1 package PVE
::API2
::Firewall
::RulesBase
;
5 use PVE
::JSONSchema
qw(get_standard_option);
6 use PVE
::Exception
qw(raise raise_param_exc);
10 use base
qw(PVE::RESTHandler);
12 my $api_properties = {
14 description
=> "Rule position.",
21 my ($class, $param) = @_;
23 die "implement this in subclass";
25 #return ($cluster_conf, $fw_conf, $rules);
29 my ($class, $param, $fw_conf, $rules) = @_;
31 die "implement this in subclass";
34 my $additional_param_hash = {};
37 my ($class, $param) = @_;
39 die "implement this in subclass";
# Per-class registry of the extra request parameters (node, vmid, group, ...)
# that every rule handler of a subclass accepts. Called with a hashref it
# stores that schema for $class; called without arguments it fills a new
# top-level hash from the stored entries so callers can add their own keys
# (pos, moveto, delete) without touching the registry.
42 sub additional_parameters
{
43 my ($class, $new_value) = @_;
45 if (defined($new_value)) {
46 $additional_param_hash->{$class} = $new_value;
# Getter path. The copy is shallow: the per-parameter schema hashes are the
# same objects as in the registry. The declaration of $copy and the return
# statement are not visible in this extract.
51 my $org = $additional_param_hash->{$class} || {};
52 foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
# Registers the list handler for all rules of the subclass' scope.
# NOTE(review): the name/path/method/permissions entries of this registration
# and the unpacking of $class are not visible in this extract - confirm a
# 'permissions' check is declared, as on every other PVE API method.
56 sub register_get_rules
{
59 my $properties = $class->additional_parameters();
61 $class->register_method({
65 description
=> "List rules.",
# Unknown request parameters are rejected at schema validation time.
67 additionalProperties
=> 0,
68 properties
=> $properties,
# Host-scoped handlers are proxied to the node named in the request;
# proxyto is left unset for the other scopes.
70 proxyto
=> $class->rule_env() eq 'host' ?
'node' : undef,
81 links
=> [ { rel
=> 'child', href
=> "{pos}" } ],
# Read-only path: works on a copy of the stored list. The digest is computed
# here; whether it is part of the response is not visible in this extract.
86 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
88 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# Positions are simply the list index ($ind is declared on a line not
# visible here). They are only stable until the list changes, which is why
# the modifying handlers below require a digest.
91 foreach my $rule (@$list) {
92 $rule->{pos} = $ind++;
# Registers the handler returning the single rule at position {pos}.
# NOTE(review): name/path/method/permissions of this registration are not
# visible in this extract.
99 sub register_get_rule
{
102 my $properties = $class->additional_parameters();
104 $properties->{pos} = $api_properties->{pos};
106 $class->register_method({
110 description
=> "Get single rule data.",
112 additionalProperties
=> 0,
113 properties
=> $properties,
115 proxyto
=> $class->rule_env() eq 'host' ?
'node' : undef,
127 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
129 my ($list, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
# Only the upper bound is checked in code. Integer-ness and the lower bound
# rely entirely on the schema of $api_properties->{pos}, whose type/minimum
# lines are not visible in this extract; a negative value would otherwise
# index the list from its end in Perl - confirm the schema declares
# type => 'integer', minimum => 0.
131 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
133 my $rule = $list->[$param->{pos}];
134 $rule->{pos} = $param->{pos};
# Registers the handler that creates a rule in the subclass' scope. The rule
# is validated before it is stored and is inserted at the front of the list
# (position 0).
# NOTE(review): path/method/permissions of this registration are not visible
# in this extract.
140 sub register_create_rule
{
143 my $properties = $class->additional_parameters();
145 my $create_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
# 'action' and 'type' are mandatory on create (they stay optional on update).
# These are in-place edits of the nested schema hashes; if
# add_rule_properties hands back shared schema objects instead of copies,
# the change would leak to other users of them - TODO confirm in
# PVE::Firewall.
146 $create_rule_properties->{action
}->{optional
} = 0;
147 $create_rule_properties->{type
}->{optional
} = 0;
149 $class->register_method({
150 name
=> 'create_rule',
153 description
=> "Create new rule.",
156 additionalProperties
=> 0,
157 properties
=> $create_rule_properties,
159 proxyto
=> $class->rule_env() eq 'host' ?
