#fixme: locking?
-use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
return $result;
}});
-my $option_properties = {
- enable => {
- type => 'integer',
- minimum => 0,
- optional => 1,
- },
- policy_in => {
- description => "Input policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
- policy_out => {
- description => "Output policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
-};
+my $option_properties = $PVE::Firewall::cluster_option_properties;
my $add_option_properties = sub {
my ($properties) = @_;
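Review bot: `$option_properties` is now an alias of the shared `$PVE::Firewall::cluster_option_properties` hash rather than a local definition, and nothing on the assignment says that this hash is the allow-list for the update handler. Every key defined there becomes both settable and deletable through the `delete` check and the `keys %$option_properties` loop further down, so an option added to the shared schema for another purpose is exposed by this API without any change in this file. A comment on the assignment would make that visible, for example `# shared schema: every key here is settable and deletable via the cluster options API`. Whether the shared definition keeps the removed constraints (`minimum => 0` on `enable`, the `ACCEPT`/`REJECT`/`DROP` enums) cannot be seen from this hunk and should be confirmed, since the later `$param->{enable} > 1` comparison relies on the integer validation. `$add_option_properties` starts in this hunk and its body continues outside it.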
code => sub {
my ($param) = @_;
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ PVE::Firewall::lock_clusterfw_conf(10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $cluster_conf->{options}->{$opt};
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $cluster_conf->{options}->{$opt};
+ }
}
- }
- if (defined($param->{enable}) && ($param->{enable} > 1)) {
- $param->{enable} = time();
- }
+ if (defined($param->{enable}) && ($param->{enable} > 1)) {
+ $param->{enable} = time();
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $cluster_conf->{options}->{$k} = $param->{$k};
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $cluster_conf->{options}->{$k} = $param->{$k};
+ }
- PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ });
# instant firