]>
Commit | Line | Data |
---|---|---|
b4366f00 DM |
1 | package PVE::API2::Firewall::Cluster; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
1df4ba7e | 5 | use PVE::Exception qw(raise raise_param_exc raise_perm_exc); |
b4366f00 DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
81d574a7 | 9 | use PVE::API2::Firewall::Aliases; |
86791289 | 10 | use PVE::API2::Firewall::Rules; |
b4366f00 | 11 | use PVE::API2::Firewall::Groups; |
009ee3ac | 12 | use PVE::API2::Firewall::IPSet; |
b4366f00 | 13 | |
1df4ba7e DM |
14 | #fixme: locking? |
15 | ||
b4366f00 DM |
16 | use Data::Dumper; # fixme: remove |
17 | ||
18 | use base qw(PVE::RESTHandler); | |
19 | ||
20 | __PACKAGE__->register_method ({ | |
947d6ea2 | 21 | subclass => "PVE::API2::Firewall::Groups", |
b4366f00 DM |
22 | path => 'groups', |
23 | }); | |
24 | ||
86791289 | 25 | __PACKAGE__->register_method ({ |
947d6ea2 | 26 | subclass => "PVE::API2::Firewall::ClusterRules", |
86791289 DM |
27 | path => 'rules', |
28 | }); | |
29 | ||
c85c87f9 | 30 | __PACKAGE__->register_method ({ |
947d6ea2 | 31 | subclass => "PVE::API2::Firewall::ClusterIPSetList", |
c85c87f9 DM |
32 | path => 'ipset', |
33 | }); | |
34 | ||
81d574a7 | 35 | __PACKAGE__->register_method ({ |
947d6ea2 | 36 | subclass => "PVE::API2::Firewall::ClusterAliases", |
81d574a7 DM |
37 | path => 'aliases', |
38 | }); | |
39 | ||
40 | ||
b4366f00 DM |
41 | __PACKAGE__->register_method({ |
42 | name => 'index', | |
43 | path => '', | |
44 | method => 'GET', | |
45 | permissions => { user => 'all' }, | |
46 | description => "Directory index.", | |
47 | parameters => { | |
48 | additionalProperties => 0, | |
49 | }, | |
50 | returns => { | |
51 | type => 'array', | |
52 | items => { | |
53 | type => "object", | |
54 | properties => {}, | |
55 | }, | |
56 | links => [ { rel => 'child', href => "{name}" } ], | |
57 | }, | |
58 | code => sub { | |
59 | my ($param) = @_; | |
60 | ||
61 | my $result = [ | |
81d574a7 | 62 | { name => 'aliases' }, |
b4366f00 DM |
63 | { name => 'rules' }, |
64 | { name => 'options' }, | |
65 | { name => 'groups' }, | |
9d6f90e6 | 66 | { name => 'ipset' }, |
ebd54ae9 | 67 | { name => 'macros' }, |
947d6ea2 | 68 | { name => 'refs' }, |
b4366f00 DM |
69 | ]; |
70 | ||
71 | return $result; | |
72 | }}); | |
1df4ba7e | 73 | |
271f287b DM |
74 | my $option_properties = { |
75 | enable => { | |
76 | type => 'boolean', | |
77 | optional => 1, | |
78 | }, | |
79 | policy_in => { | |
80 | description => "Input policy.", | |
81 | type => 'string', | |
82 | optional => 1, | |
83 | enum => ['ACCEPT', 'REJECT', 'DROP'], | |
84 | }, | |
947d6ea2 | 85 | policy_out => { |
271f287b DM |
86 | description => "Output policy.", |
87 | type => 'string', | |
88 | optional => 1, | |
89 | enum => ['ACCEPT', 'REJECT', 'DROP'], | |
90 | }, | |
91 | }; | |
92 | ||
93 | my $add_option_properties = sub { | |
94 | my ($properties) = @_; | |
95 | ||
96 | foreach my $k (keys %$option_properties) { | |
97 | $properties->{$k} = $option_properties->{$k}; | |
98 | } | |
947d6ea2 | 99 | |
271f287b DM |
100 | return $properties; |
101 | }; | |
102 | ||
103 | ||
1df4ba7e DM |
104 | __PACKAGE__->register_method({ |
105 | name => 'get_options', | |
106 | path => 'options', | |
107 | method => 'GET', | |
108 | description => "Get Firewall options.", | |
0ec56841 DM |
109 | permissions => { |
110 | check => ['perm', '/', [ 'Sys.Audit' ]], | |
111 | }, | |
1df4ba7e DM |
112 | parameters => { |
113 | additionalProperties => 0, | |
114 | }, | |
115 | returns => { | |
116 | type => "object", | |
117 | #additionalProperties => 1, | |
271f287b | 118 | properties => $option_properties, |
1df4ba7e DM |
119 | }, |
120 | code => sub { | |
121 | my ($param) = @_; | |
122 | ||
123 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
124 | ||
5d38d64f | 125 | return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options}); |
1df4ba7e DM |
126 | }}); |
127 | ||
1df4ba7e DM |
128 | |
129 | __PACKAGE__->register_method({ | |
130 | name => 'set_options', | |
131 | path => 'options', | |
132 | method => 'PUT', | |
133 | description => "Set Firewall options.", | |
68c90e21 | 134 | protected => 1, |
0ec56841 DM |
135 | permissions => { |
136 | check => ['perm', '/', [ 'Sys.Modify' ]], | |
137 | }, | |
1df4ba7e DM |
138 | parameters => { |
139 | additionalProperties => 0, | |
140 | properties => &$add_option_properties({ | |
141 | delete => { | |
142 | type => 'string', format => 'pve-configid-list', | |
143 | description => "A list of settings you want to delete.", | |
144 | optional => 1, | |
