]>
Commit | Line | Data |
---|---|---|
009ee3ac DM |
1 | package PVE::API2::Firewall::IPSetBase; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
4a11bba5 | 5 | use PVE::Exception qw(raise raise_param_exc); |
009ee3ac DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
9 | ||
10 | use base qw(PVE::RESTHandler); | |
11 | ||
75a12a9d | 12 | my $api_properties = { |
009ee3ac DM |
13 | cidr => { |
14 | description => "Network/IP specification in CIDR format.", | |
ae029a88 | 15 | type => 'string', format => 'IPorCIDRorAlias', |
009ee3ac | 16 | }, |
e74a87f5 | 17 | name => get_standard_option('ipset-name'), |
009ee3ac DM |
18 | comment => { |
19 | type => 'string', | |
20 | optional => 1, | |
21 | }, | |
22 | nomatch => { | |
23 | type => 'boolean', | |
24 | optional => 1, | |
25 | }, | |
26 | }; | |
27 | ||
05496017 FG |
28 | sub lock_config { |
29 | my ($class, $param, $code) = @_; | |
30 | ||
31 | die "implement this in subclass"; | |
32 | } | |
33 | ||
009ee3ac DM |
34 | sub load_config { |
35 | my ($class, $param) = @_; | |
36 | ||
37 | die "implement this in subclass"; | |
1210ae94 DM |
38 | |
39 | #return ($cluster_conf, $fw_conf, $ipset); | |
009ee3ac DM |
40 | } |
41 | ||
1210ae94 DM |
42 | sub save_config { |
43 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac DM |
44 | |
45 | die "implement this in subclass"; | |
46 | } | |
47 | ||
9f6845cf DM |
48 | sub rule_env { |
49 | my ($class, $param) = @_; | |
75a12a9d | 50 | |
9f6845cf DM |
51 | die "implement this in subclass"; |
52 | } | |
53 | ||
1210ae94 DM |
54 | sub save_ipset { |
55 | my ($class, $param, $fw_conf, $ipset) = @_; | |
56 | ||
57 | if (!defined($ipset)) { | |
58 | delete $fw_conf->{ipset}->{$param->{name}}; | |
59 | } else { | |
60 | $fw_conf->{ipset}->{$param->{name}} = $ipset; | |
61 | } | |
62 | ||
63 | $class->save_config($param, $fw_conf); | |
64 | } | |
65 | ||
009ee3ac DM |
66 | my $additional_param_hash = {}; |
67 | ||
68 | sub additional_parameters { | |
69 | my ($class, $new_value) = @_; | |
70 | ||
71 | if (defined($new_value)) { | |
72 | $additional_param_hash->{$class} = $new_value; | |
73 | } | |
74 | ||
75 | # return a copy | |
76 | my $copy = {}; | |
77 | my $org = $additional_param_hash->{$class} || {}; | |
78 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
79 | return $copy; | |
80 | } | |
81 | ||
82 | sub register_get_ipset { | |
83 | my ($class) = @_; | |
84 | ||
85 | my $properties = $class->additional_parameters(); | |
86 | ||
87 | $properties->{name} = $api_properties->{name}; | |
88 | ||
89 | $class->register_method({ | |
90 | name => 'get_ipset', | |
91 | path => '', | |
92 | method => 'GET', | |
93 | description => "List IPSet content", | |
9f6845cf | 94 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
009ee3ac DM |
95 | parameters => { |
96 | additionalProperties => 0, | |
97 | properties => $properties, | |
98 | }, | |
99 | returns => { | |
100 | type => 'array', | |
101 | items => { | |
102 | type => "object", | |
103 | properties => { | |
104 | cidr => { | |
105 | type => 'string', | |
106 | }, | |
107 | comment => { | |
108 | type => 'string', | |
109 | optional => 1, | |
110 | }, | |
111 | nomatch => { | |
112 | type => 'boolean', | |
113 | optional => 1, | |
d72c631c | 114 | }, |
75a12a9d | 115 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
009ee3ac DM |
116 | }, |
117 | }, | |
118 | links => [ { rel => 'child', href => "{cidr}" } ], | |
119 | }, | |
