]>
Commit | Line | Data |
---|---|---|
009ee3ac DM |
1 | package PVE::API2::Firewall::IPSetBase; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
4a11bba5 | 5 | use PVE::Exception qw(raise raise_param_exc); |
009ee3ac DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
9 | ||
10 | use base qw(PVE::RESTHandler); | |
11 | ||
75a12a9d | 12 | my $api_properties = { |
009ee3ac DM |
13 | cidr => { |
14 | description => "Network/IP specification in CIDR format.", | |
ae029a88 | 15 | type => 'string', format => 'IPorCIDRorAlias', |
009ee3ac | 16 | }, |
e74a87f5 | 17 | name => get_standard_option('ipset-name'), |
009ee3ac DM |
18 | comment => { |
19 | type => 'string', | |
20 | optional => 1, | |
21 | }, | |
22 | nomatch => { | |
23 | type => 'boolean', | |
24 | optional => 1, | |
25 | }, | |
26 | }; | |
27 | ||
05496017 FG |
28 | sub lock_config { |
29 | my ($class, $param, $code) = @_; | |
30 | ||
31 | die "implement this in subclass"; | |
32 | } | |
33 | ||
009ee3ac DM |
34 | sub load_config { |
35 | my ($class, $param) = @_; | |
36 | ||
37 | die "implement this in subclass"; | |
1210ae94 DM |
38 | |
39 | #return ($cluster_conf, $fw_conf, $ipset); | |
009ee3ac DM |
40 | } |
41 | ||
1210ae94 DM |
42 | sub save_config { |
43 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac DM |
44 | |
45 | die "implement this in subclass"; | |
46 | } | |
47 | ||
9f6845cf DM |
48 | sub rule_env { |
49 | my ($class, $param) = @_; | |
75a12a9d | 50 | |
9f6845cf DM |
51 | die "implement this in subclass"; |
52 | } | |
53 | ||
1210ae94 DM |
54 | sub save_ipset { |
55 | my ($class, $param, $fw_conf, $ipset) = @_; | |
56 | ||
57 | if (!defined($ipset)) { | |
58 | delete $fw_conf->{ipset}->{$param->{name}}; | |
59 | } else { | |
60 | $fw_conf->{ipset}->{$param->{name}} = $ipset; | |
61 | } | |
62 | ||
63 | $class->save_config($param, $fw_conf); | |
64 | } | |
65 | ||
009ee3ac DM |
66 | my $additional_param_hash = {}; |
67 | ||
68 | sub additional_parameters { | |
69 | my ($class, $new_value) = @_; | |
70 | ||
71 | if (defined($new_value)) { | |
72 | $additional_param_hash->{$class} = $new_value; | |
73 | } | |
74 | ||
75 | # return a copy | |
76 | my $copy = {}; | |
77 | my $org = $additional_param_hash->{$class} || {}; | |
78 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
79 | return $copy; | |
80 | } | |
81 | ||
82 | sub register_get_ipset { | |
83 | my ($class) = @_; | |
84 | ||
85 | my $properties = $class->additional_parameters(); | |
86 | ||
87 | $properties->{name} = $api_properties->{name}; | |
88 | ||
89 | $class->register_method({ | |
90 | name => 'get_ipset', | |
91 | path => '', | |
92 | method => 'GET', | |
93 | description => "List IPSet content", | |
9f6845cf | 94 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
009ee3ac DM |
95 | parameters => { |
96 | additionalProperties => 0, | |
97 | properties => $properties, | |
98 | }, | |
99 | returns => { | |
100 | type => 'array', | |
101 | items => { | |
102 | type => "object", | |
103 | properties => { | |
104 | cidr => { | |
105 | type => 'string', | |
106 | }, | |
107 | comment => { | |
108 | type => 'string', | |
109 | optional => 1, | |
110 | }, | |
111 | nomatch => { | |
112 | type => 'boolean', | |
113 | optional => 1, | |
d72c631c | 114 | }, |
75a12a9d | 115 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
009ee3ac DM |
116 | }, |
117 | }, | |
118 | links => [ { rel => 'child', href => "{cidr}" } ], | |
119 | }, | |
120 | code => sub { | |
