[pve-firewall.git] / src / PVE / API2 / Firewall / Rules.pm

package PVE::API2::Firewall::RulesBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_param_exc);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = { 
    pos => {
	description => "Rule position.",
	type => 'integer',
	minimum => 0,
    },
};

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub rule_env {
    my ($class, $param) = @_;
    
    die "implement this in subclass";
}

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_rules {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $class->register_method({
	name => 'get_rules',
	path => '',
	method => 'GET',
	description => "List rules.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    pos => {
			type => 'integer',
		    }
		},
	    },
	    links => [ { rel => 'child', href => "{pos}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);

	    my $ind = 0;
	    foreach my $rule (@$list) {
		$rule->{pos} = $ind++;
	    }

	    return $list;
	}});
}

sub register_get_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $class->register_method({
	name => 'get_rule',
	path => '{pos}',
	method => 'GET',
	description => "Get single rule data.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
	returns => {
	    type => "object",
	    properties => {
		pos => {
		    type => 'integer',
		}
	    },
	},
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
	
	    my $rule = $list->[$param->{pos}];
	    $rule->{pos} = $param->{pos};

	    return $rule;
	}});
}

sub register_create_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
    $create_rule_properties->{action}->{optional} = 0;
    $create_rule_properties->{type}->{optional} = 0;
    
    $class->register_method({
	name => 'create_rule',
	path => '',
	method => 'POST',
	description => "Create new rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $create_rule_properties,
	},
	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my $rule = {};

	    PVE::Firewall::copy_rule_data($rule, $param);
	    PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());

	    $rule->{enable} = 0 if !defined($param->{enable});

	    unshift @$rules, $rule;

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_update_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $properties->{moveto} = {
	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	type => 'integer',
	minimum => 0,
	optional => 1,
    };

    $properties->{delete} = {
	type => 'string', format => 'pve-configid-list',
	description => "A list of settings you want to delete.",
	optional => 1,
    };

    my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);

    $class->register_method({
	name => 'update_rule',
	path => '{pos}',
	method => 'PUT',
	description => "Modify rule data.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $update_rule_properties,
	},
	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    my $rule = $rules->[$param->{pos}];

	    my $moveto = $param->{moveto};
	    if (defined($moveto) && $moveto != $param->{pos}) {
		my $newrules = [];
		for (my $i = 0; $i < scalar(@$rules); $i++) {
		    next if $i == $param->{pos};
		    if ($i == $moveto) {
			push @$newrules, $rule;
		    }
		    push @$newrules, $rules->[$i];
		}
		push @$newrules, $rule if $moveto >= scalar(@$rules);
		$rules = $newrules;
	    } else {
		PVE::Firewall::copy_rule_data($rule, $param);
		
		PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};

		PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
	    }

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_delete_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};

    $properties->{digest} = get_standard_option('pve-config-digest');
    
    $class->register_method({
	name => 'delete_rule',
	path => '{pos}',
	method => 'DELETE',
	description => "Delete rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    splice(@$rules, $param->{pos}, 1);
	    
	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_rules();
    $class->register_get_rule();
    $class->register_create_rule();
    $class->register_update_rule();
    $class->register_delete_rule();
}

package PVE::API2::Firewall::GroupRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });


sub rule_env {
    my ($class, $param) = @_;
    
    return 'group';
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{groups}->{$param->{group}};
    die "no such security group '$param->{group}'\n" if !defined($rules);

    return (undef, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    if (!defined($rules)) {
	delete $fw_conf->{groups}->{$param->{group}};
    } else {
	$fw_conf->{groups}->{$param->{group}} = $rules;
    }

    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_method({
    name => 'delete_security_group',
    path => '',
    method => 'DELETE',
    description => "Delete security group.",
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => { 
	    group => get_standard_option('pve-security-group-name'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;
	    
	my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);

	die "Security group '$param->{group}' is not empty\n" 
	    if scalar(@$rules);

	__PACKAGE__->save_rules($param, $cluster_conf, undef);

	return undef;
    }});

