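package PVE::API2::Firewall::IPSetBase;

# Base REST handler for the entries of one named IPSet.
#
# Subclasses provide the storage backend by overriding lock_config(),
# load_config(), save_config() and rule_env(). This package registers the API
# methods (list/delete the set, create/read/update/delete one entry) on top
# of those hooks.
#
# Review notes on what the handlers below do and do not check:
#  - every modifying handler re-loads the config inside lock_config(), so the
#    read-modify-write cycle happens under the lock;
#  - update_ip and remove_ip compare the caller's 'digest' against the current
#    list via assert_if_modified(); create_ip and delete_ipset take no digest;
#  - read handlers use rules_audit_permissions(), modifying handlers use
#    rules_modify_permissions(); both are evaluated once, at registration
#    time, with the subclass' rule_env().

use strict;
use warnings;
use PVE::Exception qw(raise raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

# NOTE(review): PVE::Tools::assert_if_modified() is called below, but this
# file has no `use PVE::Tools;` - presumably one of the modules above loads
# it; confirm.

# Parameter schemas shared by the handlers registered below.
my $api_properties = {
    cidr => {
        description => "Network/IP specification in CIDR format.",
        type => 'string', format => 'IPorCIDRorAlias',
    },
    name => get_standard_option('ipset-name'),
    # NOTE(review): free-form string with no length or pattern constraint in
    # this schema. The value is handed to save_config() as part of the entry;
    # confirm the config writer escapes or rejects newlines and control
    # characters.
    comment => {
        type => 'string',
        optional => 1,
    },
    nomatch => {
        type => 'boolean',
        optional => 1,
    },
};

# Abstract hook: run $code (called with $param) while holding the lock that
# protects the firewall config selected by $param. register_update_ip() uses
# the return value of this call as the result of $code, so implementations
# are expected to pass it through.
sub lock_config {
    my ($class, $param, $code) = @_;

    die "implement this in subclass";
}

# Abstract hook: load the config selected by $param.
# Expected to return the list ($cluster_conf, $fw_conf, $ipset).
sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($cluster_conf, $fw_conf, $ipset);
}

# Abstract hook: persist $fw_conf for the object selected by $param.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    die "implement this in subclass";
}

# Abstract hook: return the rule environment name that is passed to the
# PVE::Firewall::rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    die "implement this in subclass";
}

# Store $ipset under $param->{name} in $fw_conf (or remove that key when
# $ipset is undef) and persist the result through save_config().
# Returns whatever save_config() returns.
sub save_ipset {
    my ($class, $param, $fw_conf, $ipset) = @_;

    if (!defined($ipset)) {
        delete $fw_conf->{ipset}->{$param->{name}};
    } else {
        $fw_conf->{ipset}->{$param->{name}} = $ipset;
    }

    return $class->save_config($param, $fw_conf);
}

# Per-class registry of extra API parameters, keyed by class name.
my $additional_param_hash = {};

# Getter/setter for the extra parameter schema of $class.
# With $new_value the stored schema is replaced first. Always returns a
# shallow copy, so callers may add keys without changing the registry.
sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
        $additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

# Register GET '' : list all entries of the IPSet, each with a digest.
sub register_get_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};

    $class->register_method({
        name => 'get_ipset',
        path => '',
        method => 'GET',
        description => "List IPSet content",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => {
            type => 'array',
            items => {
                type => "object",
                properties => {
                    cidr => {
                        type => 'string',
                    },
                    comment => {
                        type => 'string',
                        optional => 1,
                    },
                    nomatch => {
                        type => 'boolean',
                        optional => 1,
                    },
                    digest => get_standard_option('pve-config-digest', { optional => 0} ),
                },
            },
            links => [ { rel => 'child', href => "{cidr}" } ],
        },
        code => sub {
            my ($param) = @_;

            my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

            return PVE::Firewall::copy_list_with_digest($ipset);
        }});
}

# Register DELETE '' : remove the whole IPSet.
# A non-empty set is only removed when 'force' is set. No digest is taken,
# so there is no check that the caller saw the current content.
sub register_delete_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = get_standard_option('ipset-name');
    $properties->{force} = {
        type => 'boolean',
        optional => 1,
        description => 'Delete all members of the IPSet, if there are any.',
    };

    $class->register_method({
        name => 'delete_ipset',
        path => '',
        method => 'DELETE',
        description => "Delete IPSet",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => 'null' },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

                die "IPSet '$param->{name}' is not empty\n"
                    if scalar(@$ipset) && !$param->{force};

                # undef tells save_ipset() to drop the key
                $class->save_ipset($param, $fw_conf, undef);

            });

            return undef;
        }});
}

# Register POST '' : add one IP, network or alias reference to the IPSet.
sub register_create_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};

    $class->register_method({
        name => 'create_ip',
        path => '',
        method => 'POST',
        description => "Add IP or Network to IPSet.",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

                my $cidr = $param->{cidr};
                # Anchored with \A...\z rather than ^...$: '$' also matches
                # before a trailing newline, so the stored value could differ
                # from the alias that was resolved. The schema format check
                # presumably rejects such input already; this keeps the
                # handler strict on its own.
                if ($cidr =~ m@\A(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})\z@) {
                    my $scope = $1 // "";
                    my $alias = $2;
                    # make sure alias exists (if $cidr is an alias)
                    PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
                } else {
                    $cidr = PVE::Firewall::clean_cidr($cidr);
                    # normalize like config parser, otherwise duplicates might slip through
                    $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
                }

                foreach my $entry (@$ipset) {
                    raise_param_exc({ cidr => "address '$cidr' already exists" })
                        if $entry->{cidr} eq $cidr;
                }

                raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
                    if $cidr =~ m!/0+$!;

                my $data = { cidr => $cidr };

                $data->{nomatch} = 1 if $param->{nomatch};
                # defined+length instead of plain truthiness, so a comment of
                # "0" is kept (update_ip stores it as well)
                $data->{comment} = $param->{comment}
                    if defined($param->{comment}) && length($param->{comment});

                # new entries go to the front of the list
                unshift @$ipset, $data;

                $class->save_ipset($param, $fw_conf, $ipset);

            });

            return undef;
        }});
}

# Register GET '{cidr}' : return one entry (with digest) or raise a
# parameter exception when it does not exist.
sub register_read_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};

    $class->register_method({
        name => 'read_ip',
        path => '{cidr}',
        method => 'GET',
        description => "Read IP or Network settings from IPSet.",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        # NOTE(review): the other read handler (get_ipset) is registered
        # without 'protected'; confirm this one needs it.
        protected => 1,
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "object" },
        code => sub {
            my ($param) = @_;

            my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

            my $list = PVE::Firewall::copy_list_with_digest($ipset);

            # plain string comparison: the parameter is not normalized the
            # way create_ip normalizes it before storing
            foreach my $entry (@$list) {
                if ($entry->{cidr} eq $param->{cidr}) {
                    return $entry;
                }
            }

            raise_param_exc({ cidr => "no such IP/Network" });
        }});
}

# Register PUT '{cidr}' : replace 'nomatch' and 'comment' of one entry.
# Both fields are overwritten with the given values, including undef when a
# parameter is omitted.
sub register_update_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};
    $properties->{digest} = get_standard_option('pve-config-digest');

    $class->register_method({
        name => 'update_ip',
        path => '{cidr}',
        method => 'PUT',
        description => "Update IP or Network settings",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            # the closure's 1/0 result comes back through lock_config()
            my $found = $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

                # optimistic concurrency check against the caller's digest
                my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
                PVE::Tools::assert_if_modified($digest, $param->{digest});

                foreach my $entry (@$ipset) {
                    if($entry->{cidr} eq $param->{cidr}) {
                        $entry->{nomatch} = $param->{nomatch};
                        $entry->{comment} = $param->{comment};
                        $class->save_ipset($param, $fw_conf, $ipset);
                        return 1;
                    }
                }

                return 0;
            });

            return if $found;

            raise_param_exc({ cidr => "no such IP/Network" });
        }});
}

# Register DELETE '{cidr}' : remove one entry from the IPSet.
# Unlike read_ip/update_ip this raises no error when the entry is missing;
# the (unchanged) list is saved again in that case.
sub register_delete_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{digest} = get_standard_option('pve-config-digest');

    $class->register_method({
        name => 'remove_ip',
        path => '{cidr}',
        method => 'DELETE',
        description => "Remove IP or Network from IPSet.",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);

                # optimistic concurrency check against the caller's digest
                my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
                PVE::Tools::assert_if_modified($digest, $param->{digest});

                my $new = [];

                foreach my $entry (@$ipset) {
                    push @$new, $entry if $entry->{cidr} ne $param->{cidr};
                }

                $class->save_ipset($param, $fw_conf, $new);
            });

            return undef;
        }});
}

# Register every handler defined above on $class.
sub register_handlers {
    my ($class) = @_;

    $class->register_delete_ipset();
    $class->register_get_ipset();
    $class->register_create_ip();
    $class->register_read_ip();
    $class->register_update_ip();
    $class->register_delete_ip();
}
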
package PVE::API2::Firewall::ClusterIPset;

# IPSet entry handlers backed by the cluster-wide firewall config.

use strict;
use warnings;

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code->($param) under the cluster firewall config lock and hand back
# what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster firewall config and look up the IPSet $param->{name}.
# Dies when no such IPSet exists. The first element of the returned list is
# undef: the cluster config itself is returned in the $fw_conf slot.
sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset)
        or die "no such IPSet '$param->{name}'\n";

    return (undef, $fw_conf, $ipset);
}

# Write $fw_conf back as the cluster firewall config.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::VMIPset;

# IPSet entry handlers backed by the firewall config of one VM.
#
# Lock, load and save are all keyed by $param->{vmid}. The 'node' parameter
# is declared below but not read anywhere in this package.

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Extra API parameters that every handler of this class accepts.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code->($param) under the firewall config lock of the guest and hand
# back what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the VM's firewall config, then look up the
# IPSet $param->{name}. Dies when no such IPSet exists.
# Returns ($cluster_conf, $fw_conf, $ipset).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset)
        or die "no such IPSet '$param->{name}'\n";

    return ($cluster_conf, $fw_conf, $ipset);
}

# Write $fw_conf back as the firewall config of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::CTIPset;

# IPSet entry handlers backed by the firewall config of one container.
#
# Lock, load and save are all keyed by $param->{vmid}. The 'node' parameter
# is declared below but not read anywhere in this package.

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Extra API parameters that every handler of this class accepts.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code->($param) under the firewall config lock of the guest and hand
# back what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the container's firewall config, then look up
# the IPSet $param->{name}. Dies when no such IPSet exists.
# Returns ($cluster_conf, $fw_conf, $ipset).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    defined($ipset)
        or die "no such IPSet '$param->{name}'\n";

    return ($cluster_conf, $fw_conf, $ipset);
}

# Write $fw_conf back as the firewall config of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::BaseIPSetList;

# Base REST handler for the collection of IPSets in one firewall config:
# list the sets, and create or rename a set.
#
# Subclasses provide the storage backend by overriding lock_config(),
# load_config(), save_config() and rule_env().
#
# NOTE(review): PVE::Tools::assert_if_modified() is called below, but this
# package has no `use PVE::Tools;` - presumably another module loads it;
# confirm.

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise_param_exc);
use PVE::Firewall;

use base qw(PVE::RESTHandler);

# Abstract hook: run $code (called with $param) while holding the lock that
# protects the firewall config selected by $param.
sub lock_config {
    my ($class, $param, $code) = @_;

    die "implement this in subclass";
}

# Abstract hook: load the config selected by $param.
# Expected to return the list ($cluster_conf, $fw_conf).
sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($cluster_conf, $fw_conf);
}

# Abstract hook: persist $fw_conf for the object selected by $param.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    die "implement this in subclass";
}

# Abstract hook: return the rule environment name that is passed to the
# PVE::Firewall::rules_*_permissions() helpers.
sub rule_env {
    my ($class, $param) = @_;

    die "implement this in subclass";
}

# Per-class registry of extra API parameters, keyed by class name.
my $additional_param_hash_list = {};

# Getter/setter for the extra parameter schema of $class.
# With $new_value the stored schema is replaced first. Always returns a
# shallow copy, so callers may add keys without changing the registry.
sub additional_parameters {
    my ($class, $new_value) = @_;

    $additional_param_hash_list->{$class} = $new_value
        if defined($new_value);

    # return a copy
    my $org = $additional_param_hash_list->{$class} || {};
    return { %$org };
}

# Build the list of IPSets in $fw_conf, sorted by name, each with its comment
# when a non-empty one is stored.
# List context: ($list, $digest); scalar context: $list only.
my $get_ipset_list = sub {
    my ($fw_conf) = @_;

    my @entries = map {
        my $comment = $fw_conf->{ipset_comments}->{$_};
        $comment ? +{ name => $_, comment => $comment } : +{ name => $_ };
    } sort keys %{$fw_conf->{ipset}};

    my ($list, $digest) = PVE::Firewall::copy_list_with_digest(\@entries);

    return wantarray ? ($list, $digest) : $list;
};

# Register GET '' : list the IPSets of the config, each with a digest.
sub register_index {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $class->register_method({
        name => 'ipset_index',
        path => '',
        method => 'GET',
        description => "List IPSets",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => {
            type => 'array',
            items => {
                type => "object",
                properties => {
                    name => get_standard_option('ipset-name'),
                    digest => get_standard_option('pve-config-digest', { optional => 0} ),
                    comment => {
                        type => 'string',
                        optional => 1,
                    }
                },
            },
            links => [ { rel => 'child', href => "{name}" } ],
        },
        code => sub {
            my ($param) = @_;

            my ($cluster_conf, $fw_conf) = $class->load_config($param);

            return $get_ipset_list->($fw_conf);
        }});
}

# Register POST '' : create an empty IPSet, or rename an existing one when
# 'rename' is given.
#
# Review notes:
#  - the digest is only checked on the rename path; plain creation takes the
#    lock but does no digest comparison;
#  - renaming moves the 'ipset' and 'ipset_comments' entries only. Nothing in
#    this handler rewrites other references to the old name - NOTE(review):
#    confirm what happens to rules that still refer to it;
#  - the "does not exist" error for a bad 'rename' value is reported under
#    the 'name' key.
sub register_create {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = get_standard_option('ipset-name');

    # NOTE(review): free-form string with no length or pattern constraint;
    # it is stored in the config under ipset_comments - confirm the config
    # writer escapes or rejects newlines and control characters.
    $properties->{comment} = { type => 'string', optional => 1 };

    $properties->{digest} = get_standard_option('pve-config-digest');

    $properties->{rename} = get_standard_option('ipset-name', {
        description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
        optional => 1 });

    $class->register_method({
        name => 'create_ipset',
        path => '',
        method => 'POST',
        description => "Create new IPSet",
        protected => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
        returns => { type => 'null' },
        code => sub {
            my ($param) = @_;

            $class->lock_config($param, sub {
                my ($param) = @_;

                my ($cluster_conf, $fw_conf) = $class->load_config($param);

                if ($param->{rename}) {
                    # optimistic concurrency check against the caller's digest
                    my (undef, $digest) = $get_ipset_list->($fw_conf);
                    PVE::Tools::assert_if_modified($digest, $param->{digest});

                    if (!$fw_conf->{ipset}->{$param->{rename}}) {
                        raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" });
                    }

                    # prevent overwriting existing ipset
                    if ($fw_conf->{ipset}->{$param->{name}} && $param->{name} ne $param->{rename}) {
                        raise_param_exc({ name => "IPSet '$param->{name}' does already exist"});
                    }

                    # move the set, then its comment, to the new key
                    my $data = delete $fw_conf->{ipset}->{$param->{rename}};
                    $fw_conf->{ipset}->{$param->{name}} = $data;
                    if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
                        $fw_conf->{ipset_comments}->{$param->{name}} = $comment;
                    }
                    # an explicitly given comment wins over the moved one
                    if (defined($param->{comment})) {
                        $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment};
                    }
                } else {
                    foreach my $name (grep { $_ eq $param->{name} } keys %{$fw_conf->{ipset}}) {
                        raise_param_exc({ name => "IPSet '$name' already exists" });
                    }

                    $fw_conf->{ipset}->{$param->{name}} = [];
                    if (defined($param->{comment})) {
                        $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment};
                    }
                }

                $class->save_config($param, $fw_conf);
            });

            return undef;
        }});
}

# Register the index and create handlers on $class.
sub register_handlers {
    my ($class) = @_;

    $class->register_index();
    $class->register_create();
}

package PVE::API2::Firewall::ClusterIPSetList;

# IPSet collection handlers backed by the cluster-wide firewall config.

use strict;
use warnings;
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code->($param) under the cluster firewall config lock and hand back
# what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster firewall config. The first element of the returned list
# is undef: the cluster config itself is returned in the $fw_conf slot.
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

    return (undef, $cluster_conf);
}

# Write $fw_conf back as the cluster firewall config.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is dispatched to the per-IPSet handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPset",
    path => '{name}',
    # set fragment delimiter (no subdirs) - we need that, because CIDR
    # addresses contain a slash '/'
    fragmentDelimiter => '',
});

package PVE::API2::Firewall::VMIPSetList;

# IPSet collection handlers backed by the firewall config of one VM.
#
# Lock, load and save are all keyed by $param->{vmid}. The 'node' parameter
# is declared below but not read anywhere in this package.

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Extra API parameters that every handler of this class accepts.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Run $code->($param) under the firewall config lock of the guest and hand
# back what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the VM's firewall config.
# Returns ($cluster_conf, $fw_conf).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});

    return ($cluster_conf, $fw_conf);
}

# Write $fw_conf back as the firewall config of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is dispatched to the per-IPSet handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMIPset",
    path => '{name}',
    # set fragment delimiter (no subdirs) - we need that, because CIDR
    # addresses contain a slash '/'
    fragmentDelimiter => '',
});

package PVE::API2::Firewall::CTIPSetList;

# IPSet collection handlers backed by the firewall config of one container.
#
# Lock, load and save are all keyed by $param->{vmid}. The 'node' parameter
# is declared below but not read anywhere in this package.

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Extra API parameters that every handler of this class accepts.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Rule environment used for the permission checks of this class.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Run $code->($param) under the firewall config lock of the guest and hand
# back what the lock helper returns. The literal 10 is passed through as-is
# (presumably a timeout in seconds - confirm in PVE::Firewall).
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster config and the container's firewall config.
# Returns ($cluster_conf, $fw_conf).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});

    return ($cluster_conf, $fw_conf);
}

# Write $fw_conf back as the firewall config of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is dispatched to the per-IPSet handler class.
__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTIPset",
    path => '{name}',
    # set fragment delimiter (no subdirs) - we need that, because CIDR
    # addresses contain a slash '/'
    fragmentDelimiter => '',
});

# a module file must end with a true value
1;