]> git.proxmox.com Git - pve-firewall.git/blame - src/PVE/API2/Firewall/IPSet.pm
allow non zero ip address host bits to be entered
1package PVE::API2::Firewall::IPSetBase;
2
3use strict;
4use warnings;
4a11bba5 5use PVE::Exception qw(raise raise_param_exc);
6use PVE::JSONSchema qw(get_standard_option);
7
8use PVE::Firewall;
9
10use base qw(PVE::RESTHandler);
11
# Parameter schema fragments shared by the IPSet member handlers of this
# package. Each register_* sub copies the entries it needs into its own
# `properties` hash.
#
#   cidr    - string checked against the 'IPorCIDRorAlias' format; the format
#             checker itself is defined outside this file.
#   name    - the standard 'ipset-name' option.
#   comment - optional free-form string; no length or character restriction
#             is declared here.
#   nomatch - optional boolean flag stored with the entry.
my $api_properties = {
    cidr => {
        description => "Network/IP specification in CIDR format.",
        type        => 'string',
        format      => 'IPorCIDRorAlias',
    },
    name    => get_standard_option('ipset-name'),
    comment => { type => 'string',  optional => 1 },
    nomatch => { type => 'boolean', optional => 1 },
};
27
# Abstract hook. A subclass has to run $code while holding the lock for the
# firewall configuration it manages; the subclasses in this file pass $param
# on to the locking helper together with $code.
#
# This base version always dies.
sub lock_config {
    my $class = shift;
    my ($param, $code) = @_;

    die "implement this in subclass";
}
33
# Abstract hook. A subclass has to load the firewall configuration selected
# by $param and return the list
#
#     ($cluster_conf, $fw_conf, $ipset)
#
# where $ipset is the member list of the set named by $param->{name}.
#
# This base version always dies.
sub load_config {
    my $class = shift;
    my ($param) = @_;

    die "implement this in subclass";
}
41
# Abstract hook. A subclass has to persist $fw_conf for the object selected
# by $param.
#
# This base version always dies.
sub save_config {
    my $class = shift;
    my ($param, $fw_conf) = @_;

    die "implement this in subclass";
}
47
# Abstract hook. A subclass returns the rule environment name that the
# register_* subs pass to the PVE::Firewall permission helpers; the
# subclasses in this file return 'cluster', 'vm' or 'ct'.
#
# This base version always dies.
sub rule_env {
    my $class = shift;
    my ($param) = @_;

    die "implement this in subclass";
}
53
# Store or remove one IPSet in $fw_conf and persist the configuration.
#
#   $param   - request parameters; $param->{name} selects the set
#   $fw_conf - firewall configuration hash, modified in place
#   $ipset   - new member list, or undef to drop the whole set
#
# Returns whatever the subclass's save_config() returns.
sub save_ipset {
    my ($class, $param, $fw_conf, $ipset) = @_;

    my $set_name = $param->{name};

    if (defined $ipset) {
        $fw_conf->{ipset}->{$set_name} = $ipset;
    }
    else {
        # undef means "delete the set", not "store an empty set".
        delete $fw_conf->{ipset}->{$set_name};
    }

    return $class->save_config($param, $fw_conf);
}
65
# Per-class registry of extra schema properties, keyed by class name.
my $additional_param_hash = {};

# Get, and optionally set, the extra schema properties of $class.
#
# With a defined $new_value the registry entry for $class is replaced first.
# The return value is always a fresh hash, so callers may add keys to it
# without changing the registry. The copy is shallow: the property
# definitions themselves are shared with the registered hash.
sub additional_parameters {
    my ($class, $new_value) = @_;

    $additional_param_hash->{$class} = $new_value if defined $new_value;

    my $registered = $additional_param_hash->{$class} || {};

    return +{ %$registered };
}
81
# Register the GET handler ('get_ipset') that lists the members of one IPSet.
#
# The permission spec comes from PVE::Firewall::rules_audit_permissions()
# for the subclass's rule_env(). The handler loads the set through
# load_config() and returns the result of
# PVE::Firewall::copy_list_with_digest(); the return schema declares a
# mandatory `digest` on every item.
sub register_get_ipset {
    my ($class) = @_;

    my $props = $class->additional_parameters();
    $props->{name} = $api_properties->{name};

