]> git.proxmox.com Git - pve-firewall.git/blame - src/PVE/API2/Firewall/IPSet.pm
api: fix scoping for ipset endpoint
1package PVE::API2::Firewall::IPSetBase;
2
3use strict;
4use warnings;
4a11bba5 5use PVE::Exception qw(raise raise_param_exc);
6use PVE::JSONSchema qw(get_standard_option);
7
8use PVE::Firewall;
9
10use base qw(PVE::RESTHandler);
11
# Schema fragments reused by the per-entry IPSet API methods registered below.
# Each register_* sub copies the fragments it needs into its own parameter
# schema, so every method validates 'name'/'cidr' with the same definitions.
my $api_properties = {
    # Name of the IPSet being addressed (standard 'ipset-name' option).
    name => get_standard_option('ipset-name'),
    # One IPSet member; validated with the 'IPorCIDRorAlias' string format.
    cidr => {
        description => "Network/IP specification in CIDR format.",
        type => 'string',
        format => 'IPorCIDRorAlias',
    },
    # Optional free-text comment stored with the member.
    comment => {
        type => 'string',
        optional => 1,
    },
    # Optional flag stored with the member.
    nomatch => {
        type => 'boolean',
        optional => 1,
    },
};
27
# Abstract hook. Subclasses override this to hand $code and $param to the
# matching PVE::Firewall lock helper; the base implementation always dies so
# that a subclass without its own locking cannot modify a config unlocked.
sub lock_config {
    my ($class, $param, $code) = @_;

    die "implement this in subclass";
}
33
# Abstract hook. Subclasses override this to load the firewall configuration
# selected by $param; the base implementation always dies.
sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    # Expected shape of a subclass implementation's return value:
    #return ($cluster_conf, $fw_conf, $ipset);
}
41
# Abstract hook. Subclasses override this to persist $fw_conf for the scope
# selected by $param; the base implementation always dies.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    die "implement this in subclass";
}
47
# Abstract hook. Subclasses return the rule environment string that the
# register_* subs pass to PVE::Firewall::rules_audit_permissions() and
# rules_modify_permissions(); the base implementation always dies, so no
# method can be registered without an explicit permission scope.
sub rule_env {
    my ($class, $param) = @_;

    die "implement this in subclass";
}
53
# Store or remove one IPSet inside $fw_conf and persist the configuration.
#
#   $param->{name}  name of the IPSet to write
#   $fw_conf        configuration hash that holds the 'ipset' table
#   $ipset          new member list, or undef to delete the whole IPSet
#
# Returns whatever the subclass's save_config() returns. This sub takes no
# lock itself; the handlers in this file call it from inside lock_config().
sub save_ipset {
    my ($class, $param, $fw_conf, $ipset) = @_;

    my $set_name = $param->{name};

    if (defined $ipset) {
        $fw_conf->{ipset}->{$set_name} = $ipset;
    } else {
        delete $fw_conf->{ipset}->{$set_name};
    }

    return $class->save_config($param, $fw_conf);
}
65
# Per-class registry of extra schema properties, keyed by class name.
my $additional_param_hash = {};

# Get (and optionally set) the extra API parameters for $class.
#
# With a defined $new_value the registry entry for $class is replaced first.
# Always returns a fresh hash, so callers can add keys without touching the
# registry. The copy is shallow: the property definitions themselves are
# shared with the registered hash.
sub additional_parameters {
    my ($class, $new_value) = @_;

    $additional_param_hash->{$class} = $new_value if defined($new_value);

    my $registered = $additional_param_hash->{$class} || {};

    return { %$registered };
}
81
# Register GET '' (method name 'get_ipset'): list the members of one IPSet.
#
# Access is gated by PVE::Firewall::rules_audit_permissions() for the
# subclass's rule_env(), evaluated once at registration time. The handler
# reads the configuration without taking the config lock.
sub register_get_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();
    $properties->{name} = $api_properties->{name};

    # Shape of one returned list element.
    my $member_schema = {
        type => "object",
        properties => {
            cidr => {
                type => 'string',
            },
            comment => {
                type => 'string',
                optional => 1,
            },
            nomatch => {
                type => 'boolean',
                optional => 1,
            },
            digest => get_standard_option('pve-config-digest', { optional => 0} ),
        },
    };

    my $handler = sub {
        my ($param) = @_;

        # load_config() dies if the named IPSet does not exist.
        my (undef, undef, $ipset) = $class->load_config($param);

        return PVE::Firewall::copy_list_with_digest($ipset);
    };

    $class->register_method({
        name => 'get_ipset',
        path => '',
        method => 'GET',
        description => "List IPSet content",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => {
            type => 'array',
            items => $member_schema,
            links => [ { rel => 'child', href => "{cidr}" } ],
        },
        code => $handler,
    });
}
128
# Register DELETE '' (method name 'delete_ipset'): remove a whole IPSet.
#
# Access is gated by PVE::Firewall::rules_modify_permissions() for the
# subclass's rule_env(). A non-empty IPSet is only removed when the caller
# passes 'force'. The emptiness check and the removal both run inside
# lock_config(), so they act on the same loaded configuration.
sub register_delete_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = get_standard_option('ipset-name');
    $properties->{force} = {
        type => 'boolean',
        optional => 1,
        description => 'Delete all members of the IPSet, if there are any.',
    };

    my $delete_locked = sub {
        my ($param) = @_;

        my (undef, $fw_conf, $ipset) = $class->load_config($param);

        if (scalar(@$ipset) && !$param->{force}) {
            die "IPSet '$param->{name}' is not empty\n";
        }

        # undef as the member list tells save_ipset() to drop the set.
        $class->save_ipset($param, $fw_conf, undef);
    };

    $class->register_method({
        name => 'delete_ipset',
        path => '',
        method => 'DELETE',
        description => "Delete IPSet",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => 'null' },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, $delete_locked);

            return undef;
        },
    });
}
171
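# Register POST '' (method name 'create_ip'): add one member to an IPSet.
#
# Access is gated by PVE::Firewall::rules_modify_permissions() for the
# subclass's rule_env(). The whole load / validate / save sequence runs
# inside lock_config().
#
# The 'cidr' parameter is either an alias reference, optionally prefixed with
# the scope 'dc/' or 'guest/', or an IP/CIDR. Alias references are resolved
# only to prove that the alias exists and are stored as given; IP/CIDR values
# are normalised before the duplicate check.
sub register_create_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};

    $class->register_method({
        name => 'create_ip',
        path => '',
        method => 'POST',
        description => "Add IP or Network to IPSet.",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

                my $cidr = $param->{cidr};
                # Anchor with \A and \z instead of ^ and $: '$' also matches
                # just before a trailing newline, and in this branch the
                # unmodified $cidr (not the captured $alias) is what gets
                # stored. The schema format check presumably rejects such
                # input earlier (confirm); this keeps the handler strict on
                # its own.
                if ($cidr =~ m@\A(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})\z@) {
                    my $scope = $1 // "";
                    my $alias = $2;
                    # on the cluster level
                    $cluster_conf = $fw_conf if (!$cluster_conf);
                    # make sure alias exists (if $cidr is an alias)
                    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
                } else {
                    $cidr = PVE::Firewall::clean_cidr($cidr);
                    # normalize like config parser, otherwise duplicates might slip through
                    $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
                }

                # Reject exact duplicates of an existing member.
                foreach my $entry (@$ipset) {
                    raise_param_exc({ cidr => "address '$cidr' already exists" })
                        if $entry->{cidr} eq $cidr;
                }

                # A '/0' prefix is rejected outright.
                raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
                    if $cidr =~ m!/0+$!;

                my $data = { cidr => $cidr };

                $data->{nomatch} = 1 if $param->{nomatch};
                $data->{comment} = $param->{comment} if $param->{comment};

                # New members go to the front of the list.
                unshift @$ipset, $data;

                $class->save_ipset($param, $fw_conf, $ipset);
            });

            return undef;
        },
    });
}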
239
# Register GET '{cidr}' (method name 'read_ip'): return one IPSet member.
#
# Access is gated by PVE::Firewall::rules_audit_permissions() for the
# subclass's rule_env(). The handler reads without taking the config lock.
#
# NOTE(review): this read is marked 'protected => 1' while the sibling list
# method get_ipset is not - confirm the flag is needed here.
# NOTE(review): $param->{cidr} is compared as given, whereas create_ip stores
# IP/CIDR values in normalised form; a non-normalised spelling will not match.
sub register_read_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};

    my $handler = sub {
        my ($param) = @_;

        my (undef, undef, $ipset) = $class->load_config($param);

        my $list = PVE::Firewall::copy_list_with_digest($ipset);

        # First member whose stored cidr equals the requested one.
        my ($match) = grep { $_->{cidr} eq $param->{cidr} } @$list;
        return $match if $match;

        raise_param_exc({ cidr => "no such IP/Network" });
    };

    $class->register_method({
        name => 'read_ip',
        path => '{cidr}',
        method => 'GET',
        description => "Read IP or Network settings from IPSet.",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        protected => 1,
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "object" },
        code => $handler,
    });
}
276
# Register PUT '{cidr}' (method name 'update_ip'): change 'nomatch' and
# 'comment' of an existing IPSet member.
#
# Access is gated by PVE::Firewall::rules_modify_permissions() for the
# subclass's rule_env(). Inside lock_config() the handler recomputes the
# list digest and calls PVE::Tools::assert_if_modified() with the caller's
# 'digest' before writing.
#
# Both fields are overwritten with the request values, so a field left out
# of the request ends up undefined on the member.
sub register_update_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};
    $properties->{digest} = get_standard_option('pve-config-digest');

    # Runs under the config lock; returns 1 if a member was updated, else 0.
    my $update_locked = sub {
        my ($param) = @_;

        my (undef, $fw_conf, $ipset) = $class->load_config($param);

        my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
        PVE::Tools::assert_if_modified($digest, $param->{digest});

        foreach my $entry (@$ipset) {
            next if $entry->{cidr} ne $param->{cidr};

            $entry->{nomatch} = $param->{nomatch};
            $entry->{comment} = $param->{comment};
            $class->save_ipset($param, $fw_conf, $ipset);
            return 1;
        }

        return 0;
    };

    $class->register_method({
        name => 'update_ip',
        path => '{cidr}',
        method => 'PUT',
        description => "Update IP or Network settings",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            my $found = $class->lock_config($param, $update_locked);

            raise_param_exc({ cidr => "no such IP/Network" }) if !$found;

            return;
        },
    });
}
328
# Register DELETE '{cidr}' (method name 'remove_ip'): drop every member of
# the IPSet whose stored cidr equals the requested one.
#
# Access is gated by PVE::Firewall::rules_modify_permissions() for the
# subclass's rule_env(). Inside lock_config() the handler recomputes the
# list digest and calls PVE::Tools::assert_if_modified() with the caller's
# 'digest' before writing.
#
# NOTE(review): unlike read_ip and update_ip, no error is raised when no
# member matches; the unchanged list is saved and the call succeeds.
sub register_delete_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{digest} = get_standard_option('pve-config-digest');

    my $remove_locked = sub {
        my ($param) = @_;

        my (undef, $fw_conf, $ipset) = $class->load_config($param);

        my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
        PVE::Tools::assert_if_modified($digest, $param->{digest});

        # Keep every member except the requested one.
        my $new = [ grep { $_->{cidr} ne $param->{cidr} } @$ipset ];

        $class->save_ipset($param, $fw_conf, $new);
    };

    $class->register_method({
        name => 'remove_ip',
        path => '{cidr}',
        method => 'DELETE',
        description => "Remove IP or Network from IPSet.",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, $remove_locked);

            return undef;
        },
    });
}
373
# Register all six IPSet API methods for $class, in a fixed order.
# Returns the result of the last registration call.
sub register_handlers {
    my ($class) = @_;

    my @leading = qw(
        register_delete_ipset
        register_get_ipset
        register_create_ip
        register_read_ip
        register_update_ip
    );

    foreach my $registrar (@leading) {
        $class->$registrar();
    }

    return $class->register_delete_ip();
}
384
# IPSet member API for the cluster-wide firewall configuration.
package PVE::API2::Firewall::ClusterIPset;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::IPSetBase);

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code($param) through the cluster firewall config lock helper.
# The literal 10 is the helper's first argument - presumably a timeout in
# seconds; confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster config and the IPSet named by $param->{name}.
# Dies if the IPSet does not exist. There is no separate cluster config at
# this level, so the first return value is undef.
sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset) or die "no such IPSet '$param->{name}'\n";

    return (undef, $fw_conf, $ipset);
}

# Persist the cluster firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();
421
# IPSet member API for a VM's firewall configuration.
package PVE::API2::Firewall::VMIPset;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Must run before register_handlers(): the register_* subs read these extra
# parameters when they build each method's schema.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code($param) through the lock helper for the guest's firewall config.
# The literal 10 is presumably a timeout in seconds; confirm against
# PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config, the VM's firewall config and the IPSet named by
# $param->{name}. Dies if the IPSet does not exist in the VM's config.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset) or die "no such IPSet '$param->{name}'\n";

    return ($cluster_conf, $fw_conf, $ipset);
}

# Persist the VM's firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();
465
# IPSet member API for a container's firewall configuration.
package PVE::API2::Firewall::CTIPset;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Must run before register_handlers(): the register_* subs read these extra
# parameters when they build each method's schema.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code($param) through the lock helper for the guest's firewall config.
# The literal 10 is presumably a timeout in seconds; confirm against
# PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config, the container's firewall config and the IPSet
# named by $param->{name}. Dies if the IPSet does not exist.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset) or die "no such IPSet '$param->{name}'\n";

    return ($cluster_conf, $fw_conf, $ipset);
}

# Persist the container's firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();
509
510package PVE::API2::Firewall::BaseIPSetList;
511
512use strict;
513use warnings;
e74a87f5 514use PVE::JSONSchema qw(get_standard_option);
c85c87f9 515use PVE::Exception qw(raise_param_exc);
e74a87f5 516use PVE::Firewall;
517
518use base qw(PVE::RESTHandler);
519
# Abstract hook. Subclasses override this to hand $code and $param to the
# matching PVE::Firewall lock helper; the base implementation always dies.
sub lock_config {
    my ($class, $param, $code) = @_;

    die "implement this in subclass";
}
525
# Abstract hook. Subclasses override this to load the firewall configuration
# selected by $param; the base implementation always dies.
sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    # Expected shape of a subclass implementation's return value:
    #return ($cluster_conf, $fw_conf);
}
533
# Abstract hook. Subclasses override this to persist $fw_conf for the scope
# selected by $param; the base implementation always dies.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    die "implement this in subclass";
}
539
# Abstract hook. Subclasses return the rule environment string that
# register_index() and register_create() pass to the PVE::Firewall
# rules_*_permissions() helpers; the base implementation always dies.
sub rule_env {
    my ($class, $param) = @_;

    die "implement this in subclass";
}
545
# Per-class registry of extra schema properties, keyed by class name.
my $additional_param_hash_list = {};

# Get (and optionally set) the extra API parameters for $class.
#
# With a defined $new_value the registry entry for $class is replaced first.
# Always returns a fresh hash, so callers can add keys without touching the
# registry. The copy is shallow: the property definitions themselves are
# shared with the registered hash.
sub additional_parameters {
    my ($class, $new_value) = @_;

    $additional_param_hash_list->{$class} = $new_value if defined($new_value);

    my $registered = $additional_param_hash_list->{$class} || {};

    return { %$registered };
}
561
# Build the index of IPSets defined in $fw_conf, sorted by name.
#
# Each element carries 'name' and, when a non-empty comment is stored for the
# set, 'comment'. The list is passed through
# PVE::Firewall::copy_list_with_digest(); in list context the result is
# ($list, $digest), in scalar context only $list.
my $get_ipset_list = sub {
    my ($fw_conf) = @_;

    my @rows = map {
        my $comment = $fw_conf->{ipset_comments}->{$_};
        $comment ? { name => $_, comment => $comment } : { name => $_ };
    } sort keys %{$fw_conf->{ipset}};

    my ($list, $digest) = PVE::Firewall::copy_list_with_digest(\@rows);

    return $list if !wantarray;
    return ($list, $digest);
};
580
# Register GET '' (method name 'ipset_index'): list the IPSets of one scope.
#
# Access is gated by PVE::Firewall::rules_audit_permissions() for the
# subclass's rule_env(), evaluated once at registration time. The handler
# reads the configuration without taking the config lock.
sub register_index {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    # Shape of one returned list element.
    my $row_schema = {
        type => "object",
        properties => {
            name => get_standard_option('ipset-name'),
            digest => get_standard_option('pve-config-digest', { optional => 0} ),
            comment => {
                type => 'string',
                optional => 1,
            }
        },
    };

    my $handler = sub {
        my ($param) = @_;

        my (undef, $fw_conf) = $class->load_config($param);

        return $get_ipset_list->($fw_conf);
    };

    $class->register_method({
        name => 'ipset_index',
        path => '',
        method => 'GET',
        description => "List IPSets",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => {
            type => 'array',
            items => $row_schema,
            links => [ { rel => 'child', href => "{name}" } ],
        },
        code => $handler,
    });
}
619
# Register POST '' (method name 'create_ipset'): create an IPSet, or rename
# an existing one when 'rename' is given.
#
# Access is gated by PVE::Firewall::rules_modify_permissions() for the
# subclass's rule_env(). All checks and the save run inside lock_config().
#
# Rename path: the index digest is recomputed and checked against the
# caller's 'digest' with PVE::Tools::assert_if_modified(), the source set
# must exist, and the target name must be unused unless it equals the source
# (which allows a comment-only update). The create path does no digest check
# and refuses a name that is already taken.
#
# NOTE(review): on the rename path the "does not exist" error is reported
# under the 'name' key although the offending value is 'rename' - confirm
# this is intended.
sub register_create {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = get_standard_option('ipset-name');

    $properties->{comment} = { type => 'string', optional => 1 };

    $properties->{digest} = get_standard_option('pve-config-digest');

    $properties->{rename} = get_standard_option('ipset-name', {
        description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
        optional => 1 });

    my $create_locked = sub {
        my ($param) = @_;

        my (undef, $fw_conf) = $class->load_config($param);

        my $new_name = $param->{name};

        if (my $old_name = $param->{rename}) {
            my (undef, $digest) = $get_ipset_list->($fw_conf);
            PVE::Tools::assert_if_modified($digest, $param->{digest});

            raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" })
                if !$fw_conf->{ipset}->{$old_name};

            # prevent overwriting existing ipset
            raise_param_exc({ name => "IPSet '$param->{name}' does already exist"})
                if $fw_conf->{ipset}->{$new_name} && $new_name ne $old_name;

            # Move the member list, then the stored comment, to the new name.
            my $data = delete $fw_conf->{ipset}->{$old_name};
            $fw_conf->{ipset}->{$new_name} = $data;
            if (my $comment = delete $fw_conf->{ipset_comments}->{$old_name}) {
                $fw_conf->{ipset_comments}->{$new_name} = $comment;
            }
            # An explicit comment in the request wins over the moved one.
            $fw_conf->{ipset_comments}->{$new_name} = $param->{comment} if defined($param->{comment});
        } else {
            foreach my $name (grep { $_ eq $new_name } keys %{$fw_conf->{ipset}}) {
                raise_param_exc({ name => "IPSet '$name' already exists" });
            }

            $fw_conf->{ipset}->{$new_name} = [];
            $fw_conf->{ipset_comments}->{$new_name} = $param->{comment} if defined($param->{comment});
        }

        $class->save_config($param, $fw_conf);
    };

    $class->register_method({
        name => 'create_ipset',
        path => '',
        method => 'POST',
        description => "Create new IPSet",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => 'null' },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, $create_locked);

            return undef;
        },
    });
}
689
# Register the two list-level IPSet API methods for $class: the index first,
# then create/rename. Returns the result of the second registration call.
sub register_handlers {
    my ($class) = @_;

    $class->register_index();

    return $class->register_create();
}
c85c87f9 696
# IPSet list API (index, create/rename) for the cluster-wide firewall
# configuration; member-level calls are delegated to ClusterIPset.
package PVE::API2::Firewall::ClusterIPSetList;

use strict;
use warnings;
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code($param) through the cluster firewall config lock helper.
# The literal 10 is presumably a timeout in seconds; confirm against
# PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster firewall config. It is returned in the second slot (the
# one the base class treats as $fw_conf); the first slot is undef.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

    return (undef, $cluster_conf);
}

# Persist the cluster firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

# Route '{name}' and everything below it to the member-level handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPset",
    path => '{name}',
    # Set the fragment delimiter to empty (no subdirs): a CIDR address
    # contains a slash '/', which must stay part of one path fragment.
    fragmentDelimiter => '',
});
738
# IPSet list API (index, create/rename) for a VM's firewall configuration;
# member-level calls are delegated to VMIPset.
package PVE::API2::Firewall::VMIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Must run before register_handlers(): the register_* subs read these extra
# parameters when they build each method's schema.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Run $code($param) through the lock helper for the guest's firewall config.
# The literal 10 is presumably a timeout in seconds; confirm against
# PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the VM's firewall config.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});

    return ($cluster_conf, $fw_conf);
}

# Persist the VM's firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Route '{name}' and everything below it to the member-level handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMIPset",
    path => '{name}',
    # Set the fragment delimiter to empty (no subdirs): a CIDR address
    # contains a slash '/', which must stay part of one path fragment.
    fragmentDelimiter => '',
});
787
# IPSet list API (index, create/rename) for a container's firewall
# configuration; member-level calls are delegated to CTIPset.
package PVE::API2::Firewall::CTIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Must run before register_handlers(): the register_* subs read these extra
# parameters when they build each method's schema.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Permission scope handed to the rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Run $code($param) through the lock helper for the guest's firewall config.
# The literal 10 is presumably a timeout in seconds; confirm against
# PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the container's firewall config.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});

    return ($cluster_conf, $fw_conf);
}

# Persist the container's firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Route '{name}' and everything below it to the member-level handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTIPset",
    path => '{name}',
    # Set the fragment delimiter to empty (no subdirs): a CIDR address
    # contains a slash '/', which must stay part of one path fragment.
    fragmentDelimiter => '',
});
836
009ee3ac 8371;