120 | code => sub { | |
121 | my ($param) = @_; | |
122 | ||
1210ae94 | 123 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
009ee3ac | 124 | |
5d38d64f | 125 | return PVE::Firewall::copy_list_with_digest($ipset); |
009ee3ac DM |
126 | }}); |
127 | } | |
128 | ||
1210ae94 DM |
129 | sub register_delete_ipset { |
130 | my ($class) = @_; | |
131 | ||
132 | my $properties = $class->additional_parameters(); | |
133 | ||
134 | $properties->{name} = get_standard_option('ipset-name'); | |
5e3c0cf8 LN |
135 | $properties->{force} = { |
136 | type => 'boolean', | |
137 | optional => 1, | |
138 | description => 'Delete all members of the IPSet, if there are any.', | |
139 | }; | |
1210ae94 DM |
140 | |
141 | $class->register_method({ | |
142 | name => 'delete_ipset', | |
143 | path => '', | |
144 | method => 'DELETE', | |
145 | description => "Delete IPSet", | |
146 | protected => 1, | |
9f6845cf | 147 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
1210ae94 DM |
148 | parameters => { |
149 | additionalProperties => 0, | |
150 | properties => $properties, | |
151 | }, | |
152 | returns => { type => 'null' }, | |
153 | code => sub { | |
154 | my ($param) = @_; | |
75a12a9d | 155 | |
a38849e6 FG |
156 | $class->lock_config($param, sub { |
157 | my ($param) = @_; | |
158 | ||
159 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
1210ae94 | 160 | |
a38849e6 | 161 | die "IPSet '$param->{name}' is not empty\n" |
5e3c0cf8 | 162 | if scalar(@$ipset) && !$param->{force}; |
1210ae94 | 163 | |
a38849e6 FG |
164 | $class->save_ipset($param, $fw_conf, undef); |
165 | ||
166 | }); | |
1210ae94 DM |
167 | |
168 | return undef; | |
169 | }}); | |
170 | } | |
171 | ||
a33c74f6 | 172 | sub register_create_ip { |
009ee3ac DM |
173 | my ($class) = @_; |
174 | ||
175 | my $properties = $class->additional_parameters(); | |
176 | ||
177 | $properties->{name} = $api_properties->{name}; | |
178 | $properties->{cidr} = $api_properties->{cidr}; | |
179 | $properties->{nomatch} = $api_properties->{nomatch}; | |
180 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c | 181 | |
009ee3ac | 182 | $class->register_method({ |
a33c74f6 | 183 | name => 'create_ip', |
009ee3ac DM |
184 | path => '', |
185 | method => 'POST', | |
186 | description => "Add IP or Network to IPSet.", | |
187 | protected => 1, | |
9f6845cf | 188 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
189 | parameters => { |
190 | additionalProperties => 0, | |
191 | properties => $properties, | |
192 | }, | |
193 | returns => { type => "null" }, | |
194 | code => sub { | |
195 | my ($param) = @_; | |
196 | ||
a38849e6 FG |
197 | $class->lock_config($param, sub { |
198 | my ($param) = @_; | |
009ee3ac | 199 | |
a38849e6 | 200 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
75a12a9d | 201 | |
eeed0d90 | 202 | my $cidr = $param->{cidr}; |
5bf304b5 | 203 | if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) { |
eeed0d90 LN |
204 | my $scope = $1 // ""; |
205 | my $alias = $2; | |
891545e8 | 206 | # make sure alias exists (if $cidr is an alias) |
eeed0d90 | 207 | PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope); |
891545e8 | 208 | } else { |
eeed0d90 | 209 | $cidr = PVE::Firewall::clean_cidr($cidr); |
891545e8 FG |
210 | # normalize like config parser, otherwise duplicates might slip through |
211 | $cidr = PVE::Firewall::parse_ip_or_cidr($cidr); | |
212 | } | |
a38849e6 FG |
213 | |
214 | foreach my $entry (@$ipset) { | |
