the desired state of FirewallConfiguration. properties: - command: - description: Command to add or remove rules. + table: + description: Table contains the rules to be applied to the firewall. properties: - add: - description: Add contains the commands to add rules. - items: - type: string - type: array - remove: - description: Remove contains the commands to remove rules. + chains: + description: Chains is a list of chains to be applied to the table. items: - type: string + description: Chain is a chain of rules to be applied to a table. + properties: + hook: + description: Hook specifies at which step in packet processing + the Chain should be executed. + enum: + - prerouting + - input + - forward + - output + - postrouting + - ingress + type: string + name: + description: Name is the name of the chain. + type: string + policy: + description: Policy defines what this chain default policy + will be. + enum: + - drop + - accept + type: string + priority: + default: 0 + description: Priority orders the chain relative to Netfilter + internal operations. + format: int32 + type: integer + rules: + description: Rules is a list of rules to be applied to the + chain. + properties: + filterRules: + description: FilterRules is a list of rules to be applied + to the chain. + items: + description: FilterRule is a rule to be applied to + a filter chain. + type: object + type: array + natRules: + description: NatRules is a list of rules to be applied + to the chain. + items: + description: NatRule is a rule to be applied to a + NAT chain. + type: object + type: array + routeRules: + description: RouteRules is a list of rules to be applied + to the chain. + items: + description: RouteRule is a rule to be applied to + a route chain. + type: object + type: array + type: object + type: + description: Type defines what this chain will be used for. 
+ enum: + - filter + - route + - nat + type: string + type: object type: array + family: + description: Family is the family of the table. + enum: + - INET + - IPV4 + - IPV6 + - ARP + - NETDEV + - BRIDGE + type: string + name: + description: Name is the name of the table. + type: string type: object - expectedRule: - description: ExpectedRule contains the expected rule. - type: string - table: - description: Table contains the table where the rule is applied. - type: string type: object status: description: FirewallConfigurationStatus defines the observed state of FirewallConfiguration. properties: - conditions: - description: Conditions contains the conditions of the firewallconfiguration. - items: - description: FirewallConfigurationCondition contains details about - state of the firewallconfiguration. - properties: - lastTransitionTime: - description: LastTransitionTime -> timestamp for when the condition - last transitioned from one status to another. - format: date-time - type: string - message: - description: Message -> Human-readable message indicating details - about the last status transition. - type: string - reason: - description: Reason -> Machine-readable, UpperCamelCase text - indicating the reason for the condition's last transition. - type: string - status: - default: Unknown - description: Status of the condition. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the firewallconfiguration condition. - enum: - - Applied - type: string - required: - - status - - type - type: object - type: array + condition: + description: Applied is true if the configuration has been applied + to the firewall. + type: string type: object type: object served: true