'node' : undef,
160 returns
=> { type
=> "null" },
# Unlike update_rule/delete_rule, create takes no 'digest' and does not call
# assert_if_modified, so a concurrent change to the same config between the
# caller's read and this write is not detected (the new rule is merely
# prepended to whatever list is current at save time).
164 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
# $rule is initialised on a line not visible in this extract.
168 PVE
::Firewall
::copy_rule_data
($rule, $param);
# Validation runs before the rule is stored; rule_env() is passed so the
# verifier can apply scope-specific checks (presumably - its body lives in
# PVE::Firewall, not here).
169 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
# Safe default: a rule created without an explicit 'enable' is disabled.
171 $rule->{enable
} = 0 if !defined($param->{enable
});
# unshift places the new rule at position 0.
173 unshift @$rules, $rule;
175 $class->save_rules($param, $fw_conf, $rules);
# Registers the handler that modifies or moves the rule at {pos}. Guarded by
# a digest comparison so that a stale client view cannot overwrite
# a changed list.
# NOTE(review): path/method/permissions of this registration are not visible
# in this extract.
181 sub register_update_rule
{
184 my $properties = $class->additional_parameters();
186 $properties->{pos} = $api_properties->{pos};
# The type/minimum constraints of 'moveto' are on lines not visible here.
188 $properties->{moveto
} = {
189 description
=> "Move rule to new position <moveto>. Other arguments are ignored.",
195 $properties->{delete} = {
196 type
=> 'string', format
=> 'pve-configid-list',
197 description
=> "A list of settings you want to delete.",
# The 'digest' property used below is not declared in the visible lines;
# presumably add_rule_properties adds it (delete_rule declares it itself).
201 my $update_rule_properties = PVE
::Firewall
::add_rule_properties
($properties);
203 $class->register_method({
204 name
=> 'update_rule',
207 description
=> "Modify rule data.",
210 additionalProperties
=> 0,
211 properties
=> $update_rule_properties,
213 proxyto
=> $class->rule_env() eq 'host' ?
'node' : undef,
214 returns
=> { type
=> "null" },
# Optimistic concurrency: the digest of the stored list is compared with the
# caller-supplied one before anything is changed. assert_if_modified is
# expected to die on mismatch (its body lives in PVE::Tools, not here).
218 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
220 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
221 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Upper-bound check only; the lower bound relies on the schema of 'pos'
# (see register_get_rule).
223 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
225 my $rule = $rules->[$param->{pos}];
227 my $moveto = $param->{moveto
};
# Move branch: rebuild the list with $rule relocated to index $moveto. The
# declaration of $newrules, the line that inserts $rule when $i == $moveto,
# and the assignment back to $rules are not visible in this extract. A
# moveto at or beyond the end appends the rule (line 237).
228 if (defined($moveto) && $moveto != $param->{pos}) {
230 for (my $i = 0; $i < scalar(@$rules); $i++) {
231 next if $i == $param->{pos};
233 push @$newrules, $rule;
235 push @$newrules, $rules->[$i];
237 push @$newrules, $rule if $moveto >= scalar(@$rules);
# Field-update path. The moveto description promises that other arguments
# are ignored on a move; whether this copy/delete/verify sequence is skipped
# in that case (an else branch) is not visible in this extract - confirm.
# Order matters: verify_rule runs after both copy_rule_data and
# delete_rule_properties, so the rule is validated in its final state.
240 PVE
::Firewall
::copy_rule_data
($rule, $param);
242 PVE
::Firewall
::delete_rule_properties
($rule, $param->{'delete'}) if $param->{'delete'};
244 PVE
::Firewall
::verify_rule
($rule, $cluster_conf, $fw_conf, $class->rule_env());
247 $class->save_rules($param, $fw_conf, $rules);
# Registers the handler that removes the rule at {pos}. Requires the caller's
# 'digest' of the rule list; the deletion is refused if the list changed.
# NOTE(review): path/method/permissions of this registration are not visible
# in this extract.
253 sub register_delete_rule
{
256 my $properties = $class->additional_parameters();
258 $properties->{pos} = $api_properties->{pos};
# Declared explicitly here because this handler does not run its properties
# through add_rule_properties the way create/update do.
260 $properties->{digest
} = get_standard_option
('pve-config-digest');
262 $class->register_method({
263 name
=> 'delete_rule',
266 description
=> "Delete rule.",
269 additionalProperties
=> 0,
270 properties
=> $properties,
272 proxyto
=> $class->rule_env() eq 'host' ?
'node' : undef,
273 returns
=> { type
=> "null" },
# Compare-then-modify: digest of the stored list vs. the caller's copy,
# checked before the position is even looked at.
277 my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
279 my (undef, $digest) = PVE
::Firewall
::copy_list_with_digest
($rules);
280 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
# Upper-bound check only; the lower bound relies on the schema of 'pos'
# (see register_get_rule).
282 die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
284 splice(@$rules, $param->{pos}, 1);
286 $class->save_rules($param, $fw_conf, $rules);
