]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/IPSet.pm
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
sort ipsets so that the digest is consistent
[pve-firewall.git] / src / PVE / API2 / Firewall / IPSet.pm
1 package PVE::API2::Firewall::IPSetBase;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_param_exc);
6 use PVE::JSONSchema qw(get_standard_option);
7
8 use PVE::Firewall;
9
10 use base qw(PVE::RESTHandler);
11
12 my $api_properties = {
13 cidr => {
14 description => "Network/IP specification in CIDR format.",
15 type => 'string', format => 'IPorCIDRorAlias',
16 },
17 name => get_standard_option('ipset-name'),
18 comment => {
19 type => 'string',
20 optional => 1,
21 },
22 nomatch => {
23 type => 'boolean',
24 optional => 1,
25 },
26 };
27
28 sub load_config {
29 my ($class, $param) = @_;
30
31 die "implement this in subclass";
32
33 #return ($cluster_conf, $fw_conf, $ipset);
34 }
35
36 sub save_config {
37 my ($class, $param, $fw_conf) = @_;
38
39 die "implement this in subclass";
40 }
41
42 sub rule_env {
43 my ($class, $param) = @_;
44
45 die "implement this in subclass";
46 }
47
48 sub save_ipset {
49 my ($class, $param, $fw_conf, $ipset) = @_;
50
51 if (!defined($ipset)) {
52 delete $fw_conf->{ipset}->{$param->{name}};
53 } else {
54 $fw_conf->{ipset}->{$param->{name}} = $ipset;
55 }
56
57 $class->save_config($param, $fw_conf);
58 }
59
60 my $additional_param_hash = {};
61
62 sub additional_parameters {
63 my ($class, $new_value) = @_;
64
65 if (defined($new_value)) {
66 $additional_param_hash->{$class} = $new_value;
67 }
68
69 # return a copy
70 my $copy = {};
71 my $org = $additional_param_hash->{$class} || {};
72 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
73 return $copy;
74 }
75
76 sub register_get_ipset {
77 my ($class) = @_;
78
79 my $properties = $class->additional_parameters();
80
81 $properties->{name} = $api_properties->{name};
82
83 $class->register_method({
84 name => 'get_ipset',
85 path => '',
86 method => 'GET',
87 description => "List IPSet content",
88 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
89 parameters => {
90 additionalProperties => 0,
91 properties => $properties,
92 },
93 returns => {
94 type => 'array',
95 items => {
96 type => "object",
97 properties => {
98 cidr => {
99 type => 'string',
100 },
101 comment => {
102 type => 'string',
103 optional => 1,
104 },
105 nomatch => {
106 type => 'boolean',
107 optional => 1,
108 },
109 digest => get_standard_option('pve-config-digest', { optional => 0} ),
110 },
111 },
112 links => [ { rel => 'child', href => "{cidr}" } ],
113 },
114 code => sub {
115 my ($param) = @_;
116
117 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
118
119 return PVE::Firewall::copy_list_with_digest($ipset);
120 }});
121 }
122
123 sub register_delete_ipset {
124 my ($class) = @_;
125
126 my $properties = $class->additional_parameters();
127
128 $properties->{name} = get_standard_option('ipset-name');
129
130 $class->register_method({
131 name => 'delete_ipset',
132 path => '',
133 method => 'DELETE',
134 description => "Delete IPSet",
135 protected => 1,
136 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
137 parameters => {
138 additionalProperties => 0,
139 properties => $properties,
140 },
141 returns => { type => 'null' },
142 code => sub {
143 my ($param) = @_;
144
145 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
146
147 die "IPSet '$param->{name}' is not empty\n"
148 if scalar(@$ipset);
149
150 $class->save_ipset($param, $fw_conf, undef);
151
152 return undef;
153 }});
154 }
155
156 sub register_create_ip {
157 my ($class) = @_;
158
159 my $properties = $class->additional_parameters();
160
161 $properties->{name} = $api_properties->{name};
162 $properties->{cidr} = $api_properties->{cidr};
163 $properties->{nomatch} = $api_properties->{nomatch};
164 $properties->{comment} = $api_properties->{comment};
165
166 $class->register_method({
167 name => 'create_ip',
168 path => '',
169 method => 'POST',
170 description => "Add IP or Network to IPSet.",
171 protected => 1,
172 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
173 parameters => {
174 additionalProperties => 0,
175 properties => $properties,
176 },
177 returns => { type => "null" },
178 code => sub {
179 my ($param) = @_;
180
181 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
182
183 my $cidr = $param->{cidr};
184
185 foreach my $entry (@$ipset) {
186 raise_param_exc({ cidr => "address '$cidr' already exists" })
187 if $entry->{cidr} eq $cidr;
188 }
189
190 raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
191 if $cidr =~ m!/0+$!;
192
193 # make sure alias exists (if $cidr is an alias)
