]>
Commit | Line | Data |
---|---|---|
009ee3ac DM |
1 | package PVE::API2::Firewall::IPSetBase; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
4a11bba5 | 5 | use PVE::Exception qw(raise raise_param_exc); |
009ee3ac DM |
6 | use PVE::JSONSchema qw(get_standard_option); |
7 | ||
8 | use PVE::Firewall; | |
9 | ||
10 | use base qw(PVE::RESTHandler); | |
11 | ||
75a12a9d | 12 | my $api_properties = { |
009ee3ac DM |
13 | cidr => { |
14 | description => "Network/IP specification in CIDR format.", | |
ae029a88 | 15 | type => 'string', format => 'IPorCIDRorAlias', |
009ee3ac | 16 | }, |
e74a87f5 | 17 | name => get_standard_option('ipset-name'), |
009ee3ac DM |
18 | comment => { |
19 | type => 'string', | |
20 | optional => 1, | |
21 | }, | |
22 | nomatch => { | |
23 | type => 'boolean', | |
24 | optional => 1, | |
25 | }, | |
26 | }; | |
27 | ||
05496017 FG |
28 | sub lock_config { |
29 | my ($class, $param, $code) = @_; | |
30 | ||
31 | die "implement this in subclass"; | |
32 | } | |
33 | ||
009ee3ac DM |
34 | sub load_config { |
35 | my ($class, $param) = @_; | |
36 | ||
37 | die "implement this in subclass"; | |
1210ae94 DM |
38 | |
39 | #return ($cluster_conf, $fw_conf, $ipset); | |
009ee3ac DM |
40 | } |
41 | ||
1210ae94 DM |
42 | sub save_config { |
43 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac DM |
44 | |
45 | die "implement this in subclass"; | |
46 | } | |
47 | ||
9f6845cf DM |
48 | sub rule_env { |
49 | my ($class, $param) = @_; | |
75a12a9d | 50 | |
9f6845cf DM |
51 | die "implement this in subclass"; |
52 | } | |
53 | ||
1210ae94 DM |
54 | sub save_ipset { |
55 | my ($class, $param, $fw_conf, $ipset) = @_; | |
56 | ||
57 | if (!defined($ipset)) { | |
58 | delete $fw_conf->{ipset}->{$param->{name}}; | |
59 | } else { | |
60 | $fw_conf->{ipset}->{$param->{name}} = $ipset; | |
61 | } | |
62 | ||
63 | $class->save_config($param, $fw_conf); | |
64 | } | |
65 | ||
009ee3ac DM |
66 | my $additional_param_hash = {}; |
67 | ||
68 | sub additional_parameters { | |
69 | my ($class, $new_value) = @_; | |
70 | ||
71 | if (defined($new_value)) { | |
72 | $additional_param_hash->{$class} = $new_value; | |
73 | } | |
74 | ||
75 | # return a copy | |
76 | my $copy = {}; | |
77 | my $org = $additional_param_hash->{$class} || {}; | |
78 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
79 | return $copy; | |
80 | } | |
81 | ||
82 | sub register_get_ipset { | |
83 | my ($class) = @_; | |
84 | ||
85 | my $properties = $class->additional_parameters(); | |
86 | ||
87 | $properties->{name} = $api_properties->{name}; | |
88 | ||
89 | $class->register_method({ | |
90 | name => 'get_ipset', | |
91 | path => '', | |
92 | method => 'GET', | |
93 | description => "List IPSet content", | |
9f6845cf | 94 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
009ee3ac DM |
95 | parameters => { |
96 | additionalProperties => 0, | |
97 | properties => $properties, | |
98 | }, | |
99 | returns => { | |
100 | type => 'array', | |
101 | items => { | |
102 | type => "object", | |
103 | properties => { | |
104 | cidr => { | |
105 | type => 'string', | |
106 | }, | |
107 | comment => { | |
108 | type => 'string', | |
109 | optional => 1, | |
110 | }, | |
111 | nomatch => { | |
112 | type => 'boolean', | |
113 | optional => 1, | |
d72c631c | 114 | }, |
75a12a9d | 115 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
009ee3ac DM |
116 | }, |
117 | }, | |
