# Abstract base for the per-environment firewall rule API handlers in this
# file. A subclass supplies lock_config/load_config/save_rules/rule_env and
# calls register_handlers() to get the list/get/create/update/delete methods.
1 package PVE
::API2
::Firewall
::RulesBase
;
5 use PVE
::JSONSchema
qw(get_standard_option);
6 use PVE
::Exception
qw(raise raise_param_exc);
10 use base
qw(PVE::RESTHandler);
# Schema fragments shared by the single-rule handlers; ->{pos} is copied into
# the parameter sets of the get/update/delete methods below.
12 my $api_properties = {
# NOTE(review): only the description of the 'pos' entry survives in this
# rendering. Its type/range attributes matter for safety: the handlers below
# only test the upper bound (pos >= list size), so rejecting negative or
# non-integer positions is left to this schema entry.
14 description
=> "Rule position.",
# Abstract hook (sub header not visible in this rendering): subclasses run
# $code under the lock protecting the configuration addressed by $param.
21 my ($class, $param, $code) = @_;
23 die "implement this in subclass";
# Abstract hook (sub header not visible in this rendering): load the config
# selected by $param and return the triple documented in the comment below.
27 my ($class, $param) = @_;
29 die "implement this in subclass";
31 #return ($cluster_conf, $fw_conf, $rules);
# Abstract hook (sub header not visible in this rendering): persist $rules
# into $fw_conf for the target named by $param.
35 my ($class, $param, $fw_conf, $rules) = @_;
37 die "implement this in subclass";
40 my $additional_param_hash = {};
# Abstract hook (header not visible; by elimination the rule_env() accessor
# the register_* methods call): returns the environment string that selects
# permissions and proxying, e.g. compared against 'host' below.
43 my ($class, $param) = @_;
45 die "implement this in subclass";
48 sub additional_parameters
{
# Per-class registry of the extra URL parameters (node, vmid, group, ...)
# that every handler of that class must declare. With a defined $new_value it
# stores that hash for $class; it then hands back a shallow copy so that the
# callers below can add 'pos', 'digest', ... without mutating the registered
# set.
49 my ($class, $new_value) = @_;
51 if (defined($new_value)) {
52 $additional_param_hash->{$class} = $new_value;
# Shallow copy of the stored hash. NOTE(review): the initialisation of $copy
# and the return statement are missing from this rendering.
57 my $org = $additional_param_hash->{$class} || {};
58 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
62 sub register_get_rules
{
# Registers the collection handler: lists the rules of the config returned by
# the subclass's load_config(), each annotated with its list index as 'pos'.
# NOTE(review): the $class unpacking, method/path/returns entries and the
# closing of the register_method call are missing from this rendering.
65 my $properties = $class->additional_parameters();
67 my $rule_env = $class->rule_env();
69 $class->register_method({
73 description
=> "List rules.",
# Read access is gated per rule environment by rules_audit_permissions.
74 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
76 additionalProperties
=> 0,
77 properties
=> $properties,
# Only the host environment is proxied to the target node.
79 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
# Child links use the same 0-based 'pos' the single-rule handlers accept.
90 links
=> [ { rel
=> 'child', href
=> "{pos}" } ],
95 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Work on a copy so that setting 'pos' below does not touch the loaded
# config; the digest is not visibly used by this handler.
97 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# 'pos' is the rule's index in the list; $ind's initialisation is not visible
# in this rendering.
100 foreach my $rule (@$list) {
101 $rule->{pos} = $ind++;
108 sub register_get_rule
{
# Registers the single-rule GET handler, addressed by the 0-based 'pos'.
# NOTE(review): the $class unpacking, method/path entries, most of the
# returns schema and the closing of the register_method call are missing
# from this rendering.
111 my $properties = $class->additional_parameters();
113 $properties->{pos} = $api_properties->{pos};
115 my $rule_env = $class->rule_env();
117 $class->register_method({
121 description
=> "Get single rule data.",
# Read access is gated per rule environment by rules_audit_permissions.
122 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
124 additionalProperties
=> 0,
125 properties
=> $properties,
# Only the host environment is proxied to the target node.
127 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
# Appears to belong to the returns schema: the per-rule log level uses the
# standard 'pve-fw-loglevel' option.
150 log => PVE
::Firewall
::get_standard_option
('pve-fw-loglevel', {
151 description
=> 'Log level for firewall rule',
188 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Copy so that writing 'pos' into the returned rule leaves the config alone.
