]>
Commit | Line | Data |
---|---|---|
8b27beb9 DM |
1 | package PVE::API2::Firewall::Host; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::JSONSchema qw(get_standard_option); | |
a959126d | 6 | use PVE::RPCEnvironment; |
8b27beb9 DM |
7 | |
8 | use PVE::Firewall; | |
63c91681 | 9 | use PVE::API2::Firewall::Rules; |
8b27beb9 DM |
10 | |
11 | use Data::Dumper; # fixme: remove | |
12 | ||
13 | use base qw(PVE::RESTHandler); | |
14 | ||
63c91681 DM |
15 | __PACKAGE__->register_method ({ |
16 | subclass => "PVE::API2::Firewall::HostRules", | |
17 | path => 'rules', | |
18 | }); | |
19 | ||
8b27beb9 DM |
20 | __PACKAGE__->register_method({ |
21 | name => 'index', | |
22 | path => '', | |
23 | method => 'GET', | |
24 | permissions => { user => 'all' }, | |
25 | description => "Directory index.", | |
26 | parameters => { | |
27 | additionalProperties => 0, | |
28 | properties => { | |
29 | node => get_standard_option('pve-node'), | |
30 | }, | |
31 | }, | |
32 | returns => { | |
33 | type => 'array', | |
34 | items => { | |
35 | type => "object", | |
36 | properties => {}, | |
37 | }, | |
38 | links => [ { rel => 'child', href => "{name}" } ], | |
39 | }, | |
40 | code => sub { | |
41 | my ($param) = @_; | |
42 | ||
43 | my $result = [ | |
44 | { name => 'rules' }, | |
45 | { name => 'options' }, | |
a959126d | 46 | { name => 'log' }, |
8b27beb9 DM |
47 | ]; |
48 | ||
49 | return $result; | |
50 | }}); | |
51 | ||
6302c41f DM |
52 | my $option_properties = { |
53 | enable => { | |
54 | description => "Enable host firewall rules.", | |
55 | type => 'boolean', | |
56 | optional => 1, | |
57 | }, | |
58 | log_level_in => get_standard_option('pve-fw-loglevel', { | |
59 | description => "Log level for incoming traffic." }), | |
60 | log_level_out => get_standard_option('pve-fw-loglevel', { | |
61 | description => "Log level for outgoing traffic." }), | |
62 | tcp_flags_log_level => get_standard_option('pve-fw-loglevel', { | |
63 | description => "Log level for illegal tcp flags filter." }), | |
64 | smurf_log_level => get_standard_option('pve-fw-loglevel', { | |
65 | description => "Log level for SMURFS filter." }), | |
66 | nosmurfs => { | |
67 | description => "Enable SMURFS filter.", | |
68 | type => 'boolean', | |
69 | optional => 1, | |
70 | }, | |
71 | tcpflags => { | |
72 | description => "Filter illegal combinations of TCP flags.", | |
73 | type => 'boolean', | |
74 | optional => 1, | |
75 | }, | |
6302c41f DM |
76 | nf_conntrack_max => { |
77 | description => "Maximum number of tracked connections.", | |
78 | type => 'integer', | |
79 | optional => 1, | |
80 | minimum => 32768, | |
81 | }, | |
82 | nf_conntrack_tcp_timeout_established => { | |
83 | description => "Conntrack established timeout.", | |
84 | type => 'integer', | |
85 | optional => 1, | |
86 | minimum => 7875, | |
1940ee1b WB |
87 | }, |
88 | ndp => { | |
89 | description => "Enable NDP.", | |
90 | type => 'boolean', | |
91 | optional => 1, | |
92 | }, | |
6302c41f DM |
93 | }; |
94 | ||
95 | my $add_option_properties = sub { | |
96 | my ($properties) = @_; | |
97 | ||
98 | foreach my $k (keys %$option_properties) { | |
99 | $properties->{$k} = $option_properties->{$k}; | |
100 | } | |
101 | ||
102 | return $properties; | |
103 | }; | |
104 | ||
105 | ||
8b27beb9 DM |
106 | __PACKAGE__->register_method({ |
107 | name => 'get_options', | |
108 | path => 'options', | |
109 | method => 'GET', | |
110 | description => "Get host firewall options.", | |
111 | proxyto => 'node', | |
60c103df DM |
112 | permissions => { |
113 | check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]], | |
114 | }, | |
8b27beb9 DM |
115 | parameters => { |
116 | additionalProperties => 0, | |
117 | properties => { | |
118 | node => get_standard_option('pve-node'), | |
119 | }, | |