121 | my ($param) = @_; | |
122 | ||
1210ae94 | 123 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
009ee3ac | 124 | |
5d38d64f | 125 | return PVE::Firewall::copy_list_with_digest($ipset); |
009ee3ac DM |
126 | }}); |
127 | } | |
128 | ||
1210ae94 DM |
129 | sub register_delete_ipset { |
130 | my ($class) = @_; | |
131 | ||
132 | my $properties = $class->additional_parameters(); | |
133 | ||
134 | $properties->{name} = get_standard_option('ipset-name'); | |
5e3c0cf8 LN |
135 | $properties->{force} = { |
136 | type => 'boolean', | |
137 | optional => 1, | |
138 | description => 'Delete all members of the IPSet, if there are any.', | |
139 | }; | |
1210ae94 DM |
140 | |
141 | $class->register_method({ | |
142 | name => 'delete_ipset', | |
143 | path => '', | |
144 | method => 'DELETE', | |
145 | description => "Delete IPSet", | |
146 | protected => 1, | |
9f6845cf | 147 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
1210ae94 DM |
148 | parameters => { |
149 | additionalProperties => 0, | |
150 | properties => $properties, | |
151 | }, | |
152 | returns => { type => 'null' }, | |
153 | code => sub { | |
154 | my ($param) = @_; | |
75a12a9d | 155 | |
a38849e6 FG |
156 | $class->lock_config($param, sub { |
157 | my ($param) = @_; | |
158 | ||
159 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
1210ae94 | 160 | |
a38849e6 | 161 | die "IPSet '$param->{name}' is not empty\n" |
5e3c0cf8 | 162 | if scalar(@$ipset) && !$param->{force}; |
1210ae94 | 163 | |
a38849e6 FG |
164 | $class->save_ipset($param, $fw_conf, undef); |
165 | ||
166 | }); | |
1210ae94 DM |
167 | |
168 | return undef; | |
169 | }}); | |
170 | } | |
171 | ||
a33c74f6 | 172 | sub register_create_ip { |
009ee3ac DM |
173 | my ($class) = @_; |
174 | ||
175 | my $properties = $class->additional_parameters(); | |
176 | ||
177 | $properties->{name} = $api_properties->{name}; | |
178 | $properties->{cidr} = $api_properties->{cidr}; | |
179 | $properties->{nomatch} = $api_properties->{nomatch}; | |
180 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c | 181 | |
009ee3ac | 182 | $class->register_method({ |
a33c74f6 | 183 | name => 'create_ip', |
009ee3ac DM |
184 | path => '', |
185 | method => 'POST', | |
186 | description => "Add IP or Network to IPSet.", | |
187 | protected => 1, | |
9f6845cf | 188 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
189 | parameters => { |
190 | additionalProperties => 0, | |
191 | properties => $properties, | |
192 | }, | |
193 | returns => { type => "null" }, | |
194 | code => sub { | |
195 | my ($param) = @_; | |
196 | ||
a38849e6 FG |
197 | $class->lock_config($param, sub { |
198 | my ($param) = @_; | |
009ee3ac | 199 | |
a38849e6 | 200 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
75a12a9d | 201 | |
eeed0d90 | 202 | my $cidr = $param->{cidr}; |
5bf304b5 | 203 | if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) { |
eeed0d90 LN |
204 | my $scope = $1 // ""; |
205 | my $alias = $2; | |
aaa87fbb LN |
206 | # on the cluster level |
207 | $cluster_conf = $fw_conf if (!$cluster_conf); | |
891545e8 | 208 | # make sure alias exists (if $cidr is an alias) |
eeed0d90 | 209 | PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope); |
891545e8 | 210 | } else { |
eeed0d90 | 211 | $cidr = PVE::Firewall::clean_cidr($cidr); |
891545e8 FG |
212 | # normalize like config parser, otherwise duplicates might slip through |
213 | $cidr = PVE::Firewall::parse_ip_or_cidr($cidr); | |
214 | } | |
