[pve-firewall.git] / src / PVE / API2 / Firewall / Rules.pm

package PVE::API2::Firewall::RulesBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_param_exc);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = {
    pos => {
	description => "Rule position.",
	type => 'integer',
	minimum => 0,
    },
};

sub lock_config {
    my ($class, $param, $code) = @_;

    die "implement this in subclass";
}

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub rule_env {
    my ($class, $param) = @_;

    die "implement this in subclass";
}

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_rules {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    my $rule_env = $class->rule_env();

    $class->register_method({
	name => 'get_rules',
	path => '',
	method => 'GET',
	description => "List rules.",
	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $rule_env eq 'host' ? 'node' : undef,
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    pos => {
			type => 'integer',
		    }
		},
	    },
	    links => [ { rel => 'child', href => "{pos}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);

	    my $ind = 0;
	    foreach my $rule (@$list) {
		$rule->{pos} = $ind++;
	    }

	    return $list;
	}});
}

sub register_get_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};

    my $rule_env = $class->rule_env();

    $class->register_method({
	name => 'get_rule',
	path => '{pos}',
	method => 'GET',
	description => "Get single rule data.",
	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $rule_env eq 'host' ? 'node' : undef,
	returns => {
	    type => "object",
	    properties => {
		action => {
		    type => 'string',
		},
		comment => {
		    type => 'string',
		    optional => 1,
		},
		dest => {
		    type => 'string',
		    optional => 1,
		},
		dport => {
		    type => 'string',
		    optional => 1,
		},
		enable => {
		    type => 'integer',
		    optional => 1,
		},
		log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
		    description => 'Log level for firewall rule',
		}),
		iface => {
		    type => 'string',
		    optional => 1,
		},
		ipversion => {
		    type => 'integer',
		    optional => 1,
		},
		macro => {
		    type => 'string',
		    optional => 1,
		},
		pos => {
		    type => 'integer',
		},
		proto => {
		    type => 'string',
		    optional => 1,
		},
		source => {
		    type => 'string',
		    optional => 1,
		},
		sport => {
		    type => 'string',
		    optional => 1,
		},
		type => {
		    type => 'string',
		},
	    },
	},
	code => sub {
	    my ($param) = @_;

	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);

	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);

	    my $rule = $list->[$param->{pos}];
	    $rule->{pos} = $param->{pos};

	    return $rule;
	}});
}

sub register_create_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
    $create_rule_properties->{action}->{optional} = 0;
    $create_rule_properties->{type}->{optional} = 0;

    my $rule_env = $class->rule_env();

    $class->register_method({
	name => 'create_rule',
	path => '',
	method => 'POST',
	description => "Create new rule.",
	protected => 1,
	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	parameters => {
	    additionalProperties => 0,
	    properties => $create_rule_properties,
	},
	proxyto => $rule_env eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    $class->lock_config($param, sub {
		my ($param) = @_;

		my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

		my $rule = {};

		PVE::Firewall::copy_rule_data($rule, $param);
		PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());

		$rule->{enable} = 0 if !defined($param->{enable});

		unshift @$rules, $rule;

		$class->save_rules($param, $fw_conf, $rules);
	    });

	    return undef;
	}});
}

sub register_update_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};

    my $rule_env = $class->rule_env();

    $properties->{moveto} = {
	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	type => 'integer',
	minimum => 0,
	optional => 1,
    };

    $properties->{delete} = {
	type => 'string', format => 'pve-configid-list',
	description => "A list of settings you want to delete.",
	optional => 1,
    };

    my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);

