[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm

package PVE::API2::Firewall::VMBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Aliases;

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

my $option_properties = $PVE::Firewall::vm_option_properties;

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }
    
    return $properties;
};

sub register_handlers {
    my ($class, $rule_env) = @_;

    $class->register_method({
	name => 'index',
	path => '',
	method => 'GET',
	permissions => { user => 'all' },
	description => "Directory index.",
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {},
	    },
	    links => [ { rel => 'child', href => "{name}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my $result = [
		{ name => 'rules' },
		{ name => 'aliases' },
		{ name => 'ipset' },
		{ name => 'refs' },
		{ name => 'options' },
		];

	    return $result;
	}});


    $class->register_method({
	name => 'get_options',
	path => 'options',
	method => 'GET',
	description => "Get VM firewall options.",
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
	    },
	},
	returns => {
	    type => "object",
	    #additionalProperties => 1,
	    properties => $option_properties,
	},
	code => sub {
	    my ($param) = @_;

	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	}});

    $class->register_method({
	name => 'set_options',
	path => 'options',
	method => 'PUT',
	description => "Set Firewall options.",
	protected => 1,
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => &$add_option_properties({
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		delete => {
		    type => 'string', format => 'pve-configid-list',
		    description => "A list of settings you want to delete.",
		    optional => 1,
		},
		digest => get_standard_option('pve-config-digest'),
	    }),
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;


	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    if ($param->{delete}) {
		foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		    raise_param_exc({ delete => "no such option '$opt'" }) 
			if !$option_properties->{$opt};
		    delete $vmfw_conf->{options}->{$opt};
		}
	    }

	    if (defined($param->{enable})) {
		$param->{enable} = $param->{enable} ? 1 : 0;
	    }

	    foreach my $k (keys %$option_properties) {
		next if !defined($param->{$k});
		$vmfw_conf->{options}->{$k} = $param->{$k}; 
	    }

	    PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	    
	    return undef;
	}});

    $class->register_method({
	name => 'log', 
	path => 'log', 
	method => 'GET',
	description => "Read firewall log",
	proxyto => 'node',
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	},
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		start => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
		limit => {
		    type => 'integer',
		    minimum => 0,
		    optional => 1,
		},
	    },
	},
	returns => {
	    type => 'array',
	    items => { 
		type => "object",
		properties => {
		    n => {
			description=>  "Line number",
			type=> 'integer',
		    },
		    t => {
			description=>  "Line text",
			type => 'string',
		    }
		}
	    }
	},
	code => sub {
	    my ($param) = @_;

	    my $rpcenv = PVE::RPCEnvironment::get();
	    my $user = $rpcenv->get_user();
	    my $vmid = $param->{vmid};

	    my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", 
							   $param->{start}, $param->{limit},
							   "^$vmid ");
	    
	    $rpcenv->set_result_attrib('total', $count);
	    
	    return $lines; 
	}});


    $class->register_method({
	name => 'refs',
	path => 'refs',
	method => 'GET',
	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
	permissions => {
	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	},
	parameters => {
	    additionalProperties => 0,
	    properties => {
		node => get_standard_option('pve-node'),
		vmid => get_standard_option('pve-vmid'),
		type => {
		    description => "Only list references of specified type.",
		    type => 'string',
		    enum => ['alias', 'ipset'],
		    optional => 1,
		},
	    },
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => { 
		    type => {
			type => 'string',
			enum => ['alias', 'ipset'],
		    },
		    name => {
			type => 'string',
		    },
		    comment => { 
			type => 'string',
			optional => 1,
		    },
		},
	    },
	},
	code => sub {
	    my ($param) = @_;
	    
