]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/IPSet.pm
24a45ae9a1a046429d7ae59a65712b371ad26270
1 package PVE
::API2
::Firewall
::IPSetBase
;
5 use PVE
::Exception
qw(raise raise_param_exc);
6 use PVE
::JSONSchema
qw(get_standard_option);
10 use base
qw(PVE::RESTHandler);
12 my $api_properties = {
14 description
=> "Network/IP specification in CIDR format.",
15 type
=> 'string', format
=> 'IPv4orCIDRorAlias',
17 name
=> get_standard_option
('ipset-name'),
29 my ($class, $param) = @_;
31 die "implement this in subclass";
33 #return ($cluster_conf, $fw_conf, $ipset);
37 my ($class, $param, $fw_conf) = @_;
39 die "implement this in subclass";
43 my ($class, $param, $fw_conf, $ipset) = @_;
45 if (!defined($ipset)) {
46 delete $fw_conf->{ipset
}->{$param->{name
}};
48 $fw_conf->{ipset
}->{$param->{name
}} = $ipset;
51 $class->save_config($param, $fw_conf);
54 my $additional_param_hash = {};
56 sub additional_parameters
{
57 my ($class, $new_value) = @_;
59 if (defined($new_value)) {
60 $additional_param_hash->{$class} = $new_value;
65 my $org = $additional_param_hash->{$class} || {};
66 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
70 sub register_get_ipset
{
73 my $properties = $class->additional_parameters();
75 $properties->{name
} = $api_properties->{name
};
77 $class->register_method({
81 description
=> "List IPSet content",
83 additionalProperties
=> 0,
84 properties
=> $properties,
102 digest
=> get_standard_option
('pve-config-digest', { optional
=> 0} ),
105 links
=> [ { rel
=> 'child', href
=> "{cidr}" } ],
110 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
112 return PVE
::Firewall
::copy_list_with_digest
($ipset);
116 sub register_delete_ipset
{
119 my $properties = $class->additional_parameters();
121 $properties->{name
} = get_standard_option
('ipset-name');
123 $class->register_method({
124 name
=> 'delete_ipset',
127 description
=> "Delete IPSet",
130 additionalProperties
=> 0,
131 properties
=> $properties,
133 returns
=> { type
=> 'null' },
137 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
139 die "IPSet '$param->{name}' is not empty\n"
142 $class->save_ipset($param, $fw_conf, undef);
148 sub register_create_ip
{
151 my $properties = $class->additional_parameters();
153 $properties->{name
} = $api_properties->{name
};
154 $properties->{cidr
} = $api_properties->{cidr
};
155 $properties->{nomatch
} = $api_properties->{nomatch
};
156 $properties->{comment
} = $api_properties->{comment
};
158 $class->register_method({
162 description
=> "Add IP or Network to IPSet.",
165 additionalProperties
=> 0,
166 properties
=> $properties,
168 returns
=> { type
=> "null" },
172 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
174 my $cidr = $param->{cidr
};
176 foreach my $entry (@$ipset) {
177 raise_param_exc
({ cidr
=> "address '$cidr' already exists" })
178 if $entry->{cidr
} eq $cidr;
181 # make sure alias exists (if $cidr is an alias)
182 PVE
::Firewall
::resolve_alias
($cluster_conf, $fw_conf, $cidr);
184 my $data = { cidr
=> $cidr };
186 $data->{nomatch
} = 1 if $param->{nomatch
};
187 $data->{comment
} = $param->{comment
} if $param->{comment
};
189 unshift @$ipset, $data;
191 $class->save_ipset($param, $fw_conf, $ipset);
197 sub register_read_ip
{
200 my $properties = $class->additional_parameters();
202 $properties->{name
} = $api_properties->{name
};
203 $properties->{cidr
} = $api_properties->{cidr
};
205 $class->register_method({
209 description
=> "Read IP or Network settings from IPSet.",
212 additionalProperties
=> 0,
213 properties
=> $properties,
215 returns
=> { type
=> "object" },
219 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
221 my $list = PVE
::Firewall
::copy_list_with_digest
($ipset);
223 foreach my $entry (@$list) {
224 if ($entry->{cidr
} eq $param->{cidr
}) {
229 raise_param_exc
({ cidr
=> "no such IP/Network" });
233 sub register_update_ip
{
236 my $properties = $class->additional_parameters();
238 $properties->{name
} = $api_properties->{name
};
239 $properties->{cidr
} = $api_properties->{cidr
};
240 $properties->{nomatch
} = $api_properties->{nomatch
};
241 $properties->{comment
} = $api_properties->{comment
};
242 $properties->{digest
} = get_standard_option
('pve-config-digest');
244 $class->register_method({
248 description
=> "Update IP or Network settings",
251 additionalProperties
=> 0,
252 properties
=> $properties,
