improve security group API

diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index cd9199eaeef456069b82fe9ff0879830f89510a3..d7f33b87a85ec6b1fef1ffda47936f0ff7f205fc 100644 (file)
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -27,7 +27,12 @@ __PACKAGE__->register_method({
        type => 'array',
        items => {
            type => "object",
-           properties => {},
+           properties => { 
+               name => {
+                   description => "Security group name.",
+                   type => 'string',
+               },
+           },
        },
        links => [ { rel => 'child', href => "{name}" } ],
     },
@@ -38,7 +43,50 @@ __PACKAGE__->register_method({
 
        my $res = [];
        foreach my $group (keys %{$groups_conf->{rules}}) {
-           push @$res, { name => $group };
+           push @$res, { name => $group, count => scalar(@{$groups_conf->{rules}->{$group}}) };
+       }
+
+       return $res;
+    }});
+
+__PACKAGE__->register_method({
+    name => 'get_rules',
+    path => '{group}',
+    method => 'GET',
+    description => "List security groups rules.",
+    proxyto => 'node',
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           node => get_standard_option('pve-node'),
+           group => {
+               description => "Security group name.",
+               type => 'string',
+           },
+       },
+    },
+    returns => {
+       type => 'array',
+       items => {
+           type => "object",
+           properties => {},
+       },
+    },
+    code => sub {
+       my ($param) = @_;
+
+       my $groups_conf = PVE::Firewall::load_security_groups();
+
+       my $rules = $groups_conf->{rules}->{$param->{group}};
+       die "no such security group\n" if !defined($rules);
+
+       my $digest = $groups_conf->{digest};
+
+       my $res = [];
+
+       my $ind = 0;
+       foreach my $rule (@$rules) {
+           push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
        }
 
        return $res;

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d4de6f6eed702f84abd264b3307cb80dc34dcc96..7e3daada50b171af51aa9c0a1f6b5f385459563f 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -635,6 +635,25 @@ sub parse_port_name_number_or_range {
     return ($nbports);
 }
 
+# helper function for API
+sub cleanup_fw_rule {
+    my ($rule, $digest, $pos) = @_;
+
+    my $r = {};
+
+    foreach my $k (keys %$rule) {
+       next if $k eq 'nbdport';
+       next if $k eq 'nbsport';
+       my $v = $rule->{$k};
+       next if !defined($v);
+       $r->{$k} = $v;
+       $r->{digest} = $digest;
+       $r->{pos} = $pos;
+    }
+
+    return $r;
+}
+
 my $bridge_firewall_enabled = 0;
 
 sub enable_bridge_firewall {
@@ -1478,7 +1497,11 @@ sub parse_group_fw_rules {
 
     my $res = { rules => {} };
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+       $digest->add($line);
+
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
 
@@ -1505,6 +1528,8 @@ sub parse_group_fw_rules {
        push @{$res->{$section}->{$group}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 

diff --git a/src/pvefw b/src/pvefw
index 1671f557ef21b9aa7d79ee1a95e47da6aaf9375d..4cc2fe28195aa435b828421caf09c5d0028fdb43 100755 (executable)
--- a/src/pvefw
+++ b/src/pvefw
@@ -244,6 +244,11 @@ my $cmddef = {
                        my $res = shift;
                        print Dumper($res);
                    }],
+    grouprules => [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'], 
+                   { node => $nodename }, sub {
+                       my $res = shift;
+                       print Dumper($res);
+                   }],
 };
 
 my $cmd = shift;