190 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# Upper-bound check only. A negative 'pos' would index the list from the end
# in Perl, so this relies on the 'pos' schema entry rejecting such values.
192 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
194 my $rule = $list->[$param->{pos}];
195 $rule->{pos} = $param->{pos};
201 sub register_create_rule
{
# Registers the POST handler that prepends a new rule to the rule list.
# NOTE(review): the $class unpacking, method/path/parameters wrapper, the
# initialisation of $rule and the closing of the register_method call are
# missing from this rendering.
204 my $properties = $class->additional_parameters();
206 my $create_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
# 'action' and 'type' are optional in the shared rule schema; creation makes
# them mandatory.
207 $create_rule_properties->{action
}->{optional
} = 0;
208 $create_rule_properties->{type
}->{optional
} = 0;
210 my $rule_env = $class->rule_env();
212 $class->register_method({
213 name
=> 'create_rule',
216 description
=> "Create new rule.",
# Write access is gated per rule environment by rules_modify_permissions.
218 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
220 additionalProperties
=> 0,
221 properties
=> $create_rule_properties,
# Only the host environment is proxied to the target node.
223 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
224 returns
=> { type
=> "null" },
# Load/modify/save runs under the subclass's config lock so concurrent
# writers cannot interleave.
228 $class->lock_config($param, sub {
231 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Copy the submitted fields into the rule, then validate it against the
# cluster and local config before anything is persisted.
235 PVE
::Firewall
::copy_rule_data
($rule, $param);
236 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
# A rule created without 'enable' is stored disabled.
238 $rule->{enable
} = 0 if !defined($param->{enable
});
# New rules go to the front of the list, i.e. position 0.
240 unshift @$rules, $rule;
242 $class->save_rules($param, $fw_conf, $rules);
249 sub register_update_rule
{
# Registers the PUT handler: either moves the rule at 'pos' to 'moveto' or
# updates/deletes its fields, guarded by an optimistic-concurrency digest.
# NOTE(review): the $class unpacking, the 'digest' schema entry, the
# method/path entries and the closing of the register_method call are
# missing from this rendering.
252 my $properties = $class->additional_parameters();
254 $properties->{pos} = $api_properties->{pos};
256 my $rule_env = $class->rule_env();
258 $properties->{moveto
} = {
259 description
=> "Move rule to new position <moveto>. Other arguments are ignored.",
# 'delete' is a config-id list naming fields to drop from the rule.
265 $properties->{delete} = {
266 type
=> 'string', format
=> 'pve-configid-list',
267 description
=> "A list of settings you want to delete.",
271 my $update_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
273 $class->register_method({
274 name
=> 'update_rule',
277 description
=> "Modify rule data.",
# Write access is gated per rule environment by rules_modify_permissions.
279 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
281 additionalProperties
=> 0,
282 properties
=> $update_rule_properties,
# Only the host environment is proxied to the target node.
284 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
285 returns
=> { type
=> "null" },
# Everything below runs under the subclass's config lock.
289 $class->lock_config($param, sub {
292 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Optimistic concurrency: the digest of the current list is compared with
# the one the client read, so a stale client cannot silently overwrite
# somebody else's change (how a missing digest is treated is decided inside
# assert_if_modified).
294 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
295 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Upper-bound check only; non-negative 'pos' is up to the schema entry.
297 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
299 my $rule = $rules->[$param->{pos}];
301 my $moveto = $param->{moveto
};
# Move: rebuild the list with the rule taken out of its old slot and put in
# at $moveto (appended when $moveto is past the end). NOTE(review): the
# initialisation of $newrules, the '$i == $moveto' test around the first
# push and the assignment back to $rules are missing from this rendering;
# given the description above, the field update below presumably sits in the
# alternative branch.
302 if (defined($moveto) && $moveto != $param->{pos}) {
304 for (my $i = 0; $i < scalar(@$rules); $i++) {
305 next if $i == $param->{pos};
307 push @$newrules, $rule;
309 push @$newrules, $rules->[$i];
311 push @$newrules, $rule if $moveto >= scalar(@$rules);
# Field update: apply the submitted values, drop the listed ones, then
# validate the resulting rule before it is persisted.
314 PVE
::Firewall
::copy_rule_data
($rule, $param);
316 PVE
::Firewall
::delete_rule_properties
($rule, $param->{'delete'}) if $param->{'delete'};
318 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
321 $class->save_rules($param, $fw_conf, $rules);
