]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/IPSet.pm
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
API2::Firewall::IPSet: fix alias check for ipv6 addresses
[pve-firewall.git] / src / PVE / API2 / Firewall / IPSet.pm
1 package PVE::API2::Firewall::IPSetBase;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_param_exc);
6 use PVE::JSONSchema qw(get_standard_option);
7
8 use PVE::Firewall;
9
10 use base qw(PVE::RESTHandler);
11
12 my $api_properties = {
13 cidr => {
14 description => "Network/IP specification in CIDR format.",
15 type => 'string', format => 'IPorCIDRorAlias',
16 },
17 name => get_standard_option('ipset-name'),
18 comment => {
19 type => 'string',
20 optional => 1,
21 },
22 nomatch => {
23 type => 'boolean',
24 optional => 1,
25 },
26 };
27
28 sub load_config {
29 my ($class, $param) = @_;
30
31 die "implement this in subclass";
32
33 #return ($cluster_conf, $fw_conf, $ipset);
34 }
35
36 sub save_config {
37 my ($class, $param, $fw_conf) = @_;
38
39 die "implement this in subclass";
40 }
41
42 sub rule_env {
43 my ($class, $param) = @_;
44
45 die "implement this in subclass";
46 }
47
48 sub save_ipset {
49 my ($class, $param, $fw_conf, $ipset) = @_;
50
51 if (!defined($ipset)) {
52 delete $fw_conf->{ipset}->{$param->{name}};
53 } else {
54 $fw_conf->{ipset}->{$param->{name}} = $ipset;
55 }
56
57 $class->save_config($param, $fw_conf);
58 }
59
60 my $additional_param_hash = {};
61
62 sub additional_parameters {
63 my ($class, $new_value) = @_;
64
65 if (defined($new_value)) {
66 $additional_param_hash->{$class} = $new_value;
67 }
68
69 # return a copy
70 my $copy = {};
71 my $org = $additional_param_hash->{$class} || {};
72 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
73 return $copy;
74 }
75
76 sub register_get_ipset {
77 my ($class) = @_;
78
79 my $properties = $class->additional_parameters();
80
81 $properties->{name} = $api_properties->{name};
82
83 $class->register_method({
84 name => 'get_ipset',
85 path => '',
86 method => 'GET',
87 description => "List IPSet content",
88 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
89 parameters => {
90 additionalProperties => 0,
91 properties => $properties,
92 },
93 returns => {
94 type => 'array',
95 items => {
96 type => "object",
97 properties => {
98 cidr => {
99 type => 'string',
100 },
101 comment => {
102 type => 'string',
103 optional => 1,
104 },
105 nomatch => {
106 type => 'boolean',
107 optional => 1,
108 },
109 digest => get_standard_option('pve-config-digest', { optional => 0} ),
110 },
111 },
112 links => [ { rel => 'child', href => "{cidr}" } ],
113 },
114 code => sub {
115 my ($param) = @_;
116
117 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
118
119 return PVE::Firewall::copy_list_with_digest($ipset);
120 }});
121 }
122
123 sub register_delete_ipset {
124 my ($class) = @_;
125
126 my $properties = $class->additional_parameters();
127
128 $properties->{name} = get_standard_option('ipset-name');
129
130 $class->register_method({
131 name => 'delete_ipset',
132 path => '',
133 method => 'DELETE',
134 description => "Delete IPSet",
135 protected => 1,
136 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
137 parameters => {
138 additionalProperties => 0,
139 properties => $properties,
140 },
141 returns => { type => 'null' },
142 code => sub {
143 my ($param) = @_;
144
145 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
146
147 die "IPSet '$param->{name}' is not empty\n"
148 if scalar(@$ipset);
149
150 $class->save_ipset($param, $fw_conf, undef);
151
152 return undef;
153 }});
154 }
155
156 sub register_create_ip {
157 my ($class) = @_;
158
159 my $properties = $class->additional_parameters();
160
161 $properties->{name} = $api_properties->{name};
162 $properties->{cidr} = $api_properties->{cidr};
163 $properties->{nomatch} = $api_properties->{nomatch};
164 $properties->{comment} = $api_properties->{comment};
165
166 $class->register_method({
167 name => 'create_ip',
168 path => '',
169 method => 'POST',
170 description => "Add IP or Network to IPSet.",
171 protected => 1,
172 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
173 parameters => {
174 additionalProperties => 0,
175 properties => $properties,
176 },
177 returns => { type => "null" },
178 code => sub {
179 my ($param) = @_;
180
181 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
182
183 my $cidr = $param->{cidr};
184
185 foreach my $entry (@$ipset) {
186 raise_param_exc({ cidr => "address '$cidr' already exists" })
187 if $entry->{cidr} eq $cidr;
188 }
189
190 # make sure alias exists (if $cidr is an alias)
