]>
Commit | Line | Data |
---|---|---|
009ee3ac DM |
1 | package PVE::API2::Firewall::IPSetBase; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
4a11bba5 | 5 | use PVE::Exception qw(raise raise_param_exc); |
009ee3ac DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
9 | ||
10 | use base qw(PVE::RESTHandler); | |
11 | ||
75a12a9d | 12 | my $api_properties = { |
009ee3ac DM |
13 | cidr => { |
14 | description => "Network/IP specification in CIDR format.", | |
ae029a88 | 15 | type => 'string', format => 'IPorCIDRorAlias', |
009ee3ac | 16 | }, |
e74a87f5 | 17 | name => get_standard_option('ipset-name'), |
009ee3ac DM |
18 | comment => { |
19 | type => 'string', | |
20 | optional => 1, | |
21 | }, | |
22 | nomatch => { | |
23 | type => 'boolean', | |
24 | optional => 1, | |
25 | }, | |
26 | }; | |
27 | ||
05496017 FG |
28 | sub lock_config { |
29 | my ($class, $param, $code) = @_; | |
30 | ||
31 | die "implement this in subclass"; | |
32 | } | |
33 | ||
009ee3ac DM |
34 | sub load_config { |
35 | my ($class, $param) = @_; | |
36 | ||
37 | die "implement this in subclass"; | |
1210ae94 DM |
38 | |
39 | #return ($cluster_conf, $fw_conf, $ipset); | |
009ee3ac DM |
40 | } |
41 | ||
1210ae94 DM |
42 | sub save_config { |
43 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac DM |
44 | |
45 | die "implement this in subclass"; | |
46 | } | |
47 | ||
9f6845cf DM |
48 | sub rule_env { |
49 | my ($class, $param) = @_; | |
75a12a9d | 50 | |
9f6845cf DM |
51 | die "implement this in subclass"; |
52 | } | |
53 | ||
1210ae94 DM |
54 | sub save_ipset { |
55 | my ($class, $param, $fw_conf, $ipset) = @_; | |
56 | ||
57 | if (!defined($ipset)) { | |
58 | delete $fw_conf->{ipset}->{$param->{name}}; | |
59 | } else { | |
60 | $fw_conf->{ipset}->{$param->{name}} = $ipset; | |
61 | } | |
62 | ||
63 | $class->save_config($param, $fw_conf); | |
64 | } | |
65 | ||
009ee3ac DM |
66 | my $additional_param_hash = {}; |
67 | ||
68 | sub additional_parameters { | |
69 | my ($class, $new_value) = @_; | |
70 | ||
71 | if (defined($new_value)) { | |
72 | $additional_param_hash->{$class} = $new_value; | |
73 | } | |
74 | ||
75 | # return a copy | |
76 | my $copy = {}; | |
77 | my $org = $additional_param_hash->{$class} || {}; | |
78 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
79 | return $copy; | |
80 | } | |
81 | ||
82 | sub register_get_ipset { | |
83 | my ($class) = @_; | |
84 | ||
85 | my $properties = $class->additional_parameters(); | |
86 | ||
87 | $properties->{name} = $api_properties->{name}; | |
88 | ||
89 | $class->register_method({ | |
90 | name => 'get_ipset', | |
91 | path => '', | |
92 | method => 'GET', | |
93 | description => "List IPSet content", | |
9f6845cf | 94 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
009ee3ac DM |
95 | parameters => { |
96 | additionalProperties => 0, | |
97 | properties => $properties, | |
98 | }, | |
99 | returns => { | |
100 | type => 'array', | |
101 | items => { | |
102 | type => "object", | |
103 | properties => { | |
104 | cidr => { | |
105 | type => 'string', | |
106 | }, | |
107 | comment => { | |
108 | type => 'string', | |
109 | optional => 1, | |
110 | }, | |
111 | nomatch => { | |
112 | type => 'boolean', | |
113 | optional => 1, | |
d72c631c | 114 | }, |
75a12a9d | 115 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
009ee3ac DM |
116 | }, |
117 | }, | |
118 | links => [ { rel => 'child', href => "{cidr}" } ], | |