# Registers the five rule CRUD handlers on a subclass. Each subclass must
# implement rule_env(), load_config() and save_rules(); the base-class stubs
# die with "implement this in subclass". The unpacking of $class is on a
# line not visible in this extract.
292 sub register_handlers
{
295 $class->register_get_rules();
296 $class->register_get_rule();
297 $class->register_create_rule();
298 $class->register_update_rule();
299 $class->register_delete_rule();
302 package PVE
::API2
::Firewall
::GroupRules
;
306 use PVE
::JSONSchema
qw(get_standard_option);
308 use base
qw(PVE::API2::Firewall::RulesBase);
310 __PACKAGE__-
>additional_parameters({ group
=> get_standard_option
('pve-security-group-name') });
314 my ($class, $param) = @_;
320 my ($class, $param) = @_;
322 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
323 my $rules = $fw_conf->{groups
}->{$param->{group
}};
324 die "no such security group '$param->{group}'\n" if !defined($rules);
326 return (undef, $fw_conf, $rules);
330 my ($class, $param, $fw_conf, $rules) = @_;
332 if (!defined($rules)) {
333 delete $fw_conf->{groups
}->{$param->{group
}};
335 $fw_conf->{groups
}->{$param->{group
}} = $rules;
338 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
# Deletes a whole security group from the cluster config. load_config dies
# if the group does not exist; the group is dropped by passing undef as the
# rule list to save_rules, which deletes the group key.
# NOTE(review): path/method/permissions of this registration are not
# visible in this extract. No check is visible here that the group is not
# referenced from other rules - confirm whether the config verifier handles
# that, or accept that such references become dangling.
341 __PACKAGE__-
>register_method({
342 name
=> 'delete_security_group',
345 description
=> "Delete security group.",
348 additionalProperties
=> 0,
350 group
=> get_standard_option
('pve-security-group-name'),
353 returns
=> { type
=> 'null' },
# Only the second return value (the cluster config) is used as $cluster_conf.
357 my (undef, $cluster_conf, $rules) = __PACKAGE__-
>load_config($param);
# Refuses to delete a group that still holds rules; the condition of this
# die is on a line not visible in this extract.
359 die "Security group '$param->{group}' is not empty\n"
362 __PACKAGE__-
>save_rules($param, $cluster_conf, undef);
367 __PACKAGE__-
>register_handlers();
369 package PVE
::API2
::Firewall
::ClusterRules
;
374 use base
qw(PVE::API2::Firewall::RulesBase);
377 my ($class, $param) = @_;
383 my ($class, $param) = @_;
385 my $fw_conf = PVE
::Firewall
::load_clusterfw_conf
();
386 my $rules = $fw_conf->{rules
};
388 return (undef, $fw_conf, $rules);
392 my ($class, $param, $fw_conf, $rules) = @_;
394 $fw_conf->{rules
} = $rules;
395 PVE
::Firewall
::save_clusterfw_conf
($fw_conf);
398 __PACKAGE__-
>register_handlers();
400 package PVE
::API2
::Firewall
::HostRules
;
404 use PVE
::JSONSchema
qw(get_standard_option);
406 use base
qw(PVE::API2::Firewall::RulesBase);
408 __PACKAGE__-
>additional_parameters({ node
=> get_standard_option
('pve-node')});
411 my ($class, $param) = @_;
417 my ($class, $param) = @_;
419 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
420 my $fw_conf = PVE
::Firewall
::load_hostfw_conf
($cluster_conf);
421 my $rules = $fw_conf->{rules
};
423 return ($cluster_conf, $fw_conf, $rules);
427 my ($class, $param, $fw_conf, $rules) = @_;
429 $fw_conf->{rules
} = $rules;
430 PVE
::Firewall
::save_hostfw_conf
($fw_conf);
433 __PACKAGE__-
>register_handlers();
435 package PVE
::API2
::Firewall
::VMRules
;
439 use PVE
::JSONSchema
qw(get_standard_option);
441 use base
qw(PVE::API2::Firewall::RulesBase);
443 __PACKAGE__-
>additional_parameters({
444 node
=> get_standard_option
('pve-node'),
445 vmid
=> get_standard_option
('pve-vmid'),
449 my ($class, $param) = @_;
455 my ($class, $param) = @_;
457 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
458 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'vm', $param->{vmid
});
459 my $rules = $fw_conf->{rules
};
461 return ($cluster_conf, $fw_conf, $rules);
465 my ($class, $param, $fw_conf, $rules) = @_;
467 $fw_conf->{rules
} = $rules;
468 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
471 __PACKAGE__-
>register_handlers();
473 package PVE
::API2
::Firewall
::CTRules
;
477 use PVE
::JSONSchema
qw(get_standard_option);
479 use base
qw(PVE::API2::Firewall::RulesBase);
481 __PACKAGE__-
>additional_parameters({
482 node
=> get_standard_option
('pve-node'),
483 vmid
=> get_standard_option
('pve-vmid'),
487 my ($class, $param) = @_;
493 my ($class, $param) = @_;
495 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
496 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, 'ct', $param->{vmid
});
497 my $rules = $fw_conf->{rules
};
499 return ($cluster_conf, $fw_conf, $rules);
503 my ($class, $param, $fw_conf, $rules) = @_;
505 $fw_conf->{rules
} = $rules;
506 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $fw_conf);
509 __PACKAGE__-
>register_handlers();