254 returns
=> { type
=> "null" },
258 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
260 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($ipset);
261 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
263 foreach my $entry (@$ipset) {
264 if($entry->{cidr
} eq $param->{cidr
}) {
265 $entry->{nomatch
} = $param->{nomatch
};
266 $entry->{comment
} = $param->{comment
};
267 $class->save_ipset($param, $fw_conf, $ipset);
272 raise_param_exc
({ cidr
=> "no such IP/Network" });
276 sub register_delete_ip
{
279 my $properties = $class->additional_parameters();
281 $properties->{name
} = $api_properties->{name
};
282 $properties->{cidr
} = $api_properties->{cidr
};
283 $properties->{digest
} = get_standard_option
('pve-config-digest');
285 $class->register_method({
289 description
=> "Remove IP or Network from IPSet.",
292 additionalProperties
=> 0,
293 properties
=> $properties,
295 returns
=> { type
=> "null" },
299 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
301 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($ipset);
302 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
306 foreach my $entry (@$ipset) {
307 push @$new, $entry if $entry->{cidr
} ne $param->{cidr
};
310 $class->save_ipset($param, $fw_conf, $new);
316 sub register_handlers
{
319 $class->register_delete_ipset();
320 $class->register_get_ipset();
321 $class->register_create_ip();
322 $class->register_read_ip();
323 $class->register_update_ip();
324 $class->register_delete_ip();
327 package PVE
::API2
::Firewall
::ClusterIPset
;
332 use base
qw(PVE::API2::Firewall::IPSetBase);
335 my ($class, $param) = @_;
337 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
338 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
339 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
341 return (undef, $fw_conf, $ipset);
345 my ($class, $param, $fw_conf) = @_;
347 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
350 __PACKAGE__-
>register_handlers();
352 package PVE
::API2
::Firewall
::VMIPset
;
356 use PVE
::JSONSchema
qw(get_standard_option);
358 use base
qw(PVE::API2::Firewall::IPSetBase);
360 __PACKAGE__-
>additional_parameters({
361 node
=> get_standard_option
('pve-node'),
362 vmid
=> get_standard_option
('pve-vmid'),
366 my ($class, $param) = @_;
368 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
369 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
370 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
371 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
373 return ($cluster_conf, $fw_conf, $ipset);
377 my ($class, $param, $fw_conf) = @_;
379 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
382 __PACKAGE__-
>register_handlers();
384 package PVE
::API2
::Firewall
::CTIPset
;
388 use PVE
::JSONSchema
qw(get_standard_option);
390 use base
qw(PVE::API2::Firewall::IPSetBase);
392 __PACKAGE__-
>additional_parameters({
393 node
=> get_standard_option
('pve-node'),
394 vmid
=> get_standard_option
('pve-vmid'),
398 my ($class, $param) = @_;
400 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
401 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
402 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
403 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
405 return ($cluster_conf, $fw_conf, $ipset);
409 my ($class, $param, $fw_conf) = @_;
411 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
414 __PACKAGE__-
>register_handlers();
416 package PVE
::API2
::Firewall
::BaseIPSetList
;
420 use PVE
::JSONSchema
qw(get_standard_option);
421 use PVE
::Exception
qw(raise_param_exc);
424 use base
qw(PVE::RESTHandler);
427 my ($class, $param) = @_;
429 die "implement this in subclass";
431 #return ($cluster_conf, $fw_conf);
435 my ($class, $param, $fw_conf) = @_;
437 die "implement this in subclass";
440 my $additional_param_hash_list = {};
442 sub additional_parameters
{
443 my ($class, $new_value) = @_;
445 if (defined($new_value)) {
446 $additional_param_hash_list->{$class} = $new_value;
451 my $org = $additional_param_hash_list->{$class} || {};
452 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
456 my $get_ipset_list = sub {
460 foreach my $name (keys %{$fw_conf->{ipset
}}) {
464 if (my $comment = $fw_conf->{ipset_comments
}->{$name}) {
465 $data->{comment
} = $comment;
470 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($res);
472 return wantarray ?