119 | }, | |
120 | code => sub { | |
121 | my ($param) = @_; | |
122 | ||
1210ae94 | 123 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
009ee3ac | 124 | |
5d38d64f | 125 | return PVE::Firewall::copy_list_with_digest($ipset); |
009ee3ac DM |
126 | }}); |
127 | } | |
128 | ||
1210ae94 DM |
129 | sub register_delete_ipset { |
130 | my ($class) = @_; | |
131 | ||
132 | my $properties = $class->additional_parameters(); | |
133 | ||
134 | $properties->{name} = get_standard_option('ipset-name'); | |
5e3c0cf8 LN |
135 | $properties->{force} = { |
136 | type => 'boolean', | |
137 | optional => 1, | |
138 | description => 'Delete all members of the IPSet, if there are any.', | |
139 | }; | |
1210ae94 DM |
140 | |
141 | $class->register_method({ | |
142 | name => 'delete_ipset', | |
143 | path => '', | |
144 | method => 'DELETE', | |
145 | description => "Delete IPSet", | |
146 | protected => 1, | |
9f6845cf | 147 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
1210ae94 DM |
148 | parameters => { |
149 | additionalProperties => 0, | |
150 | properties => $properties, | |
151 | }, | |
152 | returns => { type => 'null' }, | |
153 | code => sub { | |
154 | my ($param) = @_; | |
75a12a9d | 155 | |
a38849e6 FG |
156 | $class->lock_config($param, sub { |
157 | my ($param) = @_; | |
158 | ||
159 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
1210ae94 | 160 | |
a38849e6 | 161 | die "IPSet '$param->{name}' is not empty\n" |
5e3c0cf8 | 162 | if scalar(@$ipset) && !$param->{force}; |
1210ae94 | 163 | |
a38849e6 FG |
164 | $class->save_ipset($param, $fw_conf, undef); |
165 | ||
166 | }); | |
1210ae94 DM |
167 | |
168 | return undef; | |
169 | }}); | |
170 | } | |
171 | ||
a33c74f6 | 172 | sub register_create_ip { |
009ee3ac DM |
173 | my ($class) = @_; |
174 | ||
175 | my $properties = $class->additional_parameters(); | |
176 | ||
177 | $properties->{name} = $api_properties->{name}; | |
178 | $properties->{cidr} = $api_properties->{cidr}; | |
179 | $properties->{nomatch} = $api_properties->{nomatch}; | |
180 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c | 181 | |
009ee3ac | 182 | $class->register_method({ |
a33c74f6 | 183 | name => 'create_ip', |
009ee3ac DM |
184 | path => '', |
185 | method => 'POST', | |
186 | description => "Add IP or Network to IPSet.", | |
187 | protected => 1, | |
9f6845cf | 188 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
189 | parameters => { |
190 | additionalProperties => 0, | |
191 | properties => $properties, | |
192 | }, | |
193 | returns => { type => "null" }, | |
194 | code => sub { | |
195 | my ($param) = @_; | |
196 | ||
a38849e6 FG |
197 | $class->lock_config($param, sub { |
198 | my ($param) = @_; | |
009ee3ac | 199 | |
a38849e6 | 200 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
75a12a9d | 201 | |
1218eee9 | 202 | my $cidr = PVE::Firewall::clean_cidr($param->{cidr}); |
891545e8 FG |
203 | if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) { |
204 | # make sure alias exists (if $cidr is an alias) | |
205 | PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr); | |
206 | } else { | |
207 | # normalize like config parser, otherwise duplicates might slip through | |
208 | $cidr = PVE::Firewall::parse_ip_or_cidr($cidr); | |
209 | } | |
a38849e6 FG |
210 | |
211 | foreach my $entry (@$ipset) { | |
212 | raise_param_exc({ cidr => "address '$cidr' already exists" }) | |
213 | if $entry->{cidr} eq $cidr; | |