194 PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
195 if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
196
197 my $data = { cidr => $cidr };
198
199 $data->{nomatch} = 1 if $param->{nomatch};
200 $data->{comment} = $param->{comment} if $param->{comment};
201
202 unshift @$ipset, $data;
203
204 $class->save_ipset($param, $fw_conf, $ipset);
205
206 return undef;
207 }});
208 }
209
210 sub register_read_ip {
211 my ($class) = @_;
212
213 my $properties = $class->additional_parameters();
214
215 $properties->{name} = $api_properties->{name};
216 $properties->{cidr} = $api_properties->{cidr};
217
218 $class->register_method({
219 name => 'read_ip',
220 path => '{cidr}',
221 method => 'GET',
222 description => "Read IP or Network settings from IPSet.",
223 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
224 protected => 1,
225 parameters => {
226 additionalProperties => 0,
227 properties => $properties,
228 },
229 returns => { type => "object" },
230 code => sub {
231 my ($param) = @_;
232
233 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
234
235 my $list = PVE::Firewall::copy_list_with_digest($ipset);
236
237 foreach my $entry (@$list) {
238 if ($entry->{cidr} eq $param->{cidr}) {
239 return $entry;
240 }
241 }
242
243 raise_param_exc({ cidr => "no such IP/Network" });
244 }});
245 }
246
247 sub register_update_ip {
248 my ($class) = @_;
249
250 my $properties = $class->additional_parameters();
251
252 $properties->{name} = $api_properties->{name};
253 $properties->{cidr} = $api_properties->{cidr};
254 $properties->{nomatch} = $api_properties->{nomatch};
255 $properties->{comment} = $api_properties->{comment};
256 $properties->{digest} = get_standard_option('pve-config-digest');
257
258 $class->register_method({
259 name => 'update_ip',
260 path => '{cidr}',
261 method => 'PUT',
262 description => "Update IP or Network settings",
263 protected => 1,
264 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
265 parameters => {
266 additionalProperties => 0,
267 properties => $properties,
268 },
269 returns => { type => "null" },
270 code => sub {
271 my ($param) = @_;
272
273 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
274
275 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
276 PVE::Tools::assert_if_modified($digest, $param->{digest});
277
278 foreach my $entry (@$ipset) {
279 if($entry->{cidr} eq $param->{cidr}) {
280 $entry->{nomatch} = $param->{nomatch};
281 $entry->{comment} = $param->{comment};
282 $class->save_ipset($param, $fw_conf, $ipset);
283 return;
284 }
285 }
286
287 raise_param_exc({ cidr => "no such IP/Network" });
288 }});
289 }
290
291 sub register_delete_ip {
292 my ($class) = @_;
293
294 my $properties = $class->additional_parameters();
295
296 $properties->{name} = $api_properties->{name};
297 $properties->{cidr} = $api_properties->{cidr};
298 $properties->{digest} = get_standard_option('pve-config-digest');
299
300 $class->register_method({
301 name => 'remove_ip',
302 path => '{cidr}',
303 method => 'DELETE',
304 description => "Remove IP or Network from IPSet.",
305 protected => 1,
306 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
307 parameters => {
308 additionalProperties => 0,
309 properties => $properties,
310 },
311 returns => { type => "null" },
312 code => sub {
313 my ($param) = @_;
314
315 my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
316
317 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($ipset);
318 PVE::Tools::assert_if_modified($digest, $param->{digest});
319
320 my $new = [];
321
322 foreach my $entry (@$ipset) {
323 push @$new, $entry if $entry->{cidr} ne $param->{cidr};
324 }
325
326 $class->save_ipset($param, $fw_conf, $new);
327
328 return undef;
329 }});
330 }
331
332 sub register_handlers {
333 my ($class) = @_;
334
335 $class->register_delete_ipset();
336 $class->register_get_ipset();
337 $class->register_create_ip();
338 $class->register_read_ip();
339 $class->register_update_ip();
340 $class->register_delete_ip();
341 }
342
343 package PVE::API2::Firewall::ClusterIPset;
344
345 use strict;
346 use warnings;
347
348 use base qw(PVE::API2::Firewall::IPSetBase);
349
350 sub rule_env {
351 my ($class, $param) = @_;
352
353 return 'cluster';
354 }
355
356 sub load_config {
357 my ($class, $param) = @_;
358
359 my $fw_conf = PVE::Firewall::load_clusterfw_conf();
360 my $ipset = $fw_conf->{ipset}->{$param->{name}};
361 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
362
363 return (undef, $fw_conf, $ipset);
364 }
365
366 sub save_config {
367 my ($class, $param, $fw_conf) = @_;
368
369 PVE::Firewall::save_clusterfw_conf($fw_conf);
370 }
371
372 __PACKAGE__->register_handlers();
