ansible-collections / community.proxysql

ProxySQL Ansible Collection
http://galaxy.ansible.com/community/proxysql
GNU General Public License v3.0

proxysql firewall support #144

Open atimonin opened 1 year ago

atimonin commented 1 year ago

New feature needed for firewall management in proxysql: https://mydbops.wordpress.com/2020/04/21/building-a-mysql-firewall-with-proxysql/

SUMMARY

At least, I now need modules to manage mysql_firewall_whitelist_users and mysql_firewall_whitelist_rules

ISSUE TYPE

ADDITIONAL INFORMATION

markuman commented 1 year ago

I think this should be a separate module, but maybe it's possible to implement it in proxysql_mysql_users

It is impossible to integrate it into proxysql_mysql_users module imo.
I also think it must result in three new modules. Everything else will be very complicated.

mysql_firewall_whitelist_rules

CREATE TABLE mysql_firewall_whitelist_rules (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    schemaname VARCHAR NOT NULL,
    flagIN INT NOT NULL DEFAULT 0,
    digest VARCHAR NOT NULL,
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address, schemaname, flagIN, digest) )

mysql_firewall_whitelist_sqli_fingerprints

CREATE TABLE mysql_firewall_whitelist_sqli_fingerprints (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    fingerprint VARCHAR NOT NULL,
    PRIMARY KEY (fingerprint) )

mysql_firewall_whitelist_users

CREATE TABLE mysql_firewall_whitelist_users (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    mode VARCHAR CHECK (mode IN ('OFF','DETECTING','PROTECTING')) NOT NULL DEFAULT ('OFF'),
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address) )

What's your use case?
I've tried firewalling a Nextcloud application in the past. But it's nearly impossible.
This will only work properly if

@atimonin do you have some time to implement and contribute those modules?
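
Added example, not part of the thread and not code from the collection: a sketch of the idempotent present/absent logic a module for mysql_firewall_whitelist_users would need, keyed on the table's primary key (username, client_address). The function name `ensure_whitelist_user`, the sample user and address, and the use of an in-memory SQLite database in place of the ProxySQL admin interface are assumptions made so the example runs offline.

```python
import sqlite3

# DDL copied from the comment above. SQLite in memory is an assumed stand-in
# for the ProxySQL admin interface so the example runs offline.
DDL = """
CREATE TABLE mysql_firewall_whitelist_users (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    mode VARCHAR CHECK (mode IN ('OFF','DETECTING','PROTECTING')) NOT NULL DEFAULT ('OFF'),
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address) )
"""
TABLE = "mysql_firewall_whitelist_users"
WHERE = "WHERE username = ? AND client_address = ?"


def ensure_whitelist_user(conn, username, client_address, mode="OFF",
                          active=1, comment="", state="present"):
    """Hypothetical module core: converge one row, return True if it changed."""
    key = (username, client_address)
    row = conn.execute(
        f"SELECT active, mode, comment FROM {TABLE} {WHERE}", key).fetchone()
    if state == "absent":
        if row is None:
            return False  # already absent, nothing to do
        conn.execute(f"DELETE FROM {TABLE} {WHERE}", key)
        return True
    if row == (active, mode, comment):
        return False  # row already matches the requested values
    # REPLACE overwrites the row that shares the primary key, or inserts it.
    conn.execute(
        f"REPLACE INTO {TABLE} (active, username, client_address, mode, comment) "
        "VALUES (?, ?, ?, ?, ?)", (active, username, client_address, mode, comment))
    return True


def demo():
    """Run four converge steps on a constructed user and address."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    who = ("app", "10.0.0.5")  # constructed sample values
    return conn, [
        ensure_whitelist_user(conn, *who, mode="DETECTING"),   # created
        ensure_whitelist_user(conn, *who, mode="DETECTING"),   # unchanged
        ensure_whitelist_user(conn, *who, mode="PROTECTING"),  # mode updated
        ensure_whitelist_user(conn, *who, state="absent"),     # removed
    ]


if __name__ == "__main__":
    print(demo()[1])
```

On a real ProxySQL instance the same statements would go through the admin interface, followed by LOAD MYSQL FIREWALL TO RUNTIME and SAVE MYSQL FIREWALL TO DISK.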