118 | links => [ { rel => 'child', href => "{cidr}" } ], | |
119 | }, | |
120 | code => sub { | |
121 | my ($param) = @_; | |
122 | ||
1210ae94 | 123 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
009ee3ac | 124 | |
5d38d64f | 125 | return PVE::Firewall::copy_list_with_digest($ipset); |
009ee3ac DM |
126 | }}); |
127 | } | |
128 | ||
1210ae94 DM |
129 | sub register_delete_ipset { |
130 | my ($class) = @_; | |
131 | ||
132 | my $properties = $class->additional_parameters(); | |
133 | ||
134 | $properties->{name} = get_standard_option('ipset-name'); | |
135 | ||
136 | $class->register_method({ | |
137 | name => 'delete_ipset', | |
138 | path => '', | |
139 | method => 'DELETE', | |
140 | description => "Delete IPSet", | |
141 | protected => 1, | |
9f6845cf | 142 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
1210ae94 DM |
143 | parameters => { |
144 | additionalProperties => 0, | |
145 | properties => $properties, | |
146 | }, | |
147 | returns => { type => 'null' }, | |
148 | code => sub { | |
149 | my ($param) = @_; | |
75a12a9d | 150 | |
a38849e6 FG |
151 | $class->lock_config($param, sub { |
152 | my ($param) = @_; | |
153 | ||
154 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
1210ae94 | 155 | |
a38849e6 FG |
156 | die "IPSet '$param->{name}' is not empty\n" |
157 | if scalar(@$ipset); | |
1210ae94 | 158 | |
a38849e6 FG |
159 | $class->save_ipset($param, $fw_conf, undef); |
160 | ||
161 | }); | |
1210ae94 DM |
162 | |
163 | return undef; | |
164 | }}); | |
165 | } | |
166 | ||
a33c74f6 | 167 | sub register_create_ip { |
009ee3ac DM |
168 | my ($class) = @_; |
169 | ||
170 | my $properties = $class->additional_parameters(); | |
171 | ||
172 | $properties->{name} = $api_properties->{name}; | |
173 | $properties->{cidr} = $api_properties->{cidr}; | |
174 | $properties->{nomatch} = $api_properties->{nomatch}; | |
175 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c | 176 | |
009ee3ac | 177 | $class->register_method({ |
a33c74f6 | 178 | name => 'create_ip', |
009ee3ac DM |
179 | path => '', |
180 | method => 'POST', | |
181 | description => "Add IP or Network to IPSet.", | |
182 | protected => 1, | |
9f6845cf | 183 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
184 | parameters => { |
185 | additionalProperties => 0, | |
186 | properties => $properties, | |
187 | }, | |
188 | returns => { type => "null" }, | |
189 | code => sub { | |
190 | my ($param) = @_; | |
191 | ||
a38849e6 FG |
192 | $class->lock_config($param, sub { |
193 | my ($param) = @_; | |
009ee3ac | 194 | |
a38849e6 | 195 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
75a12a9d | 196 | |
a38849e6 | 197 | my $cidr = $param->{cidr}; |
891545e8 FG |
198 | if ($cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/) { |
199 | # make sure alias exists (if $cidr is an alias) | |
200 | PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr); | |
201 | } else { | |
202 | # normalize like config parser, otherwise duplicates might slip through | |
203 | $cidr = PVE::Firewall::parse_ip_or_cidr($cidr); | |
204 | } | |
a38849e6 FG |
205 | |
206 | foreach my $entry (@$ipset) { | |
207 | raise_param_exc({ cidr => "address '$cidr' already exists" }) | |
208 | if $entry->{cidr} eq $cidr; | |
209 | } | |
210 | ||
211 | raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" }) | |
212 | if $cidr =~ m!/0+$!; | |
4a11bba5 | 213 | |
1b36f6ec | 214 | |
a38849e6 | 215 | my $data = { cidr => $cidr }; |
7c619bbb | 216 | |
