1 package PVE
::API2
::Firewall
::RulesBase
;
5 use PVE
::JSONSchema
qw(get_standard_option);
6 use PVE
::Exception
qw(raise raise_param_exc);
10 use base
qw(PVE::RESTHandler);
12 my $api_properties = {
14 description
=> "Rule position.",
21 my ($class, $param) = @_;
23 die "implement this in subclass";
25 #return ($cluster_conf, $fw_conf, $rules);
29 my ($class, $param, $fw_conf, $rules) = @_;
31 die "implement this in subclass";
34 my $additional_param_hash = {};
37 my ($class, $param) = @_;
39 die "implement this in subclass";
42 sub additional_parameters
{
43 my ($class, $new_value) = @_;
45 if (defined($new_value)) {
46 $additional_param_hash->{$class} = $new_value;
51 my $org = $additional_param_hash->{$class} || {};
52 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
56 sub register_get_rules
{
59 my $properties = $class->additional_parameters();
61 my $rule_env = $class->rule_env();
63 $class->register_method({
67 description
=> "List rules.",
68 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
70 additionalProperties
=> 0,
71 properties
=> $properties,
73 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
84 links
=> [ { rel
=> 'child', href
=> "{pos}" } ],
89 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
91 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
94 foreach my $rule (@$list) {
95 $rule->{pos} = $ind++;
102 sub register_get_rule
{
105 my $properties = $class->additional_parameters();
107 $properties->{pos} = $api_properties->{pos};
109 my $rule_env = $class->rule_env();
111 $class->register_method({
115 description
=> "Get single rule data.",
116 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
118 additionalProperties
=> 0,
119 properties
=> $properties,
121 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
144 log => PVE
::Firewall
::get_standard_option
('pve-fw-loglevel', {
145 description
=> 'Log level for firewall rule',
182 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
184 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
186 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
188 my $rule = $list->[$param->{pos}];
189 $rule->{pos} = $param->{pos};
195 sub register_create_rule
{
198 my $properties = $class->additional_parameters();
200 my $create_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
201 $create_rule_properties->{action
}->{optional
} = 0;
202 $create_rule_properties->{type
}->{optional
} = 0;
204 my $rule_env = $class->rule_env();
206 $class->register_method({
207 name
=> 'create_rule',
210 description
=> "Create new rule.",
212 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
214 additionalProperties
=> 0,
215 properties
=> $create_rule_properties,
217 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
218 returns
=> { type
=> "null" },
222 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
226 PVE
::Firewall
::copy_rule_data
($rule, $param);
227 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
229 $rule->{enable
} = 0 if !defined($param->{enable
});
231 unshift @$rules, $rule;
233 $class->save_rules($param, $fw_conf, $rules);
239 sub register_update_rule
{
242 my $properties = $class->additional_parameters();
244 $properties->{pos} = $api_properties->{pos};
246 my $rule_env = $class->rule_env();
248 $properties->{moveto
} = {
249 description
=> "Move rule to new position <moveto>. Other arguments are ignored.",
255 $properties->{delete} = {
256 type
=> 'string', format
=> 'pve-configid-list',
257 description
=> "A list of settings you want to delete.",
261 my $update_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
263 $class->register_method({
264 name
=> 'update_rule',
267 description
=> "Modify rule data.",
269 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
271 additionalProperties
=> 0,
272 properties
=> $update_rule_properties,
274 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
275 returns
=> { type
=> "null" },
279 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
281 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
282 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
284 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
286 my $rule = $rules->[$param->{pos}];
288 my $moveto = $param->{moveto
};
289 if (defined($moveto) && $moveto != $param->{pos}) {
291 for (my $i = 0; $i < scalar(@$rules); $i++) {
292 next if $i == $param->{pos};
294 push @$newrules, $rule;
296 push @$newrules, $rules->[$i];
298 push @$newrules, $rule if $moveto >= scalar(@$rules);
301 PVE
::Firewall
::copy_rule_data
($rule, $param);
303 PVE
::Firewall
::delete_rule_properties
($rule, $param->{'delete'}) if $param->{'delete'};
305 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
308 $class->save_rules($param, $fw_conf, $rules);
314 sub register_delete_rule
{
317 my $properties = $class->additional_parameters();
319 $properties->{pos} = $api_properties->{pos};
321 $properties->{digest
} = get_standard_option
('pve-config-digest');
323 my $rule_env = $class->rule_env();
325 $class->register_method({
326 name
=> 'delete_rule',
329 description
=> "Delete rule.",
331 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
333 additionalProperties
=> 0,
334 properties
=> $properties,
336 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
337 returns
=> { type
=> "null" },
341 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
343 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
344 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
346 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
348 splice(@$rules, $param->{pos}, 1);
350 $class->save_rules($param, $fw_conf, $rules);
356 sub register_handlers
{
359 $class->register_get_rules();
360 $class->register_get_rule();
361 $class->register_create_rule();
362 $class->register_update_rule();
363 $class->register_delete_rule();
366 package PVE
::API2
::Firewall
::GroupRules
;
370 use PVE
::JSONSchema
qw(get_standard_option);
372 use base
qw(PVE::API2::Firewall::RulesBase);
