]>
git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/VM.pm
f4834918b35212e270c359257311139150b698ef
1 package PVE
::API2
::Firewall
::VMBase
;
5 use PVE
::JSONSchema
qw(get_standard_option);
8 use PVE
::API2
::Firewall
::Rules
;
9 use PVE
::API2
::Firewall
::Aliases
;
11 use Data
::Dumper
; # fixme: remove
13 use base
qw(PVE::RESTHandler);
15 my $option_properties = {
17 description
=> "Enable host firewall rules.",
22 description
=> "Enable/disable MAC address filter.",
27 description
=> "Enable DHCP.",
32 description
=> "Input policy.",
35 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
38 description
=> "Output policy.",
41 enum
=> ['ACCEPT', 'REJECT', 'DROP'],
43 log_level_in
=> get_standard_option
('pve-fw-loglevel', {
44 description
=> "Log level for incoming traffic." }),
45 log_level_out
=> get_standard_option
('pve-fw-loglevel', {
46 description
=> "Log level for outgoing traffic." }),
50 my $add_option_properties = sub {
51 my ($properties) = @_;
53 foreach my $k (keys %$option_properties) {
54 $properties->{$k} = $option_properties->{$k};
60 sub register_handlers
{
61 my ($class, $rule_env) = @_;
63 $class->register_method({
67 permissions
=> { user
=> 'all' },
68 description
=> "Directory index.",
70 additionalProperties
=> 0,
72 node
=> get_standard_option
('pve-node'),
73 vmid
=> get_standard_option
('pve-vmid'),
82 links
=> [ { rel
=> 'child', href
=> "{name}" } ],
89 { name
=> 'aliases' },
92 { name
=> 'options' },
99 $class->register_method({
100 name
=> 'get_options',
103 description
=> "Get VM firewall options.",
106 check
=> ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
109 additionalProperties
=> 0,
111 node
=> get_standard_option
('pve-node'),
112 vmid
=> get_standard_option
('pve-vmid'),
117 #additionalProperties => 1,
118 properties
=> $option_properties,
123 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
124 my $vmfw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
126 return PVE
::Firewall
::copy_opject_with_digest
($vmfw_conf->{options
});
129 $class->register_method({
130 name
=> 'set_options',
133 description
=> "Set Firewall options.",
137 check
=> ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
140 additionalProperties
=> 0,
141 properties
=> &$add_option_properties({
142 node
=> get_standard_option
('pve-node'),
143 vmid
=> get_standard_option
('pve-vmid'),
145 type
=> 'string', format
=> 'pve-configid-list',
146 description
=> "A list of settings you want to delete.",
149 digest
=> get_standard_option
('pve-config-digest'),
152 returns
=> { type
=> "null" },
157 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
158 my $vmfw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
160 my (undef, $digest) = PVE
::Firewall
::copy_opject_with_digest
($vmfw_conf->{options
});
161 PVE
::Tools
::assert_if_modified
($digest, $param->{digest
});
163 if ($param->{delete}) {
164 foreach my $opt (PVE
::Tools
::split_list
($param->{delete})) {
165 raise_param_exc
({ delete => "no such option '$opt'" })
166 if !$option_properties->{$opt};
167 delete $vmfw_conf->{options
}->{$opt};
171 if (defined($param->{enable
})) {
172 $param->{enable
} = $param->{enable
} ?
1 : 0;
175 foreach my $k (keys %$option_properties) {
176 next if !defined($param->{$k});
177 $vmfw_conf->{options
}->{$k} = $param->{$k};
180 PVE
::Firewall
::save_vmfw_conf
($param->{vmid
}, $vmfw_conf);
185 $class->register_method({
189 description
=> "Read firewall log",
192 check
=> ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
196 additionalProperties
=> 0,
198 node
=> get_standard_option
('pve-node'),
199 vmid
=> get_standard_option
('pve-vmid'),
218 description
=> "Line number",
222 description
=> "Line text",
231 my $rpcenv = PVE
::RPCEnvironment
::get
();
232 my $user = $rpcenv->get_user();
233 my $vmid = $param->{vmid
};
235 my ($count, $lines) = PVE
::Tools
::dump_logfile
("/var/log/pve-firewall.log",
236 $param->{start
}, $param->{limit
},
239 $rpcenv->set_result_attrib('total', $count);
245 $class->register_method({
249 description
=> "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
251 check
=> ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
254 additionalProperties
=> 0,
256 node
=> get_standard_option
('pve-node'),
257 vmid
=> get_standard_option
('pve-vmid'),
259 description
=> "Only list references of specified type.",
261 enum
=> ['alias', 'ipset'],
273 enum
=> ['alias', 'ipset'],
288 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
289 my $fw_conf = PVE
::Firewall
::load_vmfw_conf
($cluster_conf, $rule_env, $param->{vmid
});
294 foreach my $conf (($cluster_conf, $fw_conf)) {
296 if (!$param->{type
} || $param->{type
} eq 'ipset') {
297 foreach my $name (keys %{$conf->{ipset
}}) {
303 if (my $comment = $conf->{ipset_comments
}->{$name}) {
304 $data->{comment
} = $comment;
306 $ipsets->{$name} = $data;
310 if (!$param->{type
} || $param->{type
} eq 'alias') {
311 foreach my $name (keys %{$conf->{aliases
}}) {
312 my $e = $conf->{aliases
}->{$name};
318 $data->{comment
} = $e->{comment
} if $e->{comment
};
319 $aliases->{$name} = $data;
325 foreach my $e (values %$ipsets) { push @$res, $e; };
326 foreach my $e (values %$aliases) { push @$res, $e; };
332 package PVE
::API2
::Firewall
::VM
;
337 use base
qw(PVE::API2::Firewall::VMBase);
339 __PACKAGE__-
>register_method ({
340 subclass
=> "PVE::API2::Firewall::VMRules",
344 __PACKAGE__-
>register_method ({
345 subclass
=> "PVE::API2::Firewall::VMAliases",
349 __PACKAGE__-
>register_method ({
350 subclass
=> "PVE::API2::Firewall::VMIPSetList",
354 __PACKAGE__-
>register_handlers('vm');
356 package PVE
::API2
::Firewall
::CT
;
361 use base
qw(PVE::API2::Firewall::VMBase);
363 __PACKAGE__-
>register_method ({
364 subclass
=> "PVE::API2::Firewall::CTRules",
368 __PACKAGE__-
>register_method ({
369 subclass
=> "PVE::API2::Firewall::CTAliases",
373 __PACKAGE__-
>register_method ({
374 subclass
=> "PVE::API2::Firewall::CTIPSetList",
378 __PACKAGE__-
>register_handlers('vm');