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::ClusterRules;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::RulesBase);

sub rule_env {
    my ($class, $param) = @_;
    
    return 'cluster';
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{rules};

    return (undef, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::HostRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});

sub rule_env {
    my ($class, $param) = @_;
    
    return 'host';
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_hostfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::VMRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ 
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),				   
});

sub rule_env {
    my ($class, $param) = @_;
    
    return 'vm';
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::CTRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ 
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),				   
});

sub rule_env {
    my ($class, $param) = @_;
    
    return 'ct';
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

1;
Commit	Line	Data
86791289 DM	1	package PVE::API2::Firewall::RulesBase;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
0d22acb3	6	use PVE::Exception qw(raise raise_param_exc);
86791289 DM	7
	8	use PVE::Firewall;
	9
	10	use base qw(PVE::RESTHandler);
	11
	12	my $api_properties = {
86791289 DM	13	pos => {
	14	description => "Rule position.",
	15	type => 'integer',
	16	minimum => 0,
	17	},
	18	};
	19
	20	sub load_config {
	21	my ($class, $param) = @_;
	22
	23	die "implement this in subclass";
	24
a523e057	25	#return ($cluster_conf, $fw_conf, $rules);
86791289 DM	26	}
	27
	28	sub save_rules {
	29	my ($class, $param, $fw_conf, $rules) = @_;
	30
	31	die "implement this in subclass";
	32	}
	33
63c91681	34	my $additional_param_hash = {};
86791289	35
b6b8e6ad DM	36	sub rule_env {
	37	my ($class, $param) = @_;
	38
	39	die "implement this in subclass";
7ca36671 DM	40	}
7ca36671 DM	41
63c91681	42	sub additional_parameters {
86791289 DM	43	my ($class, $new_value) = @_;
86791289 DM	44
63c91681 DM	45	if (defined($new_value)) {
	46	$additional_param_hash->{$class} = $new_value;
	47	}
86791289	48
63c91681 DM	49	# return a copy
	50	my $copy = {};
	51	my $org = $additional_param_hash->{$class} \|\| {};
	52	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	53	return $copy;
86791289 DM	54	}
	55
	56	sub register_get_rules {
	57	my ($class) = @_;
	58
63c91681	59	my $properties = $class->additional_parameters();
86791289 DM	60
	61	$class->register_method({
	62	name => 'get_rules',
	63	path => '',
	64	method => 'GET',
	65	description => "List rules.",
	66	parameters => {
	67	additionalProperties => 0,
	68	properties => $properties,
	69	},
eadbc1de	70	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
86791289 DM	71	returns => {
	72	type => 'array',
	73	items => {
	74	type => "object",
	75	properties => {
	76	pos => {
	77	type => 'integer',
	78	}
	79	},
	80	},
	81	links => [ { rel => 'child', href => "{pos}" } ],
	82	},
	83	code => sub {
	84	my ($param) = @_;
	85
a523e057	86	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86791289	87
5d38d64f	88	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
86791289 DM	89
86791289 DM	90	my $ind = 0;
5d38d64f DM	91	foreach my $rule (@$list) {
5d38d64f DM	92	$rule->{pos} = $ind++;
86791289 DM	93	}
86791289 DM	94
5d38d64f	95	return $list;
86791289 DM	96	}});
	97	}
	98
	99	sub register_get_rule {
	100	my ($class) = @_;
	101
63c91681	102	my $properties = $class->additional_parameters();
86791289 DM	103
	104	$properties->{pos} = $api_properties->{pos};
	105
86791289 DM	106	$class->register_method({
	107	name => 'get_rule',
	108	path => '{pos}',
	109	method => 'GET',
