1 package PVE::API2::Firewall::Host;
2
3 use strict;
4 use warnings;
5
6 use PVE::Exception qw(raise_param_exc);
7 use PVE::JSONSchema qw(get_standard_option);
8 use PVE::RPCEnvironment;
9
10 use PVE::Firewall;
11 use PVE::API2::Firewall::Rules;
12
13
14 use base qw(PVE::RESTHandler);
15
# Mount the host rule handlers under the relative path 'rules'.
# The handler class is not defined in this file; presumably it comes from
# PVE::API2::Firewall::Rules, which is loaded above -- confirm.
__PACKAGE__->register_method({
    path     => 'rules',
    subclass => "PVE::API2::Firewall::HostRules",
});
20
# GET on the base path: static directory index of the host firewall
# sub-resources. "user => 'all'" opens the call to every authenticated user;
# the handler only returns the fixed child names below and reads no firewall
# configuration, so nothing node-specific is disclosed here.
__PACKAGE__->register_method({
    name        => 'index',
    path        => '',
    method      => 'GET',
    description => "Directory index.",
    permissions => { user => 'all' },
    parameters  => {
        additionalProperties => 0,    # parameters not declared here are rejected
        properties           => {
            node => get_standard_option('pve-node'),
        },
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {},
        },
        links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
        my ($param) = @_;

        # One entry per child path registered in this module.
        return [
            { name => 'rules' },
            { name => 'options' },
            { name => 'log' },
        ];
    },
});
52
# Schema of the host-level firewall options. This is the same reference that
# PVE::Firewall exposes, not a copy.
my $option_properties = $PVE::Firewall::host_option_properties;

# Merge every host option schema entry into the given property hash.
# The hash is modified in place and returned; an existing entry with the same
# key is overwritten by the option schema.
my $add_option_properties = sub {
    my ($properties) = @_;

    $properties->{$_} = $option_properties->{$_}
        for keys %$option_properties;

    return $properties;
};
64
65
# GET 'options': return the options section of the host firewall
# configuration, passed through copy_opject_with_digest().
# Access control: Sys.Audit on /nodes/{node}. "proxyto => 'node'" sends the
# request to the node named in the parameter. Unlike the PUT handler on the
# same path, this read is not marked 'protected'.
__PACKAGE__->register_method({
    name        => 'get_options',
    path        => 'options',
    method      => 'GET',
    description => "Get host firewall options.",
    proxyto     => 'node',
    permissions => {
        check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
    },
    parameters => {
        additionalProperties => 0,
        properties           => {
            node => get_standard_option('pve-node'),
        },
    },
    returns => {
        type => "object",
        #additionalProperties => 1,
        properties => $option_properties,
    },
    code => sub {
        my ($param) = @_;

        # The host config loader takes the cluster config as its argument.
        my $cluster_fw = PVE::Firewall::load_clusterfw_conf();
        my $host_fw    = PVE::Firewall::load_hostfw_conf($cluster_fw);

        # The helper name is spelled "opject" in PVE::Firewall; keep it as is.
        return PVE::Firewall::copy_opject_with_digest($host_fw->{options});
    },
});
94
# PUT 'options': set and/or delete host firewall options.
# Access control: Sys.Modify on /nodes/{node}; the call is marked 'protected'
# and proxied to the named node. Accepted parameters are the host option
# schema plus 'node', 'delete' and 'digest'; anything else is rejected because
# additionalProperties is 0.
# NOTE(review): PVE::Tools is called fully qualified below but this file has
# no "use PVE::Tools;" line, so it relies on another module having loaded it.
__PACKAGE__->register_method({
    name        => 'set_options',
    path        => 'options',
    method      => 'PUT',
    description => "Set Firewall options.",
    protected   => 1,
    proxyto     => 'node',
    permissions => {
        check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    parameters => {
        additionalProperties => 0,
        properties           => $add_option_properties->({
            node   => get_standard_option('pve-node'),
            delete => {
                type        => 'string',
                format      => 'pve-configid-list',
                description => "A list of settings you want to delete.",
                optional    => 1,
            },
            digest => get_standard_option('pve-config-digest'),
        }),
    },
    returns => { type => "null" },
    code    => sub {
        my ($param) = @_;