a38849e6 FG |
215 | |
216 | foreach my $entry (@$ipset) { | |
217 | raise_param_exc({ cidr => "address '$cidr' already exists" }) | |
218 | if $entry->{cidr} eq $cidr; | |
219 | } | |
220 | ||
221 | raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" }) | |
222 | if $cidr =~ m!/0+$!; | |
4a11bba5 | 223 | |
1b36f6ec | 224 | |
a38849e6 | 225 | my $data = { cidr => $cidr }; |
7c619bbb | 226 | |
a38849e6 FG |
227 | $data->{nomatch} = 1 if $param->{nomatch}; |
228 | $data->{comment} = $param->{comment} if $param->{comment}; | |
7c619bbb | 229 | |
a38849e6 | 230 | unshift @$ipset, $data; |
009ee3ac | 231 | |
a38849e6 | 232 | $class->save_ipset($param, $fw_conf, $ipset); |
009ee3ac | 233 | |
a38849e6 | 234 | }); |
009ee3ac DM |
235 | |
236 | return undef; | |
237 | }}); | |
238 | } | |
239 | ||
a33c74f6 DM |
240 | sub register_read_ip { |
241 | my ($class) = @_; | |
242 | ||
243 | my $properties = $class->additional_parameters(); | |
244 | ||
245 | $properties->{name} = $api_properties->{name}; | |
246 | $properties->{cidr} = $api_properties->{cidr}; | |
75a12a9d | 247 | |
a33c74f6 DM |
248 | $class->register_method({ |
249 | name => 'read_ip', | |
250 | path => '{cidr}', | |
251 | method => 'GET', | |
252 | description => "Read IP or Network settings from IPSet.", | |
9f6845cf | 253 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
a33c74f6 DM |
254 | protected => 1, |
255 | parameters => { | |
256 | additionalProperties => 0, | |
257 | properties => $properties, | |
258 | }, | |
259 | returns => { type => "object" }, | |
260 | code => sub { | |
261 | my ($param) = @_; | |
262 | ||
1210ae94 | 263 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
a33c74f6 | 264 | |
5d38d64f DM |
265 | my $list = PVE::Firewall::copy_list_with_digest($ipset); |
266 | ||
267 | foreach my $entry (@$list) { | |
d72c631c | 268 | if ($entry->{cidr} eq $param->{cidr}) { |
d72c631c DM |
269 | return $entry; |
270 | } | |
a33c74f6 DM |
271 | } |
272 | ||
273 | raise_param_exc({ cidr => "no such IP/Network" }); | |
274 | }}); | |
275 | } | |
276 | ||
277 | sub register_update_ip { | |
278 | my ($class) = @_; | |
279 | ||
280 | my $properties = $class->additional_parameters(); | |
281 | ||
282 | $properties->{name} = $api_properties->{name}; | |
283 | $properties->{cidr} = $api_properties->{cidr}; | |
284 | $properties->{nomatch} = $api_properties->{nomatch}; | |
285 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c DM |
286 | $properties->{digest} = get_standard_option('pve-config-digest'); |
287 | ||
a33c74f6 DM |
288 | $class->register_method({ |
289 | name => 'update_ip', | |
290 | path => '{cidr}', | |
291 | method => 'PUT', | |
292 | description => "Update IP or Network settings", | |
293 | protected => 1, | |
9f6845cf | 294 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
a33c74f6 DM |
295 | parameters => { |
296 | additionalProperties => 0, | |
297 | properties => $properties, | |
298 | }, | |
299 | returns => { type => "null" }, | |
300 | code => sub { | |
301 | my ($param) = @_; | |
302 | ||
a38849e6 FG |
303 | my $found = $class->lock_config($param, sub { |
304 | my ($param) = @_; | |
305 | ||
306 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
a33c74f6 | 307 | |
a38849e6 FG |
308 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
309 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
d72c631c | 310 | |
a38849e6 FG |
311 | foreach my $entry (@$ipset) { |
312 | if($entry->{cidr} eq $param->{cidr}) { | |
