]>
Commit | Line | Data |
---|---|---|
b4366f00 DM |
1 | package PVE::API2::Firewall::Cluster; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
1df4ba7e | 5 | use PVE::Exception qw(raise raise_param_exc raise_perm_exc); |
b4366f00 DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
81d574a7 | 9 | use PVE::API2::Firewall::Aliases; |
86791289 | 10 | use PVE::API2::Firewall::Rules; |
b4366f00 | 11 | use PVE::API2::Firewall::Groups; |
009ee3ac | 12 | use PVE::API2::Firewall::IPSet; |
b4366f00 | 13 | |
1df4ba7e DM |
14 | #fixme: locking? |
15 | ||
b4366f00 DM |
16 | use Data::Dumper; # fixme: remove |
17 | ||
18 | use base qw(PVE::RESTHandler); | |
19 | ||
20 | __PACKAGE__->register_method ({ | |
947d6ea2 | 21 | subclass => "PVE::API2::Firewall::Groups", |
b4366f00 DM |
22 | path => 'groups', |
23 | }); | |
24 | ||
86791289 | 25 | __PACKAGE__->register_method ({ |
947d6ea2 | 26 | subclass => "PVE::API2::Firewall::ClusterRules", |
86791289 DM |
27 | path => 'rules', |
28 | }); | |
29 | ||
c85c87f9 | 30 | __PACKAGE__->register_method ({ |
947d6ea2 | 31 | subclass => "PVE::API2::Firewall::ClusterIPSetList", |
c85c87f9 DM |
32 | path => 'ipset', |
33 | }); | |
34 | ||
81d574a7 | 35 | __PACKAGE__->register_method ({ |
947d6ea2 | 36 | subclass => "PVE::API2::Firewall::ClusterAliases", |
81d574a7 DM |
37 | path => 'aliases', |
38 | }); | |
39 | ||
40 | ||
b4366f00 DM |
41 | __PACKAGE__->register_method({ |
42 | name => 'index', | |
43 | path => '', | |
44 | method => 'GET', | |
45 | permissions => { user => 'all' }, | |
46 | description => "Directory index.", | |
47 | parameters => { | |
48 | additionalProperties => 0, | |
49 | }, | |
50 | returns => { | |
51 | type => 'array', | |
52 | items => { | |
53 | type => "object", | |
54 | properties => {}, | |
55 | }, | |
56 | links => [ { rel => 'child', href => "{name}" } ], | |
57 | }, | |
58 | code => sub { | |
59 | my ($param) = @_; | |
60 | ||
61 | my $result = [ | |
81d574a7 | 62 | { name => 'aliases' }, |
b4366f00 DM |
63 | { name => 'rules' }, |
64 | { name => 'options' }, | |
65 | { name => 'groups' }, | |
9d6f90e6 | 66 | { name => 'ipset' }, |
ebd54ae9 | 67 | { name => 'macros' }, |
947d6ea2 | 68 | { name => 'refs' }, |
b4366f00 DM |
69 | ]; |
70 | ||
71 | return $result; | |
72 | }}); | |
1df4ba7e | 73 | |
e313afe0 | 74 | my $option_properties = $PVE::Firewall::cluster_option_properties; |
271f287b DM |
75 | |
76 | my $add_option_properties = sub { | |
77 | my ($properties) = @_; | |
78 | ||
79 | foreach my $k (keys %$option_properties) { | |
80 | $properties->{$k} = $option_properties->{$k}; | |
81 | } | |
947d6ea2 | 82 | |
271f287b DM |
83 | return $properties; |
84 | }; | |
85 | ||
86 | ||
1df4ba7e DM |
87 | __PACKAGE__->register_method({ |
88 | name => 'get_options', | |
89 | path => 'options', | |
90 | method => 'GET', | |
91 | description => "Get Firewall options.", | |
0ec56841 DM |
92 | permissions => { |
93 | check => ['perm', '/', [ 'Sys.Audit' ]], | |
94 | }, | |
1df4ba7e DM |
95 | parameters => { |
96 | additionalProperties => 0, | |
97 | }, | |
98 | returns => { | |
99 | type => "object", | |
100 | #additionalProperties => 1, | |
271f287b | 101 | properties => $option_properties, |
1df4ba7e DM |
102 | }, |
103 | code => sub { | |
104 | my ($param) = @_; | |
105 | ||
106 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
107 | ||
5d38d64f | 108 | return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options}); |
1df4ba7e DM |
109 | }}); |
110 | ||
1df4ba7e DM |
111 | |
112 | __PACKAGE__->register_method({ | |
113 | name => 'set_options', | |
114 | path => 'options', | |
115 | method => 'PUT', | |
116 | description => "Set Firewall options.", | |
68c90e21 | 117 | protected => 1, |
0ec56841 DM |
118 | permissions => { |
119 | check => ['perm', '/', [ 'Sys.Modify' ]], | |
120 | }, | |
1df4ba7e DM |
121 | parameters => { |
122 | additionalProperties => 0, | |
123 | properties => &$add_option_properties({ | |
124 | delete => { | |
125 | type => 'string', format => 'pve-configid-list', | |
126 | description => "A list of settings you want to delete.", | |
127 | optional => 1, | |
128 | }, | |
5d38d64f | 129 | digest => get_standard_option('pve-config-digest'), |
1df4ba7e DM |
130 | }), |
131 | }, | |
132 | returns => { type => "null" }, | |
133 | code => sub { | |
134 | my ($param) = @_; | |
135 | ||
136 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
137 | ||
5d38d64f DM |
138 | my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options}); |