    $class->register_method({
	name => 'update_rule',
	path => '{pos}',
	method => 'PUT',
	description => "Modify rule data.",
	protected => 1,
	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	parameters => {
	    additionalProperties => 0,
	    properties => $update_rule_properties,
	},
	proxyto => $rule_env eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    $class->lock_config($param, sub {
		my ($param) = @_;

		my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

		my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
		PVE::Tools::assert_if_modified($digest, $param->{digest});

		die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);

		my $rule = $rules->[$param->{pos}];

		my $moveto = $param->{moveto};
		if (defined($moveto) && $moveto != $param->{pos}) {
		    my $newrules = [];
		    for (my $i = 0; $i < scalar(@$rules); $i++) {
			next if $i == $param->{pos};
			if ($i == $moveto) {
			    push @$newrules, $rule;
			}
			push @$newrules, $rules->[$i];
		    }
		    push @$newrules, $rule if $moveto >= scalar(@$rules);
		    $rules = $newrules;
		} else {
		    PVE::Firewall::copy_rule_data($rule, $param);

		    PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};

		    PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
		}

		$class->save_rules($param, $fw_conf, $rules);
	    });

	    return undef;
	}});
}

sub register_delete_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};

    $properties->{digest} = get_standard_option('pve-config-digest');

    my $rule_env = $class->rule_env();

    $class->register_method({
	name => 'delete_rule',
	path => '{pos}',
	method => 'DELETE',
	description => "Delete rule.",
	protected => 1,
	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	proxyto => $rule_env eq 'host' ? 'node' : undef,
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    $class->lock_config($param, sub {
		my ($param) = @_;

		my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);

		my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
		PVE::Tools::assert_if_modified($digest, $param->{digest});

		die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);

		splice(@$rules, $param->{pos}, 1);

		$class->save_rules($param, $fw_conf, $rules);
	    });

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_rules();
    $class->register_get_rule();
    $class->register_create_rule();
    $class->register_update_rule();
    $class->register_delete_rule();
}

package PVE::API2::Firewall::GroupRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });


sub rule_env {
    my ($class, $param) = @_;

    return 'group';
}

sub lock_config {
    my ($class, $param, $code) = @_;

    PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{groups}->{$param->{group}};
    die "no such security group '$param->{group}'\n" if !defined($rules);

    return (undef, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    if (!defined($rules)) {
	delete $fw_conf->{groups}->{$param->{group}};
    } else {
	$fw_conf->{groups}->{$param->{group}} = $rules;
    }

    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_method({
    name => 'delete_security_group',
    path => '',
    method => 'DELETE',
    description => "Delete security group.",
    protected => 1,
    permissions => {
	check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    group => get_standard_option('pve-security-group-name'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	__PACKAGE__->lock_config($param, sub {
	    my ($param) = @_;

	    my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);

	    die "Security group '$param->{group}' is not empty\n"
		if scalar(@$rules);

	    __PACKAGE__->save_rules($param, $cluster_conf, undef);
	});

	return undef;
    }});

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::ClusterRules;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::RulesBase);

sub rule_env {
    my ($class, $param) = @_;

    return 'cluster';
}

sub lock_config {
    my ($class, $param, $code) = @_;

    PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{rules};

    return (undef, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::HostRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});

sub rule_env {
    my ($class, $param) = @_;

    return 'host';
}

sub lock_config {
    my ($class, $param, $code) = @_;

    PVE::Firewall::lock_hostfw_conf(10, $code, $param);
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_hostfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::VMRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

sub rule_env {
    my ($class, $param) = @_;

    return 'vm';
}

sub lock_config {
    my ($class, $param, $code) = @_;

    PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::CTRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),
});

sub rule_env {
    my ($class, $param) = @_;

    return 'ct';
}

sub lock_config {
    my ($class, $param, $code) = @_;

    PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
}

sub load_config {
    my ($class, $param) = @_;

    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($cluster_conf, $fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