    # Read-only: no lock is taken and nothing is written back.
    my $list_members = sub {
        my ($request) = @_;

        my (undef, undef, $members) = $class->load_config($request);

        return PVE::Firewall::copy_list_with_digest($members);
    };

    return $class->register_method({
        name        => 'get_ipset',
        path        => '',
        method      => 'GET',
        description => "List IPSet content",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => {
            type  => 'array',
            items => {
                type       => "object",
                properties => {
                    cidr    => { type => 'string' },
                    comment => { type => 'string',  optional => 1 },
                    nomatch => { type => 'boolean', optional => 1 },
                    digest  => get_standard_option('pve-config-digest', { optional => 0 }),
                },
            },
            links => [ { rel => 'child', href => "{cidr}" } ],
        },
        code => $list_members,
    });
}
128
# Register the DELETE handler ('delete_ipset') that removes a whole IPSet.
#
# The permission spec comes from PVE::Firewall::rules_modify_permissions()
# for the subclass's rule_env(). Load, check and save all run inside
# lock_config(), so the emptiness check and the removal see the same
# configuration.
#
# A non-empty set is only removed when `force` is true; otherwise the
# handler dies with "IPSet '<name>' is not empty".
#
# NOTE(review): unlike the per-entry update/remove handlers, this one takes
# no `digest` parameter, so there is no check here that the set is unchanged
# since the client last read it.
sub register_delete_ipset {
    my ($class) = @_;

    my $props = $class->additional_parameters();

    $props->{name}  = get_standard_option('ipset-name');
    $props->{force} = {
        type        => 'boolean',
        optional    => 1,
        description => 'Delete all members of the IPSet, if there are any.',
    };

    # Runs under the configuration lock.
    my $drop_set = sub {
        my ($locked) = @_;

        my (undef, $fw_conf, $members) = $class->load_config($locked);

        if (scalar(@$members) && !$locked->{force}) {
            die "IPSet '$locked->{name}' is not empty\n";
        }

        # undef as the member list tells save_ipset() to delete the set.
        return $class->save_ipset($locked, $fw_conf, undef);
    };

    return $class->register_method({
        name        => 'delete_ipset',
        path        => '',
        method      => 'DELETE',
        description => "Delete IPSet",
        protected   => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => 'null' },
        code    => sub {
            my ($request) = @_;

            $class->lock_config($request, $drop_set);

            return undef;
        },
    });
}
171
# Register the POST handler ('create_ip') that adds one entry to an IPSet.
#
# The permission spec comes from PVE::Firewall::rules_modify_permissions()
# for the subclass's rule_env(). Everything from loading the set to saving
# it runs inside lock_config().
#
# The requested `cidr` is passed through PVE::Firewall::clean_cidr(). If the
# result looks like an alias name it must resolve via resolve_alias();
# otherwise it is normalized with parse_ip_or_cidr() so that it compares
# equal to entries produced by the config parser. After that the handler
# rejects a value already present in the set and any value whose text ends
# in a zero prefix ("/0").
#
# NOTE(review): for an alias only its existence is checked; the zero-prefix
# test runs on the alias name, not on the network the alias resolves to.
# Whether a zero-prefix alias target is rejected elsewhere is not visible
# here - confirm.
sub register_create_ip {
    my ($class) = @_;

    my $props = $class->additional_parameters();
    $props->{$_} = $api_properties->{$_} for qw(name cidr nomatch comment);

    # Runs under the configuration lock.
    my $add_entry = sub {
        my ($locked) = @_;

        my ($cluster_conf, $fw_conf, $members) = $class->load_config($locked);

        my $cidr = PVE::Firewall::clean_cidr($locked->{cidr});
        if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) {
            # An alias has to exist; the call is made only for that check.
            PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
        }
        else {
            # Same normalization as the config parser, so that two spellings
            # of one address cannot both end up in the set.
            $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
        }

        for my $member (@$members) {
            next if $member->{cidr} ne $cidr;
            raise_param_exc({ cidr => "address '$cidr' already exists" });
        }

        if ($cidr =~ m!/0+$!) {
            raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" });
        }

        my $new_entry = { cidr => $cidr };
        $new_entry->{nomatch} = 1                  if $locked->{nomatch};
        $new_entry->{comment} = $locked->{comment} if $locked->{comment};

