]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/IPSet.pm
1 package PVE
::API2
::Firewall
::IPSetBase
;
5 use PVE
::Exception
qw(raise raise_param_exc);
6 use PVE
::JSONSchema
qw(get_standard_option);
10 use base
qw(PVE::RESTHandler);
12 my $api_properties = {
14 description
=> "Network/IP specification in CIDR format.",
15 type
=> 'string', format
=> 'IPorCIDRorAlias',
17 name
=> get_standard_option
('ipset-name'),
29 my ($class, $param, $code) = @_;
31 die "implement this in subclass";
35 my ($class, $param) = @_;
37 die "implement this in subclass";
39 #return ($cluster_conf, $fw_conf, $ipset);
43 my ($class, $param, $fw_conf) = @_;
45 die "implement this in subclass";
49 my ($class, $param) = @_;
51 die "implement this in subclass";
55 my ($class, $param, $fw_conf, $ipset) = @_;
57 if (!defined($ipset)) {
58 delete $fw_conf->{ipset
}->{$param->{name
}};
60 $fw_conf->{ipset
}->{$param->{name
}} = $ipset;
63 $class->save_config($param, $fw_conf);
66 my $additional_param_hash = {};
68 sub additional_parameters
{
69 my ($class, $new_value) = @_;
71 if (defined($new_value)) {
72 $additional_param_hash->{$class} = $new_value;
77 my $org = $additional_param_hash->{$class} || {};
78 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
82 sub register_get_ipset
{
85 my $properties = $class->additional_parameters();
87 $properties->{name
} = $api_properties->{name
};
89 $class->register_method({
93 description
=> "List IPSet content",
94 permissions
=> PVE
::Firewall
::rules_audit_permissions
($class->rule_env()),
96 additionalProperties
=> 0,
97 properties
=> $properties,
115 digest
=> get_standard_option
('pve-config-digest', { optional
=> 0} ),
118 links
=> [ { rel
=> 'child', href
=> "{cidr}" } ],
123 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
125 return PVE
::Firewall
::copy_list_with_digest
($ipset);
129 sub register_delete_ipset
{
132 my $properties = $class->additional_parameters();
134 $properties->{name
} = get_standard_option
('ipset-name');
136 $class->register_method({
137 name
=> 'delete_ipset',
140 description
=> "Delete IPSet",
142 permissions
=> PVE
::Firewall
::rules_modify_permissions
($class->rule_env()),
144 additionalProperties
=> 0,
145 properties
=> $properties,
147 returns
=> { type
=> 'null' },
151 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
153 die "IPSet '$param->{name}' is not empty\n"
156 $class->save_ipset($param, $fw_conf, undef);
162 sub register_create_ip
{
165 my $properties = $class->additional_parameters();
167 $properties->{name
} = $api_properties->{name
};
168 $properties->{cidr
} = $api_properties->{cidr
};
169 $properties->{nomatch
} = $api_properties->{nomatch
};
170 $properties->{comment
} = $api_properties->{comment
};
172 $class->register_method({
176 description
=> "Add IP or Network to IPSet.",
178 permissions
=> PVE
::Firewall
::rules_modify_permissions
($class->rule_env()),
180 additionalProperties
=> 0,
181 properties
=> $properties,
183 returns
=> { type
=> "null" },
187 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
189 my $cidr = $param->{cidr
};
191 foreach my $entry (@$ipset) {
192 raise_param_exc
({ cidr
=> "address '$cidr' already exists" })
193 if $entry->{cidr
} eq $cidr;
196 raise_param_exc
({ cidr
=> "a zero prefix is not allowed in ipset entries" })
199 # make sure alias exists (if $cidr is an alias)
200 PVE
::Firewall
::resolve_alias
($cluster_conf, $fw_conf, $cidr)
201 if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
203 my $data = { cidr
=> $cidr };
205 $data->{nomatch
} = 1 if $param->{nomatch
};
206 $data->{comment
} = $param->{comment
} if $param->{comment
};
208 unshift @$ipset, $data;
210 $class->save_ipset($param, $fw_conf, $ipset);
216 sub register_read_ip
{
219 my $properties = $class->additional_parameters();
221 $properties->{name
} = $api_properties->{name
};
222 $properties->{cidr
} = $api_properties->{cidr
};
224 $class->register_method({
228 description
=> "Read IP or Network settings from IPSet.",
229 permissions
=> PVE
::Firewall
::rules_audit_permissions
($class->rule_env()),
232 additionalProperties
=> 0,
233 properties
=> $properties,
235 returns
=> { type
=> "object" },
239 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
241 my $list = PVE
::Firewall
::copy_list_with_digest
($ipset);
243 foreach my $entry (@$list) {
244 if ($entry->{cidr
} eq $param->{cidr
}) {
249 raise_param_exc
({ cidr
=> "no such IP/Network" });
253 sub register_update_ip
{
256 my $properties = $class->additional_parameters();
258 $properties->{name
} = $api_properties->{name
};
259 $properties->{cidr
} = $api_properties->{cidr
};
260 $properties->{nomatch
} = $api_properties->{nomatch
};
261 $properties->{comment
} = $api_properties->{comment
};
262 $properties->{digest
} = get_standard_option
('pve-config-digest');
264 $class->register_method({
268 description
=> "Update IP or Network settings",
270 permissions
=> PVE
::Firewall
::rules_modify_permissions
($class->rule_env()),
272 additionalProperties
=> 0,