215 | raise_param_exc({ cidr => "address '$cidr' already exists" }) | |
216 | if $entry->{cidr} eq $cidr; | |
217 | } | |
218 | ||
219 | raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" }) | |
220 | if $cidr =~ m!/0+$!; | |
4a11bba5 | 221 | |
1b36f6ec | 222 | |
a38849e6 | 223 | my $data = { cidr => $cidr }; |
7c619bbb | 224 | |
a38849e6 FG |
225 | $data->{nomatch} = 1 if $param->{nomatch}; |
226 | $data->{comment} = $param->{comment} if $param->{comment}; | |
7c619bbb | 227 | |
a38849e6 | 228 | unshift @$ipset, $data; |
009ee3ac | 229 | |
a38849e6 | 230 | $class->save_ipset($param, $fw_conf, $ipset); |
009ee3ac | 231 | |
a38849e6 | 232 | }); |
009ee3ac DM |
233 | |
234 | return undef; | |
235 | }}); | |
236 | } | |
237 | ||
a33c74f6 DM |
238 | sub register_read_ip { |
239 | my ($class) = @_; | |
240 | ||
241 | my $properties = $class->additional_parameters(); | |
242 | ||
243 | $properties->{name} = $api_properties->{name}; | |
244 | $properties->{cidr} = $api_properties->{cidr}; | |
75a12a9d | 245 | |
a33c74f6 DM |
246 | $class->register_method({ |
247 | name => 'read_ip', | |
248 | path => '{cidr}', | |
249 | method => 'GET', | |
250 | description => "Read IP or Network settings from IPSet.", | |
9f6845cf | 251 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
a33c74f6 DM |
252 | protected => 1, |
253 | parameters => { | |
254 | additionalProperties => 0, | |
255 | properties => $properties, | |
256 | }, | |
257 | returns => { type => "object" }, | |
258 | code => sub { | |
259 | my ($param) = @_; | |
260 | ||
1210ae94 | 261 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
a33c74f6 | 262 | |
5d38d64f DM |
263 | my $list = PVE::Firewall::copy_list_with_digest($ipset); |
264 | ||
265 | foreach my $entry (@$list) { | |
d72c631c | 266 | if ($entry->{cidr} eq $param->{cidr}) { |
d72c631c DM |
267 | return $entry; |
268 | } | |
a33c74f6 DM |
269 | } |
270 | ||
271 | raise_param_exc({ cidr => "no such IP/Network" }); | |
272 | }}); | |
273 | } | |
274 | ||
275 | sub register_update_ip { | |
276 | my ($class) = @_; | |
277 | ||
278 | my $properties = $class->additional_parameters(); | |
279 | ||
280 | $properties->{name} = $api_properties->{name}; | |
281 | $properties->{cidr} = $api_properties->{cidr}; | |
282 | $properties->{nomatch} = $api_properties->{nomatch}; | |
283 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c DM |
284 | $properties->{digest} = get_standard_option('pve-config-digest'); |
285 | ||
a33c74f6 DM |
286 | $class->register_method({ |
287 | name => 'update_ip', | |
288 | path => '{cidr}', | |
289 | method => 'PUT', | |
290 | description => "Update IP or Network settings", | |
291 | protected => 1, | |
9f6845cf | 292 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
a33c74f6 DM |
293 | parameters => { |
294 | additionalProperties => 0, | |
295 | properties => $properties, | |
296 | }, | |
297 | returns => { type => "null" }, | |
298 | code => sub { | |
299 | my ($param) = @_; | |
300 | ||
a38849e6 FG |
301 | my $found = $class->lock_config($param, sub { |
302 | my ($param) = @_; | |
303 | ||
304 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
a33c74f6 | 305 | |
a38849e6 FG |
306 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
307 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
d72c631c | 308 | |
a38849e6 FG |
309 | foreach my $entry (@$ipset) { |
310 | if($entry->{cidr} eq $param->{cidr}) { | |
311 | $entry->{nomatch} = $param->{nomatch}; | |
