[pve-firewall.git] / src / PVE / API2 / Firewall / IPSet.pm

package PVE::API2::Firewall::IPSetBase;

use strict;
use warnings;
use PVE::Exception qw(raise raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = { 
    cidr => {
	description => "Network/IP specification in CIDR format.",
	type => 'string', format => 'IPv4orCIDR',
    },
    name => get_standard_option('ipset-name'),
    comment => {
	type => 'string',
	optional => 1,
    },
    nomatch => {
	type => 'boolean',
	optional => 1,
    },
};

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_ipset {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};

    $class->register_method({
	name => 'get_ipset',
	path => '',
	method => 'GET',
	description => "List IPSet content",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    cidr => {
			type => 'string',
		    },
		    comment => {
			type => 'string',
			optional => 1,
		    },
		    nomatch => {
			type => 'boolean',
			optional => 1,
		    },
		    digest => get_standard_option('pve-config-digest', { optional => 0} ),	
		},
	    },
	    links => [ { rel => 'child', href => "{cidr}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    return PVE::Firewall::copy_list_with_digest($ipset);
	}});
}

sub register_create_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};

    $class->register_method({
	name => 'create_ip',
	path => '',
	method => 'POST',
	description => "Add IP or Network to IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my $cidr = $param->{cidr};
	    
	    foreach my $entry (@$ipset) {
		raise_param_exc({ cidr => "address '$cidr' already exists" }) 
		    if $entry->{cidr} eq $cidr;
	    }

	    my $data = { cidr => $cidr };
	    $data->{nomatch} = 1 if $param->{nomatch};
	    $data->{comment} = $param->{comment} if $param->{comment};

	    unshift @$ipset, $data;

	    $class->save_ipset($param, $fw_conf, $ipset);

	    return undef;
	}});
}

sub register_read_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    
    $class->register_method({
	name => 'read_ip',
	path => '{cidr}',
	method => 'GET',
	description => "Read IP or Network settings from IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "object" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my $list = PVE::Firewall::copy_list_with_digest($ipset);

	    foreach my $entry (@$list) {
		if ($entry->{cidr} eq $param->{cidr}) {
		    return $entry;
		}
	    }

	    raise_param_exc({ cidr => "no such IP/Network" });
	}});
}

sub register_update_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{nomatch} = $api_properties->{nomatch};
    $properties->{comment} = $api_properties->{comment};
    $properties->{digest} = get_standard_option('pve-config-digest');

    $class->register_method({
	name => 'update_ip',
	path => '{cidr}',
	method => 'PUT',
	description => "Update IP or Network settings",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});
	    warn "TEST:$digest:$param->{digest}:\n";

	    foreach my $entry (@$ipset) {
		if($entry->{cidr} eq $param->{cidr}) {
		    $entry->{nomatch} = $param->{nomatch};
		    $entry->{comment} = $param->{comment};
		    $class->save_ipset($param, $fw_conf, $ipset);
		    return;
		}
	    }

	    raise_param_exc({ cidr => "no such IP/Network" });
	}});
}

sub register_delete_ip {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{name} = $api_properties->{name};
    $properties->{cidr} = $api_properties->{cidr};
    $properties->{digest} = get_standard_option('pve-config-digest');

    $class->register_method({
	name => 'remove_ip',
	path => '{cidr}',
	method => 'DELETE',
	description => "Remove IP or Network from IPSet.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $ipset) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    my $new = [];
   
	    foreach my $entry (@$ipset) {
		push @$new, $entry if $entry->{cidr} ne $param->{cidr};
	    }

	    $class->save_ipset($param, $fw_conf, $new);
	    
	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_ipset();
    $class->register_create_ip();
    $class->register_read_ip();
    $class->register_update_ip();
    $class->register_delete_ip();
}

package PVE::API2::Firewall::ClusterIPset;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::IPSetBase);

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $ipset = $fw_conf->{ipset}->{$param->{name}};
    die "no such IPSet '$param->{name}'\n" if !defined($ipset);

    return ($fw_conf, $ipset);
}

sub save_ipset {
    my ($class, $param, $fw_conf, $ipset) = @_;

