]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/Rules.pm
projects / pve-firewall.git / blob
? search:


df9f5621dd4612a6f15d6c00796fb4e0ef35e574
[pve-firewall.git] / src / PVE / API2 / Firewall / Rules.pm
1 package PVE::API2::Firewall::RulesBase;
2
3 use strict;
4 use warnings;
5 use PVE::JSONSchema qw(get_standard_option);
6 use PVE::Exception qw(raise raise_param_exc);
7
8 use PVE::Firewall;
9
10 use base qw(PVE::RESTHandler);
11
12 my $api_properties = {
13 pos => {
14 description => "Rule position.",
15 type => 'integer',
16 minimum => 0,
17 },
18 };
19
20 sub load_config {
21 my ($class, $param) = @_;
22
23 die "implement this in subclass";
24
25 #return ($cluster_conf, $fw_conf, $rules);
26 }
27
28 sub save_rules {
29 my ($class, $param, $fw_conf, $rules) = @_;
30
31 die "implement this in subclass";
32 }
33
34 my $additional_param_hash = {};
35
36 sub rule_env {
37 my ($class, $param) = @_;
38
39 die "implement this in subclass";
40 }
41
42 sub additional_parameters {
43 my ($class, $new_value) = @_;
44
45 if (defined($new_value)) {
46 $additional_param_hash->{$class} = $new_value;
47 }
48
49 # return a copy
50 my $copy = {};
51 my $org = $additional_param_hash->{$class} || {};
52 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
53 return $copy;
54 }
55
56 sub register_get_rules {
57 my ($class) = @_;
58
59 my $properties = $class->additional_parameters();
60
61 $class->register_method({
62 name => 'get_rules',
63 path => '',
64 method => 'GET',
65 description => "List rules.",
66 parameters => {
67 additionalProperties => 0,
68 properties => $properties,
69 },
70 returns => {
71 type => 'array',
72 items => {
73 type => "object",
74 properties => {
75 pos => {
76 type => 'integer',
77 }
78 },
79 },
80 links => [ { rel => 'child', href => "{pos}" } ],
81 },
82 code => sub {
83 my ($param) = @_;
84
85 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
86
87 my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
88
89 my $ind = 0;
90 foreach my $rule (@$list) {
91 $rule->{pos} = $ind++;
92 }
93
94 return $list;
95 }});
96 }
97
98 sub register_get_rule {
99 my ($class) = @_;
100
101 my $properties = $class->additional_parameters();
102
103 $properties->{pos} = $api_properties->{pos};
104
105 $class->register_method({
106 name => 'get_rule',
107 path => '{pos}',
108 method => 'GET',
109 description => "Get single rule data.",
110 parameters => {
111 additionalProperties => 0,
112 properties => $properties,
113 },
114 returns => {
115 type => "object",
116 properties => {
117 pos => {
118 type => 'integer',
119 }
120 },
121 },
122 code => sub {
123 my ($param) = @_;
124
125 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
126
127 my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
128
129 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
130
131 my $rule = $list->[$param->{pos}];
132 $rule->{pos} = $param->{pos};
133
134 return $rule;
135 }});
136 }
137
138 sub register_create_rule {
139 my ($class) = @_;
140
141 my $properties = $class->additional_parameters();
142
143 my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
144 $create_rule_properties->{action}->{optional} = 0;
145 $create_rule_properties->{type}->{optional} = 0;
146
147 $class->register_method({
148 name => 'create_rule',
149 path => '',
150 method => 'POST',
151 description => "Create new rule.",
152 protected => 1,
153 parameters => {
154 additionalProperties => 0,
155 properties => $create_rule_properties,
156 },
157 returns => { type => "null" },
158 code => sub {
159 my ($param) = @_;
160
161 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
162
163 my $rule = {};
164
165 PVE::Firewall::copy_rule_data($rule, $param);
166 PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
167
168 $rule->{enable} = 0 if !defined($param->{enable});
169
170 unshift @$rules, $rule;
171
172 $class->save_rules($param, $fw_conf, $rules);
173
174 return undef;
175 }});
176 }
177
178 sub register_update_rule {