214 | } | |
215 | ||
216 | raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" }) | |
217 | if $cidr =~ m!/0+$!; | |
4a11bba5 | 218 | |
1b36f6ec | 219 | |
a38849e6 | 220 | my $data = { cidr => $cidr }; |
7c619bbb | 221 | |
a38849e6 FG |
222 | $data->{nomatch} = 1 if $param->{nomatch}; |
223 | $data->{comment} = $param->{comment} if $param->{comment}; | |
7c619bbb | 224 | |
a38849e6 | 225 | unshift @$ipset, $data; |
009ee3ac | 226 | |
a38849e6 | 227 | $class->save_ipset($param, $fw_conf, $ipset); |
009ee3ac | 228 | |
a38849e6 | 229 | }); |
009ee3ac DM |
230 | |
231 | return undef; | |
232 | }}); | |
233 | } | |
234 | ||
a33c74f6 DM |
235 | sub register_read_ip { |
236 | my ($class) = @_; | |
237 | ||
238 | my $properties = $class->additional_parameters(); | |
239 | ||
240 | $properties->{name} = $api_properties->{name}; | |
241 | $properties->{cidr} = $api_properties->{cidr}; | |
75a12a9d | 242 | |
a33c74f6 DM |
243 | $class->register_method({ |
244 | name => 'read_ip', | |
245 | path => '{cidr}', | |
246 | method => 'GET', | |
247 | description => "Read IP or Network settings from IPSet.", | |
9f6845cf | 248 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
a33c74f6 DM |
249 | protected => 1, |
250 | parameters => { | |
251 | additionalProperties => 0, | |
252 | properties => $properties, | |
253 | }, | |
254 | returns => { type => "object" }, | |
255 | code => sub { | |
256 | my ($param) = @_; | |
257 | ||
1210ae94 | 258 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
a33c74f6 | 259 | |
5d38d64f DM |
260 | my $list = PVE::Firewall::copy_list_with_digest($ipset); |
261 | ||
262 | foreach my $entry (@$list) { | |
d72c631c | 263 | if ($entry->{cidr} eq $param->{cidr}) { |
d72c631c DM |
264 | return $entry; |
265 | } | |
a33c74f6 DM |
266 | } |
267 | ||
268 | raise_param_exc({ cidr => "no such IP/Network" }); | |
269 | }}); | |
270 | } | |
271 | ||
272 | sub register_update_ip { | |
273 | my ($class) = @_; | |
274 | ||
275 | my $properties = $class->additional_parameters(); | |
276 | ||
277 | $properties->{name} = $api_properties->{name}; | |
278 | $properties->{cidr} = $api_properties->{cidr}; | |
279 | $properties->{nomatch} = $api_properties->{nomatch}; | |
280 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c DM |
281 | $properties->{digest} = get_standard_option('pve-config-digest'); |
282 | ||
a33c74f6 DM |
283 | $class->register_method({ |
284 | name => 'update_ip', | |
285 | path => '{cidr}', | |
286 | method => 'PUT', | |
287 | description => "Update IP or Network settings", | |
288 | protected => 1, | |
9f6845cf | 289 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
a33c74f6 DM |
290 | parameters => { |
291 | additionalProperties => 0, | |
292 | properties => $properties, | |
293 | }, | |
294 | returns => { type => "null" }, | |
295 | code => sub { | |
296 | my ($param) = @_; | |
297 | ||
a38849e6 FG |
298 | my $found = $class->lock_config($param, sub { |
299 | my ($param) = @_; | |
300 | ||
301 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
a33c74f6 | 302 | |
a38849e6 FG |
303 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
304 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
d72c631c | 305 | |
a38849e6 FG |
306 | foreach my $entry (@$ipset) { |
307 | if($entry->{cidr} eq $param->{cidr}) { | |
308 | $entry->{nomatch} = $param->{nomatch}; | |
309 | $entry->{comment} = $param->{comment}; | |
310 | $class->save_ipset($param, $fw_conf, $ipset); | |