	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});

	    my $ipsets = {};
	    my $aliases = {};

	    foreach my $conf (($cluster_conf, $fw_conf)) {
		next if !$conf;
		if (!$param->{type} || $param->{type} eq 'ipset') {
		    foreach my $name (keys %{$conf->{ipset}}) {
			my $data = { 
			    type => 'ipset',
			    name => $name,
			    ref => "+$name",
			};
			if (my $comment = $conf->{ipset_comments}->{$name}) {
			    $data->{comment} = $comment;
			}
			$ipsets->{$name} = $data;
		    }
		}

		if (!$param->{type} || $param->{type} eq 'alias') {
		    foreach my $name (keys %{$conf->{aliases}}) {
			my $e = $conf->{aliases}->{$name};
			my $data = { 
			    type => 'alias',
			    name => $name,
			    ref => $name,
			};
			$data->{comment} = $e->{comment} if $e->{comment};
			$aliases->{$name} = $data;
		    }
		}
	    }

	    my $res = [];
	    foreach my $e (values %$ipsets) { push @$res, $e; };
	    foreach my $e (values %$aliases) { push @$res, $e; };
	    
	    return $res; 
	}});
}

package PVE::API2::Firewall::VM;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

package PVE::API2::Firewall::CT;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::VMBase);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::CTIPSetList",  
    path => 'ipset',
});

