]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/Rules.pm
1 package PVE
::API2
::Firewall
::RulesBase
;
6 use PVE
::JSONSchema
qw(get_standard_option);
7 use PVE
::Exception
qw(raise raise_param_exc);
11 use base
qw(PVE::RESTHandler);
13 my $api_properties = {
15 description
=> "Rule position.",
22 my ($class, $param, $code) = @_;
24 die "implement this in subclass";
28 my ($class, $param) = @_;
30 die "implement this in subclass";
32 #return ($cluster_conf, $fw_conf, $rules);
36 my ($class, $param, $fw_conf, $rules) = @_;
38 die "implement this in subclass";
41 my $additional_param_hash = {};
44 my ($class, $param) = @_;
46 die "implement this in subclass";
49 sub additional_parameters
{
50 my ($class, $new_value) = @_;
52 if (defined($new_value)) {
53 $additional_param_hash->{$class} = $new_value;
58 my $org = $additional_param_hash->{$class} || {};
59 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
63 sub register_get_rules
{
66 my $properties = $class->additional_parameters();
68 my $rule_env = $class->rule_env();
70 $class->register_method({
74 description
=> "List rules.",
75 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
77 additionalProperties
=> 0,
78 properties
=> $properties,
80 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
91 links
=> [ { rel
=> 'child', href
=> "{pos}" } ],
96 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
98 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
101 foreach my $rule (@$list) {
102 $rule->{pos} = $ind++;
109 sub register_get_rule
{
112 my $properties = $class->additional_parameters();
114 $properties->{pos} = $api_properties->{pos};
116 my $rule_env = $class->rule_env();
118 $class->register_method({
122 description
=> "Get single rule data.",
123 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
125 additionalProperties
=> 0,
126 properties
=> $properties,
128 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
151 log => PVE
::Firewall
::get_standard_option
('pve-fw-loglevel', {
152 description
=> 'Log level for firewall rule',
189 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
191 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
193 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
195 my $rule = $list->[$param->{pos}];
196 $rule->{pos} = $param->{pos};
202 sub register_create_rule
{
205 my $properties = $class->additional_parameters();
207 my $create_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
208 $create_rule_properties->{action
}->{optional
} = 0;
209 $create_rule_properties->{type
}->{optional
} = 0;
211 my $rule_env = $class->rule_env();
213 $class->register_method({
214 name
=> 'create_rule',
217 description
=> "Create new rule.",
219 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
221 additionalProperties
=> 0,
222 properties
=> $create_rule_properties,
224 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
225 returns
=> { type
=> "null" },
229 $class->lock_config($param, sub {
232 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
236 PVE
::Firewall
::copy_rule_data
($rule, $param);
237 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
239 $rule->{enable
} = 0 if !defined($param->{enable
});
241 unshift @$rules, $rule;
243 $class->save_rules($param, $fw_conf, $rules);
250 sub register_update_rule
{
253 my $properties = $class->additional_parameters();
255 $properties->{pos} = $api_properties->{pos};
257 my $rule_env = $class->rule_env();
259 $properties->{moveto
} = {
260 description
=> "Move rule to new position <moveto>. Other arguments are ignored.",
266 $properties->{delete} = {
267 type
=> 'string', format
=> 'pve-configid-list',
268 description
=> "A list of settings you want to delete.",
272 my $update_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
274 $class->register_method({
275 name
=> 'update_rule',
278 description
=> "Modify rule data.",
280 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
282 additionalProperties
=> 0,
283 properties
=> $update_rule_properties,
285 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
286 returns
=> { type
=> "null" },
290 $class->lock_config($param, sub {
293 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
295 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
296 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
298 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
300 my $rule = $rules->[$param->{pos}];
302 my $moveto = $param->{moveto
};
303 if (defined($moveto) && $moveto != $param->{pos}) {
305 for (my $i = 0; $i < scalar(@$rules); $i++) {
306 next if $i == $param->{pos};
308 push @$newrules, $rule;
310 push @$newrules, $rules->[$i];
312 push @$newrules, $rule if $moveto >= scalar(@$rules);
315 PVE
::Firewall
::copy_rule_data
($rule, $param);
317 PVE
::Firewall
::delete_rule_properties
($rule, $param->{'delete'}) if $param->{'delete'};
319 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
322 $class->save_rules($param, $fw_conf, $rules);
329 sub register_delete_rule
{
332 my $properties = $class->additional_parameters();
334 $properties->{pos} = $api_properties->{pos};
336 $properties->{digest
} = get_standard_option
('pve-config-digest');
338 my $rule_env = $class->rule_env();
340 $class->register_method({