311 | return 1; | |
312 | } | |
a33c74f6 | 313 | } |
a38849e6 FG |
314 | |
315 | return 0; | |
316 | }); | |
317 | ||
318 | return if $found; | |
a33c74f6 DM |
319 | |
320 | raise_param_exc({ cidr => "no such IP/Network" }); | |
321 | }}); | |
322 | } | |
323 | ||
324 | sub register_delete_ip { | |
009ee3ac DM |
325 | my ($class) = @_; |
326 | ||
327 | my $properties = $class->additional_parameters(); | |
328 | ||
329 | $properties->{name} = $api_properties->{name}; | |
330 | $properties->{cidr} = $api_properties->{cidr}; | |
d72c631c DM |
331 | $properties->{digest} = get_standard_option('pve-config-digest'); |
332 | ||
009ee3ac DM |
333 | $class->register_method({ |
334 | name => 'remove_ip', | |
335 | path => '{cidr}', | |
336 | method => 'DELETE', | |
337 | description => "Remove IP or Network from IPSet.", | |
338 | protected => 1, | |
9f6845cf | 339 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
340 | parameters => { |
341 | additionalProperties => 0, | |
342 | properties => $properties, | |
343 | }, | |
344 | returns => { type => "null" }, | |
345 | code => sub { | |
346 | my ($param) = @_; | |
347 | ||
a38849e6 FG |
348 | $class->lock_config($param, sub { |
349 | my ($param) = @_; | |
009ee3ac | 350 | |
a38849e6 | 351 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
d72c631c | 352 | |
a38849e6 FG |
353 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
354 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
75a12a9d | 355 | |
a38849e6 | 356 | my $new = []; |
009ee3ac | 357 | |
a38849e6 FG |
358 | foreach my $entry (@$ipset) { |
359 | push @$new, $entry if $entry->{cidr} ne $param->{cidr}; | |
360 | } | |
361 | ||
362 | $class->save_ipset($param, $fw_conf, $new); | |
363 | }); | |
75a12a9d | 364 | |
009ee3ac DM |
365 | return undef; |
366 | }}); | |
367 | } | |
368 | ||
369 | sub register_handlers { | |
370 | my ($class) = @_; | |
371 | ||
1210ae94 | 372 | $class->register_delete_ipset(); |
009ee3ac | 373 | $class->register_get_ipset(); |
a33c74f6 DM |
374 | $class->register_create_ip(); |
375 | $class->register_read_ip(); | |
376 | $class->register_update_ip(); | |
377 | $class->register_delete_ip(); | |
009ee3ac DM |
378 | } |
379 | ||
380 | package PVE::API2::Firewall::ClusterIPset; | |
381 | ||
382 | use strict; | |
383 | use warnings; | |
384 | ||
385 | use base qw(PVE::API2::Firewall::IPSetBase); | |
386 | ||
9f6845cf DM |
387 | sub rule_env { |
388 | my ($class, $param) = @_; | |
75a12a9d | 389 | |
9f6845cf DM |
390 | return 'cluster'; |
391 | } | |
392 | ||
05496017 FG |
393 | sub lock_config { |
394 | my ($class, $param, $code) = @_; | |
395 | ||
396 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
397 | } | |
398 | ||
009ee3ac DM |
399 | sub load_config { |
400 | my ($class, $param) = @_; | |
401 | ||
402 | my $fw_conf = PVE::Firewall::load_clusterfw_conf(); | |
403 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
404 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
405 | ||
1210ae94 | 406 | return (undef, $fw_conf, $ipset); |
009ee3ac DM |
407 | } |
408 | ||
1210ae94 DM |
409 | sub save_config { |
410 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac | 411 | |
009ee3ac DM |
412 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
413 | } | |
414 | ||
415 | __PACKAGE__->register_handlers(); | |
416 | ||
1210ae94 DM |
417 | package PVE::API2::Firewall::VMIPset; |
418 | ||
419 | use strict; | |
