1 package PVE
::API2
::Firewall
::RulesBase
;
6 use PVE
::JSONSchema
qw(get_standard_option);
7 use PVE
::Exception
qw(raise raise_param_exc);
11 use base
qw(PVE::RESTHandler);
13 my $api_properties = {
15 description
=> "Rule position.",
22 my ($class, $param, $code) = @_;
24 die "implement this in subclass";
28 my ($class, $param) = @_;
30 die "implement this in subclass";
32 #return ($cluster_conf, $fw_conf, $rules);
36 my ($class, $param, $fw_conf, $rules) = @_;
38 die "implement this in subclass";
41 my $additional_param_hash = {};
44 my ($class, $param) = @_;
46 die "implement this in subclass";
# Class-level setter/getter for the extra API parameters a subclass contributes
# to every rule method (e.g. group, node, vmid).  Called with a hashref it stores
# that hash for the calling class; called without arguments it hands back a
# fresh hashref copy of the stored hash so callers can add their own keys
# (e.g. "pos") without mutating the shared per-class original.
# NOTE(review): this rendering omits several source lines (gutter numbers jump
# 50 -> 52 -> 53 -> 58 -> 59), including the declaration of $copy, the
# return statement and the closing braces.
49 sub additional_parameters
{
50 my ($class, $new_value) = @_;
52 if (defined($new_value)) {
53 $additional_param_hash->{$class} = $new_value;
# Shallow copy of the per-class hash; an unset class yields an empty hash.
58 my $org = $additional_param_hash->{$class} || {};
59 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
# Registers the "List rules." handler for this rule set.  Permission checking
# is delegated to PVE::Firewall::rules_audit_permissions for the class's
# rule_env, and the request is proxied to the target node only for host rules.
# The handler loads the config through the subclass, returns a copy of the rule
# list and numbers each entry with its list position, which is also the
# child link ({pos}) clients use to address a single rule.
# NOTE(review): the rendering drops lines in this sub (method name/path,
# the parameters wrapper, the returns schema, the initialisation of $ind,
# the return and the closing braces).
63 sub register_get_rules
{
66 my $properties = $class->additional_parameters();
68 my $rule_env = $class->rule_env();
70 $class->register_method({
74 description
=> "List rules.",
75 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
77 additionalProperties
=> 0,
78 properties
=> $properties,
# Host rules live on a specific node; cluster/group rules need no proxying.
80 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
91 links
=> [ { rel
=> 'child', href
=> "{pos}" } ],
# $cluster_conf and $fw_conf appear unused in the visible lines; only $rules is read.
96 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Work on a copy so the numbering below does not touch the loaded config.
98 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# pos is the index in the returned copy ($ind's initialisation is not shown here).
101 foreach my $rule (@$list) {
102 $rule->{pos} = $ind++;
# Registers the "Get single rule data." handler.  Extends the class's extra
# parameters with pos, uses the audit permission helper for the class's
# rule_env and proxies to the node only for host rules.  The handler returns
# a copy of the rule at pos with its position filled in.
# NOTE(review): this rendering omits lines within the sub (method name/path,
# parameters wrapper, most of the returns schema, the return and closing braces).
109 sub register_get_rule
{
112 my $properties = $class->additional_parameters();
114 $properties->{pos} = $api_properties->{pos};
116 my $rule_env = $class->rule_env();
118 $class->register_method({
122 description
=> "Get single rule data.",
123 permissions
=> PVE
::Firewall
::rules_audit_permissions
($rule_env),
125 additionalProperties
=> 0,
126 properties
=> $properties,
128 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
# Presumably part of the returns schema (surrounding keys not shown): the
# rule's log level, described by the pve-fw-loglevel standard option.
151 log => PVE
::Firewall
::get_standard_option
('pve-fw-loglevel', {
152 description
=> 'Log level for firewall rule',
193 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
195 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# Only the upper bound is checked here.  In Perl a negative index addresses
# from the end of the list, so this relies on the schema for pos
# ($api_properties->{pos}, definition not visible in this rendering) enforcing
# a non-negative integer -- TODO confirm.
197 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
199 my $rule = $list->[$param->{pos}];
