[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm

package PVE::API2::Firewall::VMBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Aliases;

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

my $option_properties = {
    enable => {
	description => "Enable host firewall rules.",
	type => 'boolean',
	optional => 1,
    },
    macfilter => {
	description => "Enable/disable MAC address filter.",
	type => 'boolean',
	optional => 1,
    },
    dhcp => {
	description => "Enable DHCP.",
	type => 'boolean',
	optional => 1,
    },
    ndp => {
	description => "Enable NDP.",
	type => 'boolean',
	optional => 1,
    },
    radv => {
	description => "Allow sending Router Advertisement.",
	type => 'boolean',
	optional => 1,
    },
    ipfilter => {
	description => "Enable default IP filters. " .
	   "This is equivalent to adding an empty ipfilter-net<id> ipset " .
	   "for every interface. Such ipsets implicitly contain sane default " .
	   "restrictions such as restricting IPv6 link local addresses to " .
	   "the one derived from the interface's MAC address. For containers " .
	   "the configured IP addresses will be implicitly added.",
	type => 'boolean',
	optional => 1,
    },
    policy_in => {
	description => "Input policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    policy_out => { 
	description => "Output policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    log_level_in =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for incoming traffic." }),
    log_level_out =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for outgoing traffic." }),

};

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }
    
    return $properties;
};

sub register_handlers {
    my ($class, $rule_env) = @_;

    $class->register_method({
	name => 'index',
	path => '',
	method => 'GET',
	permissions => { user => 'all' },
	description => "Directory index.",
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {},
	    },
	    links => [ { rel => 'child', href => "{name}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my $result = [
		{ name => 'rules' },
		{ name => 'aliases' },
		{ name => 'ipset' },
		{ name => 'refs' },
		{ name => 'options' },
		];

	    return $result;
	}});


    $class->register_method({
	name => 'get_options',
	path => 'options',
	method => 'GET',
	description => "Get VM firewall options.",
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => "object",
	    #additionalProperties => 1,
	    properties => $option_properties,
	},
	code => sub {
	    my ($param) = @_;

	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	}});

    $class->register_method({
	name => 'set_options',
	path => 'options',
	method => 'PUT',
	description => "Set Firewall options.",
	protected => 1,
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => &$add_option_properties({
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		delete => {
		    type => 'string', format => 'pve-configid-list',
		    description => "A list of settings you want to delete.",
		    optional => 1,
		},
		digest => get_standard_option('pve-config-digest'),
	    }),
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;


	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    if ($param->{delete}) {
		foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		    raise_param_exc({ delete => "no such option '$opt'" }) 
			if !$option_properties->{$opt};
		    delete $vmfw_conf->{options}->{$opt};
		}
	    }

	    if (defined($param->{enable})) {
		$param->{enable} = $param->{enable} ? 1 : 0;
	    }

	    foreach my $k (keys %$option_properties) {
		next if !defined($param->{$k});
		$vmfw_conf->{options}->{$k} = $param->{$k}; 
	    }

	    PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	    
	    return undef;
	}});

    $class->register_method({
	name => 'log', 
	path => 'log', 
	method => 'GET',
	description => "Read firewall log",
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	},
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		start => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
		limit => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
	    },
	},
	returns => {
	    type => 'array',
	    items => { 
		type => "object",
		properties => {
		    n => {
			description=>  "Line number",
			type=> 'integer',
		    },
		    t => {
			description=>  "Line text",
			type => 'string',
		    }
		}
	    }
	},
	code => sub {
	    my ($param) = @_;

	    my $rpcenv = PVE::RPCEnvironment::get();
	    my $user = $rpcenv->get_user();
	    my $vmid = $param->{vmid};

	    my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", 
							   $param->{start}, $param->{limit},
							   "^$vmid ");
	    
	    $rpcenv->set_result_attrib('total', $count);
	    
	    return $lines; 
	}});


    $class->register_method({
	name => 'refs',
	path => 'refs',
	method => 'GET',
	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		type => {
		    description => "Only list references of specified type.",
		    type => 'string',
		    enum => ['alias', 'ipset'],
		    optional => 1,
		},
	    },
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => { 
		    type => {
			type => 'string',
			enum => ['alias', 'ipset'],
		    },
		    name => {
			type => 'string',
		    },
		    comment => { 
			type => 'string',
			optional => 1,
		    },
		},
	    },
	},
	code => sub {
	    my ($param) = @_;
	    