420 | use warnings; | |
421 | use PVE::JSONSchema qw(get_standard_option); | |
422 | ||
423 | use base qw(PVE::API2::Firewall::IPSetBase); | |
424 | ||
9f6845cf DM |
425 | sub rule_env { |
426 | my ($class, $param) = @_; | |
75a12a9d | 427 | |
9f6845cf DM |
428 | return 'vm'; |
429 | } | |
430 | ||
75a12a9d | 431 | __PACKAGE__->additional_parameters({ |
1210ae94 | 432 | node => get_standard_option('pve-node'), |
75a12a9d | 433 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
434 | }); |
435 | ||
05496017 FG |
436 | sub lock_config { |
437 | my ($class, $param, $code) = @_; | |
438 | ||
439 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
440 | } | |
441 | ||
1210ae94 DM |
442 | sub load_config { |
443 | my ($class, $param) = @_; | |
444 | ||
445 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
446 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
447 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
448 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
449 | ||
450 | return ($cluster_conf, $fw_conf, $ipset); | |
451 | } | |
452 | ||
453 | sub save_config { | |
454 | my ($class, $param, $fw_conf) = @_; | |
455 | ||
456 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
457 | } | |
458 | ||
459 | __PACKAGE__->register_handlers(); | |
460 | ||
461 | package PVE::API2::Firewall::CTIPset; | |
462 | ||
463 | use strict; | |
464 | use warnings; | |
465 | use PVE::JSONSchema qw(get_standard_option); | |
466 | ||
467 | use base qw(PVE::API2::Firewall::IPSetBase); | |
468 | ||
9f6845cf DM |
469 | sub rule_env { |
470 | my ($class, $param) = @_; | |
75a12a9d | 471 | |
9f6845cf DM |
472 | return 'ct'; |
473 | } | |
474 | ||
75a12a9d | 475 | __PACKAGE__->additional_parameters({ |
1210ae94 | 476 | node => get_standard_option('pve-node'), |
75a12a9d | 477 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
478 | }); |
479 | ||
05496017 FG |
480 | sub lock_config { |
481 | my ($class, $param, $code) = @_; | |
482 | ||
483 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
484 | } | |
485 | ||
1210ae94 DM |
486 | sub load_config { |
487 | my ($class, $param) = @_; | |
488 | ||
489 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
490 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
491 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
492 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
493 | ||
494 | return ($cluster_conf, $fw_conf, $ipset); | |
495 | } | |
496 | ||
497 | sub save_config { | |
498 | my ($class, $param, $fw_conf) = @_; | |
499 | ||
500 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
501 | } | |
502 | ||
503 | __PACKAGE__->register_handlers(); | |
504 | ||
c85c87f9 DM |
505 | package PVE::API2::Firewall::BaseIPSetList; |
506 | ||
507 | use strict; | |
508 | use warnings; | |
e74a87f5 | 509 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 | 510 | use PVE::Exception qw(raise_param_exc); |
e74a87f5 | 511 | use PVE::Firewall; |
c85c87f9 DM |
512 | |
513 | use base qw(PVE::RESTHandler); | |
514 | ||
05496017 FG |
515 | sub lock_config { |
516 | my ($class, $param, $code) = @_; | |
517 | ||
518 | die "implement this in subclass"; | |
519 | } | |
520 | ||
1210ae94 DM |
521 | sub load_config { |
522 | my ($class, $param) = @_; | |
75a12a9d | 523 | |
1210ae94 DM |
524 | die "implement this in subclass"; |
525 | ||
526 | #return ($cluster_conf, $fw_conf); | |
527 | } | |
528 | ||
529 | sub save_config { | |
