feat: support Zone-Based Firewalls (#33)

* feat: support Zone-Based Firewalls

* chore: add usage example of zone-based firewall

* chore: add note to readme to support unifi controller v2

* fix: invalid path for reordering firewall zone policies
Mateusz Filipowicz
2025-02-20 18:48:04 +01:00
committed by GitHub
parent 16f71e7fe9
commit 637809c663
13 changed files with 703 additions and 0 deletions


@@ -255,6 +255,46 @@ type Client interface {
// ==== end of client methods for FirewallRule resource ====
// ==== client methods for FirewallZone resource ====
// CreateFirewallZone creates a resource
CreateFirewallZone(ctx context.Context, site string, f *FirewallZone) (*FirewallZone, error)
// DeleteFirewallZone deletes a resource
DeleteFirewallZone(ctx context.Context, site string, id string) error
// GetFirewallZone retrieves a resource
GetFirewallZone(ctx context.Context, site string, id string) (*FirewallZone, error)
// ListFirewallZone lists the resources
ListFirewallZone(ctx context.Context, site string) ([]FirewallZone, error)
// UpdateFirewallZone updates a resource
UpdateFirewallZone(ctx context.Context, site string, f *FirewallZone) (*FirewallZone, error)
ListFirewallZoneMatrix(ctx context.Context, site string) ([]FirewallZoneMatrix, error)
// ==== client methods for FirewallZonePolicy resource ====
// CreateFirewallZonePolicy creates a resource
CreateFirewallZonePolicy(ctx context.Context, site string, f *FirewallZonePolicy) (*FirewallZonePolicy, error)
// DeleteFirewallZonePolicy deletes a resource
DeleteFirewallZonePolicy(ctx context.Context, site string, id string) error
// GetFirewallZonePolicy retrieves a resource
GetFirewallZonePolicy(ctx context.Context, site string, id string) (*FirewallZonePolicy, error)
// ListFirewallZonePolicy lists the resources
ListFirewallZonePolicy(ctx context.Context, site string) ([]FirewallZonePolicy, error)
// UpdateFirewallZonePolicy updates a resource
UpdateFirewallZonePolicy(ctx context.Context, site string, f *FirewallZonePolicy) (*FirewallZonePolicy, error)
// ==== end of client methods for FirewallZonePolicy resource ====
// ==== end of client methods for FirewallZone resource ====
// ==== client methods for HeatMap resource ====
// CreateHeatMap creates a resource
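Review bot: `ListFirewallZoneMatrix` is the only method added to `Client` in this hunk without a doc comment; add `// ListFirewallZoneMatrix lists the resources` above it to match its siblings. It also sits inside the FirewallZone marker block although it belongs to a different resource, and the FirewallZonePolicy marker pair is nested inside the FirewallZone pair, which suggests the "end of client methods for FirewallZone" marker is emitted in the wrong place. `ReorderFirewallPolicies`, which this commit adds on `*client`, is not among the methods added here, so callers holding the `Client` interface presumably cannot reach it; if that is unintended, add its signature to the interface. The interface declaration starts and ends outside the hunk.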

100
unifi/firewall_zone.generated.go generated Normal file

@@ -0,0 +1,100 @@
// Code generated from ace.jar fields *.json files
// DO NOT EDIT.
package unifi
import (
"context"
"encoding/json"
"fmt"
)
// just to fix compile issues with the import
var (
_ context.Context
_ fmt.Formatter
_ json.Marshaler
)
type FirewallZone struct {
ID string `json:"_id,omitempty"`
SiteID string `json:"site_id,omitempty"`
Hidden bool `json:"attr_hidden,omitempty"`
HiddenID string `json:"attr_hidden_id,omitempty"`
NoDelete bool `json:"attr_no_delete,omitempty"`
NoEdit bool `json:"attr_no_edit,omitempty"`
Name string `json:"name,omitempty"`
NetworkIDs []string `json:"network_ids"`
}
func (dst *FirewallZone) UnmarshalJSON(b []byte) error {
type Alias FirewallZone
aux := &struct {
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
return nil
}
func (c *client) listFirewallZone(ctx context.Context, site string) ([]FirewallZone, error) {
var respBody []FirewallZone
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall/zone", c.apiPaths.ApiV2Path, site), nil, &respBody)
if err != nil {
return nil, err
}
return respBody, nil
}
func (c *client) getFirewallZone(ctx context.Context, site, id string) (*FirewallZone, error) {
var respBody FirewallZone
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall/zone/%s", c.apiPaths.ApiV2Path, site, id), nil, &respBody)
if err != nil {
return nil, err
}
if respBody.ID == "" {
return nil, ErrNotFound
}
return &respBody, nil
}
func (c *client) deleteFirewallZone(ctx context.Context, site, id string) error {
err := c.Delete(ctx, fmt.Sprintf("%s/site/%s/firewall/zone/%s", c.apiPaths.ApiV2Path, site, id), struct{}{}, nil)
if err != nil {
return err
}
return nil
}
func (c *client) createFirewallZone(ctx context.Context, site string, d *FirewallZone) (*FirewallZone, error) {
var respBody FirewallZone
err := c.Post(ctx, fmt.Sprintf("%s/site/%s/firewall/zone", c.apiPaths.ApiV2Path, site), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}
func (c *client) updateFirewallZone(ctx context.Context, site string, d *FirewallZone) (*FirewallZone, error) {
var respBody FirewallZone
err := c.Put(ctx, fmt.Sprintf("%s/site/%s/firewall/zone/%s", c.apiPaths.ApiV2Path, site, d.ID), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}

23
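--- a/unifi/firewall_zone.go
+++ b/unifi/firewall_zone.go
@@ -0,0 +1,23 @@
+package unifi
+import "context"
+func (c *client) ListFirewallZone(ctx context.Context, site string) ([]FirewallZone, error) {
+return c.listFirewallZone(ctx, site)
+}
+func (c *client) GetFirewallZone(ctx context.Context, site, id string) (*FirewallZone, error) {
+return c.getFirewallZone(ctx, site, id)
+}
+func (c *client) DeleteFirewallZone(ctx context.Context, site, id string) error {
+return c.deleteFirewallZone(ctx, site, id)
+}
+func (c *client) CreateFirewallZone(ctx context.Context, site string, d *FirewallZone) (*FirewallZone, error) {
+return c.createFirewallZone(ctx, site, d)
+}
+func (c *client) UpdateFirewallZone(ctx context.Context, site string, d *FirewallZone) (*FirewallZone, error) {
+return c.updateFirewallZone(ctx, site, d)
+}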
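Review bot: None of these wrappers checks `site` or `id` before delegating, and the generated helpers they call build the request path with `fmt.Sprintf("%s/site/%s/firewall/zone/%s", ...)` without escaping. An empty `id` makes `DeleteFirewallZone` issue its DELETE against the collection path, and a `site` or `id` containing `/` changes which endpoint is addressed, unless `c.Get`/`c.Delete` normalise the path (not visible here). Because the generated file is marked DO NOT EDIT, this hand-written layer is the place for the guard, for example `if id == "" || strings.ContainsRune(id, '/') { return fmt.Errorf("invalid firewall zone id %q", id) }` in `DeleteFirewallZone`, with the equivalent check in `GetFirewallZone` and on `d.ID` in `UpdateFirewallZone`. The FirewallZonePolicy wrappers later in this commit have the same gap.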

125
unifi/firewall_zone_matrix.generated.go generated Normal file

@@ -0,0 +1,125 @@
// Code generated from ace.jar fields *.json files
// DO NOT EDIT.
package unifi
import (
"context"
"encoding/json"
"fmt"
)
// just to fix compile issues with the import
var (
_ context.Context
_ fmt.Formatter
_ json.Marshaler
)
type FirewallZoneMatrix struct {
ID string `json:"_id,omitempty"`
SiteID string `json:"site_id,omitempty"`
Hidden bool `json:"attr_hidden,omitempty"`
HiddenID string `json:"attr_hidden_id,omitempty"`
NoDelete bool `json:"attr_no_delete,omitempty"`
NoEdit bool `json:"attr_no_edit,omitempty"`
Data []FirewallZoneMatrixData `json:"data,omitempty"`
Name string `json:"name,omitempty"`
ZoneKey string `json:"zone_key,omitempty"`
}
func (dst *FirewallZoneMatrix) UnmarshalJSON(b []byte) error {
type Alias FirewallZoneMatrix
aux := &struct {
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
return nil
}
type FirewallZoneMatrixData struct {
Action string `json:"action,omitempty"`
PolicyCount int `json:"policy_count,omitempty"`
}
func (dst *FirewallZoneMatrixData) UnmarshalJSON(b []byte) error {
type Alias FirewallZoneMatrixData
aux := &struct {
PolicyCount emptyStringInt `json:"policy_count"`
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
dst.PolicyCount = int(aux.PolicyCount)
return nil
}
func (c *client) listFirewallZoneMatrix(ctx context.Context, site string) ([]FirewallZoneMatrix, error) {
var respBody []FirewallZoneMatrix
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall/zone-matrix", c.apiPaths.ApiV2Path, site), nil, &respBody)
if err != nil {
return nil, err
}
return respBody, nil
}
func (c *client) getFirewallZoneMatrix(ctx context.Context, site, id string) (*FirewallZoneMatrix, error) {
var respBody FirewallZoneMatrix
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall/zone-matrix/%s", c.apiPaths.ApiV2Path, site, id), nil, &respBody)
if err != nil {
return nil, err
}
if respBody.ID == "" {
return nil, ErrNotFound
}
return &respBody, nil
}
func (c *client) deleteFirewallZoneMatrix(ctx context.Context, site, id string) error {
err := c.Delete(ctx, fmt.Sprintf("%s/site/%s/firewall/zone-matrix/%s", c.apiPaths.ApiV2Path, site, id), struct{}{}, nil)
if err != nil {
return err
}
return nil
}
func (c *client) createFirewallZoneMatrix(ctx context.Context, site string, d *FirewallZoneMatrix) (*FirewallZoneMatrix, error) {
var respBody FirewallZoneMatrix
err := c.Post(ctx, fmt.Sprintf("%s/site/%s/firewall/zone-matrix", c.apiPaths.ApiV2Path, site), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}
func (c *client) updateFirewallZoneMatrix(ctx context.Context, site string, d *FirewallZoneMatrix) (*FirewallZoneMatrix, error) {
var respBody FirewallZoneMatrix
err := c.Put(ctx, fmt.Sprintf("%s/site/%s/firewall/zone-matrix/%s", c.apiPaths.ApiV2Path, site, d.ID), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}


@@ -0,0 +1,9 @@
package unifi
import (
"context"
)
func (c *client) ListFirewallZoneMatrix(ctx context.Context, site string) ([]FirewallZoneMatrix, error) {
return c.listFirewallZoneMatrix(ctx, site)
}

224
unifi/firewall_zone_policy.generated.go generated Normal file

@@ -0,0 +1,224 @@
// Code generated from ace.jar fields *.json files
// DO NOT EDIT.
package unifi
import (
"context"
"encoding/json"
"fmt"
)
// just to fix compile issues with the import
var (
_ context.Context
_ fmt.Formatter
_ json.Marshaler
)
type FirewallZonePolicy struct {
ID string `json:"_id,omitempty"`
SiteID string `json:"site_id,omitempty"`
Hidden bool `json:"attr_hidden,omitempty"`
HiddenID string `json:"attr_hidden_id,omitempty"`
NoDelete bool `json:"attr_no_delete,omitempty"`
NoEdit bool `json:"attr_no_edit,omitempty"`
Action string `json:"action,omitempty" validate:"omitempty,oneof=ALLOW BLOCK REJECT"` // ALLOW|BLOCK|REJECT
ConnectionStateType string `json:"connection_state_type,omitempty" validate:"omitempty,oneof=ALL RESPOND_ONLY CUSTOM"` // ALL|RESPOND_ONLY|CUSTOM
ConnectionStates []string `json:"connection_states,omitempty" validate:"omitempty,oneof=ESTABLISHED NEW RELATED INVALID"` // ESTABLISHED|NEW|RELATED|INVALID
Description string `json:"description,omitempty"`
Destination FirewallZonePolicyDestination `json:"destination,omitempty"`
Enabled bool `json:"enabled"`
IPVersion string `json:"ip_version,omitempty" validate:"omitempty,oneof=BOTH IPV4 IPV6"` // BOTH|IPV4|IPV6
Index int `json:"index,omitempty"` // ^[0-9][0-9]?$|^
Logging bool `json:"logging"`
MatchIPSec bool `json:"match_ip_sec"`
MatchIPSecType string `json:"match_ip_sec_type,omitempty" validate:"omitempty,oneof=MATCH_IP_SEC MATCH_NON_IP_SEC"` // MATCH_IP_SEC|MATCH_NON_IP_SEC
MatchOppositeProtocol bool `json:"match_opposite_protocol"`
Name string `json:"name,omitempty"`
Predefined bool `json:"predefined"`
Protocol string `json:"protocol,omitempty" validate:"omitempty,oneof=all tcp_udp tcp udp ah dccp eigrp esp gre icmp icmpv6 igmp igp ip ipcomp ipip ipv6 isis l2tp manet mobility-header mpls-in-ip number ospf pim pup rdp rohc rspf rcvp sctp shim6 skip st vmtp vrrp wesp xtp"` // all|tcp_udp|tcp|udp|ah|dccp|eigrp|esp|gre|icmp|icmpv6|igmp|igp|ip|ipcomp|ipip|ipv6|isis|l2tp|manet|mobility-header|mpls-in-ip|number|ospf|pim|pup|rdp|rohc|rspf|rcvp|sctp|shim6|skip|st|vmtp|vrrp|wesp|xtp
Schedule FirewallZonePolicySchedule `json:"schedule,omitempty"`
Source FirewallZonePolicySource `json:"source,omitempty"`
}
func (dst *FirewallZonePolicy) UnmarshalJSON(b []byte) error {
type Alias FirewallZonePolicy
aux := &struct {
Index emptyStringInt `json:"index"`
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
dst.Index = int(aux.Index)
return nil
}
type FirewallZonePolicyDestination struct {
AppCategoryIDs []string `json:"app_category_ids,omitempty"`
AppIDs []string `json:"app_ids,omitempty"`
IPs []string `json:"ips,omitempty" validate:"omitempty,ipv4"` // ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^$
MatchMAC bool `json:"match_mac"`
MatchOppositeIPs bool `json:"match_opposite_ips"`
MatchOppositePorts bool `json:"match_opposite_ports"`
MatchingTarget string `json:"matching_target,omitempty" validate:"omitempty,oneof=ANY APP APP_CATEGORY IP REGION WEB"` // ANY|APP|APP_CATEGORY|IP|REGION|WEB
MatchingTargetType string `json:"matching_target_type,omitempty" validate:"omitempty,oneof=ANY OBJECT SPECIFIC"` // ANY|OBJECT|SPECIFIC
Port int `json:"port,omitempty"` // ^[0-9][0-9]?$|^
PortGroupID string `json:"port_group_id"`
PortMatchingType string `json:"port_matching_type,omitempty" validate:"omitempty,oneof=ANY SPECIFIC OBJECT"` // ANY|SPECIFIC|OBJECT
Regions []string `json:"regions,omitempty"`
WebDomains []string `json:"web_domains,omitempty"`
ZoneID string `json:"zone_id"`
}
func (dst *FirewallZonePolicyDestination) UnmarshalJSON(b []byte) error {
type Alias FirewallZonePolicyDestination
aux := &struct {
Port emptyStringInt `json:"port"`
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
dst.Port = int(aux.Port)
return nil
}
type FirewallZonePolicySchedule struct {
Date int `json:"date,omitempty"` // ^$|^(20[0-9]{2})-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$
DateEnd int `json:"date_end,omitempty"` // ^$|^(20[0-9]{2})-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$
DateStart int `json:"date_start,omitempty"` // ^$|^(20[0-9]{2})-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$
Mode string `json:"mode,omitempty" validate:"omitempty,oneof=ALWAYS EVERY_DAY EVERY_WEEK ONE_TIME_ONLY CUSTOM"` // ALWAYS|EVERY_DAY|EVERY_WEEK|ONE_TIME_ONLY|CUSTOM
RepeatOnDays []string `json:"repeat_on_days,omitempty" validate:"omitempty,oneof=mon tue wed thu fri sat sun"` // mon|tue|wed|thu|fri|sat|sun
TimeAllDay bool `json:"time_all_day"`
TimeRangeEnd string `json:"time_range_end,omitempty"` // ^[0-9][0-9]:[0-9][0-9]$
TimeRangeStart string `json:"time_range_start,omitempty"` // ^[0-9][0-9]:[0-9][0-9]$
}
func (dst *FirewallZonePolicySchedule) UnmarshalJSON(b []byte) error {
type Alias FirewallZonePolicySchedule
aux := &struct {
Date emptyStringInt `json:"date"`
DateEnd emptyStringInt `json:"date_end"`
DateStart emptyStringInt `json:"date_start"`
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
dst.Date = int(aux.Date)
dst.DateEnd = int(aux.DateEnd)
dst.DateStart = int(aux.DateStart)
return nil
}
type FirewallZonePolicySource struct {
ClientMACs []string `json:"client_macs,omitempty" validate:"omitempty,mac"` // ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$
IPs []string `json:"ips,omitempty" validate:"omitempty,ipv4"` // ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$|^$
MAC string `json:"mac,omitempty" validate:"omitempty,mac"` // ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$
MatchMAC bool `json:"match_mac"`
MatchOppositeIPs bool `json:"match_opposite_ips"`
MatchOppositeNetworks bool `json:"match_opposite_networks"`
MatchOppositePorts bool `json:"match_opposite_ports"`
MatchingTarget string `json:"matching_target,omitempty" validate:"omitempty,oneof=ANY CLIENT NETWORK IP MAC"` // ANY|CLIENT|NETWORK|IP|MAC
MatchingTargetType string `json:"matching_target_type,omitempty" validate:"omitempty,oneof=OBJECT SPECIFIC"` // OBJECT|SPECIFIC
NetworkIDs []string `json:"network_ids,omitempty"`
Port int `json:"port,omitempty"` // ^[0-9][0-9]?$|^
PortGroupID string `json:"port_group_id"`
PortMatchingType string `json:"port_matching_type,omitempty" validate:"omitempty,oneof=ANY SPECIFIC OBJECT"` // ANY|SPECIFIC|OBJECT
ZoneID string `json:"zone_id"`
}
func (dst *FirewallZonePolicySource) UnmarshalJSON(b []byte) error {
type Alias FirewallZonePolicySource
aux := &struct {
Port emptyStringInt `json:"port"`
*Alias
}{
Alias: (*Alias)(dst),
}
err := json.Unmarshal(b, &aux)
if err != nil {
return fmt.Errorf("unable to unmarshal alias: %w", err)
}
dst.Port = int(aux.Port)
return nil
}
func (c *client) listFirewallZonePolicy(ctx context.Context, site string) ([]FirewallZonePolicy, error) {
var respBody []FirewallZonePolicy
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall-policies", c.apiPaths.ApiV2Path, site), nil, &respBody)
if err != nil {
return nil, err
}
return respBody, nil
}
func (c *client) getFirewallZonePolicy(ctx context.Context, site, id string) (*FirewallZonePolicy, error) {
var respBody FirewallZonePolicy
err := c.Get(ctx, fmt.Sprintf("%s/site/%s/firewall-policies/%s", c.apiPaths.ApiV2Path, site, id), nil, &respBody)
if err != nil {
return nil, err
}
if respBody.ID == "" {
return nil, ErrNotFound
}
return &respBody, nil
}
func (c *client) deleteFirewallZonePolicy(ctx context.Context, site, id string) error {
err := c.Delete(ctx, fmt.Sprintf("%s/site/%s/firewall-policies/%s", c.apiPaths.ApiV2Path, site, id), struct{}{}, nil)
if err != nil {
return err
}
return nil
}
func (c *client) createFirewallZonePolicy(ctx context.Context, site string, d *FirewallZonePolicy) (*FirewallZonePolicy, error) {
var respBody FirewallZonePolicy
err := c.Post(ctx, fmt.Sprintf("%s/site/%s/firewall-policies", c.apiPaths.ApiV2Path, site), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}
func (c *client) updateFirewallZonePolicy(ctx context.Context, site string, d *FirewallZonePolicy) (*FirewallZonePolicy, error) {
var respBody FirewallZonePolicy
err := c.Put(ctx, fmt.Sprintf("%s/site/%s/firewall-policies/%s", c.apiPaths.ApiV2Path, site, d.ID), d, &respBody)
if err != nil {
return nil, err
}
return &respBody, nil
}


@@ -0,0 +1,44 @@
package unifi
import (
"context"
"fmt"
)
type FirewallPolicyOrderUpdate struct {
DestinationZoneId string `json:"destination_zone_id"`
SourceZoneId string `json:"source_zone_id"`
AfterPredefinedIds []string `json:"after_predefined_ids"`
BeforePredefinedIds []string `json:"before_predefined_ids"`
}
func (c *client) ListFirewallZonePolicy(ctx context.Context, site string) ([]FirewallZonePolicy, error) {
return c.listFirewallZonePolicy(ctx, site)
}
func (c *client) GetFirewallZonePolicy(ctx context.Context, site, id string) (*FirewallZonePolicy, error) {
return c.getFirewallZonePolicy(ctx, site, id)
}
func (c *client) DeleteFirewallZonePolicy(ctx context.Context, site, id string) error {
return c.deleteFirewallZonePolicy(ctx, site, id)
}
func (c *client) CreateFirewallZonePolicy(ctx context.Context, site string, d *FirewallZonePolicy) (*FirewallZonePolicy, error) {
return c.createFirewallZonePolicy(ctx, site, d)
}
func (c *client) UpdateFirewallZonePolicy(ctx context.Context, site string, d *FirewallZonePolicy) (*FirewallZonePolicy, error) {
return c.updateFirewallZonePolicy(ctx, site, d)
}
func (c *client) ReorderFirewallPolicies(ctx context.Context, site string, d *FirewallPolicyOrderUpdate) ([]FirewallZonePolicy, error) {
var res []FirewallZonePolicy
err := c.Put(ctx, fmt.Sprintf("%s/site/%s/firewall-policies/batch-reorder", c.apiPaths.ApiV2Path, site), d, res)
if err != nil {
return nil, err
}
// TODO raise error if returned length is not equal to the length of the reordered policies?
return res, nil
}
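Review bot: `ReorderFirewallPolicies` passes `res` to `c.Put` by value, while every other call in this commit passes a pointer (`&respBody`), so the response cannot be decoded into the slice and the function returns a nil list on success (or a decode error, depending on how `c.Put` treats a non-pointer target, which is not visible here). Change the call to `err := c.Put(ctx, fmt.Sprintf("%s/site/%s/firewall-policies/batch-reorder", c.apiPaths.ApiV2Path, site), d, &res)`. Policy order decides which rule matches first, so the TODO is worth resolving as well: once the returned list is populated it can be compared with the requested order instead of assuming the controller applied it. The fields `DestinationZoneId`, `SourceZoneId`, `AfterPredefinedIds` and `BeforePredefinedIds` would be `...ID`/`...IDs` under Go's initialism convention, as the generated structs already are (`SiteID`, `NetworkIDs`).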