[pve-firewall.git] / src / PVE / API2 / Firewall / IPSet.pm

package PVE::API2::Firewall::IPSetBase;

use strict;
use warnings;
use PVE::Exception qw(raise raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = { 
    cidr => {
	description => "Network/IP specification in CIDR format.",
	type => 'string', format => 'IPv4orCIDR',
    },
    name => get_standard_option('ipset-name'),
    comment => {
	type => 'string',
	optional => 1,
    },
    nomatch => {
	type => 'boolean',
	optional => 1,
    },
};

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};

    $class->register_method({
	name => 'get_ipset',
	path => '',
	method => 'GET',
	description => "List IPSet content",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    cidr => {
			type => 'string',
		    },
		    comment => {
			type => 'string',
			optional => 1,
		    },
		    nomatch => {
			type => 'boolean',
			optional => 1,
		    },			
		},
	    },
	    links => [ { rel => 'child', href => "{cidr}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    return $ipset;
	}});
}

sub register_create_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};
    
    $class->register_method({
	name => 'create_ip',
	path => '',
	method => 'POST',
	description => "Add IP or Network to IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my $cidr = $param->{cidr};
	    
	    foreach my $entry (@$ipset) {
		raise_param_exc({ cidr => "address '$cidr' already exists" }) 
		    if $entry->{cidr} eq $cidr;
	    }

	    my $data = { cidr => $cidr };
	    $data->{nomatch} = 1 if $param->{nomatch};
	    $data->{comment} = $param->{comment} if $param->{comment};

	    unshift @$ipset, $data;

	    $class->save_ipset($param, $fw_conf, $ipset);

	    return undef;
	}});
}

sub register_read_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    
    $class->register_method({
	name => 'read_ip',
	path => '{cidr}',
	method => 'GET',
	description => "Read IP or Network settings from IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "object" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    foreach my $entry (@$ipset) {
		return $entry if $entry->{cidr} eq $param->{cidr};
	    }

	    raise_param_exc({ cidr => "no such IP/Network" });
	}});
}

sub register_update_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};
    
    $class->register_method({
	name => 'update_ip',
	path => '{cidr}',
	method => 'PUT',
	description => "Update IP or Network settings",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    foreach my $entry (@$ipset) {
		if($entry->{cidr} eq $param->{cidr}) {
		    $entry->{nomatch} = $param->{nomatch};
		    $entry->{comment} = $param->{comment};
		    $class->save_ipset($param, $fw_conf, $ipset);
		    return;
		}
	    }

	    raise_param_exc({ cidr => "no such IP/Network" });
	}});
}

sub register_delete_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    
    $class->register_method({
	name => 'remove_ip',
	path => '{cidr}',
	method => 'DELETE',
	description => "Remove IP or Network from IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my $new = [];
   
	    foreach my $entry (@$ipset) {
		push @$new, $entry if $entry->{cidr} ne $param->{cidr};
	    }

	    $class->save_ipset($param, $fw_conf, $new);
	    
	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_ipset();
    $class->register_create_ip();
    $class->register_read_ip();
    $class->register_update_ip();
    $class->register_delete_ip();
}

package PVE::API2::Firewall::ClusterIPset;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::IPSetBase);

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    die "no such IPSet '$param->{name}'\n" if !defined($ipset);

    return ($fw_conf, $ipset);
}

sub save_ipset {
    my ($class, $param, $fw_conf, $ipset) = @_;

    $fw_conf->{ipset}->{$param->{name}} = $ipset;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::BaseIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise_param_exc);
use PVE::Firewall;

use base qw(PVE::RESTHandler);

sub register_index {
    my ($class) = @_;

    $class->register_method({
	name => 'ipset_index',
	path => '',
	method => 'GET',
	description => "List IPSets",
	parameters => {
	    additionalProperties => 0,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => { 
		    name => get_standard_option('ipset-name'),
		},
	    },
	    links => [ { rel => 'child', href => "{name}" } ],
	},
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    my $res = [];
	    foreach my $name (keys %{$fw_conf->{ipset}}) {
		push @$res, { name => $name, count => scalar(@{$fw_conf->{ipset}->{$name}}) };
	    }

	    return $res;
	}});
}

sub register_create {
    my ($class) = @_;