	110	description => "Get single rule data.",
	111	parameters => {
	112	additionalProperties => 0,
	113	properties => $properties,
	114	},
eadbc1de	115	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
86791289 DM	116	returns => {
	117	type => "object",
	118	properties => {
	119	pos => {
	120	type => 'integer',
	121	}
	122	},
	123	},
	124	code => sub {
	125	my ($param) = @_;
	126
a523e057	127	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86791289	128
5d38d64f	129	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
86791289	130
5d38d64f	131	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
86791289	132
5d38d64f DM	133	my $rule = $list->[$param->{pos}];
	134	$rule->{pos} = $param->{pos};
	135
	136	return $rule;
86791289 DM	137	}});
	138	}
	139
	140	sub register_create_rule {
	141	my ($class) = @_;
	142
63c91681	143	my $properties = $class->additional_parameters();
86791289 DM	144
86791289 DM	145	my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
3655b01f DM	146	$create_rule_properties->{action}->{optional} = 0;
	147	$create_rule_properties->{type}->{optional} = 0;
	148
86791289 DM	149	$class->register_method({
	150	name => 'create_rule',
	151	path => '',
	152	method => 'POST',
	153	description => "Create new rule.",
	154	protected => 1,
	155	parameters => {
	156	additionalProperties => 0,
	157	properties => $create_rule_properties,
	158	},
eadbc1de	159	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
86791289 DM	160	returns => { type => "null" },
	161	code => sub {
	162	my ($param) = @_;
	163
a523e057	164	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86791289	165
3655b01f	166	my $rule = {};
86791289 DM	167
86791289 DM	168	PVE::Firewall::copy_rule_data($rule, $param);
a523e057	169	PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
86791289	170
3655b01f DM	171	$rule->{enable} = 0 if !defined($param->{enable});
3655b01f DM	172
86791289 DM	173	unshift @$rules, $rule;
	174
	175	$class->save_rules($param, $fw_conf, $rules);
	176
	177	return undef;
	178	}});
	179	}
	180
	181	sub register_update_rule {
	182	my ($class) = @_;
	183
63c91681	184	my $properties = $class->additional_parameters();
86791289 DM	185
	186	$properties->{pos} = $api_properties->{pos};
	187
86791289 DM	188	$properties->{moveto} = {
	189	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	190	type => 'integer',
	191	minimum => 0,
	192	optional => 1,
	193	};
	194
5b7974df DM	195	$properties->{delete} = {
	196	type => 'string', format => 'pve-configid-list',
	197	description => "A list of settings you want to delete.",
	198	optional => 1,
	199	};
	200
86791289 DM	201	my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);
	202
	203	$class->register_method({
	204	name => 'update_rule',
	205	path => '{pos}',
	206	method => 'PUT',
	207	description => "Modify rule data.",
	208	protected => 1,
	209	parameters => {
	210	additionalProperties => 0,
	211	properties => $update_rule_properties,
	212	},
eadbc1de	213	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
86791289 DM	214	returns => { type => "null" },
	215	code => sub {
	216	my ($param) = @_;
	217
a523e057	218	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86791289	219
5d38d64f DM	220	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
5d38d64f DM	221	PVE::Tools::assert_if_modified($digest, $param->{digest});
ddf1e07d	222
86791289 DM	223	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	224
	225	my $rule = $rules->[$param->{pos}];
	226
	227	my $moveto = $param->{moveto};
	228	if (defined($moveto) && $moveto != $param->{pos}) {
	229	my $newrules = [];
	230	for (my $i = 0; $i < scalar(@$rules); $i++) {
	231	next if $i == $param->{pos};
	232	if ($i == $moveto) {
	233	push @$newrules, $rule;