179 my ($class) = @_;
180
181 my $properties = $class->additional_parameters();
182
183 $properties->{pos} = $api_properties->{pos};
184
185 $properties->{moveto} = {
186 description => "Move rule to new position <moveto>. Other arguments are ignored.",
187 type => 'integer',
188 minimum => 0,
189 optional => 1,
190 };
191
192 $properties->{delete} = {
193 type => 'string', format => 'pve-configid-list',
194 description => "A list of settings you want to delete.",
195 optional => 1,
196 };
197
198 my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);
199
200 $class->register_method({
201 name => 'update_rule',
202 path => '{pos}',
203 method => 'PUT',
204 description => "Modify rule data.",
205 protected => 1,
206 parameters => {
207 additionalProperties => 0,
208 properties => $update_rule_properties,
209 },
210 returns => { type => "null" },
211 code => sub {
212 my ($param) = @_;
213
214 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
215
216 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
217 PVE::Tools::assert_if_modified($digest, $param->{digest});
218
219 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
220
221 my $rule = $rules->[$param->{pos}];
222
223 my $moveto = $param->{moveto};
224 if (defined($moveto) && $moveto != $param->{pos}) {
225 my $newrules = [];
226 for (my $i = 0; $i < scalar(@$rules); $i++) {
227 next if $i == $param->{pos};
228 if ($i == $moveto) {
229 push @$newrules, $rule;
230 }
231 push @$newrules, $rules->[$i];
232 }
233 push @$newrules, $rule if $moveto >= scalar(@$rules);
234 $rules = $newrules;
235 } else {
236 PVE::Firewall::copy_rule_data($rule, $param);
237
238 PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
239
240 PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
241 }
242
243 $class->save_rules($param, $fw_conf, $rules);
244
245 return undef;
246 }});
247 }
248
249 sub register_delete_rule {
250 my ($class) = @_;
251
252 my $properties = $class->additional_parameters();
253
254 $properties->{pos} = $api_properties->{pos};
255
256 $properties->{digest} = get_standard_option('pve-config-digest');
257
258 $class->register_method({
259 name => 'delete_rule',
260 path => '{pos}',
261 method => 'DELETE',
262 description => "Delete rule.",
263 protected => 1,
264 parameters => {
265 additionalProperties => 0,
266 properties => $properties,
267 },
268 returns => { type => "null" },
269 code => sub {
270 my ($param) = @_;
271
272 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
273
274 my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
275 PVE::Tools::assert_if_modified($digest, $param->{digest});
276
277 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
278
279 splice(@$rules, $param->{pos}, 1);
280
281 $class->save_rules($param, $fw_conf, $rules);
282
283 return undef;
284 }});
285 }
286
287 sub register_handlers {
288 my ($class) = @_;
289
290 $class->register_get_rules();
291 $class->register_get_rule();
292 $class->register_create_rule();
293 $class->register_update_rule();
294 $class->register_delete_rule();
295 }
296
297 package PVE::API2::Firewall::GroupRules;
298
299 use strict;
300 use warnings;
301 use PVE::JSONSchema qw(get_standard_option);
302
303 use base qw(PVE::API2::Firewall::RulesBase);
304
305 __PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
306
307
308 sub rule_env {
309 my ($class, $param) = @_;
310
311 return 'group';
312 }
313
314 sub load_config {
315 my ($class, $param) = @_;
316
317 my $fw_conf = PVE::Firewall::load_clusterfw_conf();
318 my $rules = $fw_conf->{groups}->{$param->{group}};
319 die "no such security group '$param->{group}'\n" if !defined($rules);
320
321 return (undef, $fw_conf, $rules);
322 }
323
324 sub save_rules {
325 my ($class, $param, $fw_conf, $rules) = @_;
326
327 if (!defined($rules)) {
328 delete $fw_conf->{groups}->{$param->{group}};
329 } else {
330 $fw_conf->{groups}->{$param->{group}} = $rules;
331 }
332
333 PVE::Firewall::save_clusterfw_conf($fw_conf);