        # New entries go to the front of the list.
        unshift @$members, $new_entry;

        return $class->save_ipset($locked, $fw_conf, $members);
    };

    return $class->register_method({
        name        => 'create_ip',
        path        => '',
        method      => 'POST',
        description => "Add IP or Network to IPSet.",
        protected   => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => "null" },
        code    => sub {
            my ($request) = @_;

            $class->lock_config($request, $add_entry);

            return undef;
        },
    });
}
234
# Register the GET handler ('read_ip') that returns one entry of an IPSet.
#
# The permission spec comes from PVE::Firewall::rules_audit_permissions()
# for the subclass's rule_env(). The entry is looked up in the list returned
# by PVE::Firewall::copy_list_with_digest(); if nothing matches, a parameter
# exception "no such IP/Network" is raised for `cidr`.
#
# NOTE(review): the lookup is a plain string comparison against the raw
# request value, while create_ip stores a normalized form. A non-canonical
# spelling of an existing entry may therefore not be found - confirm whether
# lookups should normalize as well.
sub register_read_ip {
    my ($class) = @_;

    my $props = $class->additional_parameters();
    $props->{$_} = $api_properties->{$_} for qw(name cidr);

    # Read-only: no lock is taken and nothing is written back.
    my $find_entry = sub {
        my ($request) = @_;

        my (undef, undef, $members) = $class->load_config($request);

        my $listing = PVE::Firewall::copy_list_with_digest($members);

        for my $candidate (@$listing) {
            return $candidate if $candidate->{cidr} eq $request->{cidr};
        }

        raise_param_exc({ cidr => "no such IP/Network" });
    };

    return $class->register_method({
        name        => 'read_ip',
        path        => '{cidr}',
        method      => 'GET',
        description => "Read IP or Network settings from IPSet.",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        protected   => 1,
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => "object" },
        code    => $find_entry,
    });
}
271
# Register the PUT handler ('update_ip') that changes the `nomatch` flag and
# the comment of one IPSet entry.
#
# The permission spec comes from PVE::Firewall::rules_modify_permissions()
# for the subclass's rule_env(). Inside lock_config() the handler first
# compares the current digest of the set with the `digest` parameter via
# PVE::Tools::assert_if_modified(), then rewrites the first entry whose
# `cidr` equals the request value and saves the set. If no entry matches, a
# parameter exception "no such IP/Network" is raised after the lock
# callback has returned.
#
# NOTE(review): `nomatch` and `comment` are optional in the schema but are
# assigned unconditionally, so a field left out of the request is written
# back as undef. A client that only edits the comment has to resend
# `nomatch`, otherwise the flag on that entry is cleared.
# NOTE(review): the lookup compares against the raw request value, while
# create_ip stores a normalized form; a non-canonical spelling may not
# match - confirm.
sub register_update_ip {
    my ($class) = @_;

    my $props = $class->additional_parameters();
    $props->{$_} = $api_properties->{$_} for qw(name cidr nomatch comment);
    $props->{digest} = get_standard_option('pve-config-digest');

    # Runs under the configuration lock; returns 1 if an entry was updated
    # and saved, 0 otherwise.
    my $rewrite_entry = sub {
        my ($locked) = @_;

        my (undef, $fw_conf, $members) = $class->load_config($locked);

        my (undef, $digest) = PVE::Firewall::copy_list_with_digest($members);
        PVE::Tools::assert_if_modified($digest, $locked->{digest});

        for my $member (@$members) {
            next if $member->{cidr} ne $locked->{cidr};