1;
Commit	Line	Data
	1	package PVE::API2::Firewall::RulesBase;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6	use PVE::Exception qw(raise raise_param_exc);
	7
	8	use PVE::Firewall;
	9
	10	use base qw(PVE::RESTHandler);
	11
	12	my $api_properties = {
	13	pos => {
	14	description => "Rule position.",
	15	type => 'integer',
	16	minimum => 0,
	17	},
	18	};
	19
	20	sub lock_config {
	21	my ($class, $param, $code) = @_;
	22
	23	die "implement this in subclass";
	24	}
	25
	26	sub load_config {
	27	my ($class, $param) = @_;
	28
	29	die "implement this in subclass";
	30
	31	#return ($cluster_conf, $fw_conf, $rules);
	32	}
	33
	34	sub save_rules {
	35	my ($class, $param, $fw_conf, $rules) = @_;
	36
	37	die "implement this in subclass";
	38	}
	39
	40	my $additional_param_hash = {};
	41
	42	sub rule_env {
	43	my ($class, $param) = @_;
	44
	45	die "implement this in subclass";
	46	}
	47
	48	sub additional_parameters {
	49	my ($class, $new_value) = @_;
	50
	51	if (defined($new_value)) {
	52	$additional_param_hash->{$class} = $new_value;
	53	}
	54
	55	# return a copy
	56	my $copy = {};
	57	my $org = $additional_param_hash->{$class} \|\| {};
	58	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	59	return $copy;
	60	}
	61
	62	sub register_get_rules {
	63	my ($class) = @_;
	64
	65	my $properties = $class->additional_parameters();
	66
	67	my $rule_env = $class->rule_env();
	68
	69	$class->register_method({
	70	name => 'get_rules',
	71	path => '',
	72	method => 'GET',
	73	description => "List rules.",
	74	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
	75	parameters => {
	76	additionalProperties => 0,
	77	properties => $properties,
	78	},
	79	proxyto => $rule_env eq 'host' ? 'node' : undef,
	80	returns => {
	81	type => 'array',
	82	items => {
	83	type => "object",
	84	properties => {
	85	pos => {
	86	type => 'integer',
	87	}
	88	},
	89	},
	90	links => [ { rel => 'child', href => "{pos}" } ],
	91	},
	92	code => sub {
	93	my ($param) = @_;
	94
	95	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
	96
	97	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	98
	99	my $ind = 0;
	100	foreach my $rule (@$list) {
	101	$rule->{pos} = $ind++;
	102	}
	103
	104	return $list;
	105	}});
	106	}
	107
	108	sub register_get_rule {
	109	my ($class) = @_;
	110
	111	my $properties = $class->additional_parameters();
	112
	113	$properties->{pos} = $api_properties->{pos};
	114
	115	my $rule_env = $class->rule_env();
	116
	117	$class->register_method({
	118	name => 'get_rule',
	119	path => '{pos}',
	120	method => 'GET',
	121	description => "Get single rule data.",
	122	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
	123	parameters => {
	124	additionalProperties => 0,
	125	properties => $properties,
	126	},
	127	proxyto => $rule_env eq 'host' ? 'node' : undef,
	128	returns => {
	129	type => "object",
	130	properties => {
	131	action => {
	132	type => 'string',
	133	},
	134	comment => {
	135	type => 'string',
	136	optional => 1,
	137	},
	138	dest => {
	139	type => 'string',
	140	optional => 1,
	141	},
	142	dport => {
	143	type => 'string',
	144	optional => 1,
	145	},
	146	enable => {
	147	type => 'integer',
	148	optional => 1,
	149	},
	150	log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
	151	description => 'Log level for firewall rule',
	152	}),
	153	iface => {
	154	type => 'string',
	155	optional => 1,
	156	},
	157	ipversion => {
	158	type => 'integer',
	159	optional => 1,
	160	},
	161	macro => {
	162	type => 'string',
	163	optional => 1,
	164	},
	165	pos => {
	166	type => 'integer',
	167	},
	168	proto => {
	169	type => 'string',
	170	optional => 1,
	171	},
	172	source => {
	173	type => 'string',
	174	optional => 1,
	175	},
	176	sport => {
	177	type => 'string',
	178	optional => 1,