191 PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
192 if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
193
194 my $data = { cidr => $cidr };
195
196 $data->{nomatch} = 1 if $param->{nomatch};
197 $data->{comment} = $param->{comment} if $param->{comment};
198
199 unshift @$ipset, $data;
200
201 $class->save_ipset($param, $fw_conf, $ipset);
202
203 return undef;
204 }});
205 }
206
207 sub register_read_ip {
208 my ($class) = @_;
209
210 my $properties = $class->additional_parameters();
211
212 $properties->{name} = $api_properties->{name};
213 $properties->{cidr} = $api_properties->{cidr};
214
215 $class->register_method({
216 name => 'read_ip',
217 path => '{cidr}',
218 method => 'GET',
219 description => "Read IP or Network settings from IPSet.",
220 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
221 protected => 1,
222 parameters => {
223 additionalProperties => 0,
224 properties => $properties,
225 },
226 returns => { type => "object" },
227 code => sub {
228 my ($param) = @_;
229
230 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
231
232 my $list = PVE::Firewall::copy_list_with_digest($ipset);
233
234 foreach my $entry (@$list) {
235 if ($entry->{cidr} eq $param->{cidr}) {
236 return $entry;
237 }
238 }
239
240 raise_param_exc({ cidr => "no such IP/Network" });
241 }});
242 }
243
244 sub register_update_ip {
245 my ($class) = @_;
246
247 my $properties = $class->additional_parameters();
248
249 $properties->{name} = $api_properties->{name};
250 $properties->{cidr} = $api_properties->{cidr};
251 $properties->{nomatch} = $api_properties->{nomatch};
252 $properties->{comment} = $api_properties->{comment};
253 $properties->{digest} = get_standard_option('pve-config-digest');
254
255 $class->register_method({
256 name => 'update_ip',
257 path => '{cidr}',
258 method => 'PUT',
259 description => "Update IP or Network settings",
260 protected => 1,
261 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
262 parameters => {
263 additionalProperties => 0,
264 properties => $properties,
265 },
266 returns => { type => "null" },
267 code => sub {
268 my ($param) = @_;
269
270 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
271
272 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
273 PVE::Tools::assert_if_modified($digest, $param->{digest});
274
275 foreach my $entry (@$ipset) {
276 if($entry->{cidr} eq $param->{cidr}) {
277 $entry->{nomatch} = $param->{nomatch};
278 $entry->{comment} = $param->{comment};
279 $class->save_ipset($param, $fw_conf, $ipset);
280 return;
281 }
282 }
283
284 raise_param_exc({ cidr => "no such IP/Network" });
285 }});
286 }
287
288 sub register_delete_ip {
289 my ($class) = @_;
290
291 my $properties = $class->additional_parameters();
292
293 $properties->{name} = $api_properties->{name};
294 $properties->{cidr} = $api_properties->{cidr};
295 $properties->{digest} = get_standard_option('pve-config-digest');
296
297 $class->register_method({
298 name => 'remove_ip',
299 path => '{cidr}',
300 method => 'DELETE',
301 description => "Remove IP or Network from IPSet.",
302 protected => 1,
303 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
304 parameters => {
305 additionalProperties => 0,
306 properties => $properties,
307 },
308 returns => { type => "null" },
309 code => sub {
310 my ($param) = @_;
311
312 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
313
314 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
315 PVE::Tools::assert_if_modified($digest, $param->{digest});
316
317 my $new = [];
318
319 foreach my $entry (@$ipset) {
320 push @$new, $entry if $entry->{cidr} ne $param->{cidr};
321 }
322
323 $class->save_ipset($param, $fw_conf, $new);
324
325 return undef;
326 }});
327 }
328
329 sub register_handlers {
330 my ($class) = @_;
331
332 $class->register_delete_ipset();
333 $class->register_get_ipset();
334 $class->register_create_ip();
335 $class->register_read_ip();
336 $class->register_update_ip();
337 $class->register_delete_ip();
338 }
339
340 package PVE::API2::Firewall::ClusterIPset;
341
342 use strict;
343 use warnings;
344
345 use base qw(PVE::API2::Firewall::IPSetBase);
346
347 sub rule_env {
348 my ($class, $param) = @_;
349
350 return 'cluster';
351 }
352
353 sub load_config {
354 my ($class, $param) = @_;
355
356 my $fw_conf = PVE::Firewall::load_clusterfw_conf();
357 my $ipset = $fw_conf->{ipset}->{$param->{name}};
358 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
359
360 return (undef, $fw_conf, $ipset);
361 }
362
363 sub save_config {
364 my ($class, $param, $fw_conf) = @_;
365
