{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.onreza.ru/schemas/firewall-policy-v1.schema.json", "title": "ONREZA Firewall Policy YAML v1", "description": "Schema for authoring ONREZA Firewall policies in YAML. It is an authoring format over the canonical policy model; the dashboard currently publishes canonical JSON.", "type": "object", "additionalProperties": false, "required": ["schemaVersion", "mode", "defaultAction", "rules"], "properties": { "schemaVersion": { "type": "number", "const": 1, "description": "Firewall policy authoring schema version." }, "mode": { "type": "string", "enum": ["shadow", "enforce"], "description": "shadow records decisions without changing responses; enforce applies terminal actions." }, "defaultAction": { "type": "string", "enum": ["allow", "deny"], "description": "Action used when no rule produces a terminal decision." }, "rules": { "maxItems": 200, "type": "array", "items": { "$ref": "#/$defs/rule" }, "description": "Rules run top to bottom. Array order is converted to canonical rule positions when the policy is published." } }, "$defs": { "rule": { "type": "object", "properties": { "id": { "type": "string", "minLength": 1, "maxLength": 64, "pattern": "^[A-Za-z0-9][A-Za-z0-9_-]*$", "description": "Stable rule id used in diffs, metrics and events." }, "name": { "type": "string", "minLength": 1, "maxLength": 120 }, "description": { "type": "string", "maxLength": 500 }, "enabled": { "default": true, "type": "boolean" }, "action": { "$ref": "#/$defs/action" }, "when": { "$ref": "#/$defs/when" } }, "required": ["id", "name", "action", "when"], "additionalProperties": false, "description": "Firewall rule. Server validation also enforces unique rule ids and at most 10 total conditions per rule across all any/all groups.", "x-onreza-refinements": ["unique rule ids per policy", "max 10 total conditions per rule"] }, "action": { "oneOf": [ { "type": "object", "properties": { "type": { "type": "string", "const": "log" } }, "required": ["type"], "additionalProperties": false }, { "type": "object", "properties": { "type": { "type": "string", "const": "allow" } }, "required": ["type"], "additionalProperties": false }, { "type": "object", "properties": { "type": { "type": "string", "const": "deny" }, "statusCode": { "default": 403, "type": "integer", "minimum": 400, "maximum": 499 } }, "required": ["type"], "additionalProperties": false }, { "type": "object", "properties": { "type": { "type": "string", "const": "rate_limit" }, "limit": { "type": "integer", "minimum": 1, "maximum": 100000 }, "windowSeconds": { "type": "integer", "minimum": 10, "maximum": 600 }, "key": { "default": "ip", "type": "string", "enum": ["ip", "ip_path", "ip_host", "host"] } }, "required": ["type", "limit", "windowSeconds"], "additionalProperties": false } ] }, "when": { "type": "object", "properties": { "any": { "minItems": 1, "maxItems": 5, "type": "array", "items": { "$ref": "#/$defs/conditionGroup" }, "description": "OR groups. A rule matches when any group matches." } }, "required": ["any"], "additionalProperties": false, "description": "Rule condition groups." }, "conditionGroup": { "type": "object", "properties": { "all": { "minItems": 1, "maxItems": 10, "type": "array", "items": { "$ref": "#/$defs/condition" }, "description": "AND conditions inside one group." } }, "required": ["all"], "additionalProperties": false, "description": "A rule matches this group when all conditions match." }, "condition": { "type": "object", "properties": { "field": { "type": "string", "enum": [ "client.ip", "geo.country", "geo.continent", "request.host", "request.path", "request.method", "request.header", "request.cookie", "request.query", "ua.raw", "ua.browser", "ua.device" ] }, "op": { "type": "string", "enum": [ "equals", "not_equals", "in", "not_in", "contains", "not_contains", "prefix", "suffix", "regex", "not_regex", "exists", "not_exists", "in_cidr", "not_in_cidr" ] }, "key": { "type": "string", "minLength": 1, "maxLength": 64, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_`|~]+$" }, "value": { "type": "string", "minLength": 1, "maxLength": 1024 }, "values": { "minItems": 1, "maxItems": 100, "type": "array", "items": { "type": "string", "minLength": 1, "maxLength": 1024 } }, "caseSensitive": { "type": "boolean" } }, "required": ["field", "op"], "additionalProperties": false, "allOf": [ { "not": { "required": ["value", "values"] } }, { "if": { "properties": { "field": { "enum": ["request.header", "request.cookie", "request.query"] } } }, "then": { "required": ["key"] }, "else": { "not": { "required": ["key"] } } }, { "if": { "properties": { "op": { "enum": ["exists", "not_exists"] } } }, "then": { "not": { "anyOf": [ { "required": ["value"] }, { "required": ["values"] } ] } } }, { "if": { "properties": { "op": { "enum": ["in", "not_in", "in_cidr", "not_in_cidr"] } } }, "then": { "required": ["values"] }, "else": { "if": { "properties": { "op": { "not": { "enum": ["exists", "not_exists"] } } } }, "then": { "required": ["value"] } } }, { "if": { "properties": { "op": { "enum": ["in_cidr", "not_in_cidr"] } } }, "then": { "properties": { "field": { "const": "client.ip" }, "values": { "items": { "anyOf": [ { "type": "string", "format": "ipv4", "pattern": "^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$" }, { "type": "string", "format": "ipv6", "pattern": "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$" }, { "type": "string", "format": "cidrv4", "pattern": "^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\\/([0-9]|[1-2][0-9]|3[0-2])$" }, { "type": "string", "format": "cidrv6", "pattern": "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::|([0-9a-fA-F]{1,4})?::([0-9a-fA-F]{1,4}:?){0,6})\\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$" } ] } } } } }, { "if": { "properties": { "op": { "enum": ["regex", "not_regex"] } } }, "then": { "$ref": "#/$defs/regexConditionValues" } }, { "if": { "properties": { "field": { "const": "geo.country" } } }, "then": { "$ref": "#/$defs/countryConditionValues" } }, { "if": { "properties": { "field": { "const": "geo.continent" } } }, "then": { "$ref": "#/$defs/continentConditionValues" } } ] }, "regexConditionValues": { "properties": { "value": { "type": "string", "maxLength": 512, "format": "regex", "not": { "pattern": "(\\(\\?(?!:)|\\\\[1-9])" }, "description": "Rust regex subset only: no lookaround/lookbehind or backreferences." }, "values": { "type": "array", "items": { "type": "string", "maxLength": 512, "format": "regex", "not": { "pattern": "(\\(\\?(?!:)|\\\\[1-9])" }, "description": "Rust regex subset only: no lookaround/lookbehind or backreferences." } } } }, "countryConditionValues": { "properties": { "value": { "type": "string", "pattern": "^[A-Z]{2}$" }, "values": { "type": "array", "items": { "type": "string", "pattern": "^[A-Z]{2}$" } } } }, "continentConditionValues": { "properties": { "value": { "type": "string", "pattern": "^(AF|AN|AS|EU|NA|OC|SA)$" }, "values": { "type": "array", "items": { "type": "string", "pattern": "^(AF|AN|AS|EU|NA|OC|SA)$" } } } } }, "examples": [ { "schemaVersion": 1, "mode": "shadow", "defaultAction": "allow", "rules": [ { "id": "block-admin-outside-office", "name": "Block admin outside office", "enabled": true, "action": { "type": "deny", "statusCode": 403 }, "when": { "any": [ { "all": [ { "field": "request.path", "op": "prefix", "value": "/admin" }, { "field": "client.ip", "op": "not_in_cidr", "values": ["203.0.113.0/24"] } ] } ] } } ] } ] }