373
374 package PVE::API2::Firewall::VMIPset;
375
376 use strict;
377 use warnings;
378 use PVE::JSONSchema qw(get_standard_option);
379
380 use base qw(PVE::API2::Firewall::IPSetBase);
381
382 sub rule_env {
383 my ($class, $param) = @_;
384
385 return 'vm';
386 }
387
388 __PACKAGE__->additional_parameters({
389 node => get_standard_option('pve-node'),
390 vmid => get_standard_option('pve-vmid'),
391 });
392
393 sub load_config {
394 my ($class, $param) = @_;
395
396 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
397 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
398 my $ipset = $fw_conf->{ipset}->{$param->{name}};
399 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
400
401 return ($cluster_conf, $fw_conf, $ipset);
402 }
403
404 sub save_config {
405 my ($class, $param, $fw_conf) = @_;
406
407 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
408 }
409
410 __PACKAGE__->register_handlers();
411
412 package PVE::API2::Firewall::CTIPset;
413
414 use strict;
415 use warnings;
416 use PVE::JSONSchema qw(get_standard_option);
417
418 use base qw(PVE::API2::Firewall::IPSetBase);
419
420 sub rule_env {
421 my ($class, $param) = @_;
422
423 return 'ct';
424 }
425
426 __PACKAGE__->additional_parameters({
427 node => get_standard_option('pve-node'),
428 vmid => get_standard_option('pve-vmid'),
429 });
430
431 sub load_config {
432 my ($class, $param) = @_;
433
434 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
435 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
436 my $ipset = $fw_conf->{ipset}->{$param->{name}};
437 die "no such IPSet '$param->{name}'\n" if !defined($ipset);
438
439 return ($cluster_conf, $fw_conf, $ipset);
440 }
441
442 sub save_config {
443 my ($class, $param, $fw_conf) = @_;
444
445 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
446 }
447
448 __PACKAGE__->register_handlers();
449
450 package PVE::API2::Firewall::BaseIPSetList;
451
452 use strict;
453 use warnings;
454 use PVE::JSONSchema qw(get_standard_option);
455 use PVE::Exception qw(raise_param_exc);
456 use PVE::Firewall;
457
458 use base qw(PVE::RESTHandler);
459
460 sub load_config {
461 my ($class, $param) = @_;
462
463 die "implement this in subclass";
464
465 #return ($cluster_conf, $fw_conf);
466 }
467
468 sub save_config {
469 my ($class, $param, $fw_conf) = @_;
470
471 die "implement this in subclass";
472 }
473
474 sub rule_env {
475 my ($class, $param) = @_;
476
477 die "implement this in subclass";
478 }
479
480 my $additional_param_hash_list = {};
481
482 sub additional_parameters {
483 my ($class, $new_value) = @_;
484
485 if (defined($new_value)) {
486 $additional_param_hash_list->{$class} = $new_value;
487 }
488
489 # return a copy
490 my $copy = {};
491 my $org = $additional_param_hash_list->{$class} || {};
492 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
493 return $copy;
494 }
495
496 my $get_ipset_list = sub {
497 my ($fw_conf) = @_;
498
499 my $res = [];
500 foreach my $name (sort keys %{$fw_conf->{ipset}}) {
501 my $data = {
502 name => $name,
503 };
504 if (my $comment = $fw_conf->{ipset_comments}->{$name}) {
505 $data->{comment} = $comment;
506 }
507 push @$res, $data;
508 }
509
510 my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);
511
512 return wantarray ? ($list, $digest) : $list;
513 };
514
515 sub register_index {
516 my ($class) = @_;
517
518 my $properties = $class->additional_parameters();
519
520 $class->register_method({
521 name => 'ipset_index',
522 path => '',
523 method => 'GET',
524 description => "List IPSets",
525 permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
526 parameters => {
527 additionalProperties => 0,
528 properties => $properties,
529 },
530 returns => {
531 type => 'array',
532 items => {
533 type => "object",
534 properties => {
535 name => get_standard_option('ipset-name'),
536 digest => get_standard_option('pve-config-digest', { optional => 0} ),
537 comment => {
538 type => 'string',
539 optional => 1,
540 }
541 },
542 },
543 links => [ { rel => 'child', href => "{name}" } ],
544 },
545 code => sub {
546 my ($param) = @_;
547
548 my ($cluster_conf, $fw_conf) = $class->load_config($param);
549
550 return &$get_ipset_list($fw_conf);
551 }});
552 }
553
554 sub register_create {
555 my ($class) = @_;
556
557 my $properties = $class->additional_parameters();
558
559 $properties->{name} = get_standard_option('ipset-name');
560
561 $properties->{comment} = { type => 'string', optional => 1 };
562
563 $properties->{digest} = get_standard_option('pve-config-digest');
564
565 $properties->{rename} = get_standard_option('ipset-name', {
566 description => "Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.",