273 properties
=> $properties,
275 returns
=> { type
=> "null" },
279 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
281 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($ipset);
282 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
284 foreach my $entry (@$ipset) {
285 if($entry->{cidr
} eq $param->{cidr
}) {
286 $entry->{nomatch
} = $param->{nomatch
};
287 $entry->{comment
} = $param->{comment
};
288 $class->save_ipset($param, $fw_conf, $ipset);
293 raise_param_exc
({ cidr
=> "no such IP/Network" });
297 sub register_delete_ip
{
300 my $properties = $class->additional_parameters();
302 $properties->{name
} = $api_properties->{name
};
303 $properties->{cidr
} = $api_properties->{cidr
};
304 $properties->{digest
} = get_standard_option
('pve-config-digest');
306 $class->register_method({
310 description
=> "Remove IP or Network from IPSet.",
312 permissions
=> PVE
::Firewall
::rules_modify_permissions
($class->rule_env()),
314 additionalProperties
=> 0,
315 properties
=> $properties,
317 returns
=> { type
=> "null" },
321 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
323 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($ipset);
324 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
328 foreach my $entry (@$ipset) {
329 push @$new, $entry if $entry->{cidr
} ne $param->{cidr
};
332 $class->save_ipset($param, $fw_conf, $new);
338 sub register_handlers
{
341 $class->register_delete_ipset();
342 $class->register_get_ipset();
343 $class->register_create_ip();
344 $class->register_read_ip();
345 $class->register_update_ip();
346 $class->register_delete_ip();
349 package PVE
::API2
::Firewall
::ClusterIPset
;
354 use base
qw(PVE::API2::Firewall::IPSetBase);
357 my ($class, $param) = @_;
363 my ($class, $param, $code) = @_;
365 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
369 my ($class, $param) = @_;
371 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
372 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
373 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
375 return (undef, $fw_conf, $ipset);
379 my ($class, $param, $fw_conf) = @_;
381 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
384 __PACKAGE__-
>register_handlers();
386 package PVE
::API2
::Firewall
::VMIPset
;
390 use PVE
::JSONSchema
qw(get_standard_option);
392 use base
qw(PVE::API2::Firewall::IPSetBase);
395 my ($class, $param) = @_;
400 __PACKAGE__-
>additional_parameters({
401 node
=> get_standard_option
('pve-node'),
402 vmid
=> get_standard_option
('pve-vmid'),
406 my ($class, $param, $code) = @_;
408 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
412 my ($class, $param) = @_;
414 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
415 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
416 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
417 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
419 return ($cluster_conf, $fw_conf, $ipset);
423 my ($class, $param, $fw_conf) = @_;
425 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
428 __PACKAGE__-
>register_handlers();
430 package PVE
::API2
::Firewall
::CTIPset
;
434 use PVE
::JSONSchema
qw(get_standard_option);
436 use base
qw(PVE::API2::Firewall::IPSetBase);
439 my ($class, $param) = @_;
444 __PACKAGE__-
>additional_parameters({
445 node
=> get_standard_option
('pve-node'),
446 vmid
=> get_standard_option
('pve-vmid'),
450 my ($class, $param, $code) = @_;
452 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
456 my ($class, $param) = @_;
458 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
459 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
460 my $ipset = $fw_conf->{ipset
}->{$param->{name
}};
461 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
463 return ($cluster_conf, $fw_conf, $ipset);
467 my ($class, $param, $fw_conf) = @_;
469 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
472 __PACKAGE__-
>register_handlers();
474 package PVE
::API2
::Firewall
::BaseIPSetList
;
478 use PVE
::JSONSchema
qw(get_standard_option);
479 use PVE
::Exception
qw(raise_param_exc);
482 use base
qw(PVE::RESTHandler);
485 my ($class, $param, $code) = @_;
487 die "implement this in subclass";
491 my ($class, $param) = @_;
493 die "implement this in subclass";
495 #return ($cluster_conf, $fw_conf);
499 my ($class, $param, $fw_conf) = @_;
501 die "implement this in subclass";
505 my ($class, $param) = @_;
507 die "implement this in subclass";
510 my $additional_param_hash_list = {};
512 sub additional_parameters
{
513 my ($class, $new_value) = @_;
515 if (defined($new_value)) {
516 $additional_param_hash_list->{$class} = $new_value;
521 my $org = $additional_param_hash_list->{$class} || {};
522 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
526 my $get_ipset_list = sub {
530 foreach my $name (sort keys %{$fw_conf->{ipset
}}) {
534 if (my $comment = $fw_conf->{ipset_comments
}->{$name}) {
535 $data->{comment
} = $comment;
540 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($res);
542 return wantarray ?