530 | my ($class, $param, $fw_conf) = @_; | |
531 | ||
532 | die "implement this in subclass"; | |
533 | } | |
534 | ||
9f6845cf DM |
535 | sub rule_env { |
536 | my ($class, $param) = @_; | |
75a12a9d | 537 | |
9f6845cf DM |
538 | die "implement this in subclass"; |
539 | } | |
540 | ||
1210ae94 DM |
541 | my $additional_param_hash_list = {}; |
542 | ||
543 | sub additional_parameters { | |
544 | my ($class, $new_value) = @_; | |
545 | ||
546 | if (defined($new_value)) { | |
547 | $additional_param_hash_list->{$class} = $new_value; | |
548 | } | |
549 | ||
550 | # return a copy | |
551 | my $copy = {}; | |
552 | my $org = $additional_param_hash_list->{$class} || {}; | |
553 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
554 | return $copy; | |
555 | } | |
556 | ||
5d38d64f DM |
557 | my $get_ipset_list = sub { |
558 | my ($fw_conf) = @_; | |
559 | ||
560 | my $res = []; | |
53bbbf31 | 561 | foreach my $name (sort keys %{$fw_conf->{ipset}}) { |
75a12a9d | 562 | my $data = { |
5d38d64f DM |
563 | name => $name, |
564 | }; | |
565 | if (my $comment = $fw_conf->{ipset_comments}->{$name}) { | |
566 | $data->{comment} = $comment; | |
567 | } | |
568 | push @$res, $data; | |
569 | } | |
570 | ||
571 | my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res); | |
572 | ||
573 | return wantarray ? ($list, $digest) : $list; | |
574 | }; | |
575 | ||
c85c87f9 DM |
576 | sub register_index { |
577 | my ($class) = @_; | |
578 | ||
1210ae94 DM |
579 | my $properties = $class->additional_parameters(); |
580 | ||
c85c87f9 DM |
581 | $class->register_method({ |
582 | name => 'ipset_index', | |
583 | path => '', | |
584 | method => 'GET', | |
585 | description => "List IPSets", | |
9f6845cf | 586 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
c85c87f9 DM |
587 | parameters => { |
588 | additionalProperties => 0, | |
1210ae94 | 589 | properties => $properties, |
c85c87f9 DM |
590 | }, |
591 | returns => { | |
592 | type => 'array', | |
593 | items => { | |
594 | type => "object", | |
75a12a9d | 595 | properties => { |
e74a87f5 | 596 | name => get_standard_option('ipset-name'), |
d72c631c | 597 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
75a12a9d | 598 | comment => { |
d72c631c DM |
599 | type => 'string', |
600 | optional => 1, | |
601 | } | |
c85c87f9 DM |
602 | }, |
603 | }, | |
604 | links => [ { rel => 'child', href => "{name}" } ], | |
605 | }, | |
606 | code => sub { | |
607 | my ($param) = @_; | |
75a12a9d | 608 | |
1210ae94 | 609 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
c85c87f9 | 610 | |
75a12a9d | 611 | return &$get_ipset_list($fw_conf); |
c85c87f9 DM |
612 | }}); |
613 | } | |
614 | ||
615 | sub register_create { | |
616 | my ($class) = @_; | |
617 | ||
1210ae94 DM |
618 | my $properties = $class->additional_parameters(); |
619 | ||
620 | $properties->{name} = get_standard_option('ipset-name'); | |
621 | ||
622 | $properties->{comment} = { type => 'string', optional => 1 }; | |
623 | ||
624 | $properties->{digest} = get_standard_option('pve-config-digest'); | |
625 | ||
626 | $properties->{rename} = get_standard_option('ipset-name', { | |
627 | description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.", | |
628 | optional => 1 }); | |
629 | ||
c85c87f9 DM |
630 | $class->register_method({ |
631 | name => 'create_ipset', | |
632 | path => '', | |
633 | method => 'POST', | |
634 | description => "Create new IPSet", | |
635 | protected => 1, | |
