[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm

package PVE::API2::Firewall::VMBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Aliases;

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

my $option_properties = {
    enable => {
	description => "Enable host firewall rules.",
	type => 'boolean',
	optional => 1,
    },
    macfilter => {
	description => "Enable/disable MAC address filter.",
	type => 'boolean',
	optional => 1,
    },
    dhcp => {
	description => "Enable DHCP.",
	type => 'boolean',
	optional => 1,
    },
    policy_in => {
	description => "Input policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    policy_out => { 
	description => "Output policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    log_level_in =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for incoming traffic." }),
    log_level_out =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for outgoing traffic." }),

};

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }
    
    return $properties;
};

sub register_handlers {
    my ($class, $rule_env) = @_;

    $class->register_method({
	name => 'index',
	path => '',
	method => 'GET',
	permissions => { user => 'all' },
	description => "Directory index.",
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {},
	    },
	    links => [ { rel => 'child', href => "{name}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my $result = [
		{ name => 'rules' },
		{ name => 'aliases' },
		{ name => 'options' },
		];

	    return $result;
	}});


    $class->register_method({
	name => 'get_options',
	path => 'options',
	method => 'GET',
	description => "Get VM firewall options.",
	proxyto => 'node',
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => "object",
	    #additionalProperties => 1,
	    properties => $option_properties,
	},
	code => sub {
	    my ($param) = @_;

	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	}});

    $class->register_method({
	name => 'set_options',
	path => 'options',
	method => 'PUT',
	description => "Set Firewall options.",
	protected => 1,
	proxyto => 'node',
	parameters => {
	    additionalProperties => 0,
	    properties => &$add_option_properties({
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		delete => {
		    type => 'string', format => 'pve-configid-list',
		    description => "A list of settings you want to delete.",
		    optional => 1,
		},
		digest => get_standard_option('pve-config-digest'),
	    }),
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;


	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    if ($param->{delete}) {
		foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		    raise_param_exc({ delete => "no such option '$opt'" }) 
			if !$option_properties->{$opt};
		    delete $vmfw_conf->{options}->{$opt};
		}
	    }

	    if (defined($param->{enable})) {
		$param->{enable} = $param->{enable} ? 1 : 0;
	    }

	    foreach my $k (keys %$option_properties) {
		next if !defined($param->{$k});
		$vmfw_conf->{options}->{$k} = $param->{$k}; 
	    }

	    PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	    
	    return undef;
	}});

    $class->register_method({
	name => 'log', 
	path => 'log', 
	method => 'GET',
	description => "Read firewall log",
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	},
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		start => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
		limit => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
	    },
	},
	returns => {
	    type => 'array',
	    items => { 
		type => "object",
		properties => {
		    n => {
			description=>  "Line number",
			type=> 'integer',
		    },
		    t => {
			description=>  "Line text",
			type => 'string',
		    }
		}
	    }
	},
	code => sub {
	    my ($param) = @_;

	    my $rpcenv = PVE::RPCEnvironment::get();
	    my $user = $rpcenv->get_user();
	    my $vmid = $param->{vmid};

	    my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", 
							   $param->{start}, $param->{limit},
							   "^$vmid ");
	    
	    $rpcenv->set_result_attrib('total', $count);
	    
	    return $lines; 
	}});
}

package PVE::API2::Firewall::VM;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

package PVE::API2::Firewall::CT;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