341 name
=> 'delete_rule',
344 description
=> "Delete rule.",
346 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
348 additionalProperties
=> 0,
349 properties
=> $properties,
351 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
352 returns
=> { type
=> "null" },
356 $class->lock_config($param, sub {
359 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
361 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
362 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
364 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
366 splice(@$rules, $param->{pos}, 1);
368 $class->save_rules($param, $fw_conf, $rules);
375 sub register_handlers
{
378 $class->register_get_rules();
379 $class->register_get_rule();
380 $class->register_create_rule();
381 $class->register_update_rule();
382 $class->register_delete_rule();
385 package PVE
::API2
::Firewall
::GroupRules
;
389 use PVE
::JSONSchema
qw(get_standard_option);
391 use base
qw(PVE::API2::Firewall::RulesBase);
393 __PACKAGE__-
>additional_parameters({ group
=> get_standard_option
('pve-security-group-name') });
397 my ($class, $param) = @_;
403 my ($class, $param, $code) = @_;
405 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
409 my ($class, $param) = @_;
411 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
412 my $rules = $fw_conf->{groups
}->{$param->{group
}};
413 die "no such security group '$param->{group}'\n" if !defined($rules);
415 return (undef, $fw_conf, $rules);
419 my ($class, $param, $fw_conf, $rules) = @_;
421 if (!defined($rules)) {
422 delete $fw_conf->{groups
}->{$param->{group
}};
424 $fw_conf->{groups
}->{$param->{group
}} = $rules;
427 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
430 __PACKAGE__-
>register_method({
431 name
=> 'delete_security_group',
434 description
=> "Delete security group.",
437 check
=> ['perm', '/', [ 'Sys.Modify' ]],
440 additionalProperties
=> 0,
442 group
=> get_standard_option
('pve-security-group-name'),
445 returns
=> { type
=> 'null' },
449 __PACKAGE__-
>lock_config($param, sub {
452 my (undef, $cluster_conf, $rules) = __PACKAGE__-
>load_config($param);
454 die "Security group '$param->{group}' is not empty\n"
457 __PACKAGE__-
>save_rules($param, $cluster_conf, undef);
463 __PACKAGE__-
>register_handlers();
465 package PVE
::API2
::Firewall
::ClusterRules
;
470 use base
qw(PVE::API2::Firewall::RulesBase);
473 my ($class, $param) = @_;
479 my ($class, $param, $code) = @_;
481 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
485 my ($class, $param) = @_;
487 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
488 my $rules = $fw_conf->{rules
};
490 return (undef, $fw_conf, $rules);
494 my ($class, $param, $fw_conf, $rules) = @_;
496 $fw_conf->{rules
} = $rules;
497 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
500 __PACKAGE__-
>register_handlers();
502 package PVE
::API2
::Firewall
::HostRules
;
506 use PVE
::JSONSchema
qw(get_standard_option);
508 use base
qw(PVE::API2::Firewall::RulesBase);
510 __PACKAGE__-
>additional_parameters({ node
=> get_standard_option
('pve-node')});
513 my ($class, $param) = @_;
519 my ($class, $param, $code) = @_;
521 PVE
::Firewall
::lock_hostfw_conf
(10, $code, $param);
525 my ($class, $param) = @_;
527 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
528 my $fw_conf = PVE
::Firewall
::load_hostfw_conf
($cluster_conf);
529 my $rules = $fw_conf->{rules
};
531 return ($cluster_conf, $fw_conf, $rules);
535 my ($class, $param, $fw_conf, $rules) = @_;
537 $fw_conf->{rules
} = $rules;
538 PVE
::Firewall
::save_hostfw_conf
($fw_conf);
541 __PACKAGE__-
>register_handlers();
543 package PVE
::API2
::Firewall
::VMRules
;
547 use PVE
::JSONSchema
qw(get_standard_option);
549 use base
qw(PVE::API2::Firewall::RulesBase);
551 __PACKAGE__-
>additional_parameters({
552 node
=> get_standard_option
('pve-node'),
553 vmid
=> get_standard_option
('pve-vmid'),
557 my ($class, $param) = @_;
563 my ($class, $param, $code) = @_;
565 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
569 my ($class, $param) = @_;
571 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
572 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
573 my $rules = $fw_conf->{rules
};
575 return ($cluster_conf, $fw_conf, $rules);
579 my ($class, $param, $fw_conf, $rules) = @_;
581 $fw_conf->{rules
} = $rules;
582 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
585 __PACKAGE__-
>register_handlers();
587 package PVE
::API2
::Firewall
::CTRules
;
591 use PVE
::JSONSchema
qw(get_standard_option);
593 use base
qw(PVE::API2::Firewall::RulesBase);
595 __PACKAGE__-
>additional_parameters({
596 node
=> get_standard_option
('pve-node'),
597 vmid
=> get_standard_option
('pve-vmid'),
601 my ($class, $param) = @_;
607 my ($class, $param, $code) = @_;
609 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
613 my ($class, $param) = @_;
615 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
616 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
617 my $rules = $fw_conf->{rules
};
619 return ($cluster_conf, $fw_conf, $rules);
623 my ($class, $param, $fw_conf, $rules) = @_;
625 $fw_conf->{rules
} = $rules;
626 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
629 __PACKAGE__-
>register_handlers();