[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm

package PVE::API2::Firewall::VM;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Aliases;

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMRules",  
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::VMAliases",  
    path => 'aliases',
});

__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    vmid => get_standard_option('pve-vmid'),
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $result = [
	    { name => 'rules' },
	    { name => 'options' },
	    ];

	return $result;
    }});

my $option_properties = {
    enable => {
	description => "Enable host firewall rules.",
	type => 'boolean',
	optional => 1,
    },
    macfilter => {
	description => "Enable/disable MAC address filter.",
	type => 'boolean',
	optional => 1,
    },
    dhcp => {
	description => "Enable DHCP.",
	type => 'boolean',
	optional => 1,
    },
    policy_in => {
	description => "Input policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    policy_out => { 
	description => "Output policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    log_level_in =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for incoming traffic." }),
    log_level_out =>  get_standard_option('pve-fw-loglevel', {
	description => "Log level for outgoing traffic." }),

};

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }
    
    return $properties;
};
__PACKAGE__->register_method({
    name => 'get_options',
    path => 'options',
    method => 'GET',
    description => "Get VM firewall options.",
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    vmid => get_standard_option('pve-vmid'),
	},
    },
    returns => {
	type => "object",
    	#additionalProperties => 1,
	properties => $option_properties,
    },
    code => sub {
	my ($param) = @_;

	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});

	return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
    }});

__PACKAGE__->register_method({
    name => 'set_options',
    path => 'options',
    method => 'PUT',
    description => "Set Firewall options.",
    protected => 1,
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => &$add_option_properties({
	    node => get_standard_option('pve-node'),
	    vmid => get_standard_option('pve-vmid'),
	    delete => {
		type => 'string', format => 'pve-configid-list',
		description => "A list of settings you want to delete.",
		optional => 1,
	    },
	    digest => get_standard_option('pve-config-digest'),
	}),
    },
    returns => { type => "null" },
    code => sub {
	my ($param) = @_;

	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});

	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	PVE::Tools::assert_if_modified($digest, $param->{digest});

	if ($param->{delete}) {
	    foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		raise_param_exc({ delete => "no such option '$opt'" }) 
		    if !$option_properties->{$opt};
		delete $vmfw_conf->{options}->{$opt};
	    }
	}

	if (defined($param->{enable})) {
	    $param->{enable} = $param->{enable} ? 1 : 0;
	}

	foreach my $k (keys %$option_properties) {
	    next if !defined($param->{$k});
	    $vmfw_conf->{options}->{$k} = $param->{$k}; 
	}

	PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'log', 
    path => 'log', 
    method => 'GET',
    description => "Read firewall log",
    proxyto => 'node',
    permissions => {
	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
    },
    protected => 1,
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    vmid => get_standard_option('pve-vmid'),
	    start => {
		type => 'integer',
		minimum => 0,
		optional => 1,
	    },
	    limit => {
		type => 'integer',
		minimum => 0,
		optional => 1,
	    },
	},
    },
    returns => {
	type => 'array',
	items => { 
	    type => "object",
	    properties => {
		n => {
		  description=>  "Line number",
		  type=> 'integer',
		},
		t => {
		  description=>  "Line text",
		  type => 'string',
		}
	    }
	}
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $user = $rpcenv->get_user();
	my $vmid = $param->{vmid};

	my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", 
						       $param->{start}, $param->{limit},
						       "^$vmid ");

	$rpcenv->set_result_attrib('total', $count);
	    
	return $lines; 
    }});