# Extra request parameter shared by every rule endpoint of this package: the
# security group whose rule list is addressed. RulesBase keeps this per class
# and merges it into the `properties` schema of each method it registers.
my %group_params = ( group => get_standard_option('pve-security-group-name') );
__PACKAGE__->additional_parameters(\%group_params);
378 my ($class, $param) = @_;
384 my ($class, $param) = @_;
386 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
387 my $rules = $fw_conf->{groups
}->{$param->{group
}};
388 die "no such security group '$param->{group}'\n" if !defined($rules);
390 return (undef, $fw_conf, $rules);
394 my ($class, $param, $fw_conf, $rules) = @_;
396 if (!defined($rules)) {
397 delete $fw_conf->{groups
}->{$param->{group
}};
399 $fw_conf->{groups
}->{$param->{group
}} = $rules;
402 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
405 __PACKAGE__-
>register_method({
406 name
=> 'delete_security_group',
409 description
=> "Delete security group.",
412 check
=> ['perm', '/', [ 'Sys.Modify' ]],
415 additionalProperties
=> 0,
417 group
=> get_standard_option
('pve-security-group-name'),
420 returns
=> { type
=> 'null' },
424 my (undef, $cluster_conf, $rules) = __PACKAGE__-
>load_config($param);
426 die "Security group '$param->{group}' is not empty\n"
429 __PACKAGE__-
>save_rules($param, $cluster_conf, undef);
# Register the list/get/create/update/delete rule endpoints that RulesBase
# provides, bound to this package's load_config/save_rules/rule_env. Each
# endpoint's `permissions` come from PVE::Firewall::rules_audit_permissions
# (reads) or rules_modify_permissions (writes) for this class's rule_env().
__PACKAGE__->register_handlers();
436 package PVE
::API2
::Firewall
::ClusterRules
;
441 use base
qw(PVE::API2::Firewall::RulesBase);
444 my ($class, $param) = @_;
450 my ($class, $param) = @_;
452 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
453 my $rules = $fw_conf->{rules
};
455 return (undef, $fw_conf, $rules);
459 my ($class, $param, $fw_conf, $rules) = @_;
461 $fw_conf->{rules
} = $rules;
462 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# Register the RulesBase rule endpoints (list/get/create/update/delete) for
# the cluster-wide rule set; permissions are derived from this class's
# rule_env() via PVE::Firewall::rules_*_permissions.
__PACKAGE__->register_handlers();
467 package PVE
::API2
::Firewall
::HostRules
;
471 use PVE
::JSONSchema
qw(get_standard_option);
473 use base
qw(PVE::API2::Firewall::RulesBase);
# Extra request parameter for this package's rule endpoints: the node whose
# host firewall configuration is addressed. RulesBase merges it into each
# registered method's `properties` (and proxies to `node` for the 'host'
# rule environment).
my %host_params = ( node => get_standard_option('pve-node') );
__PACKAGE__->additional_parameters(\%host_params);
478 my ($class, $param) = @_;
484 my ($class, $param) = @_;
486 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
487 my $fw_conf = PVE
::Firewall
::load_hostfw_conf
($cluster_conf);
488 my $rules = $fw_conf->{rules
};
490 return ($cluster_conf, $fw_conf, $rules);
494 my ($class, $param, $fw_conf, $rules) = @_;
496 $fw_conf->{rules
} = $rules;
497 PVE
::Firewall
::save_hostfw_conf
($fw_conf);
# Register the RulesBase rule endpoints (list/get/create/update/delete) for
# the per-node host rule set; permissions are derived from this class's
# rule_env() via PVE::Firewall::rules_*_permissions.
__PACKAGE__->register_handlers();
502 package PVE
::API2
::Firewall
::VMRules
;
506 use PVE
::JSONSchema
qw(get_standard_option);
508 use base
qw(PVE::API2::Firewall::RulesBase);
510 __PACKAGE__-
>additional_parameters({
511 node
=> get_standard_option
('pve-node'),
512 vmid
=> get_standard_option
('pve-vmid'),
516 my ($class, $param) = @_;
522 my ($class, $param) = @_;
524 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
525 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
526 my $rules = $fw_conf->{rules
};
528 return ($cluster_conf, $fw_conf, $rules);
532 my ($class, $param, $fw_conf, $rules) = @_;
534 $fw_conf->{rules
} = $rules;
535 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Register the RulesBase rule endpoints (list/get/create/update/delete) for
# a VM's rule set, loaded/saved via PVE::Firewall::load_vmfw_conf /
# save_vmfw_conf with the 'vm' type; permissions come from rule_env().
__PACKAGE__->register_handlers();
540 package PVE
::API2
::Firewall
::CTRules
;
544 use PVE
::JSONSchema
qw(get_standard_option);
546 use base
qw(PVE::API2::Firewall::RulesBase);
548 __PACKAGE__-
>additional_parameters({
549 node
=> get_standard_option
('pve-node'),
550 vmid
=> get_standard_option
('pve-vmid'),
554 my ($class, $param) = @_;
560 my ($class, $param) = @_;
562 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
563 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
564 my $rules = $fw_conf->{rules
};
566 return ($cluster_conf, $fw_conf, $rules);
570 my ($class, $param, $fw_conf, $rules) = @_;
572 $fw_conf->{rules
} = $rules;
573 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Register the RulesBase rule endpoints (list/get/create/update/delete) for
# a container's rule set, loaded/saved via PVE::Firewall::load_vmfw_conf /
# save_vmfw_conf with the 'ct' type; permissions come from rule_env().
__PACKAGE__->register_handlers();