        # Load, check, modify and save all run inside the callback given to
        # lock_hostfw_conf (second argument 10, presumably a timeout in
        # seconds -- confirm), so the digest check and the write belong to
        # one locked section.
        PVE::Firewall::lock_hostfw_conf(undef, 10, sub {
            my $cluster_fw = PVE::Firewall::load_clusterfw_conf();
            my $host_fw    = PVE::Firewall::load_hostfw_conf($cluster_fw);

            # Compare the caller-supplied digest with the digest of the
            # options as they are now, before touching anything.
            my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($host_fw->{options});
            PVE::Tools::assert_if_modified($digest, $param->{digest});

            # Deletions run first; only names present in the option schema
            # are accepted. A key that is both deleted and set in the same
            # request therefore ends up set.
            if ($param->{delete}) {
                for my $opt (PVE::Tools::split_list($param->{delete})) {
                    raise_param_exc({ delete => "no such option '$opt'" })
                        if !$option_properties->{$opt};
                    delete $host_fw->{options}->{$opt};
                }
            }

            # Store 'enable' as exactly 1 or 0.
            $param->{enable} = $param->{enable} ? 1 : 0
                if defined($param->{enable});

            # Copy schema-known keys only; 'node', 'delete' and 'digest'
            # never reach the stored options unless the schema lists them.
            for my $key (keys %$option_properties) {
                $host_fw->{options}->{$key} = $param->{$key}
                    if defined($param->{$key});
            }

            PVE::Firewall::save_hostfw_conf($host_fw);
        });

        return undef;
    },
});
150
# GET 'log': return lines of the firewall log as { n, t } objects.
# Access control: Sys.Syslog on /nodes/{node}; marked 'protected' and proxied
# to the named node. The file path is a fixed literal, so request parameters
# cannot point the reader at a different file.
# NOTE(review): 'start' and 'limit' have a minimum but no maximum in this
# schema; any upper bound on the returned lines has to come from
# dump_fw_logfile -- confirm.
# NOTE(review): PVE::Firewall::Helpers is called fully qualified but is not
# loaded by a "use" line in this file.
__PACKAGE__->register_method({
    name        => 'log',
    path        => 'log',
    method      => 'GET',
    description => "Read firewall log",
    proxyto     => 'node',
    protected   => 1,
    permissions => {
        check => ['perm', '/nodes/{node}', [ 'Sys.Syslog' ]],
    },
    parameters => {
        additionalProperties => 0,
        properties           => {
            node  => get_standard_option('pve-node'),
            start => {
                type     => 'integer',
                minimum  => 0,
                optional => 1,
            },
            limit => {
                type     => 'integer',
                minimum  => 0,
                optional => 1,
            },
            since => {
                type        => 'integer',
                minimum     => 0,
                description => "Display log since this UNIX epoch.",
                optional    => 1,
            },
            until => {
                type        => 'integer',
                minimum     => 0,
                description => "Display log until this UNIX epoch.",
                optional    => 1,
            },
        },
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {
                n => {
                    description => "Line number",
                    type        => 'integer',
                },
                t => {
                    description => "Line text",
                    type        => 'string',
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();

        # NOTE(review): $user and $node are assigned but not used below.
        my $user = $rpcenv->get_user();
        my $node = $param->{node};

        my $filename = "/var/log/pve-firewall.log";

        # The whole parameter hash (including 'node') is handed to the helper.
        my ($total, $entries) =
            PVE::Firewall::Helpers::dump_fw_logfile($filename, $param, undef);

        # Report the helper's count as the 'total' result attribute.
        $rpcenv->set_result_attrib('total', $total);

        return $entries;
    },
});

1;