	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    my $ipsets = {};
	    my $aliases = {};

	    foreach my $conf (($cluster_conf, $fw_conf)) {
		next if !$conf;
		if (!$param->{type} || $param->{type} eq 'ipset') {
		    foreach my $name (keys %{$conf->{ipset}}) {
			my $data = { 
			    type => 'ipset',
			    name => $name,
			    ref => "+$name",
			};
			if (my $comment = $conf->{ipset_comments}->{$name}) {
			    $data->{comment} = $comment;
			}
			$ipsets->{$name} = $data;
		    }
		}

		if (!$param->{type} || $param->{type} eq 'alias') {
		    foreach my $name (keys %{$conf->{aliases}}) {
			my $e = $conf->{aliases}->{$name};
			my $data = { 
			    type => 'alias',
			    name => $name,
			    ref => $name,
			};
			$data->{comment} = $e->{comment} if $e->{comment};
			$aliases->{$name} = $data;
		    }
		}
	    }

	    my $res = [];
	    foreach my $e (values %$ipsets) { push @$res, $e; };
	    foreach my $e (values %$aliases) { push @$res, $e; };
	    
	    return $res; 
	}});
}

package PVE::API2::Firewall::VM;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

package PVE::API2::Firewall::CT;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

1;
Commit	Line	Data
b6b8e6ad	1	package PVE::API2::Firewall::VMBase;
e7b35711 DM	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6	use PVE::Cluster;
	7	use PVE::Firewall;
464f933e	8	use PVE::API2::Firewall::Rules;
e76a9f53	9	use PVE::API2::Firewall::Aliases;
e7b35711 DM	10
	11	use Data::Dumper; # fixme: remove
	12
	13	use base qw(PVE::RESTHandler);
	14
2822f5c4 DM	15	my $option_properties = {
	16	enable => {
	17	description => "Enable host firewall rules.",
	18	type => 'boolean',
	19	optional => 1,
	20	},
44269d27 DM	21	macfilter => {
	22	description => "Enable/disable MAC address filter.",
	23	type => 'boolean',
	24	optional => 1,
	25	},
	26	dhcp => {
	27	description => "Enable DHCP.",
	28	type => 'boolean',
	29	optional => 1,
	30	},
a83abe93 WB	31	ndp => {
	32	description => "Enable NDP.",
	33	type => 'boolean',
	34	optional => 1,
	35	},
d7aa51ac WB	36	radv => {
	37	description => "Allow sending Router Advertisement.",
	38	type => 'boolean',
	39	optional => 1,
	40	},
74601077 WB	41	ipfilter => {
	42	description => "Enable default IP filters. " .
	43	"This is equivalent to adding an empty ipfilter-net<id> ipset " .
	44	"for every interface. Such ipsets implicitly contain sane default " .
	45	"restrictions such as restricting IPv6 link local addresses to " .
383fe679 WB	46	"the one derived from the interface's MAC address. For containers " .
383fe679 WB	47	"the configured IP addresses will be implicitly added.",
74601077 WB	48	type => 'boolean',
	49	optional => 1,
	50	},
2822f5c4 DM	51	policy_in => {
	52	description => "Input policy.",
	53	type => 'string',
	54	optional => 1,
	55	enum => ['ACCEPT', 'REJECT', 'DROP'],
	56	},
	57	policy_out => {
	58	description => "Output policy.",
	59	type => 'string',
	60	optional => 1,
	61	enum => ['ACCEPT', 'REJECT', 'DROP'],
	62	},
44269d27 DM	63	log_level_in => get_standard_option('pve-fw-loglevel', {
	64	description => "Log level for incoming traffic." }),
	65	log_level_out => get_standard_option('pve-fw-loglevel', {
	66	description => "Log level for outgoing traffic." }),
	67
2822f5c4 DM	68	};
	69
	70	my $add_option_properties = sub {
	71	my ($properties) = @_;
	72
	73	foreach my $k (keys %$option_properties) {
	74	$properties->{$k} = $option_properties->{$k};
	75	}
	76
	77	return $properties;
	78	};
b6b8e6ad DM	79
	80	sub register_handlers {
	81	my ($class, $rule_env) = @_;
	82
	83	$class->register_method({
	84	name => 'index',
	85	path => '',
	86	method => 'GET',
	87	permissions => { user => 'all' },
	88	description => "Directory index.",
	89	parameters => {
	90	additionalProperties => 0,
	91	properties => {
	92	node => get_standard_option('pve-node'),
	93	vmid => get_standard_option('pve-vmid'),
	94	},
e7b35711	95	},
b6b8e6ad DM	96	returns => {
	97	type => 'array',