	234	}
	235	push @$newrules, $rules->[$i];
	236	}
	237	push @$newrules, $rule if $moveto >= scalar(@$rules);
	238	$rules = $newrules;
	239	} else {
	240	PVE::Firewall::copy_rule_data($rule, $param);
5b7974df DM	241
5b7974df DM	242	PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
7ca36671	243
a523e057	244	PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
86791289 DM	245	}
	246
	247	$class->save_rules($param, $fw_conf, $rules);
	248
	249	return undef;
	250	}});
	251	}
	252
	253	sub register_delete_rule {
	254	my ($class) = @_;
	255
63c91681	256	my $properties = $class->additional_parameters();
86791289 DM	257
86791289 DM	258	$properties->{pos} = $api_properties->{pos};
ddf1e07d DM	259
ddf1e07d DM	260	$properties->{digest} = get_standard_option('pve-config-digest');
86791289	261
86791289 DM	262	$class->register_method({
	263	name => 'delete_rule',
	264	path => '{pos}',
	265	method => 'DELETE',
	266	description => "Delete rule.",
	267	protected => 1,
	268	parameters => {
	269	additionalProperties => 0,
	270	properties => $properties,
	271	},
eadbc1de	272	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
86791289 DM	273	returns => { type => "null" },
	274	code => sub {
	275	my ($param) = @_;
	276
a523e057	277	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86791289	278
5d38d64f DM	279	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
5d38d64f DM	280	PVE::Tools::assert_if_modified($digest, $param->{digest});
86791289 DM	281
	282	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	283
	284	splice(@$rules, $param->{pos}, 1);
	285
	286	$class->save_rules($param, $fw_conf, $rules);
	287
	288	return undef;
	289	}});
	290	}
	291
	292	sub register_handlers {
	293	my ($class) = @_;
	294
	295	$class->register_get_rules();
	296	$class->register_get_rule();
	297	$class->register_create_rule();
	298	$class->register_update_rule();
	299	$class->register_delete_rule();
	300	}
	301
	302	package PVE::API2::Firewall::GroupRules;
	303
	304	use strict;
	305	use warnings;
387d0ffc	306	use PVE::JSONSchema qw(get_standard_option);
86791289 DM	307
	308	use base qw(PVE::API2::Firewall::RulesBase);
	309
387d0ffc	310	__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
86791289	311
1210ae94	312
b6b8e6ad DM	313	sub rule_env {
	314	my ($class, $param) = @_;
	315
	316	return 'group';
7ca36671 DM	317	}
7ca36671 DM	318
86791289 DM	319	sub load_config {
	320	my ($class, $param) = @_;
	321
	322	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	323	my $rules = $fw_conf->{groups}->{$param->{group}};
	324	die "no such security group '$param->{group}'\n" if !defined($rules);
	325
a523e057	326	return (undef, $fw_conf, $rules);
86791289 DM	327	}
	328
	329	sub save_rules {
	330	my ($class, $param, $fw_conf, $rules) = @_;
	331
1210ae94 DM	332	if (!defined($rules)) {
	333	delete $fw_conf->{groups}->{$param->{group}};
	334	} else {
	335	$fw_conf->{groups}->{$param->{group}} = $rules;
	336	}
	337
86791289 DM	338	PVE::Firewall::save_clusterfw_conf($fw_conf);
	339	}
	340
1210ae94 DM	341	__PACKAGE__->register_method({
	342	name => 'delete_security_group',
	343	path => '',
	344	method => 'DELETE',
	345	description => "Delete security group.",
	346	protected => 1,
	347	parameters => {
	348	additionalProperties => 0,
	349	properties => {
	350	group => get_standard_option('pve-security-group-name'),
	351	},
	352	},
	353	returns => { type => 'null' },
	354	code => sub {
	355	my ($param) = @_;
	356
	357	my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);
	358
	359	die "Security group '$param->{group}' is not empty\n"
	360	if scalar(@$rules);
	361
	362	__PACKAGE__->save_rules($param, $cluster_conf, undef);
	363
	364	return undef;
	365	}});
	366
63c91681	367	__PACKAGE__->register_handlers();