1;
Commit	Line	Data
e7b35711 DM	1	package PVE::API2::Firewall::VM;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6	use PVE::Cluster;
	7	use PVE::Firewall;
464f933e	8	use PVE::API2::Firewall::Rules;
e76a9f53	9	use PVE::API2::Firewall::Aliases;
e7b35711 DM	10
	11	use Data::Dumper; # fixme: remove
	12
	13	use base qw(PVE::RESTHandler);
	14
464f933e DM	15	__PACKAGE__->register_method ({
	16	subclass => "PVE::API2::Firewall::VMRules",
	17	path => 'rules',
	18	});
	19
e76a9f53 DM	20	__PACKAGE__->register_method ({
	21	subclass => "PVE::API2::Firewall::VMAliases",
	22	path => 'aliases',
	23	});
	24
e7b35711 DM	25	__PACKAGE__->register_method({
	26	name => 'index',
	27	path => '',
	28	method => 'GET',
	29	permissions => { user => 'all' },
	30	description => "Directory index.",
	31	parameters => {
	32	additionalProperties => 0,
	33	properties => {
	34	node => get_standard_option('pve-node'),
	35	vmid => get_standard_option('pve-vmid'),
	36	},
	37	},
	38	returns => {
	39	type => 'array',
	40	items => {
	41	type => "object",
	42	properties => {},
	43	},
	44	links => [ { rel => 'child', href => "{name}" } ],
	45	},
	46	code => sub {
	47	my ($param) = @_;
	48
	49	my $result = [
	50	{ name => 'rules' },
	51	{ name => 'options' },
	52	];
	53
	54	return $result;
	55	}});
	56
2822f5c4 DM	57	my $option_properties = {
	58	enable => {
	59	description => "Enable host firewall rules.",
	60	type => 'boolean',
	61	optional => 1,
	62	},
44269d27 DM	63	macfilter => {
	64	description => "Enable/disable MAC address filter.",
	65	type => 'boolean',
	66	optional => 1,
	67	},
	68	dhcp => {
	69	description => "Enable DHCP.",
	70	type => 'boolean',
	71	optional => 1,
	72	},
2822f5c4 DM	73	policy_in => {
	74	description => "Input policy.",
	75	type => 'string',
	76	optional => 1,
	77	enum => ['ACCEPT', 'REJECT', 'DROP'],
	78	},
	79	policy_out => {
	80	description => "Output policy.",
	81	type => 'string',
	82	optional => 1,
	83	enum => ['ACCEPT', 'REJECT', 'DROP'],
	84	},
44269d27 DM	85	log_level_in => get_standard_option('pve-fw-loglevel', {
	86	description => "Log level for incoming traffic." }),
	87	log_level_out => get_standard_option('pve-fw-loglevel', {
	88	description => "Log level for outgoing traffic." }),
	89
2822f5c4 DM	90	};
	91
	92	my $add_option_properties = sub {
	93	my ($properties) = @_;
	94
	95	foreach my $k (keys %$option_properties) {
	96	$properties->{$k} = $option_properties->{$k};
	97	}
	98
	99	return $properties;
	100	};
e7b35711 DM	101	__PACKAGE__->register_method({
	102	name => 'get_options',
	103	path => 'options',
	104	method => 'GET',
2822f5c4	105	description => "Get VM firewall options.",
e7b35711 DM	106	proxyto => 'node',
	107	parameters => {
	108	additionalProperties => 0,
	109	properties => {
	110	node => get_standard_option('pve-node'),
	111	vmid => get_standard_option('pve-vmid'),
	112	},
	113	},
	114	returns => {
	115	type => "object",
2822f5c4 DM	116	#additionalProperties => 1,
2822f5c4 DM	117	properties => $option_properties,
e7b35711 DM	118	},
	119	code => sub {
	120	my ($param) = @_;
	121
2822f5c4	122	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
e7b35711	123
2822f5c4 DM	124	return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
2822f5c4 DM	125	}});
e7b35711	126
2822f5c4 DM	127	__PACKAGE__->register_method({
	128	name => 'set_options',
	129	path => 'options',
	130	method => 'PUT',
	131	description => "Set Firewall options.",
	132	protected => 1,
	133	proxyto => 'node',
	134	parameters => {
	135	additionalProperties => 0,
	136	properties => &$add_option_properties({
	137	node => get_standard_option('pve-node'),
	138	vmid => get_standard_option('pve-vmid'),
	139	delete => {
	140	type => 'string', format => 'pve-configid-list',
	141	description => "A list of settings you want to delete.",
	142	optional => 1,
	143	},
	144	digest => get_standard_option('pve-config-digest'),
	145	}),
	146	},
	147	returns => { type => "null" },
	148	code => sub {
	149	my ($param) = @_;
e7b35711	150
2822f5c4	151	my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
e7b35711	152
2822f5c4 DM	153	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
	154	PVE::Tools::assert_if_modified($digest, $param->{digest});
	155
	156	if ($param->{delete}) {
	157	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
	158	raise_param_exc({ delete => "no such option '$opt'" })
	159	if !$option_properties->{$opt};
	160	delete $vmfw_conf->{options}->{$opt};
	161	}
	162	}
	163
	164	if (defined($param->{enable})) {
	165	$param->{enable} = $param->{enable} ? 1 : 0;
	166	}
	167
	168	foreach my $k (keys %$option_properties) {
	169	next if !defined($param->{$k});
	170	$vmfw_conf->{options}->{$k} = $param->{$k};
	171	}
	172
	173	PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
	174
	175	return undef;
	176	}});
	177
	178	__PACKAGE__->register_method({
	179	name => 'log',
	180	path => 'log',
	181	method => 'GET',
	182	description => "Read firewall log",
	183	proxyto => 'node',
	184	permissions => {
	185	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
	186	},
	187	protected => 1,
	188	parameters => {
	189	additionalProperties => 0,
	190	properties => {
	191	node => get_standard_option('pve-node'),
	192	vmid => get_standard_option('pve-vmid'),
	193	start => {
	194	type => 'integer',
	195	minimum => 0,
	196	optional => 1,
	197	},
	198	limit => {
	199	type => 'integer',
	200	minimum => 0,
	201	optional => 1,
	202	},
	203	},
	204	},
	205	returns => {
	206	type => 'array',
	207	items => {
	208	type => "object",
	209	properties => {
	210	n => {
	211	description=> "Line number",
	212	type=> 'integer',
	213	},
	214	t => {
	215	description=> "Line text",
	216	type => 'string',
217	}
218	}
219	}
220	},
221	code => sub {
222	my ($param) = @_;
223
224	my $rpcenv = PVE::RPCEnvironment::get();
225	my $user = $rpcenv->get_user();
226	my $vmid = $param->{vmid};
227
228	my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
229	$param->{start}, $param->{limit},
230	"^$vmid ");
e7b35711	231
2822f5c4 DM	232	$rpcenv->set_result_attrib('total', $count);
	233
	234	return $lines;
e7b35711 DM	235	}});
	236
	237	1;