145 | }, | |
5d38d64f | 146 | digest => get_standard_option('pve-config-digest'), |
1df4ba7e DM |
147 | }), |
148 | }, | |
149 | returns => { type => "null" }, | |
150 | code => sub { | |
151 | my ($param) = @_; | |
152 | ||
153 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
154 | ||
5d38d64f DM |
155 | my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options}); |
156 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
157 | ||
1df4ba7e DM |
158 | if ($param->{delete}) { |
159 | foreach my $opt (PVE::Tools::split_list($param->{delete})) { | |
947d6ea2 | 160 | raise_param_exc({ delete => "no such option '$opt'" }) |
1df4ba7e DM |
161 | if !$option_properties->{$opt}; |
162 | delete $cluster_conf->{options}->{$opt}; | |
163 | } | |
164 | } | |
165 | ||
166 | if (defined($param->{enable})) { | |
271f287b DM |
167 | $param->{enable} = $param->{enable} ? 1 : 0; |
168 | } | |
169 | ||
170 | foreach my $k (keys %$option_properties) { | |
171 | next if !defined($param->{$k}); | |
947d6ea2 | 172 | $cluster_conf->{options}->{$k} = $param->{$k}; |
1df4ba7e DM |
173 | } |
174 | ||
1df4ba7e DM |
175 | PVE::Firewall::save_clusterfw_conf($cluster_conf); |
176 | ||
177 | return undef; | |
178 | }}); | |
ebd54ae9 DM |
179 | |
180 | __PACKAGE__->register_method({ | |
181 | name => 'get_macros', | |
182 | path => 'macros', | |
183 | method => 'GET', | |
184 | description => "List available macros", | |
0ec56841 | 185 | permissions => { user => 'all' }, |
ebd54ae9 DM |
186 | parameters => { |
187 | additionalProperties => 0, | |
188 | }, | |
189 | returns => { | |
190 | type => 'array', | |
191 | items => { | |
192 | type => "object", | |
193 | properties => { | |
194 | macro => { | |
195 | description => "Macro name.", | |
196 | type => 'string', | |
197 | }, | |
198 | descr => { | |
199 | description => "More verbose description (if available).", | |
200 | type => 'string', | |
201 | } | |
202 | }, | |
203 | }, | |
204 | }, | |
205 | code => sub { | |
206 | my ($param) = @_; | |
207 | ||
208 | my $res = []; | |
209 | ||
210 | my ($macros, $descr) = PVE::Firewall::get_macros(); | |
211 | ||
212 | foreach my $macro (keys %$macros) { | |
213 | push @$res, { macro => $macro, descr => $descr->{$macro} || $macro }; | |
214 | } | |
215 | ||
216 | return $res; | |
217 | }}); | |
218 | ||
947d6ea2 DM |
219 | __PACKAGE__->register_method({ |
220 | name => 'refs', | |
221 | path => 'refs', | |
222 | method => 'GET', | |
223 | description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.", | |
0ec56841 DM |
224 | permissions => { |
225 | check => ['perm', '/', [ 'Sys.Audit' ]], | |
226 | }, | |
947d6ea2 DM |
227 | parameters => { |
228 | additionalProperties => 0, | |
f2c0865c DM |
229 | properties => { |
230 | type => { | |
231 | description => "Only list references of specified type.", | |
232 | type => 'string', | |
233 | enum => ['alias', 'ipset'], | |
234 | optional => 1, | |
235 | }, | |
236 | }, | |
947d6ea2 DM |
237 | }, |
238 | returns => { | |
239 | type => 'array', | |
240 | items => { | |
241 | type => "object", | |
242 | properties => { | |
243 | type => { | |
244 | type => 'string', | |
245 | enum => ['alias', 'ipset'], | |
246 | }, | |
247 | name => { | |
248 | type => 'string', | |
249 | }, | |
250 | ref => { | |
251 | type => 'string', | |
252 | }, | |
253 | comment => { | |
254 | type => 'string', | |
255 | optional => 1, | |
256 | }, | |
257 | }, | |
258 | }, | |
259 | }, | |
260 | code => sub { | |
261 | my ($param) = @_; | |
262 | ||
263 | my $conf = PVE::Firewall::load_clusterfw_conf(); | |
264 | ||
265 | my $res = []; | |
266 | ||
f2c0865c DM |
267 | if (!$param->{type} || $param->{type} eq 'ipset') { |
268 | foreach my $name (keys %{$conf->{ipset}}) { | |
269 | my $data = { | |
270 | type => 'ipset', | |
271 | name => $name, | |
272 | ref => "+$name", | |
273 | }; | |
274 | if (my $comment = $conf->{ipset_comments}->{$name}) { | |
275 | $data->{comment} = $comment; | |
276 | } | |
277 | push @$res, $data; | |
947d6ea2 | 278 | } |
947d6ea2 DM |
279 | } |
280 | ||
f2c0865c DM |
281 | if (!$param->{type} || $param->{type} eq 'alias') { |
282 | foreach my $name (keys %{$conf->{aliases}}) { | |
283 | my $e = $conf->{aliases}->{$name}; | |
284 | my $data = { | |
285 | type => 'alias', | |
286 | name => $name, | |
287 | ref => $name, | |
288 | }; | |
289 | $data->{comment} = $e->{comment} if $e->{comment}; | |
290 | push @$res, $data; | |
291 | } | |
947d6ea2 DM |
292 | } |
293 | ||
294 | return $res; | |
295 | }}); | |
296 | ||
ebd54ae9 | 297 | 1; |