feat(network): add configurable VM egress firewall policies and WireGuard-based host routing
@@ -20,6 +20,10 @@ export interface ISmartVMOptions {
bridgeName?: string;
/** Network subnet in CIDR notation. Defaults to '172.30.0.0/24'. */
subnet?: string;
/** VM egress firewall configuration. */
firewall?: IFirewallConfig;
/** Host-side WireGuard egress routing configuration for VM traffic. */
wireguard?: TWireGuardConfig;
/** Directory for cached base images. Defaults to /tmp/.smartvm/base-images. */
baseImageCacheDir?: string;
/** Maximum number of cached base image bundles. Defaults to 2. */
@@ -153,6 +157,67 @@ export interface IMicroVMRuntimeOptions {
ephemeralWritableDrives?: boolean;
}
/** Firewall action for VM egress traffic. */
export type TFirewallAction = 'allow' | 'deny';
/** Firewall protocol selector for VM egress traffic. */
export type TFirewallProtocol = 'all' | 'tcp' | 'udp' | 'icmp';
/** One ordered VM egress firewall rule. */
export interface IFirewallRule {
/** Rule action. */
action: TFirewallAction;
/** Destination IPv4 address or CIDR. Omit to match all destinations. */
to?: string;
/** Protocol to match. Defaults to all. */
protocol?: TFirewallProtocol;
/** Destination port or ports for tcp/udp rules. */
ports?: number | number[];
/** Optional human-readable rule label. */
comment?: string;
}
/** VM egress firewall policy. */
export interface IFirewallEgressConfig {
/** Final action when no rule matches. Defaults to allow. */
defaultAction?: TFirewallAction;
/** Ordered rules; first match wins. */
rules?: IFirewallRule[];
}
/** Firewall configuration. */
export interface IFirewallConfig {
/** Egress firewall for traffic leaving the VM subnet. */
egress?: IFirewallEgressConfig;
}
/** Common WireGuard routing options. */
export interface IWireGuardBaseConfig {
/** Route all VM subnet traffic through this WireGuard interface. Defaults to true. */
routeAllVmTraffic?: boolean;
/** Drop VM traffic that would leave through a non-WireGuard interface. Defaults to true. */
failClosed?: boolean;
/** Linux routing table number for VM WireGuard egress. Defaults to 51820. */
routeTable?: number;
}
/** Managed WireGuard interface created and removed by smartvm. */
export interface IWireGuardManagedConfig extends IWireGuardBaseConfig {
/** wg-quick-style WireGuard config text. Hook fields are rejected. */
config: string;
/** Interface name to create. Defaults to svwg0. */
interfaceName?: string;
}
/** Existing WireGuard interface owned outside smartvm. */
export interface IWireGuardExistingInterfaceConfig extends IWireGuardBaseConfig {
/** Existing WireGuard interface to route VM traffic through. */
existingInterface: string;
}
/** WireGuard egress configuration. */
export type TWireGuardConfig = IWireGuardManagedConfig | IWireGuardExistingInterfaceConfig;
/**
* Firecracker boot source configuration.
*/
@@ -353,6 +418,10 @@ export interface INetworkManagerOptions {
bridgeName?: string;
/** Subnet in CIDR notation. Defaults to '172.30.0.0/24'. */
subnet?: string;
/** VM egress firewall configuration. */
firewall?: IFirewallConfig;
/** Host-side WireGuard egress routing configuration for VM traffic. */
wireguard?: TWireGuardConfig;
}
/**
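Review bot: `IFirewallRule` in the second hunk lets `ports` be combined with `protocol: 'all'` or `'icmp'`, where a port has no meaning, and the docstring does not say whether such a rule is rejected or the ports are silently ignored; for a firewall policy a silently ignored field is the worse of the two, so the contract should be stated, e.g. `/** Destination port or ports (1-65535) for tcp/udp rules; must be omitted for other protocols. */`. Likewise `to` is a free-form string documented as an IPv4 address or CIDR; presumably the implementation renders it into a host firewall rule, so the docstring should say that it is validated as a literal address or CIDR and that anything else is rejected rather than passed through. The `defaultAction` default of `allow` makes an egress policy fail-open when `rules` is empty; that is a legitimate choice, but it is worth stating on `IFirewallConfig` as well, so callers who only list restrictions notice they must set `defaultAction: 'deny'` themselves. The file header for this section is outside the visible page.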