a38849e6 FG |
217 | $data->{nomatch} = 1 if $param->{nomatch}; |
218 | $data->{comment} = $param->{comment} if $param->{comment}; | |
7c619bbb | 219 | |
a38849e6 | 220 | unshift @$ipset, $data; |
009ee3ac | 221 | |
a38849e6 | 222 | $class->save_ipset($param, $fw_conf, $ipset); |
009ee3ac | 223 | |
a38849e6 | 224 | }); |
009ee3ac DM |
225 | |
226 | return undef; | |
227 | }}); | |
228 | } | |
229 | ||
a33c74f6 DM |
230 | sub register_read_ip { |
231 | my ($class) = @_; | |
232 | ||
233 | my $properties = $class->additional_parameters(); | |
234 | ||
235 | $properties->{name} = $api_properties->{name}; | |
236 | $properties->{cidr} = $api_properties->{cidr}; | |
75a12a9d | 237 | |
a33c74f6 DM |
238 | $class->register_method({ |
239 | name => 'read_ip', | |
240 | path => '{cidr}', | |
241 | method => 'GET', | |
242 | description => "Read IP or Network settings from IPSet.", | |
9f6845cf | 243 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
a33c74f6 DM |
244 | protected => 1, |
245 | parameters => { | |
246 | additionalProperties => 0, | |
247 | properties => $properties, | |
248 | }, | |
249 | returns => { type => "object" }, | |
250 | code => sub { | |
251 | my ($param) = @_; | |
252 | ||
1210ae94 | 253 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
a33c74f6 | 254 | |
5d38d64f DM |
255 | my $list = PVE::Firewall::copy_list_with_digest($ipset); |
256 | ||
257 | foreach my $entry (@$list) { | |
d72c631c | 258 | if ($entry->{cidr} eq $param->{cidr}) { |
d72c631c DM |
259 | return $entry; |
260 | } | |
a33c74f6 DM |
261 | } |
262 | ||
263 | raise_param_exc({ cidr => "no such IP/Network" }); | |
264 | }}); | |
265 | } | |
266 | ||
267 | sub register_update_ip { | |
268 | my ($class) = @_; | |
269 | ||
270 | my $properties = $class->additional_parameters(); | |
271 | ||
272 | $properties->{name} = $api_properties->{name}; | |
273 | $properties->{cidr} = $api_properties->{cidr}; | |
274 | $properties->{nomatch} = $api_properties->{nomatch}; | |
275 | $properties->{comment} = $api_properties->{comment}; | |
d72c631c DM |
276 | $properties->{digest} = get_standard_option('pve-config-digest'); |
277 | ||
a33c74f6 DM |
278 | $class->register_method({ |
279 | name => 'update_ip', | |
280 | path => '{cidr}', | |
281 | method => 'PUT', | |
282 | description => "Update IP or Network settings", | |
283 | protected => 1, | |
9f6845cf | 284 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
a33c74f6 DM |
285 | parameters => { |
286 | additionalProperties => 0, | |
287 | properties => $properties, | |
288 | }, | |
289 | returns => { type => "null" }, | |
290 | code => sub { | |
291 | my ($param) = @_; | |
292 | ||
a38849e6 FG |
293 | my $found = $class->lock_config($param, sub { |
294 | my ($param) = @_; | |
295 | ||
296 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); | |
a33c74f6 | 297 | |
a38849e6 FG |
298 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
299 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
d72c631c | 300 | |
a38849e6 FG |
301 | foreach my $entry (@$ipset) { |
302 | if($entry->{cidr} eq $param->{cidr}) { | |
303 | $entry->{nomatch} = $param->{nomatch}; | |
304 | $entry->{comment} = $param->{comment}; | |
305 | $class->save_ipset($param, $fw_conf, $ipset); | |
306 | return 1; | |
307 | } | |
a33c74f6 | 308 | } |
a38849e6 FG |
309 | |
310 | return 0; | |
311 | }); | |
312 | ||
313 | return if $found; | |
a33c74f6 DM |
314 | |