120 | }, | |
121 | returns => { | |
122 | type => "object", | |
6302c41f DM |
123 | #additionalProperties => 1, |
124 | properties => $option_properties, | |
8b27beb9 DM |
125 | }, |
126 | code => sub { | |
127 | my ($param) = @_; | |
128 | ||
129 | my $hostfw_conf = PVE::Firewall::load_hostfw_conf(); | |
130 | ||
5d38d64f | 131 | return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options}); |
8b27beb9 DM |
132 | }}); |
133 | ||
6302c41f DM |
134 | __PACKAGE__->register_method({ |
135 | name => 'set_options', | |
136 | path => 'options', | |
137 | method => 'PUT', | |
138 | description => "Set Firewall options.", | |
139 | protected => 1, | |
140 | proxyto => 'node', | |
60c103df DM |
141 | permissions => { |
142 | check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]], | |
143 | }, | |
6302c41f DM |
144 | parameters => { |
145 | additionalProperties => 0, | |
146 | properties => &$add_option_properties({ | |
147 | node => get_standard_option('pve-node'), | |
148 | delete => { | |
149 | type => 'string', format => 'pve-configid-list', | |
150 | description => "A list of settings you want to delete.", | |
151 | optional => 1, | |
152 | }, | |
153 | digest => get_standard_option('pve-config-digest'), | |
154 | }), | |
155 | }, | |
156 | returns => { type => "null" }, | |
157 | code => sub { | |
158 | my ($param) = @_; | |
159 | ||
160 | my $hostfw_conf = PVE::Firewall::load_hostfw_conf(); | |
161 | ||
162 | my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options}); | |
163 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
164 | ||
165 | if ($param->{delete}) { | |
166 | foreach my $opt (PVE::Tools::split_list($param->{delete})) { | |
167 | raise_param_exc({ delete => "no such option '$opt'" }) | |
168 | if !$option_properties->{$opt}; | |
169 | delete $hostfw_conf->{options}->{$opt}; | |
170 | } | |
171 | } | |
172 | ||
173 | if (defined($param->{enable})) { | |
174 | $param->{enable} = $param->{enable} ? 1 : 0; | |
175 | } | |
176 | ||
177 | foreach my $k (keys %$option_properties) { | |
178 | next if !defined($param->{$k}); | |
179 | $hostfw_conf->{options}->{$k} = $param->{$k}; | |
180 | } | |
181 | ||
182 | PVE::Firewall::save_hostfw_conf($hostfw_conf); | |
183 | ||
184 | return undef; | |
185 | }}); | |
186 | ||
a959126d DM |
187 | __PACKAGE__->register_method({ |
188 | name => 'log', | |
189 | path => 'log', | |
190 | method => 'GET', | |
191 | description => "Read firewall log", | |
192 | proxyto => 'node', | |
193 | permissions => { | |
194 | check => ['perm', '/nodes/{node}', [ 'Sys.Syslog' ]], | |
195 | }, | |
196 | protected => 1, | |
197 | parameters => { | |
198 | additionalProperties => 0, | |
199 | properties => { | |
200 | node => get_standard_option('pve-node'), | |
201 | start => { | |
202 | type => 'integer', | |
203 | minimum => 0, | |
204 | optional => 1, | |
205 | }, | |
206 | limit => { | |
207 | type => 'integer', | |
208 | minimum => 0, | |
209 | optional => 1, | |
210 | }, | |
211 | }, | |
212 | }, | |
213 | returns => { | |
214 | type => 'array', | |
215 | items => { | |
216 | type => "object", | |
217 | properties => { | |
218 | n => { | |
219 | description=> "Line number", | |
220 | type=> 'integer', | |
221 | }, | |
222 | t => { | |
223 | description=> "Line text", | |
224 | type => 'string', | |
225 | } | |
226 | } | |
227 | } | |
228 | }, | |
229 | code => sub { | |
230 | my ($param) = @_; | |
231 | ||
232 | my $rpcenv = PVE::RPCEnvironment::get(); | |
233 | my $user = $rpcenv->get_user(); | |
234 | my $node = $param->{node}; | |
235 | ||
236 | my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", $param->{start}, $param->{limit}); | |
237 | ||
238 | $rpcenv->set_result_attrib('total', $count); | |
239 | ||
240 | return $lines; | |
241 | }}); | |
242 | ||
8b27beb9 | 243 | 1; |