567 optional => 1 });
568
569 $class->register_method({
570 name => 'create_ipset',
571 path => '',
572 method => 'POST',
573 description => "Create new IPSet",
574 protected => 1,
575 permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
576 parameters => {
577 additionalProperties => 0,
578 properties => $properties,
579 },
580 returns => { type => 'null' },
581 code => sub {
582 my ($param) = @_;
583
584 my ($cluster_conf, $fw_conf) = $class->load_config($param);
585
586 if ($param->{rename}) {
587 my (undef, $digest) = &$get_ipset_list($fw_conf);
588 PVE::Tools::assert_if_modified($digest, $param->{digest});
589
590 raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
591 if !$fw_conf->{ipset}->{$param->{rename}};
592
593 # prevent overwriting existing ipset
594 raise_param_exc({ name => "IPSet '$param->{name}' does already exist"})
595 if $fw_conf->{ipset}->{$param->{name}} &&
596 $param->{name} ne $param->{rename};
597
598 my $data = delete $fw_conf->{ipset}->{$param->{rename}};
599 $fw_conf->{ipset}->{$param->{name}} = $data;
600 if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
601 $fw_conf->{ipset_comments}->{$param->{name}} = $comment;
602 }
603 $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
604 } else {
605 foreach my $name (keys %{$fw_conf->{ipset}}) {
606 raise_param_exc({ name => "IPSet '$name' already exists" })
607 if $name eq $param->{name};
608 }
609
610 $fw_conf->{ipset}->{$param->{name}} = [];
611 $fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
612 }
613
614 $class->save_config($param, $fw_conf);
615
616 return undef;
617 }});
618 }
619
620 sub register_handlers {
621 my ($class) = @_;
622
623 $class->register_index();
624 $class->register_create();
625 }
626
627 package PVE::API2::Firewall::ClusterIPSetList;
628
629 use strict;
630 use warnings;
631 use PVE::Firewall;
632
633 use base qw(PVE::API2::Firewall::BaseIPSetList);
634
635 sub rule_env {
636 my ($class, $param) = @_;
637
638 return 'cluster';
639 }
640
641 sub load_config {
642 my ($class, $param) = @_;
643
644 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
645 return (undef, $cluster_conf);
646 }
647
648 sub save_config {
649 my ($class, $param, $fw_conf) = @_;
650
651 PVE::Firewall::save_clusterfw_conf($fw_conf);
652 }
653
654 __PACKAGE__->register_handlers();
655
656 __PACKAGE__->register_method ({
657 subclass => "PVE::API2::Firewall::ClusterIPset",
658 path => '{name}',
659 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
660 fragmentDelimiter => '',
661 });
662
663 package PVE::API2::Firewall::VMIPSetList;
664
665 use strict;
666 use warnings;
667 use PVE::JSONSchema qw(get_standard_option);
668 use PVE::Firewall;
669
670 use base qw(PVE::API2::Firewall::BaseIPSetList);
671
672 __PACKAGE__->additional_parameters({
673 node => get_standard_option('pve-node'),
674 vmid => get_standard_option('pve-vmid'),
675 });
676
677 sub rule_env {
678 my ($class, $param) = @_;
679
680 return 'vm';
681 }
682
683 sub load_config {
684 my ($class, $param) = @_;
685
686 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
687 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
688 return ($cluster_conf, $fw_conf);
689 }
690
691 sub save_config {
692 my ($class, $param, $fw_conf) = @_;
693
694 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
695 }
696
697 __PACKAGE__->register_handlers();
698
699 __PACKAGE__->register_method ({
700 subclass => "PVE::API2::Firewall::VMIPset",
701 path => '{name}',
702 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
703 fragmentDelimiter => '',
704 });
705
706 package PVE::API2::Firewall::CTIPSetList;
707
708 use strict;
709 use warnings;
710 use PVE::JSONSchema qw(get_standard_option);
711 use PVE::Firewall;
712
713 use base qw(PVE::API2::Firewall::BaseIPSetList);
714
715 __PACKAGE__->additional_parameters({
716 node => get_standard_option('pve-node'),
717 vmid => get_standard_option('pve-vmid'),
718 });
719
720 sub rule_env {
721 my ($class, $param) = @_;
722
723 return 'ct';
724 }
725
726 sub load_config {
727 my ($class, $param) = @_;
728
729 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
730 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
731 return ($cluster_conf, $fw_conf);
732 }
733
734 sub save_config {
735 my ($class, $param, $fw_conf) = @_;
736
737 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
738 }
739
740 __PACKAGE__->register_handlers();
741
742 __PACKAGE__->register_method ({
743 subclass => "PVE::API2::Firewall::CTIPset",
744 path => '{name}',
745 # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
746 fragmentDelimiter => '',
747 });
748
749 1;
Firewall test scripts