315 | raise_param_exc({ cidr => "no such IP/Network" }); | |
316 | }}); | |
317 | } | |
318 | ||
319 | sub register_delete_ip { | |
009ee3ac DM |
320 | my ($class) = @_; |
321 | ||
322 | my $properties = $class->additional_parameters(); | |
323 | ||
324 | $properties->{name} = $api_properties->{name}; | |
325 | $properties->{cidr} = $api_properties->{cidr}; | |
d72c631c DM |
326 | $properties->{digest} = get_standard_option('pve-config-digest'); |
327 | ||
009ee3ac DM |
328 | $class->register_method({ |
329 | name => 'remove_ip', | |
330 | path => '{cidr}', | |
331 | method => 'DELETE', | |
332 | description => "Remove IP or Network from IPSet.", | |
333 | protected => 1, | |
9f6845cf | 334 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
009ee3ac DM |
335 | parameters => { |
336 | additionalProperties => 0, | |
337 | properties => $properties, | |
338 | }, | |
339 | returns => { type => "null" }, | |
340 | code => sub { | |
341 | my ($param) = @_; | |
342 | ||
a38849e6 FG |
343 | $class->lock_config($param, sub { |
344 | my ($param) = @_; | |
009ee3ac | 345 | |
a38849e6 | 346 | my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param); |
d72c631c | 347 | |
a38849e6 FG |
348 | my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset); |
349 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
75a12a9d | 350 | |
a38849e6 | 351 | my $new = []; |
009ee3ac | 352 | |
a38849e6 FG |
353 | foreach my $entry (@$ipset) { |
354 | push @$new, $entry if $entry->{cidr} ne $param->{cidr}; | |
355 | } | |
356 | ||
357 | $class->save_ipset($param, $fw_conf, $new); | |
358 | }); | |
75a12a9d | 359 | |
009ee3ac DM |
360 | return undef; |
361 | }}); | |
362 | } | |
363 | ||
364 | sub register_handlers { | |
365 | my ($class) = @_; | |
366 | ||
1210ae94 | 367 | $class->register_delete_ipset(); |
009ee3ac | 368 | $class->register_get_ipset(); |
a33c74f6 DM |
369 | $class->register_create_ip(); |
370 | $class->register_read_ip(); | |
371 | $class->register_update_ip(); | |
372 | $class->register_delete_ip(); | |
009ee3ac DM |
373 | } |
374 | ||
375 | package PVE::API2::Firewall::ClusterIPset; | |
376 | ||
377 | use strict; | |
378 | use warnings; | |
379 | ||
380 | use base qw(PVE::API2::Firewall::IPSetBase); | |
381 | ||
9f6845cf DM |
382 | sub rule_env { |
383 | my ($class, $param) = @_; | |
75a12a9d | 384 | |
9f6845cf DM |
385 | return 'cluster'; |
386 | } | |
387 | ||
05496017 FG |
388 | sub lock_config { |
389 | my ($class, $param, $code) = @_; | |
390 | ||
391 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
392 | } | |
393 | ||
009ee3ac DM |
394 | sub load_config { |
395 | my ($class, $param) = @_; | |
396 | ||
397 | my $fw_conf = PVE::Firewall::load_clusterfw_conf(); | |
398 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
399 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
400 | ||
1210ae94 | 401 | return (undef, $fw_conf, $ipset); |
009ee3ac DM |
402 | } |
403 | ||
1210ae94 DM |
404 | sub save_config { |
405 | my ($class, $param, $fw_conf) = @_; | |
009ee3ac | 406 | |
009ee3ac DM |
407 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
408 | } | |
409 | ||
410 | __PACKAGE__->register_handlers(); | |
411 | ||
1210ae94 DM |
412 | package PVE::API2::Firewall::VMIPset; |
413 | ||
414 | use strict; | |
415 | use warnings; | |
416 | use PVE::JSONSchema qw(get_standard_option); | |
417 | ||
418 | use base qw(PVE::API2::Firewall::IPSetBase); | |
419 | ||
9f6845cf DM |