__PACKAGE__->register_handlers('vm');

1;
Commit	Line	Data
b6b8e6ad	1	package PVE::API2::Firewall::VMBase;
e7b35711 DM	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6	use PVE::Cluster;
	7	use PVE::Firewall;
464f933e	8	use PVE::API2::Firewall::Rules;
e76a9f53	9	use PVE::API2::Firewall::Aliases;
e7b35711 DM	10
	11	use Data::Dumper; # fixme: remove
	12
	13	use base qw(PVE::RESTHandler);
	14
e313afe0	15	my $option_properties = $PVE::Firewall::vm_option_properties;
2822f5c4 DM	16
	17	my $add_option_properties = sub {
	18	my ($properties) = @_;
	19
	20	foreach my $k (keys %$option_properties) {
	21	$properties->{$k} = $option_properties->{$k};
	22	}
	23
	24	return $properties;
	25	};
b6b8e6ad DM	26
	27	sub register_handlers {
	28	my ($class, $rule_env) = @_;
	29
	30	$class->register_method({
	31	name => 'index',
	32	path => '',
	33	method => 'GET',
	34	permissions => { user => 'all' },
	35	description => "Directory index.",
	36	parameters => {
	37	additionalProperties => 0,
	38	properties => {
	39	node => get_standard_option('pve-node'),
	40	vmid => get_standard_option('pve-vmid'),
	41	},
e7b35711	42	},
b6b8e6ad DM	43	returns => {
	44	type => 'array',
	45	items => {
	46	type => "object",
	47	properties => {},
2822f5c4	48	},
b6b8e6ad DM	49	links => [ { rel => 'child', href => "{name}" } ],
	50	},
	51	code => sub {
	52	my ($param) = @_;
e7b35711	53
b6b8e6ad DM	54	my $result = [
	55	{ name => 'rules' },
	56	{ name => 'aliases' },
947d6ea2 DM	57	{ name => 'ipset' },
947d6ea2 DM	58	{ name => 'refs' },
b6b8e6ad DM	59	{ name => 'options' },
b6b8e6ad DM	60	];
e7b35711	61
b6b8e6ad DM	62	return $result;
b6b8e6ad DM	63	}});
2822f5c4	64
b6b8e6ad DM	65
	66	$class->register_method({
	67	name => 'get_options',
	68	path => 'options',
	69	method => 'GET',
	70	description => "Get VM firewall options.",
	71	proxyto => 'node',
16c8f5d7 DM	72	permissions => {
	73	check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	74	},
b6b8e6ad DM	75	parameters => {
	76	additionalProperties => 0,
	77	properties => {
	78	node => get_standard_option('pve-node'),
	79	vmid => get_standard_option('pve-vmid'),
2822f5c4 DM	80	},
2822f5c4 DM	81	},
b6b8e6ad	82	returns => {
2822f5c4	83	type => "object",
b6b8e6ad DM	84	#additionalProperties => 1,
	85	properties => $option_properties,
	86	},
	87	code => sub {
	88	my ($param) = @_;
	89
42ec8178 DM	90	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
42ec8178 DM	91	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	92
	93	return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	94	}});
	95
	96	$class->register_method({
	97	name => 'set_options',
	98	path => 'options',
	99	method => 'PUT',
	100	description => "Set Firewall options.",
	101	protected => 1,
	102	proxyto => 'node',
16c8f5d7 DM	103	permissions => {
	104	check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
	105	},
b6b8e6ad DM	106	parameters => {
	107	additionalProperties => 0,
	108	properties => &$add_option_properties({
	109	node => get_standard_option('pve-node'),
	110	vmid => get_standard_option('pve-vmid'),
	111	delete => {
	112	type => 'string', format => 'pve-configid-list',
	113	description => "A list of settings you want to delete.",
	114	optional => 1,
2822f5c4	115	},
b6b8e6ad DM	116	digest => get_standard_option('pve-config-digest'),
	117	}),
	118	},
	119	returns => { type => "null" },
	120	code => sub {
	121	my ($param) = @_;
	122
42ec8178 DM	123
	124	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	125	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
b6b8e6ad DM	126
	127	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	128	PVE::Tools::assert_if_modified($digest, $param->{digest});
	129
	130	if ($param->{delete}) {
	131	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
	132	raise_param_exc({ delete => "no such option '$opt'" })
	133	if !$option_properties->{$opt};
	134	delete $vmfw_conf->{options}->{$opt};
2822f5c4 DM	135	}
2822f5c4 DM	136	}
2822f5c4	137
b6b8e6ad DM	138	if (defined($param->{enable})) {
	139	$param->{enable} = $param->{enable} ? 1 : 0;
	140	}
	141
	142	foreach my $k (keys %$option_properties) {
	143	next if !defined($param->{$k});
	144	$vmfw_conf->{options}->{$k} = $param->{$k};
	145	}
	146
	147	PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	148
	149	return undef;
	150	}});
2822f5c4	151
b6b8e6ad DM	152	$class->register_method({
	153	name => 'log',
	154	path => 'log',
	155	method => 'GET',
	156	description => "Read firewall log",
	157	proxyto => 'node',
	158	permissions => {
