use base qw(PVE::RESTHandler);
-my $api_properties = {
+my $api_properties = {
pos => {
description => "Rule position.",
type => 'integer',
sub rule_env {
my ($class, $param) = @_;
-
+
die "implement this in subclass";
}
return $copy;
}
-my $rules_modify_permissions = sub {
- my ($rule_env) = @_;
-
- if ($rule_env eq 'host') {
- return {
- check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
- };
- } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
- return {
- check => ['perm', '/', [ 'Sys.Modify' ]],
- };
- } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
- return {
- check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
- }
- }
-
- return undef;
-};
-
-my $rules_audit_permissions = sub {
- my ($rule_env) = @_;
-
- if ($rule_env eq 'host') {
- return {
- check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
- };
- } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
- return {
- check => ['perm', '/', [ 'Sys.Audit' ]],
- };
- } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
- return {
- check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
- }
- }
-
- return undef;
-};
-
sub register_get_rules {
my ($class) = @_;
path => '',
method => 'GET',
description => "List rules.",
- permissions => &$rules_audit_permissions($rule_env),
+ permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
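Review bot: The removed closures returned undef for a rule_env other than host/cluster/group/vm/ct (L32, L52), and whether PVE::Firewall::rules_audit_permissions keeps that fallthrough is not visible here; if it does, `permissions => undef` is what register_method receives at L61 and the method's access policy then rests on how the REST layer treats a missing permissions entry. Making the intent explicit at registration, `my $perms = PVE::Firewall::rules_audit_permissions($rule_env); die "no permission spec for rule_env '$rule_env'\n" if !$perms;`, would fail closed at module load rather than at request time. The same applies to the calls at L75, L158, L172 and L199. register_get_rules continues outside the hunk.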
my $properties = $class->additional_parameters();
$properties->{pos} = $api_properties->{pos};
-
+
my $rule_env = $class->rule_env();
$class->register_method({
path => '{pos}',
method => 'GET',
description => "Get single rule data.",
- permissions => &$rules_audit_permissions($rule_env),
+ permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
returns => {
type => "object",
properties => {
+ action => {
+ type => 'string',
+ },
+ comment => {
+ type => 'string',
+ optional => 1,
+ },
+ dest => {
+ type => 'string',
+ optional => 1,
+ },
+ dport => {
+ type => 'string',
+ optional => 1,
+ },
+ enable => {
+ type => 'integer',
+ optional => 1,
+ },
+ log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
+ description => 'Log level for firewall rule',
+ }),
+ iface => {
+ type => 'string',
+ optional => 1,
+ },
+ ipversion => {
+ type => 'integer',
+ optional => 1,
+ },
+ macro => {
+ type => 'string',
+ optional => 1,
+ },
pos => {
type => 'integer',
- }
+ },
+ proto => {
+ type => 'string',
+ optional => 1,
+ },
+ source => {
+ type => 'string',
+ optional => 1,
+ },
+ sport => {
+ type => 'string',
+ optional => 1,
+ },
+ type => {
+ type => 'string',
+ },
},
},
code => sub {
my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
-
+
die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
-
+
my $rule = $list->[$param->{pos}];
$rule->{pos} = $param->{pos};
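Review bot: The bound check at L142 only rejects positions past the end of the list; Perl indexes a negative subscript from the end, so `$list->[$param->{pos}]` at L145 would silently return the last rule for a negative `pos` unless the `pos` schema (L4-6, cut off here) carries `minimum => 0`. A two-sided check, `die "no rule at position $param->{pos}\n" if $param->{pos} < 0 || $param->{pos} >= scalar(@$list);`, does not depend on the schema; the same applies to L177 and to L207, where a negative offset at the splice on L210 would remove a rule counted from the end. In the added returns schema, `action` and `type` are the only properties without `optional => 1`, which matches the create path forcing them required at L148-149; whether the `log` standard option at L101-103 is optional is not visible here, and if rules without a log level are returned, `optional => 1` belongs in that override hash. The enclosing register_method call of register_get_rule starts and ends outside the hunk.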
my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
$create_rule_properties->{action}->{optional} = 0;
$create_rule_properties->{type}->{optional} = 0;
-
+
my $rule_env = $class->rule_env();
$class->register_method({
method => 'POST',
description => "Create new rule.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $create_rule_properties,
my $properties = $class->additional_parameters();
$properties->{pos} = $api_properties->{pos};
-
+
my $rule_env = $class->rule_env();
$properties->{moveto} = {
method => 'PUT',
description => "Modify rule data.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $update_rule_properties,
PVE::Tools::assert_if_modified($digest, $param->{digest});
die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-
+
my $rule = $rules->[$param->{pos}];
my $moveto = $param->{moveto};
$rules = $newrules;
} else {
PVE::Firewall::copy_rule_data($rule, $param);
-
+
PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
$properties->{pos} = $api_properties->{pos};
$properties->{digest} = get_standard_option('pve-config-digest');
-
+
my $rule_env = $class->rule_env();
$class->register_method({
method => 'DELETE',
description => "Delete rule.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
PVE::Tools::assert_if_modified($digest, $param->{digest});
-
+
die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-
+
splice(@$rules, $param->{pos}, 1);
-
+
$class->save_rules($param, $fw_conf, $rules);
return undef;
sub rule_env {
my ($class, $param) = @_;
-
+
return 'group';
}
method => 'DELETE',
description => "Delete security group.",
protected => 1,
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Modify' ]],
+ },
parameters => {
additionalProperties => 0,
- properties => {
+ properties => {
group => get_standard_option('pve-security-group-name'),
},
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
-
+
my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);
- die "Security group '$param->{group}' is not empty\n"
+ die "Security group '$param->{group}' is not empty\n"
if scalar(@$rules);
__PACKAGE__->save_rules($param, $cluster_conf, undef);
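Review bot: The emptiness check at L240-242 and the save at L243 are not tied to a config digest: unlike the rule DELETE path (L203-204, which calls PVE::Tools::assert_if_modified), the group DELETE has no `digest` parameter, so a rule added to the group between load_config and save_rules would be discarded together with the group. Whether load_config and save_rules run under a cluster-wide lock is not visible in this hunk; if they do not, accepting `digest => get_standard_option('pve-config-digest')` in the parameters, computing it with `my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);` and checking `PVE::Tools::assert_if_modified($digest, $param->{digest});` before the save would close the window. The new permissions entry at L224-226 matches the `Sys.Modify` on `/` that the removed group branch required (L22-25). The enclosing register_method call starts and ends outside the hunk.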
sub rule_env {
my ($class, $param) = @_;
-
+
return 'cluster';
}
sub rule_env {
my ($class, $param) = @_;
-
+
return 'host';
}
use base qw(PVE::API2::Firewall::RulesBase);
-__PACKAGE__->additional_parameters({
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
sub rule_env {
my ($class, $param) = @_;
-
+
return 'vm';
}
use base qw(PVE::API2::Firewall::RulesBase);
-__PACKAGE__->additional_parameters({
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
sub rule_env {
my ($class, $param) = @_;
-
+
return 'ct';
}