            $member->{nomatch} = $locked->{nomatch};
            $member->{comment} = $locked->{comment};
            $class->save_ipset($locked, $fw_conf, $members);

            return 1;
        }

        return 0;
    };

    return $class->register_method({
        name        => 'update_ip',
        path        => '{cidr}',
        method      => 'PUT',
        description => "Update IP or Network settings",
        protected   => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => "null" },
        code    => sub {
            my ($request) = @_;

            my $updated = $class->lock_config($request, $rewrite_entry);

            return if $updated;

            raise_param_exc({ cidr => "no such IP/Network" });
        },
    });
}
323
# Register the DELETE handler (API name 'remove_ip') that removes one entry
# from an IPSet.
#
# The permission spec comes from PVE::Firewall::rules_modify_permissions()
# for the subclass's rule_env(). Inside lock_config() the handler compares
# the current digest of the set with the `digest` parameter via
# PVE::Tools::assert_if_modified(), keeps every entry whose `cidr` differs
# from the request value and saves the resulting list.
#
# NOTE(review): when no entry matches, the filtered list equals the old
# one; it is saved anyway and the call returns null. Unlike read_ip and
# update_ip, no "no such IP/Network" error is raised. Because the comparison
# uses the raw request value while create_ip stores a normalized form, a
# request with a non-canonical spelling may report success while the entry
# stays in the set. Confirm whether that is intended; callers that rely on
# the removal should re-read the set.
sub register_delete_ip {
    my ($class) = @_;

    my $props = $class->additional_parameters();
    $props->{$_} = $api_properties->{$_} for qw(name cidr);
    $props->{digest} = get_standard_option('pve-config-digest');

    # Runs under the configuration lock.
    my $drop_entry = sub {
        my ($locked) = @_;

        my (undef, $fw_conf, $members) = $class->load_config($locked);

        my (undef, $digest) = PVE::Firewall::copy_list_with_digest($members);
        PVE::Tools::assert_if_modified($digest, $locked->{digest});

        my $remaining = [ grep { $_->{cidr} ne $locked->{cidr} } @$members ];

        return $class->save_ipset($locked, $fw_conf, $remaining);
    };

    return $class->register_method({
        name        => 'remove_ip',
        path        => '{cidr}',
        method      => 'DELETE',
        description => "Remove IP or Network from IPSet.",
        protected   => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => "null" },
        code    => sub {
            my ($request) = @_;

            $class->lock_config($request, $drop_entry);

            return undef;
        },
    });
}
368
# Register every API method of this handler class: the set-level delete and
# list handlers first, then the per-entry create/read/update/remove ones.
sub register_handlers {
    my ($class) = @_;

    for my $registrar (
        qw(
            register_delete_ipset
            register_get_ipset
            register_create_ip
            register_read_ip
            register_update_ip
        )
    ) {
        $class->$registrar();
    }

    # Final statement, so the sub's value is that of the last registration.
    return $class->register_delete_ip();
}
379
# IPSet member API for the cluster-wide firewall configuration.
package PVE::API2::Firewall::ClusterIPset;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code with $param under the cluster firewall configuration lock.
# The literal 10 is the first argument of lock_clusterfw_conf(); presumably
# the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster firewall configuration and pick the set named by
# $param->{name}. Dies with "no such IPSet '<name>'" if it is not defined.
#
# Returns (undef, $fw_conf, $ipset): there is no separate cluster
# configuration in this case, so the first slot is undef.
sub load_config {
    my ($class, $param) = @_;

    my $set_name = $param->{name};

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $ipset   = $fw_conf->{ipset}->{$set_name};
    die "no such IPSet '$set_name'\n" unless defined $ipset;

    return (undef, $fw_conf, $ipset);
}

# Write $fw_conf back as the cluster firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();
416
# IPSet member API for the firewall configuration of a single VM.
package PVE::API2::Firewall::VMIPset;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Every handler of this class also takes `node` and `vmid`. Only `vmid` is
# read by the methods below; `node` is part of the schema but not used in
# this package.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code with $param under the firewall configuration lock of the guest
# $param->{vmid}. The literal 10 is the second argument of lock_vmfw_conf();
# presumably the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster configuration and, with it, the 'vm' firewall
# configuration of $param->{vmid}; then pick the set named by
# $param->{name}. Dies with "no such IPSet '<name>'" if it is not defined.
#
# Returns ($cluster_conf, $fw_conf, $ipset).
sub load_config {
    my ($class, $param) = @_;

    my $set_name = $param->{name};