($list, $digest) : $list;
548 my $properties = $class->additional_parameters();
550 $class->register_method({
551 name
=> 'ipset_index',
554 description
=> "List IPSets",
555 permissions
=> PVE
::Firewall
::rules_audit_permissions
($class->rule_env()),
557 additionalProperties
=> 0,
558 properties
=> $properties,
565 name
=> get_standard_option
('ipset-name'),
566 digest
=> get_standard_option
('pve-config-digest', { optional
=> 0} ),
573 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
578 my ($cluster_conf, $fw_conf) = $class->load_config($param);
580 return &$get_ipset_list($fw_conf);
584 sub register_create
{
587 my $properties = $class->additional_parameters();
589 $properties->{name
} = get_standard_option
('ipset-name');
591 $properties->{comment
} = { type
=> 'string', optional
=> 1 };
593 $properties->{digest
} = get_standard_option
('pve-config-digest');
595 $properties->{rename} = get_standard_option
('ipset-name', {
596 description
=> "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
599 $class->register_method({
600 name
=> 'create_ipset',
603 description
=> "Create new IPSet",
605 permissions
=> PVE
::Firewall
::rules_modify_permissions
($class->rule_env()),
607 additionalProperties
=> 0,
608 properties
=> $properties,
610 returns
=> { type
=> 'null' },
614 my ($cluster_conf, $fw_conf) = $class->load_config($param);
616 if ($param->{rename}) {
617 my (undef, $digest) = &$get_ipset_list($fw_conf);
618 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
620 raise_param_exc
({ name
=> "IPSet '$param->{rename}' does not exist" })
621 if !$fw_conf->{ipset
}->{$param->{rename}};
623 # prevent overwriting existing ipset
624 raise_param_exc
({ name
=> "IPSet '$param->{name}' does already exist"})
625 if $fw_conf->{ipset
}->{$param->{name
}} &&
626 $param->{name
} ne $param->{rename};
628 my $data = delete $fw_conf->{ipset
}->{$param->{rename}};
629 $fw_conf->{ipset
}->{$param->{name
}} = $data;
630 if (my $comment = delete $fw_conf->{ipset_comments
}->{$param->{rename}}) {
631 $fw_conf->{ipset_comments
}->{$param->{name
}} = $comment;
633 $fw_conf->{ipset_comments
}->{$param->{name
}} = $param->{comment
} if defined($param->{comment
});
635 foreach my $name (keys %{$fw_conf->{ipset
}}) {
636 raise_param_exc
({ name
=> "IPSet '$name' already exists" })
637 if $name eq $param->{name
};
640 $fw_conf->{ipset
}->{$param->{name
}} = [];
641 $fw_conf->{ipset_comments
}->{$param->{name
}} = $param->{comment
} if defined($param->{comment
});
644 $class->save_config($param, $fw_conf);
650 sub register_handlers
{
653 $class->register_index();
654 $class->register_create();
657 package PVE
::API2
::Firewall
::ClusterIPSetList
;
663 use base
qw(PVE::API2::Firewall::BaseIPSetList);
666 my ($class, $param) = @_;
672 my ($class, $param, $code) = @_;
674 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
678 my ($class, $param) = @_;
680 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
681 return (undef, $cluster_conf);
685 my ($class, $param, $fw_conf) = @_;
687 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
690 __PACKAGE__-
>register_handlers();
692 __PACKAGE__-
>register_method ({
693 subclass
=> "PVE::API2::Firewall::ClusterIPset",
695 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
696 fragmentDelimiter
=> '',
699 package PVE
::API2
::Firewall
::VMIPSetList
;
703 use PVE
::JSONSchema
qw(get_standard_option);
706 use base
qw(PVE::API2::Firewall::BaseIPSetList);
708 __PACKAGE__-
>additional_parameters({
709 node
=> get_standard_option
('pve-node'),
710 vmid
=> get_standard_option
('pve-vmid'),
714 my ($class, $param) = @_;
720 my ($class, $param, $code) = @_;
722 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
726 my ($class, $param) = @_;
728 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
729 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
730 return ($cluster_conf, $fw_conf);
734 my ($class, $param, $fw_conf) = @_;
736 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
739 __PACKAGE__-
>register_handlers();
741 __PACKAGE__-
>register_method ({
742 subclass
=> "PVE::API2::Firewall::VMIPset",
744 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
745 fragmentDelimiter
=> '',
748 package PVE
::API2
::Firewall
::CTIPSetList
;
752 use PVE
::JSONSchema
qw(get_standard_option);
755 use base
qw(PVE::API2::Firewall::BaseIPSetList);
757 __PACKAGE__-
>additional_parameters({
758 node
=> get_standard_option
('pve-node'),
759 vmid
=> get_standard_option
('pve-vmid'),
763 my ($class, $param) = @_;
769 my ($class, $param, $code) = @_;
771 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
775 my ($class, $param) = @_;
777 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
778 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
779 return ($cluster_conf, $fw_conf);
783 my ($class, $param, $fw_conf) = @_;
785 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
788 __PACKAGE__-
>register_handlers();
790 __PACKAGE__-
>register_method ({
791 subclass
=> "PVE::API2::Firewall::CTIPset",
793 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
794 fragmentDelimiter
=> '',