    $fw_conf->{ipset}->{$param->{name}} = $ipset;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::BaseIPSetList;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise_param_exc);
use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $get_ipset_list = sub {
    my ($fw_conf) = @_;

    my $res = [];
    foreach my $name (keys %{$fw_conf->{ipset}}) {
	my $data = { 
	    name => $name,
	};
	if (my $comment = $fw_conf->{ipset_comments}->{$name}) {
	    $data->{comment} = $comment;
	}
	push @$res, $data;
    }

    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);

    return wantarray ? ($list, $digest) : $list;
};

sub register_index {
    my ($class) = @_;

    $class->register_method({
	name => 'ipset_index',
	path => '',
	method => 'GET',
	description => "List IPSets",
	parameters => {
	    additionalProperties => 0,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => { 
		    name => get_standard_option('ipset-name'),
		    digest => get_standard_option('pve-config-digest', { optional => 0} ),
		    comment => { 
			type => 'string',
			optional => 1,
		    }
		},
	    },
	    links => [ { rel => 'child', href => "{name}" } ],
	},
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    return &$get_ipset_list($fw_conf); 
	}});
}

sub register_create {
    my ($class) = @_;

    $class->register_method({
	name => 'create_ipset',
	path => '',
	method => 'POST',
	description => "Create new IPSet",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => { 
		name => get_standard_option('ipset-name'),
		comment => {
		    type => 'string',
		    optional => 1,
		},
		rename => get_standard_option('ipset-name', {
		    description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
		    optional => 1,
		}),
		digest => get_standard_option('pve-config-digest'),
	    }
	},
	returns => { type => 'null' },
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    if ($param->{rename}) {
		my (undef, $digest) = &$get_ipset_list($fw_conf);
		PVE::Tools::assert_if_modified($digest, $param->{digest});

		raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" }) 
		    if !$fw_conf->{ipset}->{$param->{rename}};

		my $data = delete $fw_conf->{ipset}->{$param->{rename}};
		$fw_conf->{ipset}->{$param->{name}} = $data;
		if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
		    $fw_conf->{ipset_comments}->{$param->{name}} = $comment;
		}
		$fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
	    } else { 
		foreach my $name (keys %{$fw_conf->{ipset}}) {
		    raise_param_exc({ name => "IPSet '$name' already exists" }) 
			if $name eq $param->{name};
		}

		$fw_conf->{ipset}->{$param->{name}} = [];
		$fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
	    }

	    $class->save_config($fw_conf);

	    return undef;
	}});
}

sub register_delete {
    my ($class) = @_;

    $class->register_method({
	name => 'delete_ipset',
	path => '{name}',
	method => 'DELETE',
	description => "Delete IPSet",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => { 
		name => get_standard_option('ipset-name'),
		digest => get_standard_option('pve-config-digest'),
	    },
	},
	returns => { type => 'null' },
	code => sub {
	    my ($param) = @_;
	    
	    my $fw_conf = $class->load_config();

	    return undef if !$fw_conf->{ipset}->{$param->{name}};

	    my (undef, $digest) = &$get_ipset_list($fw_conf);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    die "IPSet '$param->{name}' is not empty\n" 
		if scalar(@{$fw_conf->{ipset}->{$param->{name}}});

	    delete $fw_conf->{ipset}->{$param->{name}};

	    $class->save_config($fw_conf);

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_index();
    $class->register_create();
    $class->register_delete();
}

package PVE::API2::Firewall::ClusterIPSetList;

use strict;
use warnings;
use PVE::Firewall;

use base qw(PVE::API2::Firewall::BaseIPSetList);

sub load_config {
    my ($class) = @_;
 
    return PVE::Firewall::load_clusterfw_conf();
}

sub save_config {
    my ($class, $fw_conf) = @_;

    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPset",  
    path => '{name}',
    # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' 
    fragmentDelimiter => '', 
});