	179	},
	180	type => {
	181	type => 'string',
	182	},
	183	},
	184	},
	185	code => sub {
	186	my ($param) = @_;
	187
	188	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
	189
	190	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	191
	192	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
	193
	194	my $rule = $list->[$param->{pos}];
	195	$rule->{pos} = $param->{pos};
	196
	197	return $rule;
	198	}});
	199	}
	200
	201	sub register_create_rule {
	202	my ($class) = @_;
	203
	204	my $properties = $class->additional_parameters();
	205
	206	my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
	207	$create_rule_properties->{action}->{optional} = 0;
	208	$create_rule_properties->{type}->{optional} = 0;
	209
	210	my $rule_env = $class->rule_env();
	211
	212	$class->register_method({
	213	name => 'create_rule',
	214	path => '',
	215	method => 'POST',
	216	description => "Create new rule.",
	217	protected => 1,
	218	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	219	parameters => {
	220	additionalProperties => 0,
	221	properties => $create_rule_properties,
	222	},
	223	proxyto => $rule_env eq 'host' ? 'node' : undef,
	224	returns => { type => "null" },
	225	code => sub {
	226	my ($param) = @_;
	227
	228	$class->lock_config($param, sub {
	229	my ($param) = @_;
	230
	231	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
	232
	233	my $rule = {};
	234
	235	PVE::Firewall::copy_rule_data($rule, $param);
	236	PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
	237
	238	$rule->{enable} = 0 if !defined($param->{enable});
	239
	240	unshift @$rules, $rule;
	241
	242	$class->save_rules($param, $fw_conf, $rules);
	243	});
	244
	245	return undef;
	246	}});
	247	}
	248
	249	sub register_update_rule {
	250	my ($class) = @_;
	251
	252	my $properties = $class->additional_parameters();
	253
	254	$properties->{pos} = $api_properties->{pos};
	255
	256	my $rule_env = $class->rule_env();
	257
	258	$properties->{moveto} = {
	259	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	260	type => 'integer',
	261	minimum => 0,
	262	optional => 1,
	263	};
	264
	265	$properties->{delete} = {
	266	type => 'string', format => 'pve-configid-list',
	267	description => "A list of settings you want to delete.",
	268	optional => 1,
	269	};
	270
	271	my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);
	272
	273	$class->register_method({
	274	name => 'update_rule',
	275	path => '{pos}',
	276	method => 'PUT',
	277	description => "Modify rule data.",
	278	protected => 1,
	279	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	280	parameters => {
	281	additionalProperties => 0,
	282	properties => $update_rule_properties,
	283	},
	284	proxyto => $rule_env eq 'host' ? 'node' : undef,
	285	returns => { type => "null" },
	286	code => sub {
	287	my ($param) = @_;
	288
	289	$class->lock_config($param, sub {
	290	my ($param) = @_;
	291
	292	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
	293
	294	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	295	PVE::Tools::assert_if_modified($digest, $param->{digest});
	296
	297	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	298
	299	my $rule = $rules->[$param->{pos}];
	300
	301	my $moveto = $param->{moveto};
	302	if (defined($moveto) && $moveto != $param->{pos}) {
	303	my $newrules = [];
	304	for (my $i = 0; $i < scalar(@$rules); $i++) {
	305	next if $i == $param->{pos};
	306	if ($i == $moveto) {
	307	push @$newrules, $rule;
	308	}
	309	push @$newrules, $rules->[$i];
	310	}
	311	push @$newrules, $rule if $moveto >= scalar(@$rules);
	312	$rules = $newrules;
	313	} else {
	314	PVE::Firewall::copy_rule_data($rule, $param);
	315
	316	PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
	317
	318	PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