9f6845cf | 636 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
c85c87f9 DM |
637 | parameters => { |
638 | additionalProperties => 0, | |
1210ae94 | 639 | properties => $properties, |
c85c87f9 DM |
640 | }, |
641 | returns => { type => 'null' }, | |
642 | code => sub { | |
643 | my ($param) = @_; | |
75a12a9d | 644 | |
a38849e6 FG |
645 | $class->lock_config($param, sub { |
646 | my ($param) = @_; | |
c85c87f9 | 647 | |
a38849e6 | 648 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
5d38d64f | 649 | |
a38849e6 FG |
650 | if ($param->{rename}) { |
651 | my (undef, $digest) = &$get_ipset_list($fw_conf); | |
652 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
5d38d64f | 653 | |
a38849e6 FG |
654 | raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" }) |
655 | if !$fw_conf->{ipset}->{$param->{rename}}; | |
5da1a229 | 656 | |
a38849e6 FG |
657 | # prevent overwriting existing ipset |
658 | raise_param_exc({ name => "IPSet '$param->{name}' does already exist"}) | |
659 | if $fw_conf->{ipset}->{$param->{name}} && | |
660 | $param->{name} ne $param->{rename}; | |
5d38d64f | 661 | |
a38849e6 FG |
662 | my $data = delete $fw_conf->{ipset}->{$param->{rename}}; |
663 | $fw_conf->{ipset}->{$param->{name}} = $data; | |
664 | if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) { | |
665 | $fw_conf->{ipset_comments}->{$param->{name}} = $comment; | |
666 | } | |
667 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
668 | } else { | |
669 | foreach my $name (keys %{$fw_conf->{ipset}}) { | |
670 | raise_param_exc({ name => "IPSet '$name' already exists" }) | |
671 | if $name eq $param->{name}; | |
672 | } | |
673 | ||
674 | $fw_conf->{ipset}->{$param->{name}} = []; | |
675 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
676 | } | |
bc374ca7 | 677 | |
a38849e6 FG |
678 | $class->save_config($param, $fw_conf); |
679 | }); | |
c85c87f9 DM |
680 | |
681 | return undef; | |
682 | }}); | |
683 | } | |
684 | ||
1210ae94 | 685 | sub register_handlers { |
c85c87f9 DM |
686 | my ($class) = @_; |
687 | ||
1210ae94 DM |
688 | $class->register_index(); |
689 | $class->register_create(); | |
690 | } | |
c85c87f9 | 691 | |
1210ae94 | 692 | package PVE::API2::Firewall::ClusterIPSetList; |
c85c87f9 | 693 | |
1210ae94 DM |
694 | use strict; |
695 | use warnings; | |
696 | use PVE::Firewall; | |
5d38d64f | 697 | |
1210ae94 DM |
698 | use base qw(PVE::API2::Firewall::BaseIPSetList); |
699 | ||
9f6845cf DM |
700 | sub rule_env { |
701 | my ($class, $param) = @_; | |
75a12a9d | 702 | |
9f6845cf DM |
703 | return 'cluster'; |
704 | } | |
705 | ||
05496017 FG |
706 | sub lock_config { |
707 | my ($class, $param, $code) = @_; | |
708 | ||
709 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
710 | } | |
711 | ||
1210ae94 DM |
712 | sub load_config { |
713 | my ($class, $param) = @_; | |
75a12a9d | 714 | |
1210ae94 DM |
715 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
716 | return (undef, $cluster_conf); | |
717 | } | |
c85c87f9 | 718 | |
1210ae94 DM |
719 | sub save_config { |
720 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 721 | |
1210ae94 DM |
722 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
723 | } | |
c85c87f9 | 724 | |
1210ae94 DM |
725 | __PACKAGE__->register_handlers(); |
726 | ||
727 | __PACKAGE__->register_method ({ | |
75a12a9d | 728 | subclass => "PVE::API2::Firewall::ClusterIPset", |
1210ae94 | 729 | path => '{name}', |
75a12a9d TL |