1;
Commit	Line	Data
009ee3ac DM	1	package PVE::API2::Firewall::IPSetBase;
	2
	3	use strict;
	4	use warnings;
4a11bba5	5	use PVE::Exception qw(raise raise_param_exc);
009ee3ac DM	6	use PVE::JSONSchema qw(get_standard_option);
	7
	8	use PVE::Firewall;
	9
	10	use base qw(PVE::RESTHandler);
	11
	12	my $api_properties = {
	13	cidr => {
	14	description => "Network/IP specification in CIDR format.",
	15	type => 'string', format => 'IPv4orCIDR',
	16	},
e74a87f5	17	name => get_standard_option('ipset-name'),
009ee3ac DM	18	comment => {
	19	type => 'string',
	20	optional => 1,
	21	},
	22	nomatch => {
	23	type => 'boolean',
	24	optional => 1,
	25	},
	26	};
	27
	28	sub load_config {
	29	my ($class, $param) = @_;
	30
	31	die "implement this in subclass";
	32
	33	#return ($fw_conf, $rules);
	34	}
	35
	36	sub save_rules {
	37	my ($class, $param, $fw_conf, $rules) = @_;
	38
	39	die "implement this in subclass";
	40	}
	41
	42	my $additional_param_hash = {};
	43
	44	sub additional_parameters {
	45	my ($class, $new_value) = @_;
	46
	47	if (defined($new_value)) {
	48	$additional_param_hash->{$class} = $new_value;
	49	}
	50
	51	# return a copy
	52	my $copy = {};
	53	my $org = $additional_param_hash->{$class} \|\| {};
	54	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	55	return $copy;
	56	}
	57
	58	sub register_get_ipset {
	59	my ($class) = @_;
	60
	61	my $properties = $class->additional_parameters();
	62
	63	$properties->{name} = $api_properties->{name};
	64
	65	$class->register_method({
	66	name => 'get_ipset',
	67	path => '',
	68	method => 'GET',
	69	description => "List IPSet content",
	70	parameters => {
	71	additionalProperties => 0,
	72	properties => $properties,
	73	},
	74	returns => {
	75	type => 'array',
	76	items => {
	77	type => "object",
	78	properties => {
	79	cidr => {
	80	type => 'string',
	81	},
82	comment => {
83	type => 'string',
84	optional => 1,
85	},
86	nomatch => {
87	type => 'boolean',
88	optional => 1,
d72c631c DM	89	},
d72c631c DM	90	digest => get_standard_option('pve-config-digest', { optional => 0} ),
009ee3ac DM	91	},
	92	},
	93	links => [ { rel => 'child', href => "{cidr}" } ],
	94	},
	95	code => sub {
	96	my ($param) = @_;
	97
	98	my ($fw_conf, $ipset) = $class->load_config($param);
	99
5d38d64f	100	return PVE::Firewall::copy_list_with_digest($ipset);
009ee3ac DM	101	}});
	102	}
	103
a33c74f6	104	sub register_create_ip {
009ee3ac DM	105	my ($class) = @_;
	106
	107	my $properties = $class->additional_parameters();
	108
	109	$properties->{name} = $api_properties->{name};
	110	$properties->{cidr} = $api_properties->{cidr};
	111	$properties->{nomatch} = $api_properties->{nomatch};
	112	$properties->{comment} = $api_properties->{comment};
d72c631c	113
009ee3ac	114	$class->register_method({
a33c74f6	115	name => 'create_ip',
009ee3ac DM	116	path => '',
	117	method => 'POST',
	118	description => "Add IP or Network to IPSet.",
	119	protected => 1,
	120	parameters => {
	121	additionalProperties => 0,
	122	properties => $properties,
	123	},
	124	returns => { type => "null" },
	125	code => sub {
	126	my ($param) = @_;
	127
	128	my ($fw_conf, $ipset) = $class->load_config($param);
	129
4a11bba5 DM	130	my $cidr = $param->{cidr};
	131
	132	foreach my $entry (@$ipset) {
	133	raise_param_exc({ cidr => "address '$cidr' already exists" })
	134	if $entry->{cidr} eq $cidr;
	135	}
	136
	137	my $data = { cidr => $cidr };