334 }
335
336 __PACKAGE__->register_method({
337 name => 'delete_security_group',
338 path => '',
339 method => 'DELETE',
340 description => "Delete security group.",
341 protected => 1,
342 parameters => {
343 additionalProperties => 0,
344 properties => {
345 group => get_standard_option('pve-security-group-name'),
346 },
347 },
348 returns => { type => 'null' },
349 code => sub {
350 my ($param) = @_;
351
352 my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);
353
354 die "Security group '$param->{group}' is not empty\n"
355 if scalar(@$rules);
356
357 __PACKAGE__->save_rules($param, $cluster_conf, undef);
358
359 return undef;
360 }});
361
362 __PACKAGE__->register_handlers();
363
364 package PVE::API2::Firewall::ClusterRules;
365
366 use strict;
367 use warnings;
368
369 use base qw(PVE::API2::Firewall::RulesBase);
370
371 sub rule_env {
372 my ($class, $param) = @_;
373
374 return 'cluster';
375 }
376
377 sub load_config {
378 my ($class, $param) = @_;
379
380 my $fw_conf = PVE::Firewall::load_clusterfw_conf();
381 my $rules = $fw_conf->{rules};
382
383 return (undef, $fw_conf, $rules);
384 }
385
386 sub save_rules {
387 my ($class, $param, $fw_conf, $rules) = @_;
388
389 $fw_conf->{rules} = $rules;
390 PVE::Firewall::save_clusterfw_conf($fw_conf);
391 }
392
393 __PACKAGE__->register_handlers();
394
395 package PVE::API2::Firewall::HostRules;
396
397 use strict;
398 use warnings;
399 use PVE::JSONSchema qw(get_standard_option);
400
401 use base qw(PVE::API2::Firewall::RulesBase);
402
403 __PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
404
405 sub rule_env {
406 my ($class, $param) = @_;
407
408 return 'host';
409 }
410
411 sub load_config {
412 my ($class, $param) = @_;
413
414 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
415 my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
416 my $rules = $fw_conf->{rules};
417
418 return ($cluster_conf, $fw_conf, $rules);
419 }
420
421 sub save_rules {
422 my ($class, $param, $fw_conf, $rules) = @_;
423
424 $fw_conf->{rules} = $rules;
425 PVE::Firewall::save_hostfw_conf($fw_conf);
426 }
427
428 __PACKAGE__->register_handlers();
429
430 package PVE::API2::Firewall::VMRules;
431
432 use strict;
433 use warnings;
434 use PVE::JSONSchema qw(get_standard_option);
435
436 use base qw(PVE::API2::Firewall::RulesBase);
437
438 __PACKAGE__->additional_parameters({
439 node => get_standard_option('pve-node'),
440 vmid => get_standard_option('pve-vmid'),
441 });
442
443 sub rule_env {
444 my ($class, $param) = @_;
445
446 return 'vm';
447 }
448
449 sub load_config {
450 my ($class, $param) = @_;
451
452 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
453 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
454 my $rules = $fw_conf->{rules};
455
456 return ($cluster_conf, $fw_conf, $rules);
457 }
458
459 sub save_rules {
460 my ($class, $param, $fw_conf, $rules) = @_;
461
462 $fw_conf->{rules} = $rules;
463 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
464 }
465
466 __PACKAGE__->register_handlers();
467
468 package PVE::API2::Firewall::CTRules;
469
470 use strict;
471 use warnings;
472 use PVE::JSONSchema qw(get_standard_option);
473
474 use base qw(PVE::API2::Firewall::RulesBase);
475
476 __PACKAGE__->additional_parameters({
477 node => get_standard_option('pve-node'),
478 vmid => get_standard_option('pve-vmid'),
479 });
480
481 sub rule_env {
482 my ($class, $param) = @_;
483
484 return 'ct';
485 }
486
487 sub load_config {
488 my ($class, $param) = @_;
489
490 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
491 my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
492 my $rules = $fw_conf->{rules};
493
494 return ($cluster_conf, $fw_conf, $rules);
495 }
496
497 sub save_rules {
498 my ($class, $param, $fw_conf, $rules) = @_;
499
500 $fw_conf->{rules} = $rules;
501 PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
502 }
503
504 __PACKAGE__->register_handlers();
505
506 1;
Firewall test scripts