1 package PVE
::API2
::Firewall
::Cluster
;
5 use PVE
::Exception
qw(raise raise_param_exc raise_perm_exc);
6 use PVE
::JSONSchema
qw(get_standard_option);
9 use PVE
::API2
::Firewall
::Aliases
;
10 use PVE
::API2
::Firewall
::Rules
;
11 use PVE
::API2
::Firewall
::Groups
;
12 use PVE
::API2
::Firewall
::IPSet
;
17 use base
qw(PVE::RESTHandler);
# Mount four sub-handlers on this REST handler through register_method's
# 'subclass' key: security groups, cluster rules, cluster IPSet list and
# cluster aliases.
# NOTE(review): this listing shows only some source lines (see the gutter
# numbers); the entries between them, presumably each mount's 'path' and the
# closing braces, are not visible, so the URL segment per subclass cannot be
# read from here.
# NOTE(review): no 'permissions' key is visible on these mounts. Access
# control for the subtrees presumably lives in the subclasses themselves;
# confirm that every method they register declares its own check.
19 __PACKAGE__-
>register_method ({
20 subclass
=> "PVE::API2::Firewall::Groups",
24 __PACKAGE__-
>register_method ({
25 subclass
=> "PVE::API2::Firewall::ClusterRules",
29 __PACKAGE__-
>register_method ({
30 subclass
=> "PVE::API2::Firewall::ClusterIPSetList",
34 __PACKAGE__-
>register_method ({
35 subclass
=> "PVE::API2::Firewall::ClusterAliases",
# Directory index of this API node: returns the child entries that the
# 'links' template ({name}) turns into child URLs.
# The method name, path and handler body are on lines this listing omits.
40 __PACKAGE__-
>register_method({
# 'user => all' places no privilege requirement on the index itself.
# NOTE(review): presumably this still means "any authenticated user";
# confirm against PVE::RESTHandler / the access-control layer.
44 permissions
=> { user
=> 'all' },
45 description
=> "Directory index.",
# Reject parameters that are not declared in the schema.
47 additionalProperties
=> 0,
55 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
# Two of the returned child names are visible here; any others are on
# omitted lines.
61 { name
=> 'aliases' },
63 { name
=> 'options' },
# Schema of the cluster-wide firewall options, taken from PVE::Firewall.
# It is the single allow-list used below both as the return schema of
# get_options and as the set of keys set_options may write or delete.
73 my $option_properties = $PVE::Firewall
::cluster_option_properties
;
# Helper: copy every cluster option property into the caller's property
# hash, overwriting any key of the same name already present there.
# NOTE(review): the return statement is on an omitted line; the call site in
# set_options uses the result as 'properties', so it presumably returns
# $properties. Confirm.
75 my $add_option_properties = sub {
76 my ($properties) = @_;
78 foreach my $k (keys %$option_properties) {
79 $properties->{$k} = $option_properties->{$k};
# API method 'get_options': read the cluster-wide firewall options.
# Path, HTTP method and the start of the handler sub are on omitted lines.
86 __PACKAGE__-
>register_method({
87 name
=> 'get_options',
90 description
=> "Get Firewall options.",
# Read access is gated on the Sys.Audit privilege on the root path '/'.
92 check
=> ['perm', '/', [ 'Sys.Audit' ]],
# Undeclared request parameters are rejected.
95 additionalProperties
=> 0,
99 #additionalProperties => 1,
# The returned object is described by the shared cluster option schema.
100 properties
=> $option_properties,
# Load the cluster firewall configuration.
105 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
# Return only the 'options' section, passed through the digest helper.
# NOTE(review): set_options reads a digest as the helper's second list
# value; presumably the copy returned here carries that digest so a client
# can send it back with its update. Confirm in PVE::Firewall.
107 return PVE
::Firewall
::copy_opject_with_digest
($cluster_conf->{options
});