009ee3ac DM	138	$data->{nomatch} = 1 if $param->{nomatch};
	139	$data->{comment} = $param->{comment} if $param->{comment};
	140
009ee3ac DM	141	unshift @$ipset, $data;
	142
	143	$class->save_ipset($param, $fw_conf, $ipset);
	144
	145	return undef;
	146	}});
	147	}
	148
a33c74f6 DM	149	sub register_read_ip {
	150	my ($class) = @_;
	151
	152	my $properties = $class->additional_parameters();
	153
	154	$properties->{name} = $api_properties->{name};
	155	$properties->{cidr} = $api_properties->{cidr};
	156
	157	$class->register_method({
	158	name => 'read_ip',
	159	path => '{cidr}',
	160	method => 'GET',
	161	description => "Read IP or Network settings from IPSet.",
	162	protected => 1,
	163	parameters => {
	164	additionalProperties => 0,
	165	properties => $properties,
	166	},
	167	returns => { type => "object" },
	168	code => sub {
	169	my ($param) = @_;
	170
	171	my ($fw_conf, $ipset) = $class->load_config($param);
	172
5d38d64f DM	173	my $list = PVE::Firewall::copy_list_with_digest($ipset);
	174
	175	foreach my $entry (@$list) {
d72c631c	176	if ($entry->{cidr} eq $param->{cidr}) {
d72c631c DM	177	return $entry;
d72c631c DM	178	}
a33c74f6 DM	179	}
	180
	181	raise_param_exc({ cidr => "no such IP/Network" });
	182	}});
	183	}
	184
	185	sub register_update_ip {
	186	my ($class) = @_;
	187
	188	my $properties = $class->additional_parameters();
	189
	190	$properties->{name} = $api_properties->{name};
	191	$properties->{cidr} = $api_properties->{cidr};
	192	$properties->{nomatch} = $api_properties->{nomatch};
	193	$properties->{comment} = $api_properties->{comment};
d72c631c DM	194	$properties->{digest} = get_standard_option('pve-config-digest');
d72c631c DM	195
a33c74f6 DM	196	$class->register_method({
	197	name => 'update_ip',
	198	path => '{cidr}',
	199	method => 'PUT',
	200	description => "Update IP or Network settings",
	201	protected => 1,
	202	parameters => {
	203	additionalProperties => 0,
	204	properties => $properties,
	205	},
	206	returns => { type => "null" },
	207	code => sub {
	208	my ($param) = @_;
	209
	210	my ($fw_conf, $ipset) = $class->load_config($param);
	211
5d38d64f DM	212	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
	213	PVE::Tools::assert_if_modified($digest, $param->{digest});
	214	warn "TEST:$digest:$param->{digest}:\n";
d72c631c	215
a33c74f6 DM	216	foreach my $entry (@$ipset) {
	217	if($entry->{cidr} eq $param->{cidr}) {
	218	$entry->{nomatch} = $param->{nomatch};
	219	$entry->{comment} = $param->{comment};
	220	$class->save_ipset($param, $fw_conf, $ipset);
	221	return;
	222	}
	223	}
	224
	225	raise_param_exc({ cidr => "no such IP/Network" });
	226	}});
	227	}
	228
	229	sub register_delete_ip {
009ee3ac DM	230	my ($class) = @_;
	231
	232	my $properties = $class->additional_parameters();
	233
	234	$properties->{name} = $api_properties->{name};
	235	$properties->{cidr} = $api_properties->{cidr};
d72c631c DM	236	$properties->{digest} = get_standard_option('pve-config-digest');
d72c631c DM	237
009ee3ac DM	238	$class->register_method({
	239	name => 'remove_ip',
	240	path => '{cidr}',
	241	method => 'DELETE',
	242	description => "Remove IP or Network from IPSet.",
	243	protected => 1,
	244	parameters => {
	245	additionalProperties => 0,
	246	properties => $properties,
	247	},
	248	returns => { type => "null" },
	249	code => sub {
	250	my ($param) = @_;
	251
	252	my ($fw_conf, $ipset) = $class->load_config($param);
	253
