]>
Commit | Line | Data |
---|---|---|
e7b35711 DM |
1 | package PVE::API2::Firewall::VM; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::JSONSchema qw(get_standard_option); | |
6 | use PVE::Cluster; | |
7 | use PVE::Firewall; | |
464f933e | 8 | use PVE::API2::Firewall::Rules; |
e7b35711 DM |
9 | |
10 | use Data::Dumper; # fixme: remove | |
11 | ||
12 | use base qw(PVE::RESTHandler); | |
13 | ||
464f933e DM |
14 | __PACKAGE__->register_method ({ |
15 | subclass => "PVE::API2::Firewall::VMRules", | |
16 | path => 'rules', | |
17 | }); | |
18 | ||
e7b35711 DM |
19 | __PACKAGE__->register_method({ |
20 | name => 'index', | |
21 | path => '', | |
22 | method => 'GET', | |
23 | permissions => { user => 'all' }, | |
24 | description => "Directory index.", | |
25 | parameters => { | |
26 | additionalProperties => 0, | |
27 | properties => { | |
28 | node => get_standard_option('pve-node'), | |
29 | vmid => get_standard_option('pve-vmid'), | |
30 | }, | |
31 | }, | |
32 | returns => { | |
33 | type => 'array', | |
34 | items => { | |
35 | type => "object", | |
36 | properties => {}, | |
37 | }, | |
38 | links => [ { rel => 'child', href => "{name}" } ], | |
39 | }, | |
40 | code => sub { | |
41 | my ($param) = @_; | |
42 | ||
43 | my $result = [ | |
44 | { name => 'rules' }, | |
45 | { name => 'options' }, | |
46 | ]; | |
47 | ||
48 | return $result; | |
49 | }}); | |
50 | ||
2822f5c4 DM |
51 | my $option_properties = { |
52 | enable => { | |
53 | description => "Enable host firewall rules.", | |
54 | type => 'boolean', | |
55 | optional => 1, | |
56 | }, | |
57 | policy_in => { | |
58 | description => "Input policy.", | |
59 | type => 'string', | |
60 | optional => 1, | |
61 | enum => ['ACCEPT', 'REJECT', 'DROP'], | |
62 | }, | |
63 | policy_out => { | |
64 | description => "Output policy.", | |
65 | type => 'string', | |
66 | optional => 1, | |
67 | enum => ['ACCEPT', 'REJECT', 'DROP'], | |
68 | }, | |
69 | }; | |
70 | ||
71 | my $add_option_properties = sub { | |
72 | my ($properties) = @_; | |
73 | ||
74 | foreach my $k (keys %$option_properties) { | |
75 | $properties->{$k} = $option_properties->{$k}; | |
76 | } | |
77 | ||
78 | return $properties; | |
79 | }; | |
e7b35711 DM |
80 | __PACKAGE__->register_method({ |
81 | name => 'get_options', | |
82 | path => 'options', | |
83 | method => 'GET', | |
2822f5c4 | 84 | description => "Get VM firewall options.", |
e7b35711 DM |
85 | proxyto => 'node', |
86 | parameters => { | |
87 | additionalProperties => 0, | |
88 | properties => { | |
89 | node => get_standard_option('pve-node'), | |
90 | vmid => get_standard_option('pve-vmid'), | |
91 | }, | |
92 | }, | |
93 | returns => { | |
94 | type => "object", | |
2822f5c4 DM |
95 | #additionalProperties => 1, |
96 | properties => $option_properties, | |
e7b35711 DM |
97 | }, |
98 | code => sub { | |
99 | my ($param) = @_; | |
100 | ||
2822f5c4 | 101 | my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid}); |
e7b35711 | 102 | |
2822f5c4 DM |
103 | return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options}); |
104 | }}); | |
e7b35711 | 105 | |
2822f5c4 DM |
106 | __PACKAGE__->register_method({ |
107 | name => 'set_options', | |
108 | path => 'options', | |
109 | method => 'PUT', | |
110 | description => "Set Firewall options.", | |
111 | protected => 1, | |
112 | proxyto => 'node', | |
113 | parameters => { | |
114 | additionalProperties => 0, | |
115 | properties => &$add_option_properties({ | |
116 | node => get_standard_option('pve-node'), | |
117 | vmid => get_standard_option('pve-vmid'), | |
118 | delete => { | |
119 | type => 'string', format => 'pve-configid-list', | |
120 | description => "A list of settings you want to delete.", | |
121 | optional => 1, | |
122 | }, | |
123 | digest => get_standard_option('pve-config-digest'), | |
124 | }), | |
125 | }, | |
126 | returns => { type => "null" }, | |
127 | code => sub { | |
128 | my ($param) = @_; | |
e7b35711 | 129 | |
2822f5c4 | 130 | my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid}); |
e7b35711 | 131 | |
2822f5c4 DM |
132 | my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options}); |
133 | PVE::Tools::assert_if_modified($digest, $param->{digest}); | |
134 | ||
135 | if ($param->{delete}) { | |
136 | foreach my $opt (PVE::Tools::split_list($param->{delete})) { | |
137 | raise_param_exc({ delete => "no such option '$opt'" }) | |
138 | if !$option_properties->{$opt}; | |
139 | delete $vmfw_conf->{options}->{$opt}; | |
140 | } | |
141 | } | |
142 | ||
143 | if (defined($param->{enable})) { | |
144 | $param->{enable} = $param->{enable} ? 1 : 0; | |
145 | } | |
146 | ||
147 | foreach my $k (keys %$option_properties) { | |
148 | next if !defined($param->{$k}); | |
149 | $vmfw_conf->{options}->{$k} = $param->{$k}; | |
150 | } | |
151 | ||
152 | PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf); | |
153 | ||
154 | return undef; | |
155 | }}); | |
156 | ||
157 | __PACKAGE__->register_method({ | |
158 | name => 'log', | |
159 | path => 'log', | |
160 | method => 'GET', | |
161 | description => "Read firewall log", | |
162 | proxyto => 'node', | |
163 | permissions => { | |
164 | check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]], | |
165 | }, | |
166 | protected => 1, | |
167 | parameters => { | |
168 | additionalProperties => 0, | |
169 | properties => { | |
170 | node => get_standard_option('pve-node'), | |
171 | vmid => get_standard_option('pve-vmid'), | |
172 | start => { | |
173 | type => 'integer', | |
174 | minimum => 0, | |
175 | optional => 1, | |
176 | }, | |
177 | limit => { | |
178 | type => 'integer', | |
179 | minimum => 0, | |
180 | optional => 1, | |
181 | }, | |
182 | }, | |
183 | }, | |
184 | returns => { | |
185 | type => 'array', | |
186 | items => { | |
187 | type => "object", | |
188 | properties => { | |
189 | n => { | |
190 | description=> "Line number", | |
191 | type=> 'integer', | |
192 | }, | |
193 | t => { | |
194 | description=> "Line text", | |
195 | type => 'string', | |
196 | } | |
197 | } | |
198 | } | |
199 | }, | |
200 | code => sub { | |
201 | my ($param) = @_; | |
202 | ||
203 | my $rpcenv = PVE::RPCEnvironment::get(); | |
204 | my $user = $rpcenv->get_user(); | |
205 | my $vmid = $param->{vmid}; | |
206 | ||
207 | my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", | |
208 | $param->{start}, $param->{limit}, | |
209 | "^$vmid "); | |
e7b35711 | 210 | |
2822f5c4 DM |
211 | $rpcenv->set_result_attrib('total', $count); |
212 | ||
213 | return $lines; | |
e7b35711 DM |
214 | }}); |
215 | ||
216 | 1; |