86791289 DM	368
	369	package PVE::API2::Firewall::ClusterRules;
	370
	371	use strict;
	372	use warnings;
	373
	374	use base qw(PVE::API2::Firewall::RulesBase);
	375
b6b8e6ad DM	376	sub rule_env {
	377	my ($class, $param) = @_;
	378
	379	return 'cluster';
	380	}
	381
86791289 DM	382	sub load_config {
	383	my ($class, $param) = @_;
	384
	385	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	386	my $rules = $fw_conf->{rules};
	387
a523e057	388	return (undef, $fw_conf, $rules);
86791289 DM	389	}
	390
	391	sub save_rules {
	392	my ($class, $param, $fw_conf, $rules) = @_;
	393
	394	$fw_conf->{rules} = $rules;
	395	PVE::Firewall::save_clusterfw_conf($fw_conf);
	396	}
	397
63c91681 DM	398	__PACKAGE__->register_handlers();
	399
	400	package PVE::API2::Firewall::HostRules;
	401
	402	use strict;
	403	use warnings;
	404	use PVE::JSONSchema qw(get_standard_option);
	405
	406	use base qw(PVE::API2::Firewall::RulesBase);
	407
	408	__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
	409
b6b8e6ad DM	410	sub rule_env {
	411	my ($class, $param) = @_;
	412
	413	return 'host';
	414	}
	415
63c91681 DM	416	sub load_config {
	417	my ($class, $param) = @_;
	418
a523e057 DM	419	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
a523e057 DM	420	my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
63c91681 DM	421	my $rules = $fw_conf->{rules};
63c91681 DM	422
a523e057	423	return ($cluster_conf, $fw_conf, $rules);
63c91681 DM	424	}
	425
	426	sub save_rules {
	427	my ($class, $param, $fw_conf, $rules) = @_;
	428
	429	$fw_conf->{rules} = $rules;
	430	PVE::Firewall::save_hostfw_conf($fw_conf);
	431	}
	432
	433	__PACKAGE__->register_handlers();
86791289	434
464f933e DM	435	package PVE::API2::Firewall::VMRules;
	436
	437	use strict;
	438	use warnings;
	439	use PVE::JSONSchema qw(get_standard_option);
	440
	441	use base qw(PVE::API2::Firewall::RulesBase);
	442
	443	__PACKAGE__->additional_parameters({
	444	node => get_standard_option('pve-node'),
	445	vmid => get_standard_option('pve-vmid'),
	446	});
	447
b6b8e6ad DM	448	sub rule_env {
	449	my ($class, $param) = @_;
	450
	451	return 'vm';
	452	}
	453
	454	sub load_config {
	455	my ($class, $param) = @_;
	456
a523e057 DM	457	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
a523e057 DM	458	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
b6b8e6ad DM	459	my $rules = $fw_conf->{rules};
b6b8e6ad DM	460
a523e057	461	return ($cluster_conf, $fw_conf, $rules);
b6b8e6ad DM	462	}
	463
	464	sub save_rules {
	465	my ($class, $param, $fw_conf, $rules) = @_;
	466
	467	$fw_conf->{rules} = $rules;
	468	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	469	}
	470
	471	__PACKAGE__->register_handlers();
	472
	473	package PVE::API2::Firewall::CTRules;
	474
	475	use strict;
	476	use warnings;
	477	use PVE::JSONSchema qw(get_standard_option);
	478
	479	use base qw(PVE::API2::Firewall::RulesBase);
	480
	481	__PACKAGE__->additional_parameters({
	482	node => get_standard_option('pve-node'),
	483	vmid => get_standard_option('pve-vmid'),
	484	});
	485
	486	sub rule_env {
	487	my ($class, $param) = @_;
	488
	489	return 'ct';
	490	}
	491
464f933e DM	492	sub load_config {
	493	my ($class, $param) = @_;
	494
a523e057 DM	495	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
a523e057 DM	496	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
464f933e DM	497	my $rules = $fw_conf->{rules};
464f933e DM	498
a523e057	499	return ($cluster_conf, $fw_conf, $rules);
464f933e DM	500	}
	501
	502	sub save_rules {
	503	my ($class, $param, $fw_conf, $rules) = @_;
	504
	505	$fw_conf->{rules} = $rules;
	506	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	507	}
	508
	509	__PACKAGE__->register_handlers();
	510
86791289	511	1;