# The returned copy carries its own position so the client can address it again.
200 $rule->{pos} = $param->{pos};
# Registers the "Create new rule." handler.  The rule field schema comes from
# PVE::Firewall::add_rule_properties; action and type are then made mandatory
# for creation.  Modification permission is checked via
# rules_modify_permissions for the class's rule_env.  Under the class's config
# lock the handler builds a rule from the request, verifies it against the
# cluster and local config, and prepends it to the rule list.
# NOTE(review): lines are missing in this rendering (method/path, parameters
# wrapper, the declaration of $rule, return and closing braces).  Unlike the
# update/delete handlers, no config digest check is visible in the lines shown.
206 sub register_create_rule
{
209 my $properties = $class->additional_parameters();
211 my $create_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
# action and type are required when creating, whatever add_rule_properties
# declares for them.
212 $create_rule_properties->{action
}->{optional
} = 0;
213 $create_rule_properties->{type
}->{optional
} = 0;
215 my $rule_env = $class->rule_env();
217 $class->register_method({
218 name
=> 'create_rule',
221 description
=> "Create new rule.",
223 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
225 additionalProperties
=> 0,
226 properties
=> $create_rule_properties,
228 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
229 returns
=> { type
=> "null" },
# All config mutation happens under the class's config lock.
233 $class->lock_config($param, sub {
236 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# $rule's declaration (presumably an empty hashref) is not shown in this rendering.
240 PVE
::Firewall
::copy_rule_data
($rule, $param);
# Validate the assembled rule against cluster/local config before persisting.
241 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
# New rules are created disabled unless the caller explicitly sets enable.
243 $rule->{enable
} = 0 if !defined($param->{enable
});
# Prepend: the new rule becomes position 0, shifting existing rules down.
245 unshift @$rules, $rule;
247 $class->save_rules($param, $fw_conf, $rules);
# Registers the "Modify rule data." handler.  Besides the class's extra
# parameters and pos it accepts moveto (relocate the rule; other arguments are
# ignored) and delete (a pve-configid-list of settings to remove).  Under the
# config lock the handler checks the client-supplied digest against the
# current rule list, bounds-checks pos, then either moves the rule or applies
# the field updates/deletions, verifies the rule and saves.
# NOTE(review): this rendering omits lines (parameters wrapper, the $newrules
# declaration, the guard that inserts $rule at $moveto, the reassignment of
# $rules, the else branch structure, and the closing braces).
254 sub register_update_rule
{
257 my $properties = $class->additional_parameters();
259 $properties->{pos} = $api_properties->{pos};
261 my $rule_env = $class->rule_env();
263 $properties->{moveto
} = {
264 description
=> "Move rule to new position <moveto>. Other arguments are ignored.",
270 $properties->{delete} = {
271 type
=> 'string', format
=> 'pve-configid-list',
272 description
=> "A list of settings you want to delete.",
276 my $update_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
278 $class->register_method({
279 name
=> 'update_rule',
282 description
=> "Modify rule data.",
284 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
286 additionalProperties
=> 0,
287 properties
=> $update_rule_properties,
289 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
290 returns
=> { type
=> "null" },
294 $class->lock_config($param, sub {
297 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Optimistic concurrency: compare the current list digest with the one the
# client obtained from the list/get response; assert_if_modified presumably
# dies on mismatch so a stale edit cannot target the wrong position.
299 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
300 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Only the upper bound is checked; a negative pos would index from the end of
# the list, so this relies on the pos schema enforcing a non-negative integer
# (definition not visible in this rendering) -- TODO confirm.
302 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
304 my $rule = $rules->[$param->{pos}];
306 my $moveto = $param->{moveto
};
# Move: rebuild the list with $rule taken out of its old slot and inserted at
# $moveto.  The $newrules declaration and the `$i == $moveto` insertion guard
# are not shown in this rendering.
307 if (defined($moveto) && $moveto != $param->{pos}) {
309 for (my $i = 0; $i < scalar(@$rules); $i++) {
310 next if $i == $param->{pos};
312 push @$newrules, $rule;
314 push @$newrules, $rules->[$i];
# A moveto at or past the end appends the rule.
316 push @$newrules, $rule if $moveto >= scalar(@$rules);