    $class->register_method({
	name => 'create_ipset',
	path => '',
	method => 'POST',
	description => "Create new IPSet",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => { 
		name => get_standard_option('ipset-name'),
		rename => get_standard_option('ipset-name', {
		    description => "Rename an existing IPSet.",
		    optional => 1,
		}),
	    }
	},
	returns => { type => 'null' },
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    foreach my $name (keys %{$fw_conf->{ipset}}) {
		raise_param_exc({ name => "IPSet '$name' already exists" }) 
		    if $name eq $param->{name};
	    }

	    if ($param->{rename}) {
		raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" }) 
		    if !$fw_conf->{ipset}->{$param->{rename}};
		my $data = delete $fw_conf->{ipset}->{$param->{rename}};
		$fw_conf->{ipset}->{$param->{name}} = $data;
	    } else {
		$fw_conf->{ipset}->{$param->{name}} = [];
	    }

	    $class->save_config($fw_conf);

	    return undef;
	}});
}

sub register_delete {
    my ($class) = @_;

    $class->register_method({
	name => 'delete_ipset',
	path => '{name}',
	method => 'DELETE',
	description => "Delete IPSet",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => { 
		name => get_standard_option('ipset-name'),
	    }
	},
	returns => { type => 'null' },
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    return undef if !$fw_conf->{ipset}->{$param->{name}};

	    die "IPSet '$param->{name}' is not empty\n" 
		if scalar(@{$fw_conf->{ipset}->{$param->{name}}});

	    delete $fw_conf->{ipset}->{$param->{name}};

	    $class->save_config($fw_conf);

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_index();
    $class->register_create();
    $class->register_delete();
}

package PVE::API2::Firewall::ClusterIPSetList;

use strict;
use warnings;
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

sub load_config {
    my ($class) = @_;
 
    return PVE::Firewall::load_clusterfw_conf();
}

sub save_config {
    my ($class, $fw_conf) = @_;

    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPset",  
    path => '{name}',
    # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' 
    fragmentDelimiter => '', 
});

