return wantarray ? ($list, $digest) : $list;
};
+my $rename_fw_rules = sub {
+ my ($old, $new, $rules) = @_;
+
+ for my $rule (@{$rules}) {
+ next if ($rule->{type} ne "group" || $rule->{action} ne $old);
+ $rule->{action} = $new;
+ }
+};
+
__PACKAGE__->register_method({
name => 'list_security_groups',
path => '',
code => sub {
my ($param) = @_;
+ my $group = $param->{group};
+ my $rename = $param->{rename};
+ my $comment = $param->{comment};
+
PVE::Firewall::lock_clusterfw_conf(10, sub {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- if ($param->{rename}) {
+ if ($rename) {
my (undef, $digest) = &$get_security_group_list($cluster_conf);
PVE::Tools::assert_if_modified($digest, $param->{digest});
- raise_param_exc({ group => "Security group '$param->{rename}' does not exist" })
- if !$cluster_conf->{groups}->{$param->{rename}};
+ raise_param_exc({ group => "Security group '$rename' does not exist" })
+ if !$cluster_conf->{groups}->{$rename};
# prevent overwriting an existing group
- raise_param_exc({ group => "Security group '$param->{group}' does already exist" })
- if $cluster_conf->{groups}->{$param->{group}} &&
- $param->{group} ne $param->{rename};
-
- my $data = delete $cluster_conf->{groups}->{$param->{rename}};
- $cluster_conf->{groups}->{$param->{group}} = $data;
- if (my $comment = delete $cluster_conf->{group_comments}->{$param->{rename}}) {
- $cluster_conf->{group_comments}->{$param->{group}} = $comment;
+ raise_param_exc({ group => "Security group '$group' does already exist" })
+ if $cluster_conf->{groups}->{$group} &&
+ $group ne $rename;
+
+ if ($rename eq $group) {
+ $cluster_conf->{group_comments}->{$rename} = $comment if defined($comment);
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ return;
}
- $cluster_conf->{group_comments}->{$param->{group}} = $param->{comment} if defined($param->{comment});
+
+ # Create an exact copy of the old security group
+ $cluster_conf->{groups}->{$group} = $cluster_conf->{groups}->{$rename};
+ $cluster_conf->{group_comments}->{$group} = $cluster_conf->{group_comments}->{$rename};
+
+ # Update comment if provided
+ $cluster_conf->{group_comments}->{$group} = $comment if defined($comment);
+
+ # Write the copy to the cluster config, so that if something fails inbetween, the new firewall
+ # rules won't be broken when the new name is referenced
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
+
+ # Update all the host configs to the new copy
+ my $hosts = PVE::Cluster::get_nodelist();
+ foreach my $host (@$hosts) {
+ PVE::Firewall::lock_hostfw_conf($host, 10, sub {
+ my $host_conf_path = "/etc/pve/nodes/$host/host.fw";
+ my $host_conf = PVE::Firewall::load_hostfw_conf($cluster_conf, $host_conf_path);
+
+ if(defined($host_conf)) {
+ &$rename_fw_rules($rename,
+ $group,
+ $host_conf->{rules});
+ PVE::Firewall::save_hostfw_conf($host_conf, $host_conf_path);
+ }
+ });
+ }
+
+ # Update all the VM configs
+ my $vms = PVE::Cluster::get_vmlist();
+ foreach my $vm (keys %{$vms->{ids}}) {
+ PVE::Firewall::lock_vmfw_conf($vm, 10, sub {
+ my $vm_type = $vms->{ids}->{$vm}->{type} eq "lxc" ? "ct" : "vm";
+ my $vm_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $vm_type, $vm, "/etc/pve/firewall");
+
+ if (defined($vm_conf)) {
+ &$rename_fw_rules($rename,
+ $group,
+ $vm_conf->{rules});
+ PVE::Firewall::save_vmfw_conf($vm, $vm_conf);
+ }
+ });
+ }
+
+ # And also update the cluster itself
+ &$rename_fw_rules($rename,
+ $group,
+ $cluster_conf->{rules});
+
+ # Now that everything has been updated, the old rule can be deleted
+ delete $cluster_conf->{groups}->{$rename};
+ delete $cluster_conf->{group_comments}->{$rename};
} else {
foreach my $name (keys %{$cluster_conf->{groups}}) {
raise_param_exc({ group => "Security group '$name' already exists" })
- if $name eq $param->{group};
+ if $name eq $group;
}
- $cluster_conf->{groups}->{$param->{group}} = [];
- $cluster_conf->{group_comments}->{$param->{group}} = $param->{comment} if defined($param->{comment});
+ $cluster_conf->{groups}->{$group} = [];
+ $cluster_conf->{group_comments}->{$group} = $comment if defined($comment);
}
PVE::Firewall::save_clusterfw_conf($cluster_conf);
}
}
-sub lock_hostfw_conf {
- my ($timeout, $code, @param) = @_;
+sub lock_hostfw_conf : prototype($$$@) {
+ my ($node, $timeout, $code, @param) = @_;
+
+ $node = $nodename if !defined($node);
- my $res = PVE::Cluster::cfs_lock_firewall("host-$nodename", $timeout, $code, @param);
+ my $res = PVE::Cluster::cfs_lock_firewall("host-$node", $timeout, $code, @param);
die $@ if $@;
return $res;
}
sub save_hostfw_conf {
- my ($hostfw_conf) = @_;
+ my ($hostfw_conf, $filename) = @_;
+
+ $filename = $hostfw_conf_filename if !defined($filename);
my $raw = '';
}
if ($raw) {
- PVE::Tools::file_set_contents($hostfw_conf_filename, $raw);
+ PVE::Tools::file_set_contents($filename, $raw);
} else {
- unlink $hostfw_conf_filename;
+ unlink $filename;
}
}
projects / pve-firewall.git / commitdiff