313 | $entry->{nomatch} = $param->{nomatch}; | |
314 | $entry->{comment} = $param->{comment}; | |
315 | $class->save_ipset($param, $fw_conf, $ipset); | |
316 | return 1; | |
317 | } | |
a33c74f6 | 318 | } |
a38849e6 FG |
319 | |
320 | return 0; | |
321 | }); | |
322 | ||
323 | return if $found; | |
a33c74f6 DM |
324 | |
325 | raise_param_exc({ cidr => "no such IP/Network" }); | |
326 | }}); | |
327 | } | |
328 | ||
329 | sub register_delete_ip { | |
009ee3ac DM |
330 | my ($class) = @_; |
331 | ||
332 | my $properties = $class->additional_parameters(); | |
333 | ||
334 | $properties->{name} = $api_properties->{name}; | |
335 | $properties->{cidr} = $api_properties->{cidr}; | |
d72c631c DM |
336 | $properties->{digest} = get_standard_option('pve-config-digest'); |
337 | ||
009ee3ac DM |
338 | $class->register_method({ |
339 | name => 'remove_ip', | |
340 | path => '{cidr}', | |
341 | method => 'DELETE', | |
342 | description => "Remove IP or Network from IPSet.", | |
343 | protected => 1, | |
9f6845cf | 344 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
345 | parameters => { |
346 | additionalProperties => 0, | |
347 | properties => $properties, | |
348 | }, | |
349 | returns => { type => "null" }, | |
350 | code => sub { | |
351 | my ($param) = @_; | |
352 | ||
a38849e6 FG |
353 | $class->lock_config($param, sub { |
354 | my ($param) = @_; | |
009ee3ac | 355 | |
a38849e6 | 356 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
d72c631c | 357 | |
a38849e6 FG |
358 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
359 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
75a12a9d | 360 | |
a38849e6 | 361 | my $new = []; |
009ee3ac | 362 | |
a38849e6 FG |
363 | foreach my $entry (@$ipset) { |
364 | push @$new, $entry if $entry->{cidr} ne $param->{cidr}; | |
365 | } | |
366 | ||
367 | $class->save_ipset($param, $fw_conf, $new); | |
368 | }); | |
75a12a9d | 369 | |
009ee3ac DM |
370 | return undef; |
371 | }}); | |
372 | } | |
373 | ||
374 | sub register_handlers { | |
375 | my ($class) = @_; | |
376 | ||
1210ae94 | 377 | $class->register_delete_ipset(); |
009ee3ac | 378 | $class->register_get_ipset(); |
a33c74f6 DM |
379 | $class->register_create_ip(); |
380 | $class->register_read_ip(); | |
381 | $class->register_update_ip(); | |
382 | $class->register_delete_ip(); | |
009ee3ac DM |
383 | } |
384 | ||
385 | package PVE::API2::Firewall::ClusterIPset; | |
386 | ||
387 | use strict; | |
388 | use warnings; | |
389 | ||
390 | use base qw(PVE::API2::Firewall::IPSetBase); | |
391 | ||
9f6845cf DM |
392 | sub rule_env { |
393 | my ($class, $param) = @_; | |
75a12a9d | 394 | |
9f6845cf DM |
395 | return 'cluster'; |
396 | } | |
397 | ||
05496017 FG |
398 | sub lock_config { |
399 | my ($class, $param, $code) = @_; | |
400 | ||
401 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
402 | } | |
403 | ||
009ee3ac DM |
404 | sub load_config { |
405 | my ($class, $param) = @_; | |
406 | ||
407 | my $fw_conf = PVE::Firewall::load_clusterfw_conf(); | |
408 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
409 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
410 | ||
1210ae94 | 411 | return (undef, $fw_conf, $ipset); |
009ee3ac DM |
412 | } |
413 | ||
1210ae94 DM |
414 | sub save_config { |
415 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac | 416 | |
009ee3ac DM |
417 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
418 | } | |
419 | ||
420 | __PACKAGE__->register_handlers(); | |