# API method 'set_options': change or delete cluster-wide firewall options.
# Because 'enable' is one of the writable options, this call can switch the
# cluster firewall on or off; the privilege check below is the only gate
# visible in this listing, so review who holds Sys.Modify on '/'.
# Path, HTTP method and the start of the handler sub are on omitted lines.
111 __PACKAGE__-
>register_method({
112 name
=> 'set_options',
115 description
=> "Set Firewall options.",
# Write access requires the Sys.Modify privilege on the root path '/'.
118 check
=> ['perm', '/', [ 'Sys.Modify' ]],
# Only declared parameters are accepted: the cluster option properties plus
# the 'delete' and 'digest' entries visible below.
121 additionalProperties
=> 0,
122 properties
=> &$add_option_properties({
# 'delete' entry (its key is on an omitted line): list of option names.
124 type
=> 'string', format
=> 'pve-configid-list',
125 description
=> "A list of settings you want to delete.",
# Digest supplied by the client, checked below against the current config.
128 digest
=> get_standard_option
('pve-config-digest'),
131 returns
=> { type
=> "null" },
# The whole load / check / modify / save sequence runs inside the callback
# given to lock_clusterfw_conf.
# NOTE(review): the first argument 10 is presumably a lock timeout in
# seconds. Confirm in PVE::Firewall.
135 PVE
::Firewall
::lock_clusterfw_conf
(10, sub {
# Re-read the configuration inside the callback so the check below sees the
# current state.
136 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
# Digest of the current 'options' section only (second list value).
138 my (undef, $digest) = PVE
::Firewall
::copy_opject_with_digest
($cluster_conf->{options
});
# Compare the current digest with the one the client sent.
# NOTE(review): presumably raises when they differ and is a no-op when the
# client sent no digest, i.e. the lost-update protection is opt-in. Confirm
# in PVE::Tools.
139 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Deletions are applied first. Each requested name must be a key of the
# option schema; anything else aborts the request with a parameter error,
# so arbitrary keys of the config hash cannot be removed.
141 if ($param->{delete}) {
142 foreach my $opt (PVE
::Tools
::split_list
($param->{delete})) {
# The rejected name is echoed back in the error message.
143 raise_param_exc
({ delete => "no such option '$opt'" })
144 if !$option_properties->{$opt};
145 delete $cluster_conf->{options
}->{$opt};
# An 'enable' value greater than 1 is replaced by the current epoch time, so
# the stored value becomes a timestamp rather than the client's number.
149 if (defined($param->{enable
}) && ($param->{enable
} > 1)) {
150 $param->{enable
} = time();
# Copy only schema-known keys that the client actually supplied; undefined
# parameters leave the stored value untouched. An option named both in
# 'delete' and as a parameter ends up set, because this runs after the
# deletion loop.
153 foreach my $k (keys %$option_properties) {
154 next if !defined($param->{$k});
155 $cluster_conf->{options
}->{$k} = $param->{$k};
# Persist the modified configuration.
158 PVE
::Firewall
::save_clusterfw_conf
($cluster_conf);
161 # instant firewall update when using double (anti-lockout) API call
162 # -> not waiting for a firewall update at the first (timestamp enable) set
# At this point $param->{enable} already holds time() whenever the branch
# above ran, so this test is true in exactly those requests and triggers an
# immediate PVE::Firewall::update().
163 if (defined($param->{enable
}) && ($param->{enable
} > 1)) {
164 PVE
::Firewall
::update
();
# API method 'get_macros': list the firewall macros known to PVE::Firewall.
# Path, HTTP method, return schema details and the initialisation of $res
# are on omitted lines.
170 __PACKAGE__-
>register_method({
171 name
=> 'get_macros',
174 description
=> "List available macros",
# No privilege is required beyond 'user => all'; the handler reads only the
# macro table from get_macros(), not the cluster configuration.
175 permissions
=> { user
=> 'all' },
177 additionalProperties
=> 0,
# Return-schema descriptions for the two fields of each list entry.
185 description
=> "Macro name.",
189 description
=> "More verbose description (if available).",
# get_macros() yields two hash refs: the macros and their descriptions.
200 my ($macros, $descr) = PVE
::Firewall
::get_macros
();
# One entry per macro; the macro name doubles as the description when no
# description exists (or it is an empty/false value).
202 foreach my $macro (keys %$macros) {
203 push @$res, { macro => $macro, descr
=> $descr->{$macro} || $macro };
# API method listing the IPSet and alias names that can be referenced in a
# rule's source/dest properties. Its name, path, most of the schema and the
# construction of each $data entry are on lines this listing omits.
209 __PACKAGE__-
>register_method({
213 description
=> "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
# Requires the Sys.Audit privilege on the root path '/'.
215 check
=> ['perm', '/', [ 'Sys.Audit' ]],
218 additionalProperties
=> 0,
# Optional filter parameter, restricted by the schema to the two values below.
221 description
=> "Only list references of specified type.",
223 enum
=> ['alias', 'ipset'],
# NOTE(review): second occurrence of the same enum; presumably the 'type'
# field of the return schema. Confirm against the full file.
235 enum
=> ['alias', 'ipset'],
# Read the cluster firewall configuration; nothing visible here modifies it.
253 my $conf = PVE
::Firewall
::load_clusterfw_conf
();
# With no 'type' parameter both sections below run; otherwise only the
# matching one does.
257 if (!$param->{type
} || $param->{type
} eq 'ipset') {
258 foreach my $name (keys %{$conf->{ipset
}}) {
# Attach the IPSet's comment only when one is stored for that name.
264 if (my $comment = $conf->{ipset_comments
}->{$name}) {
265 $data->{comment
} = $comment;
271 if (!$param->{type
} || $param->{type
} eq 'alias') {
272 foreach my $name (keys %{$conf->{aliases
}}) {
# $e is the stored alias entry for this name.
273 my $e = $conf->{aliases
}->{$name};
# Copy the alias comment only when it is set.
279 $data->{comment
} = $e->{comment
} if $e->{comment
};