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf      = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
    my $ipset        = $fw_conf->{ipset}->{$set_name};
    die "no such IPSet '$set_name'\n" unless defined $ipset;

    return ($cluster_conf, $fw_conf, $ipset);
}

# Write $fw_conf back as the firewall configuration of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();
460
# IPSet member API for the firewall configuration of a single container.
package PVE::API2::Firewall::CTIPset;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::IPSetBase);

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Every handler of this class also takes `node` and `vmid`. Only `vmid` is
# read by the methods below; `node` is part of the schema but not used in
# this package.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Run $code with $param under the firewall configuration lock of the guest
# $param->{vmid}. The literal 10 is the second argument of lock_vmfw_conf();
# presumably the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster configuration and, with it, the 'ct' firewall
# configuration of $param->{vmid}; then pick the set named by
# $param->{name}. Dies with "no such IPSet '<name>'" if it is not defined.
#
# Returns ($cluster_conf, $fw_conf, $ipset).
sub load_config {
    my ($class, $param) = @_;

    my $set_name = $param->{name};

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf      = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
    my $ipset        = $fw_conf->{ipset}->{$set_name};
    die "no such IPSet '$set_name'\n" unless defined $ipset;

    return ($cluster_conf, $fw_conf, $ipset);
}

# Write $fw_conf back as the firewall configuration of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();
504
505package PVE::API2::Firewall::BaseIPSetList;
506
507use strict;
508use warnings;
e74a87f5 509use PVE::JSONSchema qw(get_standard_option);
c85c87f9 510use PVE::Exception qw(raise_param_exc);
e74a87f5 511use PVE::Firewall;
512
513use base qw(PVE::RESTHandler);
514
# Abstract hook. A subclass has to run $code while holding the lock for the
# firewall configuration it manages; the subclasses in this file pass $param
# on to the locking helper together with $code.
#
# This base version always dies.
sub lock_config {
    my $class = shift;
    my ($param, $code) = @_;

    die "implement this in subclass";
}
520
# Abstract hook. A subclass has to load the firewall configuration selected
# by $param and return the list
#
#     ($cluster_conf, $fw_conf)
#
# This base version always dies.
sub load_config {
    my $class = shift;
    my ($param) = @_;

    die "implement this in subclass";
}
528
# Abstract hook. A subclass has to persist $fw_conf for the object selected
# by $param.
#
# This base version always dies.
sub save_config {
    my $class = shift;
    my ($param, $fw_conf) = @_;

    die "implement this in subclass";
}
534
# Abstract hook. A subclass returns the rule environment name that the
# register_* subs pass to the PVE::Firewall permission helpers; the
# subclasses in this file return 'cluster', 'vm' or 'ct'.
#
# This base version always dies.
sub rule_env {
    my $class = shift;
    my ($param) = @_;

    die "implement this in subclass";
}
540
# Per-class registry of extra schema properties, keyed by class name.
my $additional_param_hash_list = {};

# Get, and optionally set, the extra schema properties of $class.
#
# With a defined $new_value the registry entry for $class is replaced first.
# The return value is always a fresh hash, so callers may add keys to it
# without changing the registry. The copy is shallow: the property
# definitions themselves are shared with the registered hash.
sub additional_parameters {
    my ($class, $new_value) = @_;

    $additional_param_hash_list->{$class} = $new_value if defined $new_value;

    my $registered = $additional_param_hash_list->{$class} || {};

    return +{ %$registered };
}
556
# Build the index of IPSets defined in $fw_conf.
#
# Produces one { name => ... } record per key of $fw_conf->{ipset}, sorted
# by name, with a `comment` added when $fw_conf->{ipset_comments} holds a
# true value for that name. The records are then passed through
# PVE::Firewall::copy_list_with_digest().
#
# Returns ($list, $digest) in list context and only $list otherwise.
my $get_ipset_list = sub {
    my ($fw_conf) = @_;

    my @records = map {
        my $record  = { name => $_ };
        my $comment = $fw_conf->{ipset_comments}->{$_};
        $record->{comment} = $comment if $comment;
        $record;
    } sort keys %{ $fw_conf->{ipset} };

    my ($list, $digest) = PVE::Firewall::copy_list_with_digest(\@records);

    return $list unless wantarray;
    return ($list, $digest);
};
575
# Register the GET handler ('ipset_index') that lists the IPSets of one
# firewall configuration.
#
# The permission spec comes from PVE::Firewall::rules_audit_permissions()
# for the subclass's rule_env(). The handler only reads: it loads the
# configuration and returns the index built by $get_ipset_list.
sub register_index {
    my ($class) = @_;

    my $props = $class->additional_parameters();

