]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/VM.pm
projects / pve-firewall.git / blob
? search:


6bfecf80154b9214ca548a1049ac01f3d0ff6fdf
[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm
1 package PVE::API2::Firewall::VM;
2
3 use strict;
4 use warnings;
5 use PVE::JSONSchema qw(get_standard_option);
6 use PVE::Cluster;
7 use PVE::Firewall;
8 use PVE::API2::Firewall::Rules;
9
10 use Data::Dumper; # fixme: remove
11
12 use base qw(PVE::RESTHandler);
13
14 __PACKAGE__->register_method ({
15 subclass => "PVE::API2::Firewall::VMRules",
16 path => 'rules',
17 });
18
19 __PACKAGE__->register_method({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 permissions => { user => 'all' },
24 description => "Directory index.",
25 parameters => {
26 additionalProperties => 0,
27 properties => {
28 node => get_standard_option('pve-node'),
29 vmid => get_standard_option('pve-vmid'),
30 },
31 },
32 returns => {
33 type => 'array',
34 items => {
35 type => "object",
36 properties => {},
37 },
38 links => [ { rel => 'child', href => "{name}" } ],
39 },
40 code => sub {
41 my ($param) = @_;
42
43 my $result = [
44 { name => 'rules' },
45 { name => 'options' },
46 ];
47
48 return $result;
49 }});
50
51 my $option_properties = {
52 enable => {
53 description => "Enable host firewall rules.",
54 type => 'boolean',
55 optional => 1,
56 },
57 policy_in => {
58 description => "Input policy.",
59 type => 'string',
60 optional => 1,
61 enum => ['ACCEPT', 'REJECT', 'DROP'],
62 },
63 policy_out => {
64 description => "Output policy.",
65 type => 'string',
66 optional => 1,
67 enum => ['ACCEPT', 'REJECT', 'DROP'],
68 },
69 };
70
71 my $add_option_properties = sub {
72 my ($properties) = @_;
73
74 foreach my $k (keys %$option_properties) {
75 $properties->{$k} = $option_properties->{$k};
76 }
77
78 return $properties;
79 };
80 __PACKAGE__->register_method({
81 name => 'get_options',
82 path => 'options',
83 method => 'GET',
84 description => "Get VM firewall options.",
85 proxyto => 'node',
86 parameters => {
87 additionalProperties => 0,
88 properties => {
89 node => get_standard_option('pve-node'),
90 vmid => get_standard_option('pve-vmid'),
91 },
92 },
93 returns => {
94 type => "object",
95 #additionalProperties => 1,
96 properties => $option_properties,
97 },
98 code => sub {
99 my ($param) = @_;
100
101 my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
102
103 return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
104 }});
105
106 __PACKAGE__->register_method({
107 name => 'set_options',
108 path => 'options',
109 method => 'PUT',
110 description => "Set Firewall options.",
111 protected => 1,
112 proxyto => 'node',
113 parameters => {
114 additionalProperties => 0,
115 properties => &$add_option_properties({
116 node => get_standard_option('pve-node'),
117 vmid => get_standard_option('pve-vmid'),
118 delete => {
119 type => 'string', format => 'pve-configid-list',
120 description => "A list of settings you want to delete.",
121 optional => 1,
122 },
123 digest => get_standard_option('pve-config-digest'),
124 }),
125 },
126 returns => { type => "null" },
127 code => sub {
128 my ($param) = @_;
129
130 my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
131
132 my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
133 PVE::Tools::assert_if_modified($digest, $param->{digest});
134
135 if ($param->{delete}) {
136 foreach my $opt (PVE::Tools::split_list($param->{delete})) {
137 raise_param_exc({ delete => "no such option '$opt'" })
138 if !$option_properties->{$opt};
139 delete $vmfw_conf->{options}->{$opt};
140 }
141 }
142
143 if (defined($param->{enable})) {
144 $param->{enable} = $param->{enable} ? 1 : 0;
145 }
146
147 foreach my $k (keys %$option_properties) {
148 next if !defined($param->{$k});
149 $vmfw_conf->{options}->{$k} = $param->{$k};
150 }
151
152 PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
153
154 return undef;
155 }});
156
157 __PACKAGE__->register_method({
158 name => 'log',
159 path => 'log',
160 method => 'GET',
161 description => "Read firewall log",
162 proxyto => 'node',
163 permissions => {
164 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
165 },
166 protected => 1,
167 parameters => {
168 additionalProperties => 0,
169 properties => {
170 node => get_standard_option('pve-node'),
171 vmid => get_standard_option('pve-vmid'),
172 start => {
173 type => 'integer',
174 minimum => 0,
175 optional => 1,
176 },
177 limit => {
178 type => 'integer',
179 minimum => 0,
180 optional => 1,
181 },
182 },
183 },
184 returns => {
185 type => 'array',
186 items => {
187 type => "object",
188 properties => {
189 n => {
190 description=> "Line number",
191 type=> 'integer',
192 },
193 t => {
194 description=> "Line text",
195 type => 'string',
196 }
197 }
198 }
199 },
200 code => sub {
201 my ($param) = @_;
202
203 my $rpcenv = PVE::RPCEnvironment::get();
204 my $user = $rpcenv->get_user();
205 my $vmid = $param->{vmid};
206
207 my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
208 $param->{start}, $param->{limit},
209 "^$vmid ");
210
211 $rpcenv->set_result_attrib('total', $count);
212
213 return $lines;
214 }});
215
216 1;
Firewall test scripts