5d38d64f DM	254	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
5d38d64f DM	255	PVE::Tools::assert_if_modified($digest, $param->{digest});
d72c631c	256
4a11bba5 DM	257	my $new = [];
	258
	259	foreach my $entry (@$ipset) {
	260	push @$new, $entry if $entry->{cidr} ne $param->{cidr};
	261	}
009ee3ac	262
4a11bba5 DM	263	$class->save_ipset($param, $fw_conf, $new);
4a11bba5 DM	264
009ee3ac DM	265	return undef;
	266	}});
	267	}
	268
	269	sub register_handlers {
	270	my ($class) = @_;
	271
	272	$class->register_get_ipset();
a33c74f6 DM	273	$class->register_create_ip();
	274	$class->register_read_ip();
	275	$class->register_update_ip();
	276	$class->register_delete_ip();
009ee3ac DM	277	}
	278
	279	package PVE::API2::Firewall::ClusterIPset;
	280
	281	use strict;
	282	use warnings;
	283
	284	use base qw(PVE::API2::Firewall::IPSetBase);
	285
	286	sub load_config {
	287	my ($class, $param) = @_;
	288
	289	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	290	my $ipset = $fw_conf->{ipset}->{$param->{name}};
	291	die "no such IPSet '$param->{name}'\n" if !defined($ipset);
	292
	293	return ($fw_conf, $ipset);
	294	}
	295
	296	sub save_ipset {
	297	my ($class, $param, $fw_conf, $ipset) = @_;
	298
	299	$fw_conf->{ipset}->{$param->{name}} = $ipset;
	300	PVE::Firewall::save_clusterfw_conf($fw_conf);
	301	}
	302
	303	__PACKAGE__->register_handlers();
	304
c85c87f9 DM	305	package PVE::API2::Firewall::BaseIPSetList;
	306
	307	use strict;
	308	use warnings;
e74a87f5	309	use PVE::JSONSchema qw(get_standard_option);
c85c87f9	310	use PVE::Exception qw(raise_param_exc);
e74a87f5	311	use PVE::Firewall;
c85c87f9 DM	312
	313	use base qw(PVE::RESTHandler);
	314
5d38d64f DM	315	my $get_ipset_list = sub {
	316	my ($fw_conf) = @_;
	317
	318	my $res = [];
	319	foreach my $name (keys %{$fw_conf->{ipset}}) {
	320	my $data = {
	321	name => $name,
	322	};
	323	if (my $comment = $fw_conf->{ipset_comments}->{$name}) {
	324	$data->{comment} = $comment;
	325	}
	326	push @$res, $data;
	327	}
	328
	329	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);
	330
	331	return wantarray ? ($list, $digest) : $list;
	332	};
	333
c85c87f9 DM	334	sub register_index {
	335	my ($class) = @_;
	336
	337	$class->register_method({
	338	name => 'ipset_index',
	339	path => '',
	340	method => 'GET',
	341	description => "List IPSets",
	342	parameters => {
	343	additionalProperties => 0,
	344	},
	345	returns => {
	346	type => 'array',
	347	items => {
	348	type => "object",
	349	properties => {
e74a87f5	350	name => get_standard_option('ipset-name'),
d72c631c DM	351	digest => get_standard_option('pve-config-digest', { optional => 0} ),
	352	comment => {
	353	type => 'string',
	354	optional => 1,
	355	}
c85c87f9 DM	356	},
	357	},
	358	links => [ { rel => 'child', href => "{name}" } ],
	359	},
	360	code => sub {
	361	my ($param) = @_;
	362
	363	my $fw_conf = $class->load_config();
	364
5d38d64f	365	return &$get_ipset_list($fw_conf);
c85c87f9 DM	366	}});
	367	}
	368
	369	sub register_create {
	370	my ($class) = @_;
	371
	372	$class->register_method({
	373	name => 'create_ipset',
	374	path => '',
	375	method => 'POST',
	376	description => "Create new IPSet",
	377	protected => 1,
	378	parameters => {
	379	additionalProperties => 0,
	380	properties => {
e74a87f5	381	name => get_standard_option('ipset-name'),
d72c631c DM	382	comment => {
	383	type => 'string',
	384	optional => 1,
	385	},