312 | $entry->{comment} = $param->{comment}; | |
313 | $class->save_ipset($param, $fw_conf, $ipset); | |
314 | return 1; | |
315 | } | |
a33c74f6 | 316 | } |
a38849e6 FG |
317 | |
318 | return 0; | |
319 | }); | |
320 | ||
321 | return if $found; | |
a33c74f6 DM |
322 | |
323 | raise_param_exc({ cidr => "no such IP/Network" }); | |
324 | }}); | |
325 | } | |
326 | ||
327 | sub register_delete_ip { | |
009ee3ac DM |
328 | my ($class) = @_; |
329 | ||
330 | my $properties = $class->additional_parameters(); | |
331 | ||
332 | $properties->{name} = $api_properties->{name}; | |
333 | $properties->{cidr} = $api_properties->{cidr}; | |
d72c631c DM |
334 | $properties->{digest} = get_standard_option('pve-config-digest'); |
335 | ||
009ee3ac DM |
336 | $class->register_method({ |
337 | name => 'remove_ip', | |
338 | path => '{cidr}', | |
339 | method => 'DELETE', | |
340 | description => "Remove IP or Network from IPSet.", | |
341 | protected => 1, | |
9f6845cf | 342 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
343 | parameters => { |
344 | additionalProperties => 0, | |
345 | properties => $properties, | |
346 | }, | |
347 | returns => { type => "null" }, | |
348 | code => sub { | |
349 | my ($param) = @_; | |
350 | ||
a38849e6 FG |
351 | $class->lock_config($param, sub { |
352 | my ($param) = @_; | |
009ee3ac | 353 | |
a38849e6 | 354 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
d72c631c | 355 | |
a38849e6 FG |
356 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
357 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
75a12a9d | 358 | |
a38849e6 | 359 | my $new = []; |
009ee3ac | 360 | |
a38849e6 FG |
361 | foreach my $entry (@$ipset) { |
362 | push @$new, $entry if $entry->{cidr} ne $param->{cidr}; | |
363 | } | |
364 | ||
365 | $class->save_ipset($param, $fw_conf, $new); | |
366 | }); | |
75a12a9d | 367 | |
009ee3ac DM |
368 | return undef; |
369 | }}); | |
370 | } | |
371 | ||
372 | sub register_handlers { | |
373 | my ($class) = @_; | |
374 | ||
1210ae94 | 375 | $class->register_delete_ipset(); |
009ee3ac | 376 | $class->register_get_ipset(); |
a33c74f6 DM |
377 | $class->register_create_ip(); |
378 | $class->register_read_ip(); | |
379 | $class->register_update_ip(); | |
380 | $class->register_delete_ip(); | |
009ee3ac DM |
381 | } |
382 | ||
383 | package PVE::API2::Firewall::ClusterIPset; | |
384 | ||
385 | use strict; | |
386 | use warnings; | |
387 | ||
388 | use base qw(PVE::API2::Firewall::IPSetBase); | |
389 | ||
9f6845cf DM |
390 | sub rule_env { |
391 | my ($class, $param) = @_; | |
75a12a9d | 392 | |
9f6845cf DM |
393 | return 'cluster'; |
394 | } | |
395 | ||
05496017 FG |
396 | sub lock_config { |
397 | my ($class, $param, $code) = @_; | |
398 | ||
399 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
400 | } | |
401 | ||
009ee3ac DM |
402 | sub load_config { |
403 | my ($class, $param) = @_; | |
404 | ||
405 | my $fw_conf = PVE::Firewall::load_clusterfw_conf(); | |
406 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
407 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
408 | ||
1210ae94 | 409 | return (undef, $fw_conf, $ipset); |
009ee3ac DM |
410 | } |
411 | ||
1210ae94 DM |
412 | sub save_config { |
413 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac | 414 | |
009ee3ac DM |
415 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
416 | } | |
417 | ||
418 | __PACKAGE__->register_handlers(); | |
419 | ||
1210ae94 DM |