421 | ||
1210ae94 DM |
422 | package PVE::API2::Firewall::VMIPset; |
423 | ||
424 | use strict; | |
425 | use warnings; | |
426 | use PVE::JSONSchema qw(get_standard_option); | |
427 | ||
428 | use base qw(PVE::API2::Firewall::IPSetBase); | |
429 | ||
9f6845cf DM |
430 | sub rule_env { |
431 | my ($class, $param) = @_; | |
75a12a9d | 432 | |
9f6845cf DM |
433 | return 'vm'; |
434 | } | |
435 | ||
75a12a9d | 436 | __PACKAGE__->additional_parameters({ |
1210ae94 | 437 | node => get_standard_option('pve-node'), |
75a12a9d | 438 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
439 | }); |
440 | ||
05496017 FG |
441 | sub lock_config { |
442 | my ($class, $param, $code) = @_; | |
443 | ||
444 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
445 | } | |
446 | ||
1210ae94 DM |
447 | sub load_config { |
448 | my ($class, $param) = @_; | |
449 | ||
450 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
451 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
452 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
453 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
454 | ||
455 | return ($cluster_conf, $fw_conf, $ipset); | |
456 | } | |
457 | ||
458 | sub save_config { | |
459 | my ($class, $param, $fw_conf) = @_; | |
460 | ||
461 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
462 | } | |
463 | ||
464 | __PACKAGE__->register_handlers(); | |
465 | ||
466 | package PVE::API2::Firewall::CTIPset; | |
467 | ||
468 | use strict; | |
469 | use warnings; | |
470 | use PVE::JSONSchema qw(get_standard_option); | |
471 | ||
472 | use base qw(PVE::API2::Firewall::IPSetBase); | |
473 | ||
9f6845cf DM |
474 | sub rule_env { |
475 | my ($class, $param) = @_; | |
75a12a9d | 476 | |
9f6845cf DM |
477 | return 'ct'; |
478 | } | |
479 | ||
75a12a9d | 480 | __PACKAGE__->additional_parameters({ |
1210ae94 | 481 | node => get_standard_option('pve-node'), |
75a12a9d | 482 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
483 | }); |
484 | ||
05496017 FG |
485 | sub lock_config { |
486 | my ($class, $param, $code) = @_; | |
487 | ||
488 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
489 | } | |
490 | ||
1210ae94 DM |
491 | sub load_config { |
492 | my ($class, $param) = @_; | |
493 | ||
494 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
495 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
496 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
497 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
498 | ||
499 | return ($cluster_conf, $fw_conf, $ipset); | |
500 | } | |
501 | ||
502 | sub save_config { | |
503 | my ($class, $param, $fw_conf) = @_; | |
504 | ||
505 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
506 | } | |
507 | ||
508 | __PACKAGE__->register_handlers(); | |
509 | ||
c85c87f9 DM |
510 | package PVE::API2::Firewall::BaseIPSetList; |
511 | ||
512 | use strict; | |
513 | use warnings; | |
e74a87f5 | 514 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 | 515 | use PVE::Exception qw(raise_param_exc); |
e74a87f5 | 516 | use PVE::Firewall; |
c85c87f9 DM |
517 | |
518 | use base qw(PVE::RESTHandler); | |
519 | ||
05496017 FG |
520 | sub lock_config { |
521 | my ($class, $param, $code) = @_; | |
522 | ||
523 | die "implement this in subclass"; | |
524 | } | |
525 | ||
1210ae94 DM |
526 | sub load_config { |
527 | my ($class, $param) = @_; | |
75a12a9d | 528 | |
1210ae94 DM |
529 | die "implement this in subclass"; |
530 | ||