    # Read-only: no lock is taken and nothing is written back.
    my $list_sets = sub {
        my ($request) = @_;

        my (undef, $fw_conf) = $class->load_config($request);

        return $get_ipset_list->($fw_conf);
    };

    return $class->register_method({
        name        => 'ipset_index',
        path        => '',
        method      => 'GET',
        description => "List IPSets",
        permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => {
            type  => 'array',
            items => {
                type       => "object",
                properties => {
                    name    => get_standard_option('ipset-name'),
                    digest  => get_standard_option('pve-config-digest', { optional => 0 }),
                    comment => { type => 'string', optional => 1 },
                },
            },
            links => [ { rel => 'child', href => "{name}" } ],
        },
        code => $list_sets,
    });
}
614
# Register the POST handler ('create_ipset') that creates an IPSet or, when
# `rename` is given, renames an existing one and/or updates its comment.
#
# The permission spec comes from PVE::Firewall::rules_modify_permissions()
# for the subclass's rule_env(). Load, checks and save all run inside
# lock_config().
#
# Rename path (`rename` is the existing name, `name` the new one):
#   - the digest of the current set index is compared with the `digest`
#     parameter via PVE::Tools::assert_if_modified();
#   - the source set must exist and the target name must not be taken,
#     unless both names are equal;
#   - the member list and any stored comment move to the new name; a
#     defined `comment` parameter then replaces the comment.
# Create path:
#   - the name must not exist yet; an empty set is stored, plus the comment
#     if one was given.
#
# NOTE(review): `digest` is only read on the rename path; a plain create
# ignores it.
# NOTE(review): the rename only moves the `ipset` and `ipset_comments`
# entries of this configuration. Whether references to the old name
# elsewhere are updated is not visible here - confirm, since a rule left
# pointing at the old name would no longer refer to this set.
sub register_create {
    my ($class) = @_;

    my $props = $class->additional_parameters();

    $props->{name}    = get_standard_option('ipset-name');
    $props->{comment} = { type => 'string', optional => 1 };
    $props->{digest}  = get_standard_option('pve-config-digest');
    $props->{rename}  = get_standard_option('ipset-name', {
        description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
        optional    => 1,
    });

    # Runs under the configuration lock.
    my $create_or_rename = sub {
        my ($locked) = @_;

        my (undef, $fw_conf) = $class->load_config($locked);

        my $new_name = $locked->{name};

        if ($locked->{rename}) {
            my $old_name = $locked->{rename};

            my (undef, $digest) = $get_ipset_list->($fw_conf);
            PVE::Tools::assert_if_modified($digest, $locked->{digest});

            if (!$fw_conf->{ipset}->{$old_name}) {
                raise_param_exc({ name => "IPSet '$old_name' does not exist" });
            }

            # Never overwrite a different, already existing set.
            if ($fw_conf->{ipset}->{$new_name} && $new_name ne $old_name) {
                raise_param_exc({ name => "IPSet '$new_name' does already exist" });
            }

            my $members = delete $fw_conf->{ipset}->{$old_name};
            $fw_conf->{ipset}->{$new_name} = $members;

            my $old_comment = delete $fw_conf->{ipset_comments}->{$old_name};
            $fw_conf->{ipset_comments}->{$new_name} = $old_comment if $old_comment;

            # An explicitly passed comment wins over the carried-over one.
            $fw_conf->{ipset_comments}->{$new_name} = $locked->{comment}
                if defined $locked->{comment};
        }
        else {
            if (exists $fw_conf->{ipset}->{$new_name}) {
                raise_param_exc({ name => "IPSet '$new_name' already exists" });
            }