420 | sub rule_env { |
421 | my ($class, $param) = @_; | |
75a12a9d | 422 | |
9f6845cf DM |
423 | return 'vm'; |
424 | } | |
425 | ||
75a12a9d | 426 | __PACKAGE__->additional_parameters({ |
1210ae94 | 427 | node => get_standard_option('pve-node'), |
75a12a9d | 428 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
429 | }); |
430 | ||
05496017 FG |
431 | sub lock_config { |
432 | my ($class, $param, $code) = @_; | |
433 | ||
434 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
435 | } | |
436 | ||
1210ae94 DM |
437 | sub load_config { |
438 | my ($class, $param) = @_; | |
439 | ||
440 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
441 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
442 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
443 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
444 | ||
445 | return ($cluster_conf, $fw_conf, $ipset); | |
446 | } | |
447 | ||
448 | sub save_config { | |
449 | my ($class, $param, $fw_conf) = @_; | |
450 | ||
451 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
452 | } | |
453 | ||
454 | __PACKAGE__->register_handlers(); | |
455 | ||
456 | package PVE::API2::Firewall::CTIPset; | |
457 | ||
458 | use strict; | |
459 | use warnings; | |
460 | use PVE::JSONSchema qw(get_standard_option); | |
461 | ||
462 | use base qw(PVE::API2::Firewall::IPSetBase); | |
463 | ||
9f6845cf DM |
464 | sub rule_env { |
465 | my ($class, $param) = @_; | |
75a12a9d | 466 | |
9f6845cf DM |
467 | return 'ct'; |
468 | } | |
469 | ||
75a12a9d | 470 | __PACKAGE__->additional_parameters({ |
1210ae94 | 471 | node => get_standard_option('pve-node'), |
75a12a9d | 472 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
473 | }); |
474 | ||
05496017 FG |
475 | sub lock_config { |
476 | my ($class, $param, $code) = @_; | |
477 | ||
478 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
479 | } | |
480 | ||
1210ae94 DM |
481 | sub load_config { |
482 | my ($class, $param) = @_; | |
483 | ||
484 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
485 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
486 | my $ipset = $fw_conf->{ipset}->{$param->{name}}; | |
487 | die "no such IPSet '$param->{name}'\n" if !defined($ipset); | |
488 | ||
489 | return ($cluster_conf, $fw_conf, $ipset); | |
490 | } | |
491 | ||
492 | sub save_config { | |
493 | my ($class, $param, $fw_conf) = @_; | |
494 | ||
495 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); | |
496 | } | |
497 | ||
498 | __PACKAGE__->register_handlers(); | |
499 | ||
c85c87f9 DM |
500 | package PVE::API2::Firewall::BaseIPSetList; |
501 | ||
502 | use strict; | |
503 | use warnings; | |
e74a87f5 | 504 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 | 505 | use PVE::Exception qw(raise_param_exc); |
e74a87f5 | 506 | use PVE::Firewall; |
c85c87f9 DM |
507 | |
508 | use base qw(PVE::RESTHandler); | |
509 | ||
05496017 FG |
510 | sub lock_config { |
511 | my ($class, $param, $code) = @_; | |
512 | ||
513 | die "implement this in subclass"; | |
514 | } | |
515 | ||
1210ae94 DM |
516 | sub load_config { |
517 | my ($class, $param) = @_; | |
75a12a9d | 518 | |
1210ae94 DM |
519 | die "implement this in subclass"; |
520 | ||
521 | #return ($cluster_conf, $fw_conf); | |
522 | } | |
523 | ||
524 | sub save_config { | |
525 | my ($class, $param, $fw_conf) = @_; | |
526 | ||
527 | die "implement this in subclass"; | |
528 | } | |
529 | ||
9f6845cf DM |
530 | sub rule_env { |