328 sub register_delete_rule
{
# Registers the DELETE handler for the rule at 'pos', guarded by the standard
# config digest.
# NOTE(review): the $class unpacking, method/path entries and the closing of
# the register_method call are missing from this rendering.
331 my $properties = $class->additional_parameters();
333 $properties->{pos} = $api_properties->{pos};
# Standard digest parameter; see the assert_if_modified check below.
335 $properties->{digest
} = get_standard_option
('pve-config-digest');
337 my $rule_env = $class->rule_env();
339 $class->register_method({
340 name
=> 'delete_rule',
343 description
=> "Delete rule.",
# Write access is gated per rule environment by rules_modify_permissions.
345 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
347 additionalProperties
=> 0,
348 properties
=> $properties,
# Only the host environment is proxied to the target node.
350 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
351 returns
=> { type
=> "null" },
# Load/splice/save runs under the subclass's config lock.
355 $class->lock_config($param, sub {
358 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Optimistic concurrency: a digest taken from a stale listing makes
# assert_if_modified die, so the wrong rule is not deleted after a reorder.
360 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
361 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Upper-bound check only; non-negative 'pos' is up to the schema entry.
363 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
365 splice(@$rules, $param->{pos}, 1);
367 $class->save_rules($param, $fw_conf, $rules);
374 sub register_handlers
{
# Registers the five rule CRUD methods for the calling subclass; each of them
# picks up the subclass's additional_parameters() and rule_env().
# NOTE(review): the $class unpacking is missing from this rendering.
377 $class->register_get_rules();
378 $class->register_get_rule();
379 $class->register_create_rule();
380 $class->register_update_rule();
381 $class->register_delete_rule();
# Rule handlers for a named security group in the cluster-wide firewall
# config, plus a handler that deletes the (empty) group itself.
384 package PVE
::API2
::Firewall
::GroupRules
;
388 use PVE
::JSONSchema
qw(get_standard_option);
390 use base
qw(PVE::API2::Firewall::RulesBase);
# Every handler of this class takes the security group name as a parameter.
392 __PACKAGE__-
>additional_parameters({ group
=> get_standard_option
('pve-security-group-name') });
396 my ($class, $param) = @_;
# lock_config hook (header not visible): group rules live in the cluster
# config, so $code runs under the cluster firewall lock with a 10 s timeout.
402 my ($class, $param, $code) = @_;
404 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
# load_config hook (header not visible): returns the rule list of the named
# group; there is no separate cluster conf, hence the leading undef.
408 my ($class, $param) = @_;
410 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
411 my $rules = $fw_conf->{groups
}->{$param->{group
}};
# Reject unknown groups here so that no handler can autovivify one.
412 die "no such security group '$param->{group}'\n" if !defined($rules);
414 return (undef, $fw_conf, $rules);
# save_rules hook (header not visible): stores the group's rule list, or
# removes the group entirely when called with undef (see
# delete_security_group below).
418 my ($class, $param, $fw_conf, $rules) = @_;
420 if (!defined($rules)) {
421 delete $fw_conf->{groups
}->{$param->{group
}};
423 $fw_conf->{groups
}->{$param->{group
}} = $rules;
426 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# DELETE handler for the security group itself (as opposed to its rules).
# NOTE(review): the method/path entries, the parameters wrapper, the condition
# of the "not empty" check and the closing of the call are missing from this
# rendering.
429 __PACKAGE__-
>register_method({
430 name
=> 'delete_security_group',
433 description
=> "Delete security group.",
# Unlike the rule handlers, this needs Sys.Modify on '/'.
436 check
=> ['perm', '/', [ 'Sys.Modify' ]],
439 additionalProperties
=> 0,
441 group
=> get_standard_option
('pve-security-group-name'),
444 returns
=> { type
=> 'null' },
# Runs under the cluster firewall lock; load_config dies for unknown groups.
448 __PACKAGE__-
>lock_config($param, sub {
451 my (undef, $cluster_conf, $rules) = __PACKAGE__-
>load_config($param);
# Only an empty group may be removed. NOTE(review): whether references to
# the group from other rule sets are checked is not visible here.
453 die "Security group '$param->{group}' is not empty\n"
# save_rules with undef deletes the group entry.
456 __PACKAGE__-
>save_rules($param, $cluster_conf, undef);
# Register the inherited list/get/create/update/delete rule methods.
462 __PACKAGE__-
>register_handlers();
# Rule handlers for the cluster-wide rule list; takes no extra parameters.
464 package PVE
::API2
::Firewall
::ClusterRules
;
469 use base
qw(PVE::API2::Firewall::RulesBase);
472 my ($class, $param) = @_;
# lock_config hook (header not visible): $code runs under the cluster
# firewall lock with a 10 s timeout.
478 my ($class, $param, $code) = @_;
480 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
# load_config hook (header not visible): the cluster config is itself the
# target, so no separate cluster conf is returned (leading undef).
484 my ($class, $param) = @_;
486 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
487 my $rules = $fw_conf->{rules
};
489 return (undef, $fw_conf, $rules);
# save_rules hook (header not visible): writes the rule list back into the
# cluster config.
493 my ($class, $param, $fw_conf, $rules) = @_;
495 $fw_conf->{rules
} = $rules;
496 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# Register the inherited list/get/create/update/delete rule methods.