            $fw_conf->{ipset}->{$new_name} = [];
            $fw_conf->{ipset_comments}->{$new_name} = $locked->{comment}
                if defined $locked->{comment};
        }

        return $class->save_config($locked, $fw_conf);
    };

    return $class->register_method({
        name        => 'create_ipset',
        path        => '',
        method      => 'POST',
        description => "Create new IPSet",
        protected   => 1,
        permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters  => {
            additionalProperties => 0,
            properties           => $props,
        },
        returns => { type => 'null' },
        code    => sub {
            my ($request) = @_;

            $class->lock_config($request, $create_or_rename);

            return undef;
        },
    });
}
684
# Register the two API methods of an IPSet list class: the index handler
# first, then the create/rename handler.
sub register_handlers {
    my ($class) = @_;

    $class->register_index;

    return $class->register_create;
}
c85c87f9 691
# IPSet list API for the cluster-wide firewall configuration.
package PVE::API2::Firewall::ClusterIPSetList;

use strict;
use warnings;
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

# Run $code with $param under the cluster firewall configuration lock.
# The literal 10 is the first argument of lock_clusterfw_conf(); presumably
# the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

# Load the cluster firewall configuration.
#
# Returns (undef, $conf): the cluster configuration fills the $fw_conf slot
# the base class works on, and the first slot stays undef.
sub load_config {
    my ($class, $param) = @_;

    my $conf = PVE::Firewall::load_clusterfw_conf();

    return (undef, $conf);
}

# Write $fw_conf back as the cluster firewall configuration.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is handled by the member API class.
__PACKAGE__->register_method({
    subclass => "PVE::API2::Firewall::ClusterIPset",
    path     => '{name}',

    # Empty fragment delimiter (no sub-directories): needed because a CIDR
    # address contains a slash '/'.
    fragmentDelimiter => '',
});
733
# IPSet list API for the firewall configuration of a single VM.
package PVE::API2::Firewall::VMIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Every handler of this class also takes `node` and `vmid`. Only `vmid` is
# read by the methods below; `node` is part of the schema but not used in
# this package.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

# Run $code with $param under the firewall configuration lock of the guest
# $param->{vmid}. The literal 10 is the second argument of lock_vmfw_conf();
# presumably the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster configuration and, with it, the 'vm' firewall
# configuration of $param->{vmid}.
#
# Returns ($cluster_conf, $fw_conf).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $guest_conf   = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});

    return ($cluster_conf, $guest_conf);
}

# Write $fw_conf back as the firewall configuration of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is handled by the member API class.
__PACKAGE__->register_method({
    subclass => "PVE::API2::Firewall::VMIPset",
    path     => '{name}',

    # Empty fragment delimiter (no sub-directories): needed because a CIDR
    # address contains a slash '/'.
    fragmentDelimiter => '',
});
782
# IPSet list API for the firewall configuration of a single container.
package PVE::API2::Firewall::CTIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

# Every handler of this class also takes `node` and `vmid`. Only `vmid` is
# read by the methods below; `node` is part of the schema but not used in
# this package.
__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

# Rule environment passed to the PVE::Firewall permission helpers.
sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

# Run $code with $param under the firewall configuration lock of the guest
# $param->{vmid}. The literal 10 is the second argument of lock_vmfw_conf();
# presumably the lock timeout - confirm against PVE::Firewall.
sub lock_config {
    my ($class, $param, $code) = @_;

    return PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

# Load the cluster configuration and, with it, the 'ct' firewall
# configuration of $param->{vmid}.
#
# Returns ($cluster_conf, $fw_conf).
sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $guest_conf   = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});

    return ($cluster_conf, $guest_conf);
}

# Write $fw_conf back as the firewall configuration of $param->{vmid}.
sub save_config {
    my ($class, $param, $fw_conf) = @_;

    return PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

# Everything below '{name}' is handled by the member API class.
__PACKAGE__->register_method({
    subclass => "PVE::API2::Firewall::CTIPset",
    path     => '{name}',

    # Empty fragment delimiter (no sub-directories): needed because a CIDR
    # address contains a slash '/'.
    fragmentDelimiter => '',
});
831
009ee3ac 8321;