139 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
140 | ||
1df4ba7e DM |
141 | if ($param->{delete}) { |
142 | foreach my $opt (PVE::Tools::split_list($param->{delete})) { | |
947d6ea2 | 143 | raise_param_exc({ delete => "no such option '$opt'" }) |
1df4ba7e DM |
144 | if !$option_properties->{$opt}; |
145 | delete $cluster_conf->{options}->{$opt}; | |
146 | } | |
147 | } | |
148 | ||
72d055fc AG |
149 | if (defined($param->{enable}) && ($param->{enable} > 1)) { |
150 | $param->{enable} = time(); | |
271f287b DM |
151 | } |
152 | ||
153 | foreach my $k (keys %$option_properties) { | |
154 | next if !defined($param->{$k}); | |
947d6ea2 | 155 | $cluster_conf->{options}->{$k} = $param->{$k}; |
1df4ba7e DM |
156 | } |
157 | ||
1df4ba7e DM |
158 | PVE::Firewall::save_clusterfw_conf($cluster_conf); |
159 | ||
c05492d6 AG |
160 | # instant firewall update when using double (anti-lockout) API call |
161 | # -> not waiting for a firewall update at the first (timestamp enable) set | |
162 | if (defined($param->{enable}) && ($param->{enable} > 1)) { | |
163 | PVE::Firewall::update(); | |
164 | } | |
165 | ||
1df4ba7e DM |
166 | return undef; |
167 | }}); | |
ebd54ae9 DM |
168 | |
169 | __PACKAGE__->register_method({ | |
170 | name => 'get_macros', | |
171 | path => 'macros', | |
172 | method => 'GET', | |
173 | description => "List available macros", | |
0ec56841 | 174 | permissions => { user => 'all' }, |
ebd54ae9 DM |
175 | parameters => { |
176 | additionalProperties => 0, | |
177 | }, | |
178 | returns => { | |
179 | type => 'array', | |
180 | items => { | |
181 | type => "object", | |
182 | properties => { | |
183 | macro => { | |
184 | description => "Macro name.", | |
185 | type => 'string', | |
186 | }, | |
187 | descr => { | |
188 | description => "More verbose description (if available).", | |
189 | type => 'string', | |
190 | } | |
191 | }, | |
192 | }, | |
193 | }, | |
194 | code => sub { | |
195 | my ($param) = @_; | |
196 | ||
197 | my $res = []; | |
198 | ||
199 | my ($macros, $descr) = PVE::Firewall::get_macros(); | |
200 | ||
201 | foreach my $macro (keys %$macros) { | |
202 | push @$res, { macro => $macro, descr => $descr->{$macro} || $macro }; | |
203 | } | |
204 | ||
205 | return $res; | |
206 | }}); | |
207 | ||
947d6ea2 DM |
208 | __PACKAGE__->register_method({ |
209 | name => 'refs', | |
210 | path => 'refs', | |
211 | method => 'GET', | |
212 | description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.", | |
0ec56841 DM |
213 | permissions => { |
214 | check => ['perm', '/', [ 'Sys.Audit' ]], | |
215 | }, | |
947d6ea2 DM |
216 | parameters => { |
217 | additionalProperties => 0, | |
f2c0865c DM |
218 | properties => { |
219 | type => { | |
220 | description => "Only list references of specified type.", | |
221 | type => 'string', | |
222 | enum => ['alias', 'ipset'], | |
223 | optional => 1, | |
224 | }, | |
225 | }, | |
947d6ea2 DM |
226 | }, |
227 | returns => { | |
228 | type => 'array', | |
229 | items => { | |
230 | type => "object", | |
231 | properties => { | |
232 | type => { | |
233 | type => 'string', | |
234 | enum => ['alias', 'ipset'], | |
235 | }, | |
236 | name => { | |
237 | type => 'string', | |
238 | }, | |
239 | ref => { | |
240 | type => 'string', | |
241 | }, | |
242 | comment => { | |
243 | type => 'string', | |
244 | optional => 1, | |
245 | }, | |
246 | }, | |
247 | }, | |
248 | }, | |
249 | code => sub { | |
250 | my ($param) = @_; | |
251 | ||
252 | my $conf = PVE::Firewall::load_clusterfw_conf(); | |
253 | ||
254 | my $res = []; | |
255 | ||
f2c0865c DM |
256 | if (!$param->{type} || $param->{type} eq 'ipset') { |
257 | foreach my $name (keys %{$conf->{ipset}}) { | |
258 | my $data = { | |
259 | type => 'ipset', | |
260 | name => $name, | |
261 | ref => "+$name", | |
262 | }; | |
263 | if (my $comment = $conf->{ipset_comments}->{$name}) { | |
264 | $data->{comment} = $comment; | |
265 | } | |
266 | push @$res, $data; | |
947d6ea2 | 267 | } |
947d6ea2 DM |
268 | } |
269 | ||
f2c0865c DM |
270 | if (!$param->{type} || $param->{type} eq 'alias') { |
271 | foreach my $name (keys %{$conf->{aliases}}) { | |
272 | my $e = $conf->{aliases}->{$name}; | |
273 | my $data = { | |
274 | type => 'alias', | |
275 | name => $name, | |
276 | ref => $name, | |
277 | }; | |
278 | $data->{comment} = $e->{comment} if $e->{comment}; | |
279 | push @$res, $data; | |
280 | } | |
947d6ea2 DM |
281 | } |
282 | ||
283 | return $res; | |
284 | }}); | |
285 | ||
ebd54ae9 | 286 | 1; |