420 | package PVE::API2::Firewall::VMIPset; |
421 | ||
422 | use strict; | |
423 | use warnings; | |
424 | use PVE::JSONSchema qw(get_standard_option); | |
425 | ||
426 | use base qw(PVE::API2::Firewall::IPSetBase); | |
427 | ||
9f6845cf DM |
428 | sub rule_env { |
429 | my ($class, $param) = @_; | |
75a12a9d | 430 | |
9f6845cf DM |
431 | return 'vm'; |
432 | } | |
433 | ||
75a12a9d | 434 | __PACKAGE__->additional_parameters({ |
1210ae94 | 435 | node => get_standard_option('pve-node'), |
75a12a9d | 436 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
437 | }); |
438 | ||
05496017 FG |
439 | sub lock_config { |
440 | my ($class, $param, $code) = @_; | |
441 | ||
442 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
443 | } | |
444 | ||
1210ae94 DM |
445 | sub load_config { |
446 | my ($class, $param) = @_; | |
447 | ||
448 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
449 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
450 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
451 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
452 | ||
453 | return ($cluster_conf, $fw_conf, $ipset); | |
454 | } | |
455 | ||
456 | sub save_config { | |
457 | my ($class, $param, $fw_conf) = @_; | |
458 | ||
459 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
460 | } | |
461 | ||
462 | __PACKAGE__->register_handlers(); | |
463 | ||
464 | package PVE::API2::Firewall::CTIPset; | |
465 | ||
466 | use strict; | |
467 | use warnings; | |
468 | use PVE::JSONSchema qw(get_standard_option); | |
469 | ||
470 | use base qw(PVE::API2::Firewall::IPSetBase); | |
471 | ||
9f6845cf DM |
472 | sub rule_env { |
473 | my ($class, $param) = @_; | |
75a12a9d | 474 | |
9f6845cf DM |
475 | return 'ct'; |
476 | } | |
477 | ||
75a12a9d | 478 | __PACKAGE__->additional_parameters({ |
1210ae94 | 479 | node => get_standard_option('pve-node'), |
75a12a9d | 480 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
481 | }); |
482 | ||
05496017 FG |
483 | sub lock_config { |
484 | my ($class, $param, $code) = @_; | |
485 | ||
486 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
487 | } | |
488 | ||
1210ae94 DM |
489 | sub load_config { |
490 | my ($class, $param) = @_; | |
491 | ||
492 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
493 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
494 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
495 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
496 | ||
497 | return ($cluster_conf, $fw_conf, $ipset); | |
498 | } | |
499 | ||
500 | sub save_config { | |
501 | my ($class, $param, $fw_conf) = @_; | |
502 | ||
503 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
504 | } | |
505 | ||
506 | __PACKAGE__->register_handlers(); | |
507 | ||
c85c87f9 DM |
508 | package PVE::API2::Firewall::BaseIPSetList; |
509 | ||
510 | use strict; | |
511 | use warnings; | |
e74a87f5 | 512 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 | 513 | use PVE::Exception qw(raise_param_exc); |
e74a87f5 | 514 | use PVE::Firewall; |
c85c87f9 DM |
515 | |
516 | use base qw(PVE::RESTHandler); | |
517 | ||
05496017 FG |
518 | sub lock_config { |
519 | my ($class, $param, $code) = @_; | |
520 | ||
521 | die "implement this in subclass"; | |
522 | } | |
523 | ||
1210ae94 DM |
524 | sub load_config { |
525 | my ($class, $param) = @_; | |
75a12a9d | 526 | |
1210ae94 DM |
527 | die "implement this in subclass"; |
528 | ||
529 | #return ($cluster_conf, $fw_conf); | |
530 | } | |