531 | my ($class, $param) = @_; | |
75a12a9d | 532 | |
9f6845cf DM |
533 | die "implement this in subclass"; |
534 | } | |
535 | ||
1210ae94 DM |
536 | my $additional_param_hash_list = {}; |
537 | ||
538 | sub additional_parameters { | |
539 | my ($class, $new_value) = @_; | |
540 | ||
541 | if (defined($new_value)) { | |
542 | $additional_param_hash_list->{$class} = $new_value; | |
543 | } | |
544 | ||
545 | # return a copy | |
546 | my $copy = {}; | |
547 | my $org = $additional_param_hash_list->{$class} || {}; | |
548 | foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; } | |
549 | return $copy; | |
550 | } | |
551 | ||
5d38d64f DM |
552 | my $get_ipset_list = sub { |
553 | my ($fw_conf) = @_; | |
554 | ||
555 | my $res = []; | |
53bbbf31 | 556 | foreach my $name (sort keys %{$fw_conf->{ipset}}) { |
75a12a9d | 557 | my $data = { |
5d38d64f DM |
558 | name => $name, |
559 | }; | |
560 | if (my $comment = $fw_conf->{ipset_comments}->{$name}) { | |
561 | $data->{comment} = $comment; | |
562 | } | |
563 | push @$res, $data; | |
564 | } | |
565 | ||
566 | my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res); | |
567 | ||
568 | return wantarray ? ($list, $digest) : $list; | |
569 | }; | |
570 | ||
c85c87f9 DM |
571 | sub register_index { |
572 | my ($class) = @_; | |
573 | ||
1210ae94 DM |
574 | my $properties = $class->additional_parameters(); |
575 | ||
c85c87f9 DM |
576 | $class->register_method({ |
577 | name => 'ipset_index', | |
578 | path => '', | |
579 | method => 'GET', | |
580 | description => "List IPSets", | |
9f6845cf | 581 | permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), |
c85c87f9 DM |
582 | parameters => { |
583 | additionalProperties => 0, | |
1210ae94 | 584 | properties => $properties, |
c85c87f9 DM |
585 | }, |
586 | returns => { | |
587 | type => 'array', | |
588 | items => { | |
589 | type => "object", | |
75a12a9d | 590 | properties => { |
e74a87f5 | 591 | name => get_standard_option('ipset-name'), |
d72c631c | 592 | digest => get_standard_option('pve-config-digest', { optional => 0} ), |
75a12a9d | 593 | comment => { |
d72c631c DM |
594 | type => 'string', |
595 | optional => 1, | |
596 | } | |
c85c87f9 DM |
597 | }, |
598 | }, | |
599 | links => [ { rel => 'child', href => "{name}" } ], | |
600 | }, | |
601 | code => sub { | |
602 | my ($param) = @_; | |
75a12a9d | 603 | |
1210ae94 | 604 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
c85c87f9 | 605 | |
75a12a9d | 606 | return &$get_ipset_list($fw_conf); |
c85c87f9 DM |
607 | }}); |
608 | } | |
609 | ||
610 | sub register_create { | |
611 | my ($class) = @_; | |
612 | ||
1210ae94 DM |
613 | my $properties = $class->additional_parameters(); |
614 | ||
615 | $properties->{name} = get_standard_option('ipset-name'); | |
616 | ||
617 | $properties->{comment} = { type => 'string', optional => 1 }; | |
618 | ||
619 | $properties->{digest} = get_standard_option('pve-config-digest'); | |
620 | ||
621 | $properties->{rename} = get_standard_option('ipset-name', { | |
622 | description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.", | |
623 | optional => 1 }); | |
624 | ||
c85c87f9 DM |
625 | $class->register_method({ |
626 | name => 'create_ipset', | |
627 | path => '', | |
628 | method => 'POST', | |
629 | description => "Create new IPSet", | |
630 | protected => 1, | |
9f6845cf | 631 | permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), |
c85c87f9 DM |
632 | parameters => { |