1;
Commit	Line	Data
009ee3ac DM	1	package PVE::API2::Firewall::IPSetBase;
	2
	3	use strict;
	4	use warnings;
4a11bba5	5	use PVE::Exception qw(raise raise_param_exc);
009ee3ac DM	6	use PVE::JSONSchema qw(get_standard_option);
	7
	8	use PVE::Firewall;
	9
	10	use base qw(PVE::RESTHandler);
	11
	12	my $api_properties = {
	13	cidr => {
	14	description => "Network/IP specification in CIDR format.",
	15	type => 'string', format => 'IPv4orCIDR',
	16	},
e74a87f5	17	name => get_standard_option('ipset-name'),
009ee3ac DM	18	comment => {
	19	type => 'string',
	20	optional => 1,
	21	},
	22	nomatch => {
	23	type => 'boolean',
	24	optional => 1,
	25	},
	26	};
	27
	28	sub load_config {
	29	my ($class, $param) = @_;
	30
	31	die "implement this in subclass";
	32
	33	#return ($fw_conf, $rules);
	34	}
	35
	36	sub save_rules {
	37	my ($class, $param, $fw_conf, $rules) = @_;
	38
	39	die "implement this in subclass";
	40	}
	41
	42	my $additional_param_hash = {};
	43
	44	sub additional_parameters {
	45	my ($class, $new_value) = @_;
	46
	47	if (defined($new_value)) {
	48	$additional_param_hash->{$class} = $new_value;
	49	}
	50
	51	# return a copy
	52	my $copy = {};
	53	my $org = $additional_param_hash->{$class} \|\| {};
	54	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	55	return $copy;
	56	}
	57
	58	sub register_get_ipset {
	59	my ($class) = @_;
	60
	61	my $properties = $class->additional_parameters();
	62
	63	$properties->{name} = $api_properties->{name};
	64
	65	$class->register_method({
	66	name => 'get_ipset',
	67	path => '',
	68	method => 'GET',
	69	description => "List IPSet content",
	70	parameters => {
	71	additionalProperties => 0,
	72	properties => $properties,
	73	},
	74	returns => {
	75	type => 'array',
	76	items => {
	77	type => "object",
	78	properties => {
	79	cidr => {
	80	type => 'string',
	81	},
82	comment => {
83	type => 'string',
84	optional => 1,
85	},
86	nomatch => {
87	type => 'boolean',
88	optional => 1,
89	},
90	},
91	},
92	links => [ { rel => 'child', href => "{cidr}" } ],
93	},
94	code => sub {
95	my ($param) = @_;
96
97	my ($fw_conf, $ipset) = $class->load_config($param);
98
99	return $ipset;
100	}});
101	}
102
a33c74f6	103	sub register_create_ip {
009ee3ac DM	104	my ($class) = @_;
	105
	106	my $properties = $class->additional_parameters();
	107
	108	$properties->{name} = $api_properties->{name};
	109	$properties->{cidr} = $api_properties->{cidr};
	110	$properties->{nomatch} = $api_properties->{nomatch};
	111	$properties->{comment} = $api_properties->{comment};
	112
	113	$class->register_method({
a33c74f6	114	name => 'create_ip',
009ee3ac DM	115	path => '',
	116	method => 'POST',
	117	description => "Add IP or Network to IPSet.",
	118	protected => 1,
	119	parameters => {
	120	additionalProperties => 0,
	121	properties => $properties,
	122	},
	123	returns => { type => "null" },
	124	code => sub {
	125	my ($param) = @_;
	126
	127	my ($fw_conf, $ipset) = $class->load_config($param);
	128
4a11bba5 DM	129	my $cidr = $param->{cidr};
	130
	131	foreach my $entry (@$ipset) {
	132	raise_param_exc({ cidr => "address '$cidr' already exists" })
	133	if $entry->{cidr} eq $cidr;
	134	}
	135
	136	my $data = { cidr => $cidr };
009ee3ac DM	137	$data->{nomatch} = 1 if $param->{nomatch};
	138	$data->{comment} = $param->{comment} if $param->{comment};
	139
009ee3ac DM	140	unshift @$ipset, $data;
	141
	142	$class->save_ipset($param, $fw_conf, $ipset);
	143
	144	return undef;
	145	}});
	146	}
	147
a33c74f6 DM	148	sub register_read_ip {
	149	my ($class) = @_;
	150
	151	my $properties = $class->additional_parameters();
	152
	153	$properties->{name} = $api_properties->{name};
	154	$properties->{cidr} = $api_properties->{cidr};
	155
	156	$class->register_method({
	157	name => 'read_ip',
	158	path => '{cidr}',