	319	}
	320
	321	$class->save_rules($param, $fw_conf, $rules);
	322	});
	323
	324	return undef;
	325	}});
	326	}
	327
	328	sub register_delete_rule {
	329	my ($class) = @_;
	330
	331	my $properties = $class->additional_parameters();
	332
	333	$properties->{pos} = $api_properties->{pos};
	334
	335	$properties->{digest} = get_standard_option('pve-config-digest');
	336
	337	my $rule_env = $class->rule_env();
	338
	339	$class->register_method({
	340	name => 'delete_rule',
	341	path => '{pos}',
	342	method => 'DELETE',
	343	description => "Delete rule.",
	344	protected => 1,
	345	permissions => PVE::Firewall::rules_modify_permissions($rule_env),
	346	parameters => {
	347	additionalProperties => 0,
	348	properties => $properties,
	349	},
	350	proxyto => $rule_env eq 'host' ? 'node' : undef,
	351	returns => { type => "null" },
	352	code => sub {
	353	my ($param) = @_;
	354
	355	$class->lock_config($param, sub {
	356	my ($param) = @_;
	357
	358	my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
	359
	360	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	361	PVE::Tools::assert_if_modified($digest, $param->{digest});
	362
	363	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	364
	365	splice(@$rules, $param->{pos}, 1);
	366
	367	$class->save_rules($param, $fw_conf, $rules);
	368	});
	369
	370	return undef;
	371	}});
	372	}
	373
	374	sub register_handlers {
	375	my ($class) = @_;
	376
	377	$class->register_get_rules();
	378	$class->register_get_rule();
	379	$class->register_create_rule();
	380	$class->register_update_rule();
	381	$class->register_delete_rule();
	382	}
	383
	384	package PVE::API2::Firewall::GroupRules;
	385
	386	use strict;
	387	use warnings;
	388	use PVE::JSONSchema qw(get_standard_option);
	389
	390	use base qw(PVE::API2::Firewall::RulesBase);
	391
	392	__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
	393
	394
	395	sub rule_env {
	396	my ($class, $param) = @_;
	397
	398	return 'group';
	399	}
	400
	401	sub lock_config {
	402	my ($class, $param, $code) = @_;
	403
	404	PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
	405	}
	406
	407	sub load_config {
	408	my ($class, $param) = @_;
	409
	410	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	411	my $rules = $fw_conf->{groups}->{$param->{group}};
	412	die "no such security group '$param->{group}'\n" if !defined($rules);
	413
	414	return (undef, $fw_conf, $rules);
	415	}
	416
	417	sub save_rules {
	418	my ($class, $param, $fw_conf, $rules) = @_;
	419
	420	if (!defined($rules)) {
	421	delete $fw_conf->{groups}->{$param->{group}};
	422	} else {
	423	$fw_conf->{groups}->{$param->{group}} = $rules;
	424	}
	425
	426	PVE::Firewall::save_clusterfw_conf($fw_conf);
	427	}
	428
	429	__PACKAGE__->register_method({
	430	name => 'delete_security_group',
	431	path => '',
	432	method => 'DELETE',
	433	description => "Delete security group.",
	434	protected => 1,
	435	permissions => {
	436	check => ['perm', '/', [ 'Sys.Modify' ]],
	437	},
	438	parameters => {
	439	additionalProperties => 0,
	440	properties => {
	441	group => get_standard_option('pve-security-group-name'),
	442	},
	443	},
	444	returns => { type => 'null' },
	445	code => sub {
	446	my ($param) = @_;
	447
	448	__PACKAGE__->lock_config($param, sub {
	449	my ($param) = @_;
	450
	451	my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);
	452
	453	die "Security group '$param->{group}' is not empty\n"
	454	if scalar(@$rules);
	455
	456	__PACKAGE__->save_rules($param, $cluster_conf, undef);
	457	});
	458
	459	return undef;
	460	}});
	461
	462	__PACKAGE__->register_handlers();
	463
	464	package PVE::API2::Firewall::ClusterRules;
	465
	466	use strict;
	467	use warnings;
	468
	469	use base qw(PVE::API2::Firewall::RulesBase);
	470
	471	sub rule_env {