633 | additionalProperties => 0, | |
1210ae94 | 634 | properties => $properties, |
c85c87f9 DM |
635 | }, |
636 | returns => { type => 'null' }, | |
637 | code => sub { | |
638 | my ($param) = @_; | |
75a12a9d | 639 | |
a38849e6 FG |
640 | $class->lock_config($param, sub { |
641 | my ($param) = @_; | |
c85c87f9 | 642 | |
a38849e6 | 643 | my ($cluster_conf, $fw_conf) = $class->load_config($param); |
5d38d64f | 644 | |
a38849e6 FG |
645 | if ($param->{rename}) { |
646 | my (undef, $digest) = &$get_ipset_list($fw_conf); | |
647 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
5d38d64f | 648 | |
a38849e6 FG |
649 | raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" }) |
650 | if !$fw_conf->{ipset}->{$param->{rename}}; | |
5da1a229 | 651 | |
a38849e6 FG |
652 | # prevent overwriting existing ipset |
653 | raise_param_exc({ name => "IPSet '$param->{name}' does already exist"}) | |
654 | if $fw_conf->{ipset}->{$param->{name}} && | |
655 | $param->{name} ne $param->{rename}; | |
5d38d64f | 656 | |
a38849e6 FG |
657 | my $data = delete $fw_conf->{ipset}->{$param->{rename}}; |
658 | $fw_conf->{ipset}->{$param->{name}} = $data; | |
659 | if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) { | |
660 | $fw_conf->{ipset_comments}->{$param->{name}} = $comment; | |
661 | } | |
662 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
663 | } else { | |
664 | foreach my $name (keys %{$fw_conf->{ipset}}) { | |
665 | raise_param_exc({ name => "IPSet '$name' already exists" }) | |
666 | if $name eq $param->{name}; | |
667 | } | |
668 | ||
669 | $fw_conf->{ipset}->{$param->{name}} = []; | |
670 | $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment}); | |
671 | } | |
bc374ca7 | 672 | |
a38849e6 FG |
673 | $class->save_config($param, $fw_conf); |
674 | }); | |
c85c87f9 DM |
675 | |
676 | return undef; | |
677 | }}); | |
678 | } | |
679 | ||
1210ae94 | 680 | sub register_handlers { |
c85c87f9 DM |
681 | my ($class) = @_; |
682 | ||
1210ae94 DM |
683 | $class->register_index(); |
684 | $class->register_create(); | |
685 | } | |
c85c87f9 | 686 | |
1210ae94 | 687 | package PVE::API2::Firewall::ClusterIPSetList; |
c85c87f9 | 688 | |
1210ae94 DM |
689 | use strict; |
690 | use warnings; | |
691 | use PVE::Firewall; | |
5d38d64f | 692 | |
1210ae94 DM |
693 | use base qw(PVE::API2::Firewall::BaseIPSetList); |
694 | ||
9f6845cf DM |
695 | sub rule_env { |
696 | my ($class, $param) = @_; | |
75a12a9d | 697 | |
9f6845cf DM |
698 | return 'cluster'; |
699 | } | |
700 | ||
05496017 FG |
701 | sub lock_config { |
702 | my ($class, $param, $code) = @_; | |
703 | ||
704 | PVE::Firewall::lock_clusterfw_conf(10, $code, $param); | |
705 | } | |
706 | ||
1210ae94 DM |
707 | sub load_config { |
708 | my ($class, $param) = @_; | |
75a12a9d | 709 | |
1210ae94 DM |
710 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
711 | return (undef, $cluster_conf); | |
712 | } | |
c85c87f9 | 713 | |
1210ae94 DM |
714 | sub save_config { |
715 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 716 | |
1210ae94 DM |
717 | PVE::Firewall::save_clusterfw_conf($fw_conf); |
718 | } | |
c85c87f9 | 719 | |
1210ae94 DM |
720 | __PACKAGE__->register_handlers(); |
721 | ||
722 | __PACKAGE__->register_method ({ | |
75a12a9d | 723 | subclass => "PVE::API2::Firewall::ClusterIPset", |
1210ae94 | 724 | path => '{name}', |
75a12a9d TL |
725 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
726 | fragmentDelimiter => '', | |
