]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/VM.pm
4fdf3da9a19d9172ee82c05163e2e6fbbe41a3a1
1 package PVE
::API2
::Firewall
::VMBase
;
5 use PVE
::JSONSchema
qw(get_standard_option);
8 use PVE
::API2
::Firewall
::Rules
;
9 use PVE
::API2
::Firewall
::Aliases
;
11 use Data
::Dumper
; # fixme: remove
13 use base
qw(PVE::RESTHandler);
15 my $option_properties = {
17 description
=> "Enable host firewall rules.",
22 description
=> "Enable/disable MAC address filter.",
27 description
=> "Enable DHCP.",
32 description
=> "Enable NDP.",
37 description
=> "Allow sending Router Advertisement.",
42 description
=> "Enable default IP filters. " .
43 "This is equivalent to adding an empty ipfilter-net<id> ipset " .
44 "for every interface. Such ipsets implicitly contain sane default " .
45 "restrictions such as restricting IPv6 link local addresses to " .
46 "the one derived from the interface's MAC address. For containers " .
47 "the configured IP addresses will be implicitly added.",
52 description
=> "Input policy.",
55 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
58 description
=> "Output policy.",
61 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
63 log_level_in
=> get_standard_option
('pve-fw-loglevel', {
64 description
=> "Log level for incoming traffic." }),
65 log_level_out
=> get_standard_option
('pve-fw-loglevel', {
66 description
=> "Log level for outgoing traffic." }),
70 my $add_option_properties = sub {
71 my ($properties) = @_;
73 foreach my $k (keys %$option_properties) {
74 $properties->{$k} = $option_properties->{$k};
80 sub register_handlers
{
81 my ($class, $rule_env) = @_;
83 $class->register_method({
87 permissions
=> { user
=> 'all' },
88 description
=> "Directory index.",
90 additionalProperties
=> 0,
92 node
=> get_standard_option
('pve-node'),
93 vmid
=> get_standard_option
('pve-vmid'),
102 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
109 { name
=> 'aliases' },
112 { name
=> 'options' },
119 $class->register_method({
120 name
=> 'get_options',
123 description
=> "Get VM firewall options.",
126 check
=> ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
129 additionalProperties
=> 0,
131 node
=> get_standard_option
('pve-node'),
132 vmid
=> get_standard_option
('pve-vmid'),
137 #additionalProperties => 1,
138 properties
=> $option_properties,
143 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
144 my $vmfw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
146 return PVE
::Firewall
::copy_opject_with_digest
($vmfw_conf->{options
});
149 $class->register_method({
150 name
=> 'set_options',
153 description
=> "Set Firewall options.",
157 check
=> ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
160 additionalProperties
=> 0,
161 properties
=> &$add_option_properties({
162 node
=> get_standard_option
('pve-node'),
163 vmid
=> get_standard_option
('pve-vmid'),
165 type
=> 'string', format
=> 'pve-configid-list',
166 description
=> "A list of settings you want to delete.",
169 digest
=> get_standard_option
('pve-config-digest'),
172 returns
=> { type
=> "null" },
177 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
178 my $vmfw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
180 my (undef, $digest) = PVE
::Firewall
::copy_opject_with_digest
($vmfw_conf->{options
});
181 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
183 if ($param->{delete}) {
184 foreach my $opt (PVE
::Tools
::split_list
($param->{delete})) {
185 raise_param_exc
({ delete => "no such option '$opt'" })
186 if !$option_properties->{$opt};
187 delete $vmfw_conf->{options
}->{$opt};
191 if (defined($param->{enable
})) {
192 $param->{enable
} = $param->{enable
} ?
1 : 0;
195 foreach my $k (keys %$option_properties) {
196 next if !defined($param->{$k});
197 $vmfw_conf->{options
}->{$k} = $param->{$k};
200 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $vmfw_conf);
205 $class->register_method({
209 description
=> "Read firewall log",
212 check
=> ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
216 additionalProperties
=> 0,
218 node
=> get_standard_option
('pve-node'),
219 vmid
=> get_standard_option
('pve-vmid'),
238 description
=> "Line number",
242 description
=> "Line text",
251 my $rpcenv = PVE
::RPCEnvironment
::get
();
252 my $user = $rpcenv->get_user();
253 my $vmid = $param->{vmid
};
255 my ($count, $lines) = PVE
::Tools
::dump_logfile
("/var/log/pve-firewall.log",
256 $param->{start
}, $param->{limit
},
259 $rpcenv->set_result_attrib('total', $count);
265 $class->register_method({
269 description
=> "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
271 check
=> ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
274 additionalProperties
=> 0,
276 node
=> get_standard_option
('pve-node'),
277 vmid
=> get_standard_option
('pve-vmid'),
279 description
=> "Only list references of specified type.",
281 enum
=> ['alias', 'ipset'],
293 enum
=> ['alias', 'ipset'],
308 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
309 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
314 foreach my $conf (($cluster_conf, $fw_conf)) {
316 if (!$param->{type
} || $param->{type
} eq 'ipset') {
317 foreach my $name (keys %{$conf->{ipset
}}) {
323 if (my $comment = $conf->{ipset_comments
}->{$name}) {
324 $data->{comment
} = $comment;
326 $ipsets->{$name} = $data;
330 if (!$param->{type
} || $param->{type
} eq 'alias') {
331 foreach my $name (keys %{$conf->{aliases
}}) {
332 my $e = $conf->{aliases
}->{$name};
338 $data->{comment
} = $e->{comment
} if $e->{comment
};
339 $aliases->{$name} = $data;
345 foreach my $e (values %$ipsets) { push @$res, $e; };
346 foreach my $e (values %$aliases) { push @$res, $e; };
352 package PVE
::API2
::Firewall
::VM
;
357 use base
qw(PVE::API2::Firewall::VMBase);
359 __PACKAGE__-
>register_method ({
360 subclass
=> "PVE::API2::Firewall::VMRules",
364 __PACKAGE__-
>register_method ({
365 subclass
=> "PVE::API2::Firewall::VMAliases",
369 __PACKAGE__-
>register_method ({
370 subclass
=> "PVE::API2::Firewall::VMIPSetList",
374 __PACKAGE__-
>register_handlers('vm');
376 package PVE
::API2
::Firewall
::CT
;
381 use base
qw(PVE::API2::Firewall::VMBase);
383 __PACKAGE__-
>register_method ({
384 subclass
=> "PVE::API2::Firewall::CTRules",
388 __PACKAGE__-
>register_method ({
389 subclass
=> "PVE::API2::Firewall::CTAliases",
393 __PACKAGE__-
>register_method ({
394 subclass
=> "PVE::API2::Firewall::CTIPSetList",
398 __PACKAGE__-
>register_handlers('vm');