730 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
731 | fragmentDelimiter => '', | |
1210ae94 DM |
732 | }); |
733 | ||
734 | package PVE::API2::Firewall::VMIPSetList; | |
735 | ||
736 | use strict; | |
737 | use warnings; | |
738 | use PVE::JSONSchema qw(get_standard_option); | |
739 | use PVE::Firewall; | |
740 | ||
741 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
742 | ||
75a12a9d | 743 | __PACKAGE__->additional_parameters({ |
1210ae94 | 744 | node => get_standard_option('pve-node'), |
75a12a9d | 745 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
746 | }); |
747 | ||
9f6845cf DM |
748 | sub rule_env { |
749 | my ($class, $param) = @_; | |
75a12a9d | 750 | |
9f6845cf DM |
751 | return 'vm'; |
752 | } | |
753 | ||
05496017 FG |
754 | sub lock_config { |
755 | my ($class, $param, $code) = @_; | |
756 | ||
757 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
758 | } | |
759 | ||
1210ae94 DM |
760 | sub load_config { |
761 | my ($class, $param) = @_; | |
75a12a9d | 762 | |
1210ae94 DM |
763 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
764 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
765 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
766 | } |
767 | ||
1210ae94 DM |
768 | sub save_config { |
769 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 770 | |
1210ae94 | 771 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
772 | } |
773 | ||
1210ae94 DM |
774 | __PACKAGE__->register_handlers(); |
775 | ||
776 | __PACKAGE__->register_method ({ | |
75a12a9d | 777 | subclass => "PVE::API2::Firewall::VMIPset", |
1210ae94 | 778 | path => '{name}', |
75a12a9d TL |
779 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
780 | fragmentDelimiter => '', | |
1210ae94 DM |
781 | }); |
782 | ||
783 | package PVE::API2::Firewall::CTIPSetList; | |
c85c87f9 DM |
784 | |
785 | use strict; | |
786 | use warnings; | |
1210ae94 | 787 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 DM |
788 | use PVE::Firewall; |
789 | ||
790 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
791 | ||
75a12a9d | 792 | __PACKAGE__->additional_parameters({ |
1210ae94 | 793 | node => get_standard_option('pve-node'), |
75a12a9d | 794 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
795 | }); |
796 | ||
9f6845cf DM |
797 | sub rule_env { |
798 | my ($class, $param) = @_; | |
75a12a9d | 799 | |
9f6845cf DM |
800 | return 'ct'; |
801 | } | |
802 | ||
05496017 FG |
803 | sub lock_config { |
804 | my ($class, $param, $code) = @_; | |
805 | ||
806 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
807 | } | |
808 | ||
c85c87f9 | 809 | sub load_config { |
1210ae94 | 810 | my ($class, $param) = @_; |
75a12a9d | 811 | |
1210ae94 DM |
812 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
813 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
814 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
815 | } |
816 | ||
817 | sub save_config { | |
1210ae94 | 818 | my ($class, $param, $fw_conf) = @_; |
c85c87f9 | 819 | |
1210ae94 | 820 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
821 | } |
822 | ||
823 | __PACKAGE__->register_handlers(); | |
824 | ||
825 | __PACKAGE__->register_method ({ | |
75a12a9d | 826 | subclass => "PVE::API2::Firewall::CTIPset", |
c85c87f9 | 827 | path => '{name}', |
75a12a9d TL |
828 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
829 | fragmentDelimiter => '', | |
c85c87f9 DM |
830 | }); |
831 | ||
009ee3ac | 832 | 1; |