# Per the moveto description other arguments are ignored on a move, so these
# edits presumably sit in the else branch of the moveto check (the branch
# structure is not visible here).
319 PVE
::Firewall
::copy_rule_data
($rule, $param);
# delete: remove the listed settings from the rule before verification.
321 PVE
::Firewall
::delete_rule_properties
($rule, $param->{'delete'}) if $param->{'delete'};
323 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
326 $class->save_rules($param, $fw_conf, $rules);
# Registers the "Delete rule." handler.  Accepts the class's extra parameters,
# pos and a config digest; requires modification permission for the class's
# rule_env.  Under the config lock it checks the digest against the current
# rule list, bounds-checks pos, removes that single rule in place and saves.
# NOTE(review): the rendering omits the method/path, parameters wrapper,
# return and closing braces.
333 sub register_delete_rule
{
336 my $properties = $class->additional_parameters();
338 $properties->{pos} = $api_properties->{pos};
# Digest of the rule list as returned by list/get, used for the
# optimistic-concurrency check below.
340 $properties->{digest
} = get_standard_option
('pve-config-digest');
342 my $rule_env = $class->rule_env();
344 $class->register_method({
345 name
=> 'delete_rule',
348 description
=> "Delete rule.",
350 permissions
=> PVE
::Firewall
::rules_modify_permissions
($rule_env),
352 additionalProperties
=> 0,
353 properties
=> $properties,
355 proxyto
=> $rule_env eq 'host' ?
'node' : undef,
356 returns
=> { type
=> "null" },
360 $class->lock_config($param, sub {
363 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# Refuse the delete when the list changed since the client read it, so a
# concurrent edit cannot make pos point at a different rule.
365 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
366 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Upper bound only; a negative pos would index from the end, so this relies
# on the pos schema enforcing a non-negative integer -- TODO confirm.
368 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
# Remove exactly one rule at pos, in place.
370 splice(@$rules, $param->{pos}, 1);
372 $class->save_rules($param, $fw_conf, $rules);
# Installs the full rule API (list, get, create, update, delete) for the
# calling subclass.  Each subclass calls this once at load time after setting
# its additional_parameters.
# NOTE(review): the `my ($class) = @_;` line and closing brace are not shown
# in this rendering.
379 sub register_handlers
{
382 $class->register_get_rules();
383 $class->register_get_rule();
384 $class->register_create_rule();
385 $class->register_update_rule();
386 $class->register_delete_rule();
389 package PVE
::API2
::Firewall
::GroupRules
;
393 use PVE
::JSONSchema
qw(get_standard_option);
395 use base
qw(PVE::API2::Firewall::RulesBase);
# Security-group rules are addressed by group name; every rule method of this
# package therefore takes a `group` parameter.
397 __PACKAGE__-
>additional_parameters({ group
=> get_standard_option
('pve-security-group-name') });
401 my ($class, $param) = @_;
407 my ($class, $param, $code) = @_;
409 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
413 my ($class, $param) = @_;
415 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
416 my $rules = $fw_conf->{groups
}->{$param->{group
}};
417 die "no such security group '$param->{group}'\n" if !defined($rules);
419 return (undef, $fw_conf, $rules);
423 my ($class, $param, $fw_conf, $rules) = @_;
425 if (!defined($rules)) {
426 delete $fw_conf->{groups
}->{$param->{group
}};
428 $fw_conf->{groups
}->{$param->{group
}} = $rules;
431 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# Deleting a whole security group is a cluster-level change: it requires
# Sys.Modify on '/' rather than the per-rule permission helpers, and only
# succeeds when the group holds no rules.
# NOTE(review): this rendering omits the method/path, the parameters wrapper,
# the `code => sub` header, the die condition and the closing braces.
434 __PACKAGE__-
>register_method({
435 name
=> 'delete_security_group',
438 description
=> "Delete security group.",
441 check
=> ['perm', '/', [ 'Sys.Modify' ]],
444 additionalProperties
=> 0,
446 group
=> get_standard_option
('pve-security-group-name'),
449 returns
=> { type
=> 'null' },
# Runs under the cluster firewall config lock (see lock_config above).
453 __PACKAGE__-
>lock_config($param, sub {
456 my (undef, $cluster_conf, $rules) = __PACKAGE__-
>load_config($param);