366 PVE::Firewall::save_clusterfw_conf($fw_conf);
367 }
368
369 __PACKAGE__->register_handlers();
370
371 package PVE::API2::Firewall::VMIPset;
372
373 use strict;
374 use warnings;
375 use PVE::JSONSchema qw(get_standard_option);
376
377 use base qw(PVE::API2::Firewall::IPSetBase);
378
379 sub rule_env {
380 my ($class, $param) = @_;
381
382 return 'vm';
383 }
384
385 __PACKAGE__->additional_parameters({
386 node => get_standard_option('pve-node'),
387 vmid => get_standard_option('pve-vmid'),
388 });
389
390 sub load_config {
391 my ($class, $param) = @_;
392
393 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
394 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
395 my $ipset = $fw_conf->{ipset}->{$param->{name}};
396 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
397
398 return ($cluster_conf, $fw_conf, $ipset);
399 }
400
401 sub save_config {
402 my ($class, $param, $fw_conf) = @_;
403
404 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
405 }
406
407 __PACKAGE__->register_handlers();
408
409 package PVE::API2::Firewall::CTIPset;
410
411 use strict;
412 use warnings;
413 use PVE::JSONSchema qw(get_standard_option);
414
415 use base qw(PVE::API2::Firewall::IPSetBase);
416
417 sub rule_env {
418 my ($class, $param) = @_;
419
420 return 'ct';
421 }
422
423 __PACKAGE__->additional_parameters({
424 node => get_standard_option('pve-node'),
425 vmid => get_standard_option('pve-vmid'),
426 });
427
428 sub load_config {
429 my ($class, $param) = @_;
430
431 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
432 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
433 my $ipset = $fw_conf->{ipset}->{$param->{name}};
434 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
435
436 return ($cluster_conf, $fw_conf, $ipset);
437 }
438
439 sub save_config {
440 my ($class, $param, $fw_conf) = @_;
441
442 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
443 }
444
445 __PACKAGE__->register_handlers();
446
447 package PVE::API2::Firewall::BaseIPSetList;
448
449 use strict;
450 use warnings;
451 use PVE::JSONSchema qw(get_standard_option);
452 use PVE::Exception qw(raise_param_exc);
453 use PVE::Firewall;
454
455 use base qw(PVE::RESTHandler);
456
457 sub load_config {
458 my ($class, $param) = @_;
459
460 die "implement this in subclass";
461
462 #return ($cluster_conf, $fw_conf);
463 }
464
465 sub save_config {
466 my ($class, $param, $fw_conf) = @_;
467
468 die "implement this in subclass";
469 }
470
471 sub rule_env {
472 my ($class, $param) = @_;
473
474 die "implement this in subclass";
475 }
476
477 my $additional_param_hash_list = {};
478
479 sub additional_parameters {
480 my ($class, $new_value) = @_;
481
482 if (defined($new_value)) {
483 $additional_param_hash_list->{$class} = $new_value;
484 }
485
486 # return a copy
487 my $copy = {};
488 my $org = $additional_param_hash_list->{$class} || {};
489 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
490 return $copy;
491 }
492
493 my $get_ipset_list = sub {
494 my ($fw_conf) = @_;
495
496 my $res = [];
497 foreach my $name (keys %{$fw_conf->{ipset}}) {
498 my $data = {
499 name => $name,
500 };
501 if (my $comment = $fw_conf->{ipset_comments}->{$name}) {
502 $data->{comment} = $comment;
503 }
504 push @$res, $data;
505 }
506
507 my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);
508
509 return wantarray ? ($list, $digest) : $list;
510 };
511
512 sub register_index {
513 my ($class) = @_;
514
515 my $properties = $class->additional_parameters();
516
517 $class->register_method({
518 name => 'ipset_index',
519 path => '',
520 method => 'GET',
521 description => "List IPSets",
522 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
523 parameters => {
524 additionalProperties => 0,
525 properties => $properties,
526 },
527 returns => {
528 type => 'array',
529 items => {
530 type => "object",
531 properties => {
532 name => get_standard_option('ipset-name'),
533 digest => get_standard_option('pve-config-digest', { optional => 0} ),
534 comment => {
535 type => 'string',
536 optional => 1,
537 }
538 },
539 },
540 links => [ { rel => 'child', href => "{name}" } ],
541 },
542 code => sub {
543 my ($param) = @_;
544
545 my ($cluster_conf, $fw_conf) = $class->load_config($param);
546
547 return &$get_ipset_list($fw_conf);
548 }});
549 }
550
551 sub register_create {
552 my ($class) = @_;
553
554 my $properties = $class->additional_parameters();
555
556 $properties->{name} = get_standard_option('ipset-name');
557
558 $properties->{comment} = { type => 'string', optional => 1 };
559
560 $properties->{digest} = get_standard_option('pve-config-digest');