531 | ||
532 | sub save_config { | |
533 | my ($class, $param, $fw_conf) = @_; | |
534 | ||
535 | die "implement this in subclass"; | |
536 | } | |
537 | ||
9f6845cf DM |
538 | sub rule_env { |
539 | my ($class, $param) = @_; | |
75a12a9d | 540 | |
9f6845cf DM |
541 | die "implement this in subclass"; |
542 | } | |
543 | ||
1210ae94 DM |
544 | my $additional_param_hash_list = {}; |
545 | ||
546 | sub additional_parameters { | |
547 | my ($class, $new_value) = @_; | |
548 | ||
549 | if (defined($new_value)) { | |
550 | $additional_param_hash_list->{$class} = $new_value; | |
551 | } | |
552 | ||
553 | # return a copy | |
554 | my $copy = {}; | |
555 | my $org = $additional_param_hash_list->{$class} || {}; | |
556 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
557 | return $copy; | |
558 | } | |
559 | ||
5d38d64f DM |
560 | my $get_ipset_list = sub { |
561 | my ($fw_conf) = @_; | |
562 | ||
563 | my $res = []; | |
53bbbf31 | 564 | foreach my $name (sort keys %{$fw_conf->{ipset}}) { |
75a12a9d | 565 | my $data = { |
5d38d64f DM |
566 | name => $name, |
567 | }; | |
568 | if (my $comment = $fw_conf->{ipset_comments}->{$name}) { | |
569 | $data->{comment} = $comment; | |
570 | } | |
571 | push @$res, $data; | |
572 | } | |
573 | ||
574 | my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res); | |
575 | ||
576 | return wantarray ? ($list, $digest) : $list; | |
577 | }; | |
578 | ||
c85c87f9 DM |
579 | sub register_index { |
580 | my ($class) = @_; | |
581 | ||
1210ae94 DM |
582 | my $properties = $class->additional_parameters(); |
583 | ||
c85c87f9 DM |
584 | $class->register_method({ |
585 | name => 'ipset_index', | |
586 | path => '', | |
587 | method => 'GET', | |
588 | description => "List IPSets", | |
9f6845cf | 589 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
c85c87f9 DM |
590 | parameters => { |
591 | additionalProperties => 0, | |
1210ae94 | 592 | properties => $properties, |
c85c87f9 DM |
593 | }, |
594 | returns => { | |
595 | type => 'array', | |
596 | items => { | |
597 | type => "object", | |
75a12a9d | 598 | properties => { |
e74a87f5 | 599 | name => get_standard_option('ipset-name'), |
d72c631c | 600 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
75a12a9d | 601 | comment => { |
d72c631c DM |
602 | type => 'string', |
603 | optional => 1, | |
604 | } | |
c85c87f9 DM |
605 | }, |
606 | }, | |
607 | links => [ { rel => 'child', href => "{name}" } ], | |
608 | }, | |
609 | code => sub { | |
610 | my ($param) = @_; | |
75a12a9d | 611 | |
1210ae94 | 612 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
c85c87f9 | 613 | |
75a12a9d | 614 | return &$get_ipset_list($fw_conf); |
c85c87f9 DM |
615 | }}); |
616 | } | |
617 | ||
618 | sub register_create { | |
619 | my ($class) = @_; | |
620 | ||
1210ae94 DM |
621 | my $properties = $class->additional_parameters(); |
622 | ||
623 | $properties->{name} = get_standard_option('ipset-name'); | |
624 | ||
625 | $properties->{comment} = { type => 'string', optional => 1 }; | |
626 | ||
627 | $properties->{digest} = get_standard_option('pve-config-digest'); | |
628 | ||
629 | $properties->{rename} = get_standard_option('ipset-name', { | |
630 | description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.", | |
631 | optional => 1 }); | |
632 | ||
c85c87f9 DM |
633 | $class->register_method({ |
634 | name => 'create_ipset', | |
635 | path => '', | |
636 | method => 'POST', | |
637 | description => "Create new IPSet", | |