	98	items => {
	99	type => "object",
	100	properties => {},
2822f5c4	101	},
b6b8e6ad DM	102	links => [ { rel => 'child', href => "{name}" } ],
	103	},
	104	code => sub {
	105	my ($param) = @_;
e7b35711	106
b6b8e6ad DM	107	my $result = [
	108	{ name => 'rules' },
	109	{ name => 'aliases' },
947d6ea2 DM	110	{ name => 'ipset' },
947d6ea2 DM	111	{ name => 'refs' },
b6b8e6ad DM	112	{ name => 'options' },
b6b8e6ad DM	113	];
e7b35711	114
b6b8e6ad DM	115	return $result;
b6b8e6ad DM	116	}});
2822f5c4	117
b6b8e6ad DM	118
	119	$class->register_method({
	120	name => 'get_options',
	121	path => 'options',
	122	method => 'GET',
	123	description => "Get VM firewall options.",
	124	proxyto => 'node',
16c8f5d7 DM	125	permissions => {
	126	check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	127	},
b6b8e6ad DM	128	parameters => {
	129	additionalProperties => 0,
	130	properties => {
	131	node => get_standard_option('pve-node'),
	132	vmid => get_standard_option('pve-vmid'),
2822f5c4 DM	133	},
2822f5c4 DM	134	},
b6b8e6ad	135	returns => {
2822f5c4	136	type => "object",
b6b8e6ad DM	137	#additionalProperties => 1,
	138	properties => $option_properties,
	139	},
	140	code => sub {
	141	my ($param) = @_;
	142
42ec8178 DM	143	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
42ec8178 DM	144	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	145
	146	return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	147	}});
	148
	149	$class->register_method({
	150	name => 'set_options',
	151	path => 'options',
	152	method => 'PUT',
	153	description => "Set Firewall options.",
	154	protected => 1,
	155	proxyto => 'node',
16c8f5d7 DM	156	permissions => {
	157	check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
	158	},
b6b8e6ad DM	159	parameters => {
	160	additionalProperties => 0,
	161	properties => &$add_option_properties({
	162	node => get_standard_option('pve-node'),
	163	vmid => get_standard_option('pve-vmid'),
	164	delete => {
	165	type => 'string', format => 'pve-configid-list',
	166	description => "A list of settings you want to delete.",
	167	optional => 1,
2822f5c4	168	},
b6b8e6ad DM	169	digest => get_standard_option('pve-config-digest'),
	170	}),
	171	},
	172	returns => { type => "null" },
	173	code => sub {
	174	my ($param) = @_;
	175
42ec8178 DM	176
	177	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	178	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	179
	180	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	181	PVE::Tools::assert_if_modified($digest, $param->{digest});
	182
	183	if ($param->{delete}) {
	184	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
	185	raise_param_exc({ delete => "no such option '$opt'" })
	186	if !$option_properties->{$opt};
	187	delete $vmfw_conf->{options}->{$opt};
2822f5c4 DM	188	}
2822f5c4 DM	189	}
2822f5c4	190
b6b8e6ad DM	191	if (defined($param->{enable})) {
	192	$param->{enable} = $param->{enable} ? 1 : 0;
	193	}
	194
	195	foreach my $k (keys %$option_properties) {
	196	next if !defined($param->{$k});
	197	$vmfw_conf->{options}->{$k} = $param->{$k};
	198	}
	199
	200	PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	201
	202	return undef;
	203	}});
2822f5c4	204
b6b8e6ad DM	205	$class->register_method({
	206	name => 'log',
	207	path => 'log',
	208	method => 'GET',
	209	description => "Read firewall log",
	210	proxyto => 'node',
	211	permissions => {
	212	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	213	},
	214	protected => 1,
	215	parameters => {
	216	additionalProperties => 0,
	217	properties => {
	218	node => get_standard_option('pve-node'),
	219	vmid => get_standard_option('pve-vmid'),
	220	start => {
	221	type => 'integer',
	222	minimum => 0,
	223	optional => 1,
	224	},
	225	limit => {
	226	type => 'integer',
	227	minimum => 0,
	228	optional => 1,
	229	},
	230	},
	231	},
	232	returns => {
	233	type => 'array',
	234	items => {
	235	type => "object",
	236	properties => {
	237	n => {
	238	description=> "Line number",