	159	method => 'GET',
	160	description => "Read IP or Network settings from IPSet.",
	161	protected => 1,
	162	parameters => {
	163	additionalProperties => 0,
	164	properties => $properties,
	165	},
	166	returns => { type => "object" },
	167	code => sub {
	168	my ($param) = @_;
	169
	170	my ($fw_conf, $ipset) = $class->load_config($param);
	171
	172	foreach my $entry (@$ipset) {
	173	return $entry if $entry->{cidr} eq $param->{cidr};
	174	}
	175
	176	raise_param_exc({ cidr => "no such IP/Network" });
	177	}});
	178	}
	179
	180	sub register_update_ip {
	181	my ($class) = @_;
	182
	183	my $properties = $class->additional_parameters();
	184
	185	$properties->{name} = $api_properties->{name};
	186	$properties->{cidr} = $api_properties->{cidr};
	187	$properties->{nomatch} = $api_properties->{nomatch};
	188	$properties->{comment} = $api_properties->{comment};
	189
	190	$class->register_method({
	191	name => 'update_ip',
	192	path => '{cidr}',
	193	method => 'PUT',
	194	description => "Update IP or Network settings",
	195	protected => 1,
	196	parameters => {
	197	additionalProperties => 0,
	198	properties => $properties,
	199	},
	200	returns => { type => "null" },
	201	code => sub {
	202	my ($param) = @_;
	203
	204	my ($fw_conf, $ipset) = $class->load_config($param);
	205
	206	foreach my $entry (@$ipset) {
	207	if($entry->{cidr} eq $param->{cidr}) {
	208	$entry->{nomatch} = $param->{nomatch};
	209	$entry->{comment} = $param->{comment};
	210	$class->save_ipset($param, $fw_conf, $ipset);
	211	return;
212	}
213	}
214
215	raise_param_exc({ cidr => "no such IP/Network" });
216	}});
217	}
218
219	sub register_delete_ip {
009ee3ac DM	220	my ($class) = @_;
	221
	222	my $properties = $class->additional_parameters();
	223
	224	$properties->{name} = $api_properties->{name};
	225	$properties->{cidr} = $api_properties->{cidr};
	226
	227	$class->register_method({
	228	name => 'remove_ip',
	229	path => '{cidr}',
	230	method => 'DELETE',
	231	description => "Remove IP or Network from IPSet.",
	232	protected => 1,
	233	parameters => {
	234	additionalProperties => 0,
	235	properties => $properties,
	236	},
	237	returns => { type => "null" },
	238	code => sub {
	239	my ($param) = @_;
	240
	241	my ($fw_conf, $ipset) = $class->load_config($param);
	242
4a11bba5 DM	243	my $new = [];
	244
	245	foreach my $entry (@$ipset) {
	246	push @$new, $entry if $entry->{cidr} ne $param->{cidr};
	247	}
009ee3ac	248
4a11bba5 DM	249	$class->save_ipset($param, $fw_conf, $new);
4a11bba5 DM	250
009ee3ac DM	251	return undef;
	252	}});
	253	}
	254
	255	sub register_handlers {
	256	my ($class) = @_;
	257
	258	$class->register_get_ipset();
a33c74f6 DM	259	$class->register_create_ip();
	260	$class->register_read_ip();
	261	$class->register_update_ip();
	262	$class->register_delete_ip();
009ee3ac DM	263	}
	264
	265	package PVE::API2::Firewall::ClusterIPset;
	266
	267	use strict;
	268	use warnings;
	269
	270	use base qw(PVE::API2::Firewall::IPSetBase);
	271
	272	sub load_config {
	273	my ($class, $param) = @_;
	274
	275	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	276	my $ipset = $fw_conf->{ipset}->{$param->{name}};
	277	die "no such IPSet '$param->{name}'\n" if !defined($ipset);
	278
	279	return ($fw_conf, $ipset);
	280	}
	281
	282	sub save_ipset {
	283	my ($class, $param, $fw_conf, $ipset) = @_;
	284
	285	$fw_conf->{ipset}->{$param->{name}} = $ipset;
	286	PVE::Firewall::save_clusterfw_conf($fw_conf);
	287	}
	288
	289	__PACKAGE__->register_handlers();
	290
c85c87f9 DM	291	package PVE::API2::Firewall::BaseIPSetList;
	292
	293	use strict;
	294	use warnings;
e74a87f5	295	use PVE::JSONSchema qw(get_standard_option);
c85c87f9	296	use PVE::Exception qw(raise_param_exc);
e74a87f5	297	use PVE::Firewall;
c85c87f9 DM	298
	299	use base qw(PVE::RESTHandler);