638 | protected => 1, | |
9f6845cf | 639 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
c85c87f9 DM |
640 | parameters => { |
641 | additionalProperties => 0, | |
1210ae94 | 642 | properties => $properties, |
c85c87f9 DM |
643 | }, |
644 | returns => { type => 'null' }, | |
645 | code => sub { | |
646 | my ($param) = @_; | |
75a12a9d | 647 | |
a38849e6 FG |
648 | $class->lock_config($param, sub { |
649 | my ($param) = @_; | |
c85c87f9 | 650 | |
a38849e6 | 651 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
5d38d64f | 652 | |
a38849e6 FG |
653 | if ($param->{rename}) { |
654 | my (undef, $digest) = &$get_ipset_list($fw_conf); | |
655 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
5d38d64f | 656 | |
a38849e6 FG |
657 | raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" }) |
658 | if !$fw_conf->{ipset}->{$param->{rename}}; | |
5da1a229 | 659 | |
a38849e6 FG |
660 | # prevent overwriting existing ipset |
661 | raise_param_exc({ name => "IPSet '$param->{name}' does already exist"}) | |
662 | if $fw_conf->{ipset}->{$param->{name}} && | |
663 | $param->{name} ne $param->{rename}; | |
5d38d64f | 664 | |
a38849e6 FG |
665 | my $data = delete $fw_conf->{ipset}->{$param->{rename}}; |
666 | $fw_conf->{ipset}->{$param->{name}} = $data; | |
667 | if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) { | |
668 | $fw_conf->{ipset_comments}->{$param->{name}} = $comment; | |
669 | } | |
670 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
671 | } else { | |
672 | foreach my $name (keys %{$fw_conf->{ipset}}) { | |
673 | raise_param_exc({ name => "IPSet '$name' already exists" }) | |
674 | if $name eq $param->{name}; | |
675 | } | |
676 | ||
677 | $fw_conf->{ipset}->{$param->{name}} = []; | |
678 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
679 | } | |
bc374ca7 | 680 | |
a38849e6 FG |
681 | $class->save_config($param, $fw_conf); |
682 | }); | |
c85c87f9 DM |
683 | |
684 | return undef; | |
685 | }}); | |
686 | } | |
687 | ||
1210ae94 | 688 | sub register_handlers { |
c85c87f9 DM |
689 | my ($class) = @_; |
690 | ||
1210ae94 DM |
691 | $class->register_index(); |
692 | $class->register_create(); | |
693 | } | |
c85c87f9 | 694 | |
1210ae94 | 695 | package PVE::API2::Firewall::ClusterIPSetList; |
c85c87f9 | 696 | |
1210ae94 DM |
697 | use strict; |
698 | use warnings; | |
699 | use PVE::Firewall; | |
5d38d64f | 700 | |
1210ae94 DM |
701 | use base qw(PVE::API2::Firewall::BaseIPSetList); |
702 | ||
9f6845cf DM |
703 | sub rule_env { |
704 | my ($class, $param) = @_; | |
75a12a9d | 705 | |
9f6845cf DM |
706 | return 'cluster'; |
707 | } | |
708 | ||
05496017 FG |
709 | sub lock_config { |
710 | my ($class, $param, $code) = @_; | |
711 | ||
712 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
713 | } | |
714 | ||
1210ae94 DM |
715 | sub load_config { |
716 | my ($class, $param) = @_; | |
75a12a9d | 717 | |
1210ae94 DM |
718 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
719 | return (undef, $cluster_conf); | |
720 | } | |
c85c87f9 | 721 | |
1210ae94 DM |
722 | sub save_config { |
723 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 724 | |
1210ae94 DM |
725 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
726 | } | |
c85c87f9 | 727 | |
1210ae94 DM |
728 | __PACKAGE__->register_handlers(); |
729 | ||
730 | __PACKAGE__->register_method ({ | |
75a12a9d | 731 | subclass => "PVE::API2::Firewall::ClusterIPset", |
1210ae94 | 732 | path => '{name}', |