($list, $digest) : $list;
478 my $properties = $class->additional_parameters();
480 $class->register_method({
481 name
=> 'ipset_index',
484 description
=> "List IPSets",
486 additionalProperties
=> 0,
487 properties
=> $properties,
494 name
=> get_standard_option
('ipset-name'),
495 digest
=> get_standard_option
('pve-config-digest', { optional
=> 0} ),
502 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
507 my ($cluster_conf, $fw_conf) = $class->load_config($param);
509 return &$get_ipset_list($fw_conf);
513 sub register_create
{
516 my $properties = $class->additional_parameters();
518 $properties->{name
} = get_standard_option
('ipset-name');
520 $properties->{comment
} = { type
=> 'string', optional
=> 1 };
522 $properties->{digest
} = get_standard_option
('pve-config-digest');
524 $properties->{rename} = get_standard_option
('ipset-name', {
525 description
=> "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
528 $class->register_method({
529 name
=> 'create_ipset',
532 description
=> "Create new IPSet",
535 additionalProperties
=> 0,
536 properties
=> $properties,
538 returns
=> { type
=> 'null' },
542 my ($cluster_conf, $fw_conf) = $class->load_config($param);
544 if ($param->{rename}) {
545 my (undef, $digest) = &$get_ipset_list($fw_conf);
546 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
548 raise_param_exc
({ name
=> "IPSet '$param->{rename}' does not exists" })
549 if !$fw_conf->{ipset
}->{$param->{rename}};
551 my $data = delete $fw_conf->{ipset
}->{$param->{rename}};
552 $fw_conf->{ipset
}->{$param->{name
}} = $data;
553 if (my $comment = delete $fw_conf->{ipset_comments
}->{$param->{rename}}) {
554 $fw_conf->{ipset_comments
}->{$param->{name
}} = $comment;
556 $fw_conf->{ipset_comments
}->{$param->{name
}} = $param->{comment
} if defined($param->{comment
});
558 foreach my $name (keys %{$fw_conf->{ipset
}}) {
559 raise_param_exc
({ name
=> "IPSet '$name' already exists" })
560 if $name eq $param->{name
};
563 $fw_conf->{ipset
}->{$param->{name
}} = [];
564 $fw_conf->{ipset_comments
}->{$param->{name
}} = $param->{comment
} if defined($param->{comment
});
567 $class->save_config($param, $fw_conf);
573 sub register_handlers
{
576 $class->register_index();
577 $class->register_create();
580 package PVE
::API2
::Firewall
::ClusterIPSetList
;
586 use base
qw(PVE::API2::Firewall::BaseIPSetList);
589 my ($class, $param) = @_;
591 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
592 return (undef, $cluster_conf);
596 my ($class, $param, $fw_conf) = @_;
598 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
601 __PACKAGE__-
>register_handlers();
603 __PACKAGE__-
>register_method ({
604 subclass
=> "PVE::API2::Firewall::ClusterIPset",
606 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
607 fragmentDelimiter
=> '',
610 package PVE
::API2
::Firewall
::VMIPSetList
;
614 use PVE
::JSONSchema
qw(get_standard_option);
617 use base
qw(PVE::API2::Firewall::BaseIPSetList);
619 __PACKAGE__-
>additional_parameters({
620 node
=> get_standard_option
('pve-node'),
621 vmid
=> get_standard_option
('pve-vmid'),
625 my ($class, $param) = @_;
627 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
628 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
629 return ($cluster_conf, $fw_conf);
633 my ($class, $param, $fw_conf) = @_;
635 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
638 __PACKAGE__-
>register_handlers();
640 __PACKAGE__-
>register_method ({
641 subclass
=> "PVE::API2::Firewall::VMIPset",
643 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
644 fragmentDelimiter
=> '',
647 package PVE
::API2
::Firewall
::CTIPSetList
;
651 use PVE
::JSONSchema
qw(get_standard_option);
654 use base
qw(PVE::API2::Firewall::BaseIPSetList);
656 __PACKAGE__-
>additional_parameters({
657 node
=> get_standard_option
('pve-node'),
658 vmid
=> get_standard_option
('pve-vmid'),
662 my ($class, $param) = @_;
664 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
665 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
666 return ($cluster_conf, $fw_conf);
670 my ($class, $param, $fw_conf) = @_;
672 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
675 __PACKAGE__-
>register_handlers();
677 __PACKAGE__-
>register_method ({
678 subclass
=> "PVE::API2::Firewall::CTIPset",
680 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
681 fragmentDelimiter
=> '',