feat(pydantic): Add ZoneEntries

11 months ago · 7e5608081d
parent e827d4b1c6
commit 7e5608081d
2 changed files with 29 additions and 16 deletions
--- a/example.yaml
+++ b/example.yaml
@ -2,23 +2,23 @@
 zones:
  - name: users-internet-allowed
    include:
-      - rules.yaml
+      files: [example.yaml]
+
  - name: mgmt
    include:
-      - 10.203.0.0/16
+      addrs: [10.203.0.0/16]
+
  - name: adm
    include:
-      - 2a09:6840::/29
-      - 10.128.0.0/16
+      addrs: [2a09:6840::/29, 10.128.0.0/16]
+
  - name: internet
    exclude:
-      - adm
-      - mgmt
+      zones: [adm, mgmt]

 blacklist:
  enabled: true
-  addr:
-    - 0.0.0.0
+  addr: [0.0.0.0]

 reverse_path_filter:
  enabled: true
@ -27,11 +27,13 @@ filter:
  input:
    - iif: lo
      verdict: accept
+
    - src: mgmt
      protocols:
        tcp:
          dport: [22, 240..242]
      verdict: accept
+
    - src: backbone
      protocols:
        ospf: true
@ -39,27 +41,33 @@ filter:
        tcp:
            dport: [179]
      verdict: accept
+
    - protocols:
        icmp: true
      verdict: accept
+
  output:
    - verdict: accept
+
  forward:
    - src: interco-crans
      verdict: accept
+
    - src: users-internet-allowed
      protocols:
        tcp:
          dport: [25]
      verdict: drop
+
    - src: users-internet-allowed
      dest:
-        - internet
-        - 10.0.0.1
+        addrs: [10.0.0.1]
+        zones: [internet]
      verdict: accept

 nat:
-  - src: mgmt
+  - src:
+      zones: [mgmt]
    snat:
      addr: 45.66.108.14
      persistent: true
--- a/nftables.py
+++ b/nftables.py
@ -1,6 +1,5 @@
 #!/usr/bin/env python3

-from __future__ import annotations
 from argparse import ArgumentParser, FileType
 from enum import Enum
 from pydantic import (
@ -49,10 +48,16 @@ class ZoneName(str):
    pass


+class ZoneEntries(RestrictiveBaseModel):
+    addrs: list[IPvAnyNetwork] | None
+    files: list[FilePath] | None
+    zones: list[ZoneName] | None
+
+
 class Zone(RestrictiveBaseModel):
    name: ZoneName
-    exclude: list[IPvAnyNetwork | ZoneName | FilePath] | None
-    include: list[IPvAnyNetwork | ZoneName | FilePath] | None
+    exclude: ZoneEntries | None
+    include: ZoneEntries | None

    @root_validator()
    def validate_mutually_exactly_one(cls, values):
@ -110,7 +115,7 @@ class Rule(RestrictiveBaseModel):


 class ForwardRule(Rule):
-    dest: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None
+    dest: ZoneEntries | None


 class Filter(RestrictiveBaseModel):
@ -126,7 +131,7 @@ class SNat(RestrictiveBaseModel):


 class Nat(RestrictiveBaseModel):
-    src: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None
+    src: ZoneEntries | None
    snat: SNat