#fixme: locking?
-use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
return $result;
}});
-my $option_properties = {
- enable => {
- type => 'boolean',
- optional => 1,
- },
- policy_in => {
- description => "Input policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
- policy_out => {
- description => "Output policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
-};
+my $option_properties = $PVE::Firewall::cluster_option_properties;
my $add_option_properties = sub {
my ($properties) = @_;
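Review bot: `$option_properties` at L24 is now a reference to the package-global `$PVE::Firewall::cluster_option_properties` rather than a private hash, so any in-place modification through it (for example if `$add_option_properties` at L25 inserts `delete`/`digest` keys into the hash it is handed instead of building a copy) would silently change the schema every other caller of that global sees. The body of `$add_option_properties` is outside this hunk, so I cannot tell from here whether it copies; if it does not, take a shallow copy at the alias, `my $option_properties = { %$PVE::Firewall::cluster_option_properties };`, or document at L24 that the hash must be treated as read-only.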
code => sub {
my ($param) = @_;
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ PVE::Firewall::lock_clusterfw_conf(10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $cluster_conf->{options}->{$opt};
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $cluster_conf->{options}->{$opt};
+ }
}
- }
- if (defined($param->{enable})) {
- $param->{enable} = $param->{enable} ? 1 : 0;
- }
+ if (defined($param->{enable}) && ($param->{enable} > 1)) {
+ $param->{enable} = time();
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $cluster_conf->{options}->{$k} = $param->{$k};
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $cluster_conf->{options}->{$k} = $param->{$k};
+ }
+
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ });
- PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ # instant firewall update when using double (anti-lockout) API call
+ # -> not waiting for a firewall update at the first (timestamp enable) set
+ if (defined($param->{enable}) && ($param->{enable} > 1)) {
+ PVE::Firewall::update();
+ }
return undef;
}});
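Review bot: The condition at L69 re-tests `$param->{enable} > 1` after L53 has already overwritten that field with `time()` inside the locked closure, so the post-lock update fires only because the closure mutates `$param` as a side effect; the coupling is easy to break if the assignment at L53 is ever moved or the lock callback is reordered. Compute the intent once before the lock and use it in both places: `my $instant_update = defined($param->{enable}) && $param->{enable} > 1;`, then `$param->{enable} = time() if $instant_update;` at L52-L54 and `PVE::Firewall::update() if $instant_update;` at L69-L71. The old 0/1 normalisation at L49-L51 is dropped, so the schema for `enable` in `$PVE::Firewall::cluster_option_properties` (not on this page) must now permit integer timestamps and reject non-numeric strings, otherwise the numeric `>` comparison at L52 will warn or misbehave on unexpected input. Note also that `PVE::Firewall::update()` at L70 runs after `lock_clusterfw_conf` has released the lock, so a failure there surfaces to the API caller even though the configuration was already saved at L64; if that is intended, a short comment saying the save is committed before the update would help the next reader.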
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
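Review bot: The new `scope` property at L77-L79 is a mandatory field of every returned item but carries no `description`, so the API documentation generated from this schema will not tell clients what the value means. Since the only value visible on this page is the literal `"dc"` passed at L114 for the cluster-level handler, I would add something like `description => "Scope the reference is defined in ('dc' for cluster-level entries).",` and widen the wording once the other scope values are known. Because the property is not `optional`, every entry produced by `PVE::Firewall::Helpers::collect_refs` (off this page) must set it, or schema-checked responses will fail.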
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
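Review bot: The deleted code at L86 and L100 treated a missing `type` parameter as "return both ipsets and aliases", while the replacement at L114 passes `$param->{type}` through unchanged, possibly `undef`, to `PVE::Firewall::Helpers::collect_refs`; that helper is not on this page, so please confirm it keeps the same fall-through behaviour and applies the same comment handling (ipset comments from `$conf->{ipset_comments}`, alias comments from the alias entry) that the removed loops did. The enclosing `code => sub` starts before this hunk, and the unlocked `load_clusterfw_conf()` read at L83 is unchanged, which is fine for a read-only listing. A one-line comment above L114, such as `# "dc" marks these as cluster-level refs; see the scope property in the return schema`, would make the literal self-explanatory.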
1;