Proposal: Split proxmox_firewall and new firewall features #300

@PendaGTP

Summary

Split proxmox_firewall into four sub-modules and introduce three new modules to manage new firewall options (cluster-level, node-level and vm/lxc-level).

Context

Currently, the module proxmox_firewall manages "a lot of things", which makes it difficult to maintain and, in my opinion, impractical for users.
I propose to split it into smaller modules, each focusing on one feature at a time.

Currently the module handles (each one will be a new dedicated module):

  • Security Group
  • Rules
  • Alias
  • IP Sets

The module doesn't handle (each one will be a new dedicated module):

I think we can work on these modules without removing "proxmox_firewall," but gradually indicate in the module documentation the recommendation to use a dedicated module, then deprecate the "proxmox_firewall" module.

I don't think all modules should come at the same time; they can be added one by one, without impacting users.

Below are the modules that I have in mind that could fit well. For each module I can draft module documentation if this can help us define the module interface.

As mentioned, this is a proposal, a starting point for thinking about the path we want to take for managing firewall features. Please feel free to share your thoughts.

Related issues (just for tracking):

Firewall modules proposal

proxmox_firewall_rules

Description: Manages cluster-level, node-level or VM/container-level firewall rules
API:

  • /api2/json/cluster/firewall/rules
  • /api2/json/nodes/{node}/firewall/rules
  • /api2/json/nodes/{node}/lxc/{vmid}/firewall/rules
  • /api2/json/nodes/{node}/qemu/{vmid}/firewall/rules

proxmox_cluster_firewall_security_group

Description: Manages security groups defined at cluster level
API:

  • /api2/json/cluster/firewall/groups/

proxmox_firewall_options

Description: Manages firewall options on VM/container-level
API:

  • /api2/json/nodes/{node}/qemu/{vmid}/firewall/options
  • /api2/json/nodes/{node}/lxc/{vmid}/firewall/options

proxmox_node_firewall_options

Description: Manages firewall options on node-level
API:

  • /api2/json/nodes/{node}/firewall/options

proxmox_firewall_ipset

Description: Manage IPSET at cluster-level, VM/container-level
API:

  • /api2/json/cluster/firewall/ipset
  • /api2/json/nodes/{node}/qemu/{vmid}/firewall/ipset
  • /api2/json/nodes/{node}/lxc/{vmid}/firewall/ipset

proxmox_firewall_alias

Description: Manage IP addresses association of networks with a name
API:

  • /api2/json/cluster/firewall/aliases
  • /api2/json/nodes/{node}/qemu/{vmid}/firewall/aliases
  • /api2/json/nodes/{node}/lxc/{vmid}/firewall/aliases
