]> git.proxmox.com Git - pve-firewall.git/blame - src/PVE/API2/Firewall/VM.pm
add options and log API for VMs
e7b35711
DM
1package PVE::API2::Firewall::VM;
2
3use strict;
4use warnings;
5use PVE::JSONSchema qw(get_standard_option);
6use PVE::Cluster;
7use PVE::Firewall;
464f933e 8use PVE::API2::Firewall::Rules;
e7b35711
DM
9
10use Data::Dumper; # fixme: remove
11
12use base qw(PVE::RESTHandler);
13
464f933e
DM
# Attach the handlers of PVE::API2::Firewall::VMRules to this handler under
# the relative path 'rules'.
__PACKAGE__->register_method({
    path     => 'rules',
    subclass => "PVE::API2::Firewall::VMRules",
});
18
e7b35711
DM
# GET '' - directory index for the per-guest firewall API.
#
# The method is declared with `permissions => { user => 'all' }`. The list it
# returns is static: neither `node` nor `vmid` is consulted, so the response
# reveals nothing about an individual guest.
#
# NOTE(review): the index names 'rules' and 'options' only; the 'log' path
# registered in this file is not listed.
__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters => {
        additionalProperties => 0,
        properties => {
            node => get_standard_option('pve-node'),
            vmid => get_standard_option('pve-vmid'),
        },
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {},
        },
        links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
        my ($param) = @_;

        # One { name => ... } entry per child path, in a fixed order.
        my @children = map { +{ name => $_ } } qw(rules options);

        return \@children;
    }});
50
2822f5c4
DM
# Schema of the per-guest firewall options. The same table serves three
# purposes in this file: it is the return schema of `get_options`, it is merged
# into the parameter schema of `set_options`, and it is the allow-list that
# decides which keys `set_options` may delete or store.
#
# NOTE(review): the `enable` description speaks of "host firewall rules"
# although this handler is the per-VM one; confirm the wording is intended.
my $option_properties = {
    enable => {
        description => "Enable host firewall rules.",
        type => 'boolean',
        optional => 1,
    },
    policy_in => {
        description => "Input policy.",
        type => 'string',
        optional => 1,
        enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    policy_out => {
        description => "Output policy.",
        type => 'string',
        optional => 1,
        enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
};

# Merge every entry of $option_properties into the given property hash.
#
# The hash is modified in place and the same reference is returned. The
# per-option schema hashes are shared with $option_properties, not copied, and
# an existing key of the same name is overwritten.
my $add_option_properties = sub {
    my ($properties) = @_;

    # keys() and values() walk an unmodified hash in the same order, so the
    # slice assignment pairs each option name with its own schema.
    @{$properties}{ keys %$option_properties } = values %$option_properties;

    return $properties;
};
e7b35711
DM
# GET options - return the firewall options stored for one guest.
#
# The request is proxied to the named node (`proxyto => 'node'`). The options
# section of the guest's firewall configuration is passed through
# PVE::Firewall::copy_opject_with_digest and the result is returned.
#
# NOTE(review): this method declares no `permissions` entry, unlike `index`
# and `log` in this file. Confirm what the REST framework enforces for methods
# without one, so that reading a guest's firewall policy is limited to the
# intended users.
__PACKAGE__->register_method({
    name => 'get_options',
    path => 'options',
    method => 'GET',
    description => "Get VM firewall options.",
    proxyto => 'node',
    parameters => {
        additionalProperties => 0,
        properties => {
            node => get_standard_option('pve-node'),
            vmid => get_standard_option('pve-vmid'),
        },
    },
    returns => {
        type => "object",
        #additionalProperties => 1,
        properties => $option_properties,
    },
    code => sub {
        my ($param) = @_;

        my $guest_id = $param->{vmid};
        my $conf = PVE::Firewall::load_vmfw_conf($guest_id);

        return PVE::Firewall::copy_opject_with_digest($conf->{options});
    }});
e7b35711 105
2822f5c4
DM
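# PUT options - change the firewall options of one guest.
#
# Parameters are the option keys of $option_properties plus:
#   delete - list of option names to remove from the configuration
#   digest - digest of the configuration the caller last read
#
# The handler loads the guest's firewall configuration, compares its digest
# with the caller's, removes the options named in `delete`, stores every option
# that was passed, and writes the configuration back. It returns nothing
# (`returns => { type => "null" }`).
#
# Only keys present in $option_properties can be deleted or stored, so the
# request cannot introduce arbitrary keys into the options section.
#
# NOTE(review): no `permissions` entry is declared although the method is
# `protected` and changes firewall policy. Confirm what the REST framework
# enforces for methods without one.
#
# NOTE(review): load, digest check and save are not wrapped in any lock that
# is visible here. Unless load_vmfw_conf/save_vmfw_conf lock internally, two
# concurrent requests can both pass the digest check and the later save then
# overwrites the earlier one.
__PACKAGE__->register_method({
    name => 'set_options',
    path => 'options',
    method => 'PUT',
    description => "Set Firewall options.",
    protected => 1,
    proxyto => 'node',
    parameters => {
        additionalProperties => 0,
        properties => $add_option_properties->({
            node => get_standard_option('pve-node'),
            vmid => get_standard_option('pve-vmid'),
            delete => {
                type => 'string', format => 'pve-configid-list',
                description => "A list of settings you want to delete.",
                optional => 1,
            },
            digest => get_standard_option('pve-config-digest'),
        }),
    },
    returns => { type => "null" },
    code => sub {
        my ($param) = @_;

        my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});

        # Optimistic concurrency check against the digest the caller supplied.
        # `digest` is an optional parameter; presumably the check is skipped
        # when it is absent - confirm in PVE::Tools::assert_if_modified.
        my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
        PVE::Tools::assert_if_modified($digest, $param->{digest});

        if ($param->{delete}) {
            foreach my $opt (PVE::Tools::split_list($param->{delete})) {
                # raise_param_exc is not imported into this package, so the
                # bare call failed with "Undefined subroutine" instead of
                # reporting a parameter error. It is called by its full name
                # here, as this file already does for PVE::Tools. This relies
                # on PVE::Exception being loaded by another module.
                PVE::Exception::raise_param_exc({ delete => "no such option '$opt'" })
                    if !$option_properties->{$opt};
                delete $vmfw_conf->{options}->{$opt};
            }
        }

        # Store the boolean as 1 or 0 whatever truthy/falsy form was sent.
        if (defined($param->{enable})) {
            $param->{enable} = $param->{enable} ? 1 : 0;
        }

        # Copy only known option keys; node, vmid, delete and digest are not
        # in $option_properties and therefore never reach the configuration.
        foreach my $k (keys %$option_properties) {
            next if !defined($param->{$k});
            $vmfw_conf->{options}->{$k} = $param->{$k};
        }

        PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);

        return undef;
    }});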
156
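# GET log - return the lines of the firewall log that belong to one guest.
#
# Access requires the 'VM.Console' privilege on /vms/{vmid}. The method is
# `protected` and proxied to the named node.
#
# Parameters:
#   start - optional, integer >= 0, passed to PVE::Tools::dump_logfile
#   limit - optional, integer >= 0, passed to PVE::Tools::dump_logfile
#
# Returns an array of { n => line number, t => line text } objects. The count
# returned by dump_logfile is attached to the response as the 'total' result
# attribute.
#
# /var/log/pve-firewall.log is one file for all guests. The filter built from
# the vmid is what keeps another guest's lines out of the response: the leading
# anchor and the trailing space stop vmid 10 from also matching lines of guest
# 100 or 210.
#
# NOTE(review): `limit` has a minimum but no maximum. Whether dump_logfile
# applies a default or an upper bound of its own is not visible here.
#
# NOTE(review): PVE::RPCEnvironment and PVE::Tools are called by full name but
# this file has no `use` line for them; they must be loaded by another module.
__PACKAGE__->register_method({
    name => 'log',
    path => 'log',
    method => 'GET',
    description => "Read firewall log",
    proxyto => 'node',
    permissions => {
        check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
    },
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            node => get_standard_option('pve-node'),
            vmid => get_standard_option('pve-vmid'),
            start => {
                type => 'integer',
                minimum => 0,
                optional => 1,
            },
            limit => {
                type => 'integer',
                minimum => 0,
                optional => 1,
            },
        },
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                n => {
                    description=> "Line number",
                    type=> 'integer',
                },
                t => {
                    description=> "Line text",
                    type => 'string',
                }
            }
        }
    },
    code => sub {
        my ($param) = @_;

        # The unused `$user` lookup of the original was dropped.
        my $rpcenv = PVE::RPCEnvironment::get();
        my $vmid = $param->{vmid};

        # \Q...\E quotes the id before it goes into the filter, which appears
        # to be used as a pattern. The 'pve-vmid' schema entry is expected to
        # have validated it already, and for an all-digit id the resulting
        # filter is unchanged; the quoting keeps the filter literal even if
        # that validation is ever relaxed.
        my $filter = "^\Q$vmid\E ";

        my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
            $param->{start}, $param->{limit}, $filter);

        $rpcenv->set_result_attrib('total', $count);

        return $lines;
    }});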
215
2161;