]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/VM.pm
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add remaining options to VM API
[pve-firewall.git] / src / PVE / API2 / Firewall / VM.pm
1 package PVE::API2::Firewall::VM;
2
3 use strict;
4 use warnings;
5 use PVE::JSONSchema qw(get_standard_option);
6 use PVE::Cluster;
7 use PVE::Firewall;
8 use PVE::API2::Firewall::Rules;
9
10 use Data::Dumper; # fixme: remove
11
12 use base qw(PVE::RESTHandler);
13
14 __PACKAGE__->register_method ({
15 subclass => "PVE::API2::Firewall::VMRules",
16 path => 'rules',
17 });
18
19 __PACKAGE__->register_method({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 permissions => { user => 'all' },
24 description => "Directory index.",
25 parameters => {
26 additionalProperties => 0,
27 properties => {
28 node => get_standard_option('pve-node'),
29 vmid => get_standard_option('pve-vmid'),
30 },
31 },
32 returns => {
33 type => 'array',
34 items => {
35 type => "object",
36 properties => {},
37 },
38 links => [ { rel => 'child', href => "{name}" } ],
39 },
40 code => sub {
41 my ($param) = @_;
42
43 my $result = [
44 { name => 'rules' },
45 { name => 'options' },
46 ];
47
48 return $result;
49 }});
50
51 my $option_properties = {
52 enable => {
53 description => "Enable host firewall rules.",
54 type => 'boolean',
55 optional => 1,
56 },
57 macfilter => {
58 description => "Enable/disable MAC address filter.",
59 type => 'boolean',
60 optional => 1,
61 },
62 dhcp => {
63 description => "Enable DHCP.",
64 type => 'boolean',
65 optional => 1,
66 },
67 policy_in => {
68 description => "Input policy.",
69 type => 'string',
70 optional => 1,
71 enum => ['ACCEPT', 'REJECT', 'DROP'],
72 },
73 policy_out => {
74 description => "Output policy.",
75 type => 'string',
76 optional => 1,
77 enum => ['ACCEPT', 'REJECT', 'DROP'],
78 },
79 log_level_in => get_standard_option('pve-fw-loglevel', {
80 description => "Log level for incoming traffic." }),
81 log_level_out => get_standard_option('pve-fw-loglevel', {
82 description => "Log level for outgoing traffic." }),
83
84 };
85
86 my $add_option_properties = sub {
87 my ($properties) = @_;
88
89 foreach my $k (keys %$option_properties) {
90 $properties->{$k} = $option_properties->{$k};
91 }
92
93 return $properties;
94 };
95 __PACKAGE__->register_method({
96 name => 'get_options',
97 path => 'options',
98 method => 'GET',
99 description => "Get VM firewall options.",
100 proxyto => 'node',
101 parameters => {
102 additionalProperties => 0,
103 properties => {
104 node => get_standard_option('pve-node'),
105 vmid => get_standard_option('pve-vmid'),
106 },
107 },
108 returns => {
109 type => "object",
110 #additionalProperties => 1,
111 properties => $option_properties,
112 },
113 code => sub {
114 my ($param) = @_;
115
116 my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
117
118 return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
119 }});
120
121 __PACKAGE__->register_method({
122 name => 'set_options',
123 path => 'options',
124 method => 'PUT',
125 description => "Set Firewall options.",
126 protected => 1,
127 proxyto => 'node',
128 parameters => {
129 additionalProperties => 0,
130 properties => &$add_option_properties({
131 node => get_standard_option('pve-node'),
132 vmid => get_standard_option('pve-vmid'),
133 delete => {
134 type => 'string', format => 'pve-configid-list',
135 description => "A list of settings you want to delete.",
136 optional => 1,
137 },
138 digest => get_standard_option('pve-config-digest'),
139 }),
140 },
141 returns => { type => "null" },
142 code => sub {
143 my ($param) = @_;
144
145 my $vmfw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
146
147 my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
148 PVE::Tools::assert_if_modified($digest, $param->{digest});
149
150 if ($param->{delete}) {
151 foreach my $opt (PVE::Tools::split_list($param->{delete})) {
152 raise_param_exc({ delete => "no such option '$opt'" })
153 if !$option_properties->{$opt};
154 delete $vmfw_conf->{options}->{$opt};
155 }
156 }
157
158 if (defined($param->{enable})) {
159 $param->{enable} = $param->{enable} ? 1 : 0;
160 }
161
162 foreach my $k (keys %$option_properties) {
163 next if !defined($param->{$k});
164 $vmfw_conf->{options}->{$k} = $param->{$k};
165 }
166
167 PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
168
169 return undef;
170 }});
171
172 __PACKAGE__->register_method({
173 name => 'log',
174 path => 'log',
175 method => 'GET',
176 description => "Read firewall log",
177 proxyto => 'node',
178 permissions => {
179 check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
180 },
181 protected => 1,
182 parameters => {
183 additionalProperties => 0,
184 properties => {
185 node => get_standard_option('pve-node'),
186 vmid => get_standard_option('pve-vmid'),
187 start => {
188 type => 'integer',
189 minimum => 0,
190 optional => 1,
191 },
192 limit => {
193 type => 'integer',
194 minimum => 0,
195 optional => 1,
196 },
197 },
198 },
199 returns => {
200 type => 'array',
201 items => {
202 type => "object",
203 properties => {
204 n => {
205 description=> "Line number",
206 type=> 'integer',
207 },
208 t => {
209 description=> "Line text",
210 type => 'string',
211 }
212 }
213 }
214 },
215 code => sub {
216 my ($param) = @_;
217
218 my $rpcenv = PVE::RPCEnvironment::get();
219 my $user = $rpcenv->get_user();
220 my $vmid = $param->{vmid};
221
222 my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
223 $param->{start}, $param->{limit},
224 "^$vmid ");
225
226 $rpcenv->set_result_attrib('total', $count);
227
228 return $lines;
229 }});
230
231 1;
Firewall test scripts