531 | #return ($cluster_conf, $fw_conf); | |
532 | } | |
533 | ||
534 | sub save_config { | |
535 | my ($class, $param, $fw_conf) = @_; | |
536 | ||
537 | die "implement this in subclass"; | |
538 | } | |
539 | ||
9f6845cf DM |
540 | sub rule_env { |
541 | my ($class, $param) = @_; | |
75a12a9d | 542 | |
9f6845cf DM |
543 | die "implement this in subclass"; |
544 | } | |
545 | ||
1210ae94 DM |
546 | my $additional_param_hash_list = {}; |
547 | ||
548 | sub additional_parameters { | |
549 | my ($class, $new_value) = @_; | |
550 | ||
551 | if (defined($new_value)) { | |
552 | $additional_param_hash_list->{$class} = $new_value; | |
553 | } | |
554 | ||
555 | # return a copy | |
556 | my $copy = {}; | |
557 | my $org = $additional_param_hash_list->{$class} || {}; | |
558 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
559 | return $copy; | |
560 | } | |
561 | ||
5d38d64f DM |
562 | my $get_ipset_list = sub { |
563 | my ($fw_conf) = @_; | |
564 | ||
565 | my $res = []; | |
53bbbf31 | 566 | foreach my $name (sort keys %{$fw_conf->{ipset}}) { |
75a12a9d | 567 | my $data = { |
5d38d64f DM |
568 | name => $name, |
569 | }; | |
570 | if (my $comment = $fw_conf->{ipset_comments}->{$name}) { | |
571 | $data->{comment} = $comment; | |
572 | } | |
573 | push @$res, $data; | |
574 | } | |
575 | ||
576 | my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res); | |
577 | ||
578 | return wantarray ? ($list, $digest) : $list; | |
579 | }; | |
580 | ||
c85c87f9 DM |
581 | sub register_index { |
582 | my ($class) = @_; | |
583 | ||
1210ae94 DM |
584 | my $properties = $class->additional_parameters(); |
585 | ||
c85c87f9 DM |
586 | $class->register_method({ |
587 | name => 'ipset_index', | |
588 | path => '', | |
589 | method => 'GET', | |
590 | description => "List IPSets", | |
9f6845cf | 591 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
c85c87f9 DM |
592 | parameters => { |
593 | additionalProperties => 0, | |
1210ae94 | 594 | properties => $properties, |
c85c87f9 DM |
595 | }, |
596 | returns => { | |
597 | type => 'array', | |
598 | items => { | |
599 | type => "object", | |
75a12a9d | 600 | properties => { |
e74a87f5 | 601 | name => get_standard_option('ipset-name'), |
d72c631c | 602 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
75a12a9d | 603 | comment => { |
d72c631c DM |
604 | type => 'string', |
605 | optional => 1, | |
606 | } | |
c85c87f9 DM |
607 | }, |
608 | }, | |
609 | links => [ { rel => 'child', href => "{name}" } ], | |
610 | }, | |
611 | code => sub { | |
612 | my ($param) = @_; | |
75a12a9d | 613 | |
1210ae94 | 614 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
c85c87f9 | 615 | |
75a12a9d | 616 | return &$get_ipset_list($fw_conf); |
c85c87f9 DM |
617 | }}); |
618 | } | |
619 | ||
620 | sub register_create { | |
621 | my ($class) = @_; | |
622 | ||
1210ae94 DM |
623 | my $properties = $class->additional_parameters(); |
624 | ||
625 | $properties->{name} = get_standard_option('ipset-name'); | |
626 | ||
627 | $properties->{comment} = { type => 'string', optional => 1 }; | |
628 | ||
629 | $properties->{digest} = get_standard_option('pve-config-digest'); | |
630 | ||
631 | $properties->{rename} = get_standard_option('ipset-name', { | |
632 | description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.", | |
633 | optional => 1 }); | |
634 | ||
c85c87f9 DM |
635 | $class->register_method({ |
636 | name => 'create_ipset', | |
637 | path => '', | |
638 | method => 'POST', | |
