]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/Cluster.pm
1 package PVE
::API2
::Firewall
::Cluster
;
5 use PVE
::Exception
qw(raise raise_param_exc raise_perm_exc);
6 use PVE
::JSONSchema
qw(get_standard_option);
9 use PVE
::API2
::Firewall
::Aliases
;
10 use PVE
::API2
::Firewall
::Rules
;
11 use PVE
::API2
::Firewall
::Groups
;
12 use PVE
::API2
::Firewall
::IPSet
;
16 use Data
::Dumper
; # fixme: remove
18 use base
qw(PVE::RESTHandler);
20 __PACKAGE__-
>register_method ({
21 subclass
=> "PVE::API2::Firewall::Groups",
25 __PACKAGE__-
>register_method ({
26 subclass
=> "PVE::API2::Firewall::ClusterRules",
30 __PACKAGE__-
>register_method ({
31 subclass
=> "PVE::API2::Firewall::ClusterIPSetList",
35 __PACKAGE__-
>register_method ({
36 subclass
=> "PVE::API2::Firewall::ClusterAliases",
41 __PACKAGE__-
>register_method({
45 permissions
=> { user
=> 'all' },
46 description
=> "Directory index.",
48 additionalProperties
=> 0,
56 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
62 { name
=> 'aliases' },
64 { name
=> 'options' },
74 my $option_properties = {
81 description
=> "Input policy.",
84 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
87 description
=> "Output policy.",
90 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
94 my $add_option_properties = sub {
95 my ($properties) = @_;
97 foreach my $k (keys %$option_properties) {
98 $properties->{$k} = $option_properties->{$k};
105 __PACKAGE__-
>register_method({
106 name
=> 'get_options',
109 description
=> "Get Firewall options.",
111 check
=> ['perm', '/', [ 'Sys.Audit' ]],
114 additionalProperties
=> 0,
118 #additionalProperties => 1,
119 properties
=> $option_properties,
124 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
126 return PVE
::Firewall
::copy_opject_with_digest
($cluster_conf->{options
});
130 __PACKAGE__-
>register_method({
131 name
=> 'set_options',
134 description
=> "Set Firewall options.",
137 check
=> ['perm', '/', [ 'Sys.Modify' ]],
140 additionalProperties
=> 0,
141 properties
=> &$add_option_properties({
143 type
=> 'string', format
=> 'pve-configid-list',
144 description
=> "A list of settings you want to delete.",
147 digest
=> get_standard_option
('pve-config-digest'),
150 returns
=> { type
=> "null" },
154 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
156 my (undef, $digest) = PVE
::Firewall
::copy_opject_with_digest
($cluster_conf->{options
});
157 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
159 if ($param->{delete}) {
160 foreach my $opt (PVE
::Tools
::split_list
($param->{delete})) {
161 raise_param_exc
({ delete => "no such option '$opt'" })
162 if !$option_properties->{$opt};
163 delete $cluster_conf->{options
}->{$opt};
167 if (defined($param->{enable
}) && ($param->{enable
} > 1)) {
168 $param->{enable
} = time();
171 foreach my $k (keys %$option_properties) {
172 next if !defined($param->{$k});
173 $cluster_conf->{options
}->{$k} = $param->{$k};
176 PVE
::Firewall
::save_clusterfw_conf
($cluster_conf);
178 # instant firewall update when using double (anti-lockout) API call
179 # -> not waiting for a firewall update at the first (timestamp enable) set
180 if (defined($param->{enable
}) && ($param->{enable
} > 1)) {
181 PVE
::Firewall
::update
();
187 __PACKAGE__-
>register_method({
188 name
=> 'get_macros',
191 description
=> "List available macros",
192 permissions
=> { user
=> 'all' },
194 additionalProperties
=> 0,
202 description
=> "Macro name.",
206 description
=> "More verbose description (if available).",
217 my ($macros, $descr) = PVE
::Firewall
::get_macros
();
219 foreach my $macro (keys %$macros) {
220 push @$res, { macro => $macro, descr
=> $descr->{$macro} || $macro };
226 __PACKAGE__-
>register_method({
230 description
=> "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
232 check
=> ['perm', '/', [ 'Sys.Audit' ]],
235 additionalProperties
=> 0,
238 description
=> "Only list references of specified type.",
240 enum
=> ['alias', 'ipset'],
252 enum
=> ['alias', 'ipset'],
270 my $conf = PVE
::Firewall
::load_clusterfw_conf
();
274 if (!$param->{type
} || $param->{type
} eq 'ipset') {
275 foreach my $name (keys %{$conf->{ipset
}}) {
281 if (my $comment = $conf->{ipset_comments
}->{$name}) {
282 $data->{comment
} = $comment;
288 if (!$param->{type
} || $param->{type
} eq 'alias') {
289 foreach my $name (keys %{$conf->{aliases
}}) {
290 my $e = $conf->{aliases
}->{$name};
296 $data->{comment
} = $e->{comment
} if $e->{comment
};