561
562 $properties->{rename} = get_standard_option('ipset-name', {
563 description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
564 optional => 1 });
565
566 $class->register_method({
567 name => 'create_ipset',
568 path => '',
569 method => 'POST',
570 description => "Create new IPSet",
571 protected => 1,
572 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
573 parameters => {
574 additionalProperties => 0,
575 properties => $properties,
576 },
577 returns => { type => 'null' },
578 code => sub {
579 my ($param) = @_;
580
581 my ($cluster_conf, $fw_conf) = $class->load_config($param);
582
583 if ($param->{rename}) {
584 my (undef, $digest) = &$get_ipset_list($fw_conf);
585 PVE::Tools::assert_if_modified($digest, $param->{digest});
586
587 raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
588 if !$fw_conf->{ipset}->{$param->{rename}};
589
590 my $data = delete $fw_conf->{ipset}->{$param->{rename}};
591 $fw_conf->{ipset}->{$param->{name}} = $data;
592 if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
593 $fw_conf->{ipset_comments}->{$param->{name}} = $comment;
594 }
595 $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
596 } else {
597 foreach my $name (keys %{$fw_conf->{ipset}}) {
598 raise_param_exc({ name => "IPSet '$name' already exists" })
599 if $name eq $param->{name};
600 }
601
602 $fw_conf->{ipset}->{$param->{name}} = [];
603 $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
604 }
605
606 $class->save_config($param, $fw_conf);
607
608 return undef;
609 }});
610 }
611
612 sub register_handlers {
613 my ($class) = @_;
614
615 $class->register_index();
616 $class->register_create();
617 }
618
619 package PVE::API2::Firewall::ClusterIPSetList;
620
621 use strict;
622 use warnings;
623 use PVE::Firewall;
624
625 use base qw(PVE::API2::Firewall::BaseIPSetList);
626
627 sub rule_env {
628 my ($class, $param) = @_;
629
630 return 'cluster';
631 }
632
633 sub load_config {
634 my ($class, $param) = @_;
635
636 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
637 return (undef, $cluster_conf);
638 }
639
640 sub save_config {
641 my ($class, $param, $fw_conf) = @_;
642
643 PVE::Firewall::save_clusterfw_conf($fw_conf);
644 }
645
646 __PACKAGE__->register_handlers();
647
648 __PACKAGE__->register_method ({
649 subclass => "PVE::API2::Firewall::ClusterIPset",
650 path => '{name}',
651 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
652 fragmentDelimiter => '',
653 });
654
655 package PVE::API2::Firewall::VMIPSetList;
656
657 use strict;
658 use warnings;
659 use PVE::JSONSchema qw(get_standard_option);
660 use PVE::Firewall;
661
662 use base qw(PVE::API2::Firewall::BaseIPSetList);
663
664 __PACKAGE__->additional_parameters({
665 node => get_standard_option('pve-node'),
666 vmid => get_standard_option('pve-vmid'),
667 });
668
669 sub rule_env {
670 my ($class, $param) = @_;
671
672 return 'vm';
673 }
674
675 sub load_config {
676 my ($class, $param) = @_;
677
678 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
679 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
680 return ($cluster_conf, $fw_conf);
681 }
682
683 sub save_config {
684 my ($class, $param, $fw_conf) = @_;
685
686 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
687 }
688
689 __PACKAGE__->register_handlers();
690
691 __PACKAGE__->register_method ({
692 subclass => "PVE::API2::Firewall::VMIPset",
693 path => '{name}',
694 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
695 fragmentDelimiter => '',
696 });
697
698 package PVE::API2::Firewall::CTIPSetList;
699
700 use strict;
701 use warnings;
702 use PVE::JSONSchema qw(get_standard_option);
703 use PVE::Firewall;
704
705 use base qw(PVE::API2::Firewall::BaseIPSetList);
706
707 __PACKAGE__->additional_parameters({
708 node => get_standard_option('pve-node'),
709 vmid => get_standard_option('pve-vmid'),
710 });
711
712 sub rule_env {
713 my ($class, $param) = @_;
714
715 return 'ct';
716 }
717
718 sub load_config {
719 my ($class, $param) = @_;
720
721 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
722 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
723 return ($cluster_conf, $fw_conf);
724 }
725
726 sub save_config {
727 my ($class, $param, $fw_conf) = @_;
728
729 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
730 }
731
732 __PACKAGE__->register_handlers();
733
734 __PACKAGE__->register_method ({
735 subclass => "PVE::API2::Firewall::CTIPset",
736 path => '{name}',
737 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
738 fragmentDelimiter => '',
739 });
740
741 1;
Firewall test scripts