639 | description => "Create new IPSet", | |
640 | protected => 1, | |
9f6845cf | 641 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
c85c87f9 DM |
642 | parameters => { |
643 | additionalProperties => 0, | |
1210ae94 | 644 | properties => $properties, |
c85c87f9 DM |
645 | }, |
646 | returns => { type => 'null' }, | |
647 | code => sub { | |
648 | my ($param) = @_; | |
75a12a9d | 649 | |
a38849e6 FG |
650 | $class->lock_config($param, sub { |
651 | my ($param) = @_; | |
c85c87f9 | 652 | |
a38849e6 | 653 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
5d38d64f | 654 | |
a38849e6 FG |
655 | if ($param->{rename}) { |
656 | my (undef, $digest) = &$get_ipset_list($fw_conf); | |
657 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
5d38d64f | 658 | |
a38849e6 FG |
659 | raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" }) |
660 | if !$fw_conf->{ipset}->{$param->{rename}}; | |
5da1a229 | 661 | |
a38849e6 FG |
662 | # prevent overwriting existing ipset |
663 | raise_param_exc({ name => "IPSet '$param->{name}' does already exist"}) | |
664 | if $fw_conf->{ipset}->{$param->{name}} && | |
665 | $param->{name} ne $param->{rename}; | |
5d38d64f | 666 | |
a38849e6 FG |
667 | my $data = delete $fw_conf->{ipset}->{$param->{rename}}; |
668 | $fw_conf->{ipset}->{$param->{name}} = $data; | |
669 | if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) { | |
670 | $fw_conf->{ipset_comments}->{$param->{name}} = $comment; | |
671 | } | |
672 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
673 | } else { | |
674 | foreach my $name (keys %{$fw_conf->{ipset}}) { | |
675 | raise_param_exc({ name => "IPSet '$name' already exists" }) | |
676 | if $name eq $param->{name}; | |
677 | } | |
678 | ||
679 | $fw_conf->{ipset}->{$param->{name}} = []; | |
680 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
681 | } | |
bc374ca7 | 682 | |
a38849e6 FG |
683 | $class->save_config($param, $fw_conf); |
684 | }); | |
c85c87f9 DM |
685 | |
686 | return undef; | |
687 | }}); | |
688 | } | |
689 | ||
1210ae94 | 690 | sub register_handlers { |
c85c87f9 DM |
691 | my ($class) = @_; |
692 | ||
1210ae94 DM |
693 | $class->register_index(); |
694 | $class->register_create(); | |
695 | } | |
c85c87f9 | 696 | |
1210ae94 | 697 | package PVE::API2::Firewall::ClusterIPSetList; |
c85c87f9 | 698 | |
1210ae94 DM |
699 | use strict; |
700 | use warnings; | |
701 | use PVE::Firewall; | |
5d38d64f | 702 | |
1210ae94 DM |
703 | use base qw(PVE::API2::Firewall::BaseIPSetList); |
704 | ||
9f6845cf DM |
705 | sub rule_env { |
706 | my ($class, $param) = @_; | |
75a12a9d | 707 | |
9f6845cf DM |
708 | return 'cluster'; |
709 | } | |
710 | ||
05496017 FG |
711 | sub lock_config { |
712 | my ($class, $param, $code) = @_; | |
713 | ||
714 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
715 | } | |
716 | ||
1210ae94 DM |
717 | sub load_config { |
718 | my ($class, $param) = @_; | |
75a12a9d | 719 | |
1210ae94 DM |
720 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
721 | return (undef, $cluster_conf); | |
722 | } | |
c85c87f9 | 723 | |
1210ae94 DM |
724 | sub save_config { |
725 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 726 | |
1210ae94 DM |
727 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
728 | } | |
c85c87f9 | 729 | |
1210ae94 DM |
730 | __PACKAGE__->register_handlers(); |
731 | ||
732 | __PACKAGE__->register_method ({ | |
75a12a9d | 733 | subclass => "PVE::API2::Firewall::ClusterIPset", |
1210ae94 | 734 | path => '{name}', |