499 __PACKAGE__-
>register_handlers();
# Rule handlers for a node's host firewall config; the base class proxies
# these to the target node.
501 package PVE
::API2
::Firewall
::HostRules
;
505 use PVE
::JSONSchema
qw(get_standard_option);
507 use base
qw(PVE::API2::Firewall::RulesBase);
# Every handler of this class takes the node name as a parameter.
509 __PACKAGE__-
>additional_parameters({ node
=> get_standard_option
('pve-node')});
512 my ($class, $param) = @_;
# lock_config hook (header not visible): $code runs under the host firewall
# lock with a 10 s timeout.
518 my ($class, $param, $code) = @_;
520 PVE
::Firewall
::lock_hostfw_conf
(10, $code, $param);
# load_config hook (header not visible): loads the cluster config first, as
# load_hostfw_conf and verify_rule both need it, then the host config.
524 my ($class, $param) = @_;
526 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
527 my $fw_conf = PVE
::Firewall
::load_hostfw_conf
($cluster_conf);
528 my $rules = $fw_conf->{rules
};
530 return ($cluster_conf, $fw_conf, $rules);
# save_rules hook (header not visible): writes the rule list back into the
# host config.
534 my ($class, $param, $fw_conf, $rules) = @_;
536 $fw_conf->{rules
} = $rules;
537 PVE
::Firewall
::save_hostfw_conf
($fw_conf);
# Register the inherited list/get/create/update/delete rule methods.
540 __PACKAGE__-
>register_handlers();
# Rule handlers for a VM's firewall config, addressed by node and vmid.
542 package PVE
::API2
::Firewall
::VMRules
;
546 use PVE
::JSONSchema
qw(get_standard_option);
548 use base
qw(PVE::API2::Firewall::RulesBase);
# Every handler of this class takes the node name and the VM id.
550 __PACKAGE__-
>additional_parameters({
551 node
=> get_standard_option
('pve-node'),
552 vmid
=> get_standard_option
('pve-vmid'),
556 my ($class, $param) = @_;
# lock_config hook (header not visible): $code runs under the per-VM firewall
# lock for $param->{vmid} with a 10 s timeout.
562 my ($class, $param, $code) = @_;
564 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
# load_config hook (header not visible): loads the cluster config, then the
# VM config of $param->{vmid} with the 'vm' type selector.
568 my ($class, $param) = @_;
570 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
571 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
572 my $rules = $fw_conf->{rules
};
574 return ($cluster_conf, $fw_conf, $rules);
# save_rules hook (header not visible): writes the rule list back into the
# VM's firewall config.
578 my ($class, $param, $fw_conf, $rules) = @_;
580 $fw_conf->{rules
} = $rules;
581 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Register the inherited list/get/create/update/delete rule methods.
584 __PACKAGE__-
>register_handlers();
# Rule handlers for a container's firewall config; identical to VMRules
# except for the 'ct' type selector passed to load_vmfw_conf.
586 package PVE
::API2
::Firewall
::CTRules
;
590 use PVE
::JSONSchema
qw(get_standard_option);
592 use base
qw(PVE::API2::Firewall::RulesBase);
# Every handler of this class takes the node name and the container id.
594 __PACKAGE__-
>additional_parameters({
595 node
=> get_standard_option
('pve-node'),
596 vmid
=> get_standard_option
('pve-vmid'),
600 my ($class, $param) = @_;
# lock_config hook (header not visible): $code runs under the per-guest
# firewall lock for $param->{vmid} with a 10 s timeout.
606 my ($class, $param, $code) = @_;
608 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
# load_config hook (header not visible): loads the cluster config, then the
# guest config of $param->{vmid} with the 'ct' type selector.
612 my ($class, $param) = @_;
614 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
615 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
616 my $rules = $fw_conf->{rules
};
618 return ($cluster_conf, $fw_conf, $rules);
# save_rules hook (header not visible): writes the rule list back into the
# container's firewall config.
622 my ($class, $param, $fw_conf, $rules) = @_;
624 $fw_conf->{rules
} = $rules;
625 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Register the inherited list/get/create/update/delete rule methods.
628 __PACKAGE__-
>register_handlers();