1210ae94 DM |
727 | }); |
728 | ||
729 | package PVE::API2::Firewall::VMIPSetList; | |
730 | ||
731 | use strict; | |
732 | use warnings; | |
733 | use PVE::JSONSchema qw(get_standard_option); | |
734 | use PVE::Firewall; | |
735 | ||
736 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
737 | ||
75a12a9d | 738 | __PACKAGE__->additional_parameters({ |
1210ae94 | 739 | node => get_standard_option('pve-node'), |
75a12a9d | 740 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
741 | }); |
742 | ||
9f6845cf DM |
743 | sub rule_env { |
744 | my ($class, $param) = @_; | |
75a12a9d | 745 | |
9f6845cf DM |
746 | return 'vm'; |
747 | } | |
748 | ||
05496017 FG |
749 | sub lock_config { |
750 | my ($class, $param, $code) = @_; | |
751 | ||
752 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
753 | } | |
754 | ||
1210ae94 DM |
755 | sub load_config { |
756 | my ($class, $param) = @_; | |
75a12a9d | 757 | |
1210ae94 DM |
758 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
759 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid}); | |
760 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
761 | } |
762 | ||
1210ae94 DM |
763 | sub save_config { |
764 | my ($class, $param, $fw_conf) = @_; | |
c85c87f9 | 765 | |
1210ae94 | 766 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
767 | } |
768 | ||
1210ae94 DM |
769 | __PACKAGE__->register_handlers(); |
770 | ||
771 | __PACKAGE__->register_method ({ | |
75a12a9d | 772 | subclass => "PVE::API2::Firewall::VMIPset", |
1210ae94 | 773 | path => '{name}', |
75a12a9d TL |
774 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
775 | fragmentDelimiter => '', | |
1210ae94 DM |
776 | }); |
777 | ||
778 | package PVE::API2::Firewall::CTIPSetList; | |
c85c87f9 DM |
779 | |
780 | use strict; | |
781 | use warnings; | |
1210ae94 | 782 | use PVE::JSONSchema qw(get_standard_option); |
c85c87f9 DM |
783 | use PVE::Firewall; |
784 | ||
785 | use base qw(PVE::API2::Firewall::BaseIPSetList); | |
786 | ||
75a12a9d | 787 | __PACKAGE__->additional_parameters({ |
1210ae94 | 788 | node => get_standard_option('pve-node'), |
75a12a9d | 789 | vmid => get_standard_option('pve-vmid'), |
1210ae94 DM |
790 | }); |
791 | ||
9f6845cf DM |
792 | sub rule_env { |
793 | my ($class, $param) = @_; | |
75a12a9d | 794 | |
9f6845cf DM |
795 | return 'ct'; |
796 | } | |
797 | ||
05496017 FG |
798 | sub lock_config { |
799 | my ($class, $param, $code) = @_; | |
800 | ||
801 | PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param); | |
802 | } | |
803 | ||
c85c87f9 | 804 | sub load_config { |
1210ae94 | 805 | my ($class, $param) = @_; |
75a12a9d | 806 | |
1210ae94 DM |
807 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); |
808 | my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid}); | |
809 | return ($cluster_conf, $fw_conf); | |
c85c87f9 DM |
810 | } |
811 | ||
812 | sub save_config { | |
1210ae94 | 813 | my ($class, $param, $fw_conf) = @_; |
c85c87f9 | 814 | |
1210ae94 | 815 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf); |
c85c87f9 DM |
816 | } |
817 | ||
818 | __PACKAGE__->register_handlers(); | |
819 | ||
820 | __PACKAGE__->register_method ({ | |
75a12a9d | 821 | subclass => "PVE::API2::Firewall::CTIPset", |
c85c87f9 | 822 | path => '{name}', |
75a12a9d TL |
823 | # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/' |
824 | fragmentDelimiter => '', | |
c85c87f9 DM |
825 | }); |
826 | ||
009ee3ac | 827 | 1; |