	159	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	160	},
	161	protected => 1,
	162	parameters => {
	163	additionalProperties => 0,
	164	properties => {
	165	node => get_standard_option('pve-node'),
	166	vmid => get_standard_option('pve-vmid'),
	167	start => {
	168	type => 'integer',
	169	minimum => 0,
	170	optional => 1,
	171	},
	172	limit => {
	173	type => 'integer',
	174	minimum => 0,
	175	optional => 1,
	176	},
	177	},
	178	},
	179	returns => {
	180	type => 'array',
	181	items => {
	182	type => "object",
	183	properties => {
	184	n => {
	185	description=> "Line number",
	186	type=> 'integer',
	187	},
	188	t => {
	189	description=> "Line text",
	190	type => 'string',
	191	}
	192	}
	193	}
	194	},
	195	code => sub {
	196	my ($param) = @_;
e7b35711	197
b6b8e6ad DM	198	my $rpcenv = PVE::RPCEnvironment::get();
	199	my $user = $rpcenv->get_user();
	200	my $vmid = $param->{vmid};
	201
	202	my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
	203	$param->{start}, $param->{limit},
	204	"^$vmid ");
	205
	206	$rpcenv->set_result_attrib('total', $count);
2822f5c4	207
b6b8e6ad DM	208	return $lines;
b6b8e6ad DM	209	}});
947d6ea2 DM	210
	211
	212	$class->register_method({
	213	name => 'refs',
	214	path => 'refs',
	215	method => 'GET',
	216	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
16c8f5d7 DM	217	permissions => {
	218	check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
	219	},
947d6ea2 DM	220	parameters => {
	221	additionalProperties => 0,
	222	properties => {
	223	node => get_standard_option('pve-node'),
	224	vmid => get_standard_option('pve-vmid'),
f2c0865c DM	225	type => {
	226	description => "Only list references of specified type.",
	227	type => 'string',
	228	enum => ['alias', 'ipset'],
	229	optional => 1,
	230	},
947d6ea2 DM	231	},
	232	},
	233	returns => {
	234	type => 'array',
	235	items => {
	236	type => "object",
	237	properties => {
	238	type => {
	239	type => 'string',
	240	enum => ['alias', 'ipset'],
	241	},
	242	name => {
	243	type => 'string',
	244	},
	245	comment => {
	246	type => 'string',
	247	optional => 1,
	248	},
	249	},
	250	},
	251	},
	252	code => sub {
	253	my ($param) = @_;
	254
	255	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	256	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
	257
	258	my $ipsets = {};
	259	my $aliases = {};
	260
	261	foreach my $conf (($cluster_conf, $fw_conf)) {
	262	next if !$conf;
f2c0865c DM	263	if (!$param->{type} \|\| $param->{type} eq 'ipset') {
	264	foreach my $name (keys %{$conf->{ipset}}) {
	265	my $data = {
	266	type => 'ipset',
	267	name => $name,
	268	ref => "+$name",
	269	};
	270	if (my $comment = $conf->{ipset_comments}->{$name}) {
	271	$data->{comment} = $comment;
	272	}
	273	$ipsets->{$name} = $data;
947d6ea2	274	}
947d6ea2 DM	275	}
947d6ea2 DM	276
f2c0865c DM	277	if (!$param->{type} \|\| $param->{type} eq 'alias') {
	278	foreach my $name (keys %{$conf->{aliases}}) {
	279	my $e = $conf->{aliases}->{$name};
	280	my $data = {
	281	type => 'alias',
	282	name => $name,
	283	ref => $name,
	284	};
	285	$data->{comment} = $e->{comment} if $e->{comment};
	286	$aliases->{$name} = $data;
	287	}
947d6ea2 DM	288	}
	289	}
	290
	291	my $res = [];
	292	foreach my $e (values %$ipsets) { push @$res, $e; };
	293	foreach my $e (values %$aliases) { push @$res, $e; };
	294
	295	return $res;
	296	}});
b6b8e6ad DM	297	}
	298
	299	package PVE::API2::Firewall::VM;
	300
	301	use strict;
	302	use warnings;
	303
	304	use base qw(PVE::API2::Firewall::VMBase);
	305
	306	__PACKAGE__->register_method ({
	307	subclass => "PVE::API2::Firewall::VMRules",
	308	path => 'rules',
	309	});
	310
	311	__PACKAGE__->register_method ({
	312	subclass => "PVE::API2::Firewall::VMAliases",
	313	path => 'aliases',
	314	});
	315
1210ae94 DM	316	__PACKAGE__->register_method ({
	317	subclass => "PVE::API2::Firewall::VMIPSetList",
	318	path => 'ipset',
	319	});
	320
b6b8e6ad DM	321	__PACKAGE__->register_handlers('vm');
	322
	323	package PVE::API2::Firewall::CT;
	324
	325	use strict;
	326	use warnings;
	327
	328	use base qw(PVE::API2::Firewall::VMBase);
	329
	330	__PACKAGE__->register_method ({
	331	subclass => "PVE::API2::Firewall::CTRules",
	332	path => 'rules',
	333	});
	334
	335	__PACKAGE__->register_method ({
	336	subclass => "PVE::API2::Firewall::CTAliases",
	337	path => 'aliases',
	338	});
	339
1210ae94 DM	340	__PACKAGE__->register_method ({
	341	subclass => "PVE::API2::Firewall::CTIPSetList",
	342	path => 'ipset',
	343	});
	344
b6b8e6ad	345	__PACKAGE__->register_handlers('vm');
e7b35711 DM	346
e7b35711 DM	347	1;