	472	my ($class, $param) = @_;
	473
	474	return 'cluster';
	475	}
	476
	477	sub lock_config {
	478	my ($class, $param, $code) = @_;
	479
	480	PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
	481	}
	482
	483	sub load_config {
	484	my ($class, $param) = @_;
	485
	486	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	487	my $rules = $fw_conf->{rules};
	488
	489	return (undef, $fw_conf, $rules);
	490	}
	491
	492	sub save_rules {
	493	my ($class, $param, $fw_conf, $rules) = @_;
	494
	495	$fw_conf->{rules} = $rules;
	496	PVE::Firewall::save_clusterfw_conf($fw_conf);
	497	}
	498
	499	__PACKAGE__->register_handlers();
	500
	501	package PVE::API2::Firewall::HostRules;
	502
	503	use strict;
	504	use warnings;
	505	use PVE::JSONSchema qw(get_standard_option);
	506
	507	use base qw(PVE::API2::Firewall::RulesBase);
	508
	509	__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
	510
	511	sub rule_env {
	512	my ($class, $param) = @_;
	513
	514	return 'host';
	515	}
	516
	517	sub lock_config {
	518	my ($class, $param, $code) = @_;
	519
	520	PVE::Firewall::lock_hostfw_conf(10, $code, $param);
	521	}
	522
	523	sub load_config {
	524	my ($class, $param) = @_;
	525
	526	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	527	my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
	528	my $rules = $fw_conf->{rules};
	529
	530	return ($cluster_conf, $fw_conf, $rules);
	531	}
	532
	533	sub save_rules {
	534	my ($class, $param, $fw_conf, $rules) = @_;
	535
	536	$fw_conf->{rules} = $rules;
	537	PVE::Firewall::save_hostfw_conf($fw_conf);
	538	}
	539
	540	__PACKAGE__->register_handlers();
	541
	542	package PVE::API2::Firewall::VMRules;
	543
	544	use strict;
	545	use warnings;
	546	use PVE::JSONSchema qw(get_standard_option);
	547
	548	use base qw(PVE::API2::Firewall::RulesBase);
	549
	550	__PACKAGE__->additional_parameters({
	551	node => get_standard_option('pve-node'),
	552	vmid => get_standard_option('pve-vmid'),
	553	});
	554
	555	sub rule_env {
	556	my ($class, $param) = @_;
	557
	558	return 'vm';
	559	}
	560
	561	sub lock_config {
	562	my ($class, $param, $code) = @_;
	563
	564	PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
	565	}
	566
	567	sub load_config {
	568	my ($class, $param) = @_;
	569
	570	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	571	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
	572	my $rules = $fw_conf->{rules};
	573
	574	return ($cluster_conf, $fw_conf, $rules);
	575	}
	576
	577	sub save_rules {
	578	my ($class, $param, $fw_conf, $rules) = @_;
	579
	580	$fw_conf->{rules} = $rules;
	581	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	582	}
	583
	584	__PACKAGE__->register_handlers();
	585
	586	package PVE::API2::Firewall::CTRules;
	587
	588	use strict;
	589	use warnings;
	590	use PVE::JSONSchema qw(get_standard_option);
	591
	592	use base qw(PVE::API2::Firewall::RulesBase);
	593
	594	__PACKAGE__->additional_parameters({
	595	node => get_standard_option('pve-node'),
	596	vmid => get_standard_option('pve-vmid'),
	597	});
	598
	599	sub rule_env {
	600	my ($class, $param) = @_;
	601
	602	return 'ct';
	603	}
	604
	605	sub lock_config {
	606	my ($class, $param, $code) = @_;
	607
	608	PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
	609	}
	610
	611	sub load_config {
	612	my ($class, $param) = @_;
	613
	614	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	615	my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
	616	my $rules = $fw_conf->{rules};
	617
	618	return ($cluster_conf, $fw_conf, $rules);
	619	}
	620
	621	sub save_rules {
	622	my ($class, $param, $fw_conf, $rules) = @_;
	623
	624	$fw_conf->{rules} = $rules;
	625	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	626	}
	627
	628	__PACKAGE__->register_handlers();
	629
	630	1;