75a12a9d TL |
733 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
734 | fragmentDelimiter => '', | |
1210ae94 DM |
735 | }); |
736 | ||
737 | package PVE::API2::Firewall::VMIPSetList; | |
738 | ||
739 | use strict; | |
740 | use warnings; | |
741 | use PVE::JSONSchema qw(get_standard_option); | |
742 | use PVE::Firewall; | |
743 | ||
744 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
745 | ||
75a12a9d | 746 | __PACKAGE__->additional_parameters({ |
1210ae94 | 747 | node => get_standard_option('pve-node'), |
75a12a9d | 748 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
749 | }); |
750 | ||
9f6845cf DM |
751 | sub rule_env { |
752 | my ($class, $param) = @_; | |
75a12a9d | 753 | |
9f6845cf DM |
754 | return 'vm'; |
755 | } | |
756 | ||
05496017 FG |
757 | sub lock_config { |
758 | my ($class, $param, $code) = @_; | |
759 | ||
760 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
761 | } | |
762 | ||
1210ae94 DM |
763 | sub load_config { |
764 | my ($class, $param) = @_; | |
75a12a9d | 765 | |
1210ae94 DM |
766 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
767 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
768 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
769 | } |
770 | ||
1210ae94 DM |
771 | sub save_config { |
772 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 773 | |
1210ae94 | 774 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
775 | } |
776 | ||
1210ae94 DM |
777 | __PACKAGE__->register_handlers(); |
778 | ||
779 | __PACKAGE__->register_method ({ | |
75a12a9d | 780 | subclass => "PVE::API2::Firewall::VMIPset", |
1210ae94 | 781 | path => '{name}', |
75a12a9d TL |
782 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
783 | fragmentDelimiter => '', | |
1210ae94 DM |
784 | }); |
785 | ||
786 | package PVE::API2::Firewall::CTIPSetList; | |
c85c87f9 DM |
787 | |
788 | use strict; | |
789 | use warnings; | |
1210ae94 | 790 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 DM |
791 | use PVE::Firewall; |
792 | ||
793 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
794 | ||
75a12a9d | 795 | __PACKAGE__->additional_parameters({ |
1210ae94 | 796 | node => get_standard_option('pve-node'), |
75a12a9d | 797 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
798 | }); |
799 | ||
9f6845cf DM |
800 | sub rule_env { |
801 | my ($class, $param) = @_; | |
75a12a9d | 802 | |
9f6845cf DM |
803 | return 'ct'; |
804 | } | |
805 | ||
05496017 FG |
806 | sub lock_config { |
807 | my ($class, $param, $code) = @_; | |
808 | ||
809 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
810 | } | |
811 | ||
c85c87f9 | 812 | sub load_config { |
1210ae94 | 813 | my ($class, $param) = @_; |
75a12a9d | 814 | |
1210ae94 DM |
815 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
816 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
817 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
818 | } |
819 | ||
820 | sub save_config { | |
1210ae94 | 821 | my ($class, $param, $fw_conf) = @_; |
c85c87f9 | 822 | |
1210ae94 | 823 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
824 | } |
825 | ||
826 | __PACKAGE__->register_handlers(); | |
827 | ||
828 | __PACKAGE__->register_method ({ | |
75a12a9d | 829 | subclass => "PVE::API2::Firewall::CTIPset", |
c85c87f9 | 830 | path => '{name}', |
75a12a9d TL |
831 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
832 | fragmentDelimiter => '', | |
c85c87f9 DM |
833 | }); |
834 | ||
009ee3ac | 835 | 1; |