	300
	301	sub register_index {
	302	my ($class) = @_;
	303
	304	$class->register_method({
	305	name => 'ipset_index',
	306	path => '',
	307	method => 'GET',
	308	description => "List IPSets",
	309	parameters => {
	310	additionalProperties => 0,
	311	},
	312	returns => {
	313	type => 'array',
	314	items => {
	315	type => "object",
	316	properties => {
e74a87f5	317	name => get_standard_option('ipset-name'),
c85c87f9 DM	318	},
	319	},
	320	links => [ { rel => 'child', href => "{name}" } ],
	321	},
	322	code => sub {
	323	my ($param) = @_;
	324
	325	my $fw_conf = $class->load_config();
	326
	327	my $res = [];
	328	foreach my $name (keys %{$fw_conf->{ipset}}) {
	329	push @$res, { name => $name, count => scalar(@{$fw_conf->{ipset}->{$name}}) };
	330	}
	331
	332	return $res;
	333	}});
	334	}
	335
	336	sub register_create {
	337	my ($class) = @_;
	338
	339	$class->register_method({
	340	name => 'create_ipset',
	341	path => '',
	342	method => 'POST',
	343	description => "Create new IPSet",
	344	protected => 1,
	345	parameters => {
	346	additionalProperties => 0,
	347	properties => {
e74a87f5 DM	348	name => get_standard_option('ipset-name'),
e74a87f5 DM	349	rename => get_standard_option('ipset-name', {
bc374ca7	350	description => "Rename an existing IPSet.",
bc374ca7	351	optional => 1,
e74a87f5	352	}),
c85c87f9 DM	353	}
	354	},
	355	returns => { type => 'null' },
	356	code => sub {
	357	my ($param) = @_;
	358
	359	my $fw_conf = $class->load_config();
	360
	361	foreach my $name (keys %{$fw_conf->{ipset}}) {
	362	raise_param_exc({ name => "IPSet '$name' already exists" })
	363	if $name eq $param->{name};
	364	}
	365
bc374ca7 DM	366	if ($param->{rename}) {
	367	raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
	368	if !$fw_conf->{ipset}->{$param->{rename}};
	369	my $data = delete $fw_conf->{ipset}->{$param->{rename}};
	370	$fw_conf->{ipset}->{$param->{name}} = $data;
	371	} else {
	372	$fw_conf->{ipset}->{$param->{name}} = [];
	373	}
	374
c85c87f9 DM	375	$class->save_config($fw_conf);
	376
	377	return undef;
	378	}});
	379	}
	380
	381	sub register_delete {
	382	my ($class) = @_;
	383
	384	$class->register_method({
	385	name => 'delete_ipset',
	386	path => '{name}',
	387	method => 'DELETE',
	388	description => "Delete IPSet",
	389	protected => 1,
	390	parameters => {
	391	additionalProperties => 0,
	392	properties => {
e74a87f5	393	name => get_standard_option('ipset-name'),
c85c87f9 DM	394	}
	395	},
	396	returns => { type => 'null' },
	397	code => sub {
	398	my ($param) = @_;
	399
	400	my $fw_conf = $class->load_config();
	401
	402	return undef if !$fw_conf->{ipset}->{$param->{name}};
	403
76aad6c5	404	die "IPSet '$param->{name}' is not empty\n"
c85c87f9 DM	405	if scalar(@{$fw_conf->{ipset}->{$param->{name}}});
	406
	407	delete $fw_conf->{ipset}->{$param->{name}};
	408
	409	$class->save_config($fw_conf);
	410
	411	return undef;
	412	}});
	413	}
	414
	415	sub register_handlers {
	416	my ($class) = @_;
	417
	418	$class->register_index();
	419	$class->register_create();
	420	$class->register_delete();
	421	}
	422
	423	package PVE::API2::Firewall::ClusterIPSetList;
	424
	425	use strict;
	426	use warnings;
	427	use PVE::Firewall;
	428
	429	use base qw(PVE::API2::Firewall::BaseIPSetList);
	430
	431	sub load_config {
	432	my ($class) = @_;
	433
	434	return PVE::Firewall::load_clusterfw_conf();
	435	}
	436
	437	sub save_config {
	438	my ($class, $fw_conf) = @_;
	439
	440	PVE::Firewall::save_clusterfw_conf($fw_conf);
	441	}
	442
	443	__PACKAGE__->register_handlers();
	444
	445	__PACKAGE__->register_method ({
	446	subclass => "PVE::API2::Firewall::ClusterIPset",
	447	path => '{name}',
	448	# set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
	449	fragmentDelimiter => '',
	450	});
	451
009ee3ac	452	1;