	239	type=> 'integer',
	240	},
	241	t => {
	242	description=> "Line text",
	243	type => 'string',
	244	}
	245	}
	246	}
	247	},
	248	code => sub {
	249	my ($param) = @_;
e7b35711	250
b6b8e6ad DM	251	my $rpcenv = PVE::RPCEnvironment::get();
	252	my $user = $rpcenv->get_user();
	253	my $vmid = $param->{vmid};
	254
	255	my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
	256	$param->{start}, $param->{limit},
	257	"^$vmid ");
	258
	259	$rpcenv->set_result_attrib('total', $count);
2822f5c4	260
b6b8e6ad DM	261	return $lines;
b6b8e6ad DM	262	}});
947d6ea2 DM	263
	264
	265	$class->register_method({
	266	name => 'refs',
	267	path => 'refs',
	268	method => 'GET',
	269	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
16c8f5d7 DM	270	permissions => {
	271	check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	272	},
947d6ea2 DM	273	parameters => {
	274	additionalProperties => 0,
	275	properties => {
	276	node => get_standard_option('pve-node'),
	277	vmid => get_standard_option('pve-vmid'),
f2c0865c DM	278	type => {
	279	description => "Only list references of specified type.",
	280	type => 'string',
	281	enum => ['alias', 'ipset'],
	282	optional => 1,
	283	},
947d6ea2 DM	284	},
	285	},
	286	returns => {
	287	type => 'array',
	288	items => {
	289	type => "object",
	290	properties => {
	291	type => {
	292	type => 'string',
	293	enum => ['alias', 'ipset'],
	294	},
	295	name => {
	296	type => 'string',
	297	},
	298	comment => {
	299	type => 'string',
	300	optional => 1,
	301	},
	302	},
	303	},
	304	},
	305	code => sub {
	306	my ($param) = @_;
	307
	308	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	309	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
	310
	311	my $ipsets = {};
	312	my $aliases = {};
	313
	314	foreach my $conf (($cluster_conf, $fw_conf)) {
	315	next if !$conf;
f2c0865c DM	316	if (!$param->{type} \|\| $param->{type} eq 'ipset') {
	317	foreach my $name (keys %{$conf->{ipset}}) {
	318	my $data = {
	319	type => 'ipset',
	320	name => $name,
	321	ref => "+$name",
	322	};
	323	if (my $comment = $conf->{ipset_comments}->{$name}) {
	324	$data->{comment} = $comment;
	325	}
	326	$ipsets->{$name} = $data;
947d6ea2	327	}
947d6ea2 DM	328	}
947d6ea2 DM	329
f2c0865c DM	330	if (!$param->{type} \|\| $param->{type} eq 'alias') {
	331	foreach my $name (keys %{$conf->{aliases}}) {
	332	my $e = $conf->{aliases}->{$name};
	333	my $data = {
	334	type => 'alias',
	335	name => $name,
	336	ref => $name,
	337	};
	338	$data->{comment} = $e->{comment} if $e->{comment};
	339	$aliases->{$name} = $data;
	340	}
947d6ea2 DM	341	}
	342	}
	343
	344	my $res = [];
	345	foreach my $e (values %$ipsets) { push @$res, $e; };
	346	foreach my $e (values %$aliases) { push @$res, $e; };
	347
	348	return $res;
	349	}});
b6b8e6ad DM	350	}
	351
	352	package PVE::API2::Firewall::VM;
	353
	354	use strict;
	355	use warnings;
	356
	357	use base qw(PVE::API2::Firewall::VMBase);
	358
	359	__PACKAGE__->register_method ({
	360	subclass => "PVE::API2::Firewall::VMRules",
	361	path => 'rules',
	362	});
	363
	364	__PACKAGE__->register_method ({
	365	subclass => "PVE::API2::Firewall::VMAliases",
	366	path => 'aliases',
	367	});
	368
1210ae94 DM	369	__PACKAGE__->register_method ({
	370	subclass => "PVE::API2::Firewall::VMIPSetList",
	371	path => 'ipset',
	372	});
	373
b6b8e6ad DM	374	__PACKAGE__->register_handlers('vm');
	375
	376	package PVE::API2::Firewall::CT;
	377
	378	use strict;
	379	use warnings;
	380
	381	use base qw(PVE::API2::Firewall::VMBase);
	382
	383	__PACKAGE__->register_method ({
	384	subclass => "PVE::API2::Firewall::CTRules",
	385	path => 'rules',
	386	});
	387
	388	__PACKAGE__->register_method ({
	389	subclass => "PVE::API2::Firewall::CTAliases",
	390	path => 'aliases',
	391	});
	392
1210ae94 DM	393	__PACKAGE__->register_method ({
	394	subclass => "PVE::API2::Firewall::CTIPSetList",
	395	path => 'ipset',
	396	});
	397
b6b8e6ad	398	__PACKAGE__->register_handlers('vm');
e7b35711 DM	399
e7b35711 DM	400	1;