1;
Commit	Line	Data
b6b8e6ad	1	package PVE::API2::Firewall::VMBase;
e7b35711 DM	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6	use PVE::Cluster;
	7	use PVE::Firewall;
464f933e	8	use PVE::API2::Firewall::Rules;
e76a9f53	9	use PVE::API2::Firewall::Aliases;
e7b35711 DM	10
	11	use Data::Dumper; # fixme: remove
	12
	13	use base qw(PVE::RESTHandler);
	14
2822f5c4 DM	15	my $option_properties = {
	16	enable => {
	17	description => "Enable host firewall rules.",
	18	type => 'boolean',
	19	optional => 1,
	20	},
44269d27 DM	21	macfilter => {
	22	description => "Enable/disable MAC address filter.",
	23	type => 'boolean',
	24	optional => 1,
	25	},
	26	dhcp => {
	27	description => "Enable DHCP.",
	28	type => 'boolean',
	29	optional => 1,
	30	},
2822f5c4 DM	31	policy_in => {
	32	description => "Input policy.",
	33	type => 'string',
	34	optional => 1,
	35	enum => ['ACCEPT', 'REJECT', 'DROP'],
	36	},
	37	policy_out => {
	38	description => "Output policy.",
	39	type => 'string',
	40	optional => 1,
	41	enum => ['ACCEPT', 'REJECT', 'DROP'],
	42	},
44269d27 DM	43	log_level_in => get_standard_option('pve-fw-loglevel', {
	44	description => "Log level for incoming traffic." }),
	45	log_level_out => get_standard_option('pve-fw-loglevel', {
	46	description => "Log level for outgoing traffic." }),
	47
2822f5c4 DM	48	};
	49
	50	my $add_option_properties = sub {
	51	my ($properties) = @_;
	52
	53	foreach my $k (keys %$option_properties) {
	54	$properties->{$k} = $option_properties->{$k};
	55	}
	56
	57	return $properties;
	58	};
b6b8e6ad DM	59
	60	sub register_handlers {
	61	my ($class, $rule_env) = @_;
	62
	63	$class->register_method({
	64	name => 'index',
	65	path => '',
	66	method => 'GET',
	67	permissions => { user => 'all' },
	68	description => "Directory index.",
	69	parameters => {
	70	additionalProperties => 0,
	71	properties => {
	72	node => get_standard_option('pve-node'),
	73	vmid => get_standard_option('pve-vmid'),
	74	},
e7b35711	75	},
b6b8e6ad DM	76	returns => {
	77	type => 'array',
	78	items => {
	79	type => "object",
	80	properties => {},
2822f5c4	81	},
b6b8e6ad DM	82	links => [ { rel => 'child', href => "{name}" } ],
	83	},
	84	code => sub {
	85	my ($param) = @_;
e7b35711	86
b6b8e6ad DM	87	my $result = [
	88	{ name => 'rules' },
	89	{ name => 'aliases' },
	90	{ name => 'options' },
	91	];
e7b35711	92
b6b8e6ad DM	93	return $result;
b6b8e6ad DM	94	}});
2822f5c4	95
b6b8e6ad DM	96
	97	$class->register_method({
	98	name => 'get_options',
	99	path => 'options',
	100	method => 'GET',
	101	description => "Get VM firewall options.",
	102	proxyto => 'node',
	103	parameters => {
	104	additionalProperties => 0,
	105	properties => {
	106	node => get_standard_option('pve-node'),
	107	vmid => get_standard_option('pve-vmid'),
2822f5c4 DM	108	},
2822f5c4 DM	109	},
b6b8e6ad	110	returns => {
2822f5c4	111	type => "object",
b6b8e6ad DM	112	#additionalProperties => 1,
	113	properties => $option_properties,
	114	},
	115	code => sub {
	116	my ($param) = @_;
	117
42ec8178 DM	118	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
42ec8178 DM	119	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	120
	121	return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	122	}});
	123
	124	$class->register_method({
	125	name => 'set_options',
	126	path => 'options',
	127	method => 'PUT',
	128	description => "Set Firewall options.",
	129	protected => 1,
	130	proxyto => 'node',
	131	parameters => {
	132	additionalProperties => 0,
	133	properties => &$add_option_properties({
	134	node => get_standard_option('pve-node'),
	135	vmid => get_standard_option('pve-vmid'),
	136	delete => {
	137	type => 'string', format => 'pve-configid-list',