# The condition for this die (presumably a non-empty $rules) is not shown here.
458 die "Security group '$param->{group}' is not empty\n"
# Passing undef as the rule list makes save_rules drop the group entry from
# the config (see the `delete $fw_conf->{groups}...` branch above).
461 __PACKAGE__-
>save_rules($param, $cluster_conf, undef);
# Install the generic list/get/create/update/delete rule methods for group rules.
467 __PACKAGE__-
>register_handlers();
469 package PVE
::API2
::Firewall
::ClusterRules
;
474 use base
qw(PVE::API2::Firewall::RulesBase);
477 my ($class, $param) = @_;
483 my ($class, $param, $code) = @_;
485 PVE
::Firewall
::lock_clusterfw_conf
(10, $code, $param);
489 my ($class, $param) = @_;
491 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
492 my $rules = $fw_conf->{rules
};
494 return (undef, $fw_conf, $rules);
498 my ($class, $param, $fw_conf, $rules) = @_;
500 $fw_conf->{rules
} = $rules;
501 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# Install the generic list/get/create/update/delete rule methods for cluster rules.
504 __PACKAGE__-
>register_handlers();
506 package PVE
::API2
::Firewall
::HostRules
;
510 use PVE
::JSONSchema
qw(get_standard_option);
512 use base
qw(PVE::API2::Firewall::RulesBase);
# Host rules belong to one node; every rule method of this package takes a
# `node` parameter (and is proxied to that node by RulesBase for rule_env 'host').
514 __PACKAGE__-
>additional_parameters({ node
=> get_standard_option
('pve-node')});
517 my ($class, $param) = @_;
523 my ($class, $param, $code) = @_;
525 PVE
::Firewall
::lock_hostfw_conf
(undef, 10, $code, $param);
529 my ($class, $param) = @_;
531 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
532 my $fw_conf = PVE
::Firewall
::load_hostfw_conf
($cluster_conf);
533 my $rules = $fw_conf->{rules
};
535 return ($cluster_conf, $fw_conf, $rules);
539 my ($class, $param, $fw_conf, $rules) = @_;
541 $fw_conf->{rules
} = $rules;
542 PVE
::Firewall
::save_hostfw_conf
($fw_conf);
# Install the generic list/get/create/update/delete rule methods for host rules.
545 __PACKAGE__-
>register_handlers();
547 package PVE
::API2
::Firewall
::VMRules
;
551 use PVE
::JSONSchema
qw(get_standard_option);
553 use base
qw(PVE::API2::Firewall::RulesBase);
555 __PACKAGE__-
>additional_parameters({
556 node
=> get_standard_option
('pve-node'),
557 vmid
=> get_standard_option
('pve-vmid'),
561 my ($class, $param) = @_;
567 my ($class, $param, $code) = @_;
569 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
573 my ($class, $param) = @_;
575 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
576 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
577 my $rules = $fw_conf->{rules
};
579 return ($cluster_conf, $fw_conf, $rules);
583 my ($class, $param, $fw_conf, $rules) = @_;
585 $fw_conf->{rules
} = $rules;
586 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Install the generic list/get/create/update/delete rule methods for VM rules.
589 __PACKAGE__-
>register_handlers();
591 package PVE
::API2
::Firewall
::CTRules
;
595 use PVE
::JSONSchema
qw(get_standard_option);
597 use base
qw(PVE::API2::Firewall::RulesBase);
599 __PACKAGE__-
>additional_parameters({
600 node
=> get_standard_option
('pve-node'),
601 vmid
=> get_standard_option
('pve-vmid'),
605 my ($class, $param) = @_;
611 my ($class, $param, $code) = @_;
613 PVE
::Firewall
::lock_vmfw_conf
($param->{vmid
}, 10, $code, $param);
617 my ($class, $param) = @_;
619 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
620 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
621 my $rules = $fw_conf->{rules
};
623 return ($cluster_conf, $fw_conf, $rules);
627 my ($class, $param, $fw_conf, $rules) = @_;
629 $fw_conf->{rules
} = $rules;
630 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
# Install the generic list/get/create/update/delete rule methods for container rules.
633 __PACKAGE__-
>register_handlers();