75a12a9d TL |
735 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
736 | fragmentDelimiter => '', | |
1210ae94 DM |
737 | }); |
738 | ||
739 | package PVE::API2::Firewall::VMIPSetList; | |
740 | ||
741 | use strict; | |
742 | use warnings; | |
743 | use PVE::JSONSchema qw(get_standard_option); | |
744 | use PVE::Firewall; | |
745 | ||
746 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
747 | ||
75a12a9d | 748 | __PACKAGE__->additional_parameters({ |
1210ae94 | 749 | node => get_standard_option('pve-node'), |
75a12a9d | 750 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
751 | }); |
752 | ||
9f6845cf DM |
753 | sub rule_env { |
754 | my ($class, $param) = @_; | |
75a12a9d | 755 | |
9f6845cf DM |
756 | return 'vm'; |
757 | } | |
758 | ||
05496017 FG |
759 | sub lock_config { |
760 | my ($class, $param, $code) = @_; | |
761 | ||
762 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
763 | } | |
764 | ||
1210ae94 DM |
765 | sub load_config { |
766 | my ($class, $param) = @_; | |
75a12a9d | 767 | |
1210ae94 DM |
768 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
769 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
770 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
771 | } |
772 | ||
1210ae94 DM |
773 | sub save_config { |
774 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 775 | |
1210ae94 | 776 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
777 | } |
778 | ||
1210ae94 DM |
779 | __PACKAGE__->register_handlers(); |
780 | ||
781 | __PACKAGE__->register_method ({ | |
75a12a9d | 782 | subclass => "PVE::API2::Firewall::VMIPset", |
1210ae94 | 783 | path => '{name}', |
75a12a9d TL |
784 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
785 | fragmentDelimiter => '', | |
1210ae94 DM |
786 | }); |
787 | ||
788 | package PVE::API2::Firewall::CTIPSetList; | |
c85c87f9 DM |
789 | |
790 | use strict; | |
791 | use warnings; | |
1210ae94 | 792 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 DM |
793 | use PVE::Firewall; |
794 | ||
795 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
796 | ||
75a12a9d | 797 | __PACKAGE__->additional_parameters({ |
1210ae94 | 798 | node => get_standard_option('pve-node'), |
75a12a9d | 799 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
800 | }); |
801 | ||
9f6845cf DM |
802 | sub rule_env { |
803 | my ($class, $param) = @_; | |
75a12a9d | 804 | |
9f6845cf DM |
805 | return 'ct'; |
806 | } | |
807 | ||
05496017 FG |
808 | sub lock_config { |
809 | my ($class, $param, $code) = @_; | |
810 | ||
811 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
812 | } | |
813 | ||
c85c87f9 | 814 | sub load_config { |
1210ae94 | 815 | my ($class, $param) = @_; |
75a12a9d | 816 | |
1210ae94 DM |
817 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
818 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
819 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
820 | } |
821 | ||
822 | sub save_config { | |
1210ae94 | 823 | my ($class, $param, $fw_conf) = @_; |
c85c87f9 | 824 | |
1210ae94 | 825 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
826 | } |
827 | ||
828 | __PACKAGE__->register_handlers(); | |
829 | ||
830 | __PACKAGE__->register_method ({ | |
75a12a9d | 831 | subclass => "PVE::API2::Firewall::CTIPset", |
c85c87f9 | 832 | path => '{name}', |
75a12a9d TL |
833 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
834 | fragmentDelimiter => '', | |
c85c87f9 DM |
835 | }); |
836 | ||
009ee3ac | 837 | 1; |