	138	description => "A list of settings you want to delete.",
	139	optional => 1,
2822f5c4	140	},
b6b8e6ad DM	141	digest => get_standard_option('pve-config-digest'),
	142	}),
	143	},
	144	returns => { type => "null" },
	145	code => sub {
	146	my ($param) = @_;
	147
42ec8178 DM	148
	149	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	150	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	151
	152	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	153	PVE::Tools::assert_if_modified($digest, $param->{digest});
	154
	155	if ($param->{delete}) {
	156	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
	157	raise_param_exc({ delete => "no such option '$opt'" })
	158	if !$option_properties->{$opt};
	159	delete $vmfw_conf->{options}->{$opt};
2822f5c4 DM	160	}
2822f5c4 DM	161	}
2822f5c4	162
b6b8e6ad DM	163	if (defined($param->{enable})) {
	164	$param->{enable} = $param->{enable} ? 1 : 0;
	165	}
	166
	167	foreach my $k (keys %$option_properties) {
	168	next if !defined($param->{$k});
	169	$vmfw_conf->{options}->{$k} = $param->{$k};
	170	}
	171
	172	PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	173
	174	return undef;
	175	}});
2822f5c4	176
b6b8e6ad DM	177	$class->register_method({
	178	name => 'log',
	179	path => 'log',
	180	method => 'GET',
	181	description => "Read firewall log",
	182	proxyto => 'node',
	183	permissions => {
	184	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	185	},
	186	protected => 1,
	187	parameters => {
	188	additionalProperties => 0,
	189	properties => {
	190	node => get_standard_option('pve-node'),
	191	vmid => get_standard_option('pve-vmid'),
	192	start => {
	193	type => 'integer',
	194	minimum => 0,
	195	optional => 1,
	196	},
	197	limit => {
	198	type => 'integer',
	199	minimum => 0,
	200	optional => 1,
	201	},
	202	},
	203	},
	204	returns => {
	205	type => 'array',
	206	items => {
	207	type => "object",
	208	properties => {
	209	n => {
	210	description=> "Line number",
	211	type=> 'integer',
	212	},
	213	t => {
	214	description=> "Line text",
	215	type => 'string',
	216	}
	217	}
	218	}
	219	},
	220	code => sub {
	221	my ($param) = @_;
e7b35711	222
b6b8e6ad DM	223	my $rpcenv = PVE::RPCEnvironment::get();
	224	my $user = $rpcenv->get_user();
	225	my $vmid = $param->{vmid};
	226
	227	my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
	228	$param->{start}, $param->{limit},
	229	"^$vmid ");
	230
	231	$rpcenv->set_result_attrib('total', $count);
2822f5c4	232
b6b8e6ad DM	233	return $lines;
	234	}});
	235	}
	236
	237	package PVE::API2::Firewall::VM;
	238
	239	use strict;
	240	use warnings;
	241
	242	use base qw(PVE::API2::Firewall::VMBase);
	243
	244	__PACKAGE__->register_method ({
	245	subclass => "PVE::API2::Firewall::VMRules",
	246	path => 'rules',
	247	});
	248
	249	__PACKAGE__->register_method ({
	250	subclass => "PVE::API2::Firewall::VMAliases",
	251	path => 'aliases',
	252	});
	253
1210ae94 DM	254	__PACKAGE__->register_method ({
	255	subclass => "PVE::API2::Firewall::VMIPSetList",
	256	path => 'ipset',
	257	});
	258
b6b8e6ad DM	259	__PACKAGE__->register_handlers('vm');
	260
	261	package PVE::API2::Firewall::CT;
	262
	263	use strict;
	264	use warnings;
	265
	266	use base qw(PVE::API2::Firewall::VMBase);
	267
	268	__PACKAGE__->register_method ({
	269	subclass => "PVE::API2::Firewall::CTRules",
	270	path => 'rules',
	271	});
	272
	273	__PACKAGE__->register_method ({
	274	subclass => "PVE::API2::Firewall::CTAliases",
	275	path => 'aliases',
	276	});
	277
1210ae94 DM	278	__PACKAGE__->register_method ({
	279	subclass => "PVE::API2::Firewall::CTIPSetList",
	280	path => 'ipset',
	281	});
	282
b6b8e6ad	283	__PACKAGE__->register_handlers('vm');
e7b35711 DM	284
e7b35711 DM	285	1;