e74a87f5	386	rename => get_standard_option('ipset-name', {
d72c631c	387	description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
bc374ca7	388	optional => 1,
e74a87f5	389	}),
d72c631c	390	digest => get_standard_option('pve-config-digest'),
c85c87f9 DM	391	}
	392	},
	393	returns => { type => 'null' },
	394	code => sub {
	395	my ($param) = @_;
	396
	397	my $fw_conf = $class->load_config();
	398
bc374ca7	399	if ($param->{rename}) {
5d38d64f DM	400	my (undef, $digest) = &$get_ipset_list($fw_conf);
	401	PVE::Tools::assert_if_modified($digest, $param->{digest});
	402
bc374ca7 DM	403	raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
bc374ca7 DM	404	if !$fw_conf->{ipset}->{$param->{rename}};
5d38d64f	405
bc374ca7 DM	406	my $data = delete $fw_conf->{ipset}->{$param->{rename}};
bc374ca7 DM	407	$fw_conf->{ipset}->{$param->{name}} = $data;
d72c631c DM	408	if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
	409	$fw_conf->{ipset_comments}->{$param->{name}} = $comment;
	410	}
	411	$fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
5d38d64f DM	412	} else {
	413	foreach my $name (keys %{$fw_conf->{ipset}}) {
	414	raise_param_exc({ name => "IPSet '$name' already exists" })
	415	if $name eq $param->{name};
	416	}
	417
bc374ca7	418	$fw_conf->{ipset}->{$param->{name}} = [];
d72c631c	419	$fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
bc374ca7 DM	420	}
bc374ca7 DM	421
c85c87f9 DM	422	$class->save_config($fw_conf);
	423
	424	return undef;
	425	}});
	426	}
	427
	428	sub register_delete {
	429	my ($class) = @_;
	430
	431	$class->register_method({
	432	name => 'delete_ipset',
	433	path => '{name}',
	434	method => 'DELETE',
	435	description => "Delete IPSet",
	436	protected => 1,
	437	parameters => {
	438	additionalProperties => 0,
	439	properties => {
e74a87f5	440	name => get_standard_option('ipset-name'),
d72c631c DM	441	digest => get_standard_option('pve-config-digest'),
d72c631c DM	442	},
c85c87f9 DM	443	},
	444	returns => { type => 'null' },
	445	code => sub {
	446	my ($param) = @_;
	447
	448	my $fw_conf = $class->load_config();
	449
	450	return undef if !$fw_conf->{ipset}->{$param->{name}};
	451
5d38d64f DM	452	my (undef, $digest) = &$get_ipset_list($fw_conf);
	453	PVE::Tools::assert_if_modified($digest, $param->{digest});
	454
76aad6c5	455	die "IPSet '$param->{name}' is not empty\n"
c85c87f9 DM	456	if scalar(@{$fw_conf->{ipset}->{$param->{name}}});
	457
	458	delete $fw_conf->{ipset}->{$param->{name}};
	459
	460	$class->save_config($fw_conf);
	461
	462	return undef;
	463	}});
	464	}
	465
	466	sub register_handlers {
	467	my ($class) = @_;
	468
	469	$class->register_index();
	470	$class->register_create();
	471	$class->register_delete();
	472	}
	473
	474	package PVE::API2::Firewall::ClusterIPSetList;
	475
	476	use strict;
	477	use warnings;
	478	use PVE::Firewall;
	479
	480	use base qw(PVE::API2::Firewall::BaseIPSetList);
	481
	482	sub load_config {
	483	my ($class) = @_;
	484
	485	return PVE::Firewall::load_clusterfw_conf();
	486	}
	487
	488	sub save_config {
	489	my ($class, $fw_conf) = @_;
	490
	491	PVE::Firewall::save_clusterfw_conf($fw_conf);
	492	}
	493
	494	__PACKAGE__->register_handlers();
	495
	496	__PACKAGE__->register_method ({
	497	subclass => "PVE::API2::Firewall::ClusterIPset",
	498	path => '{name}',
	499	# set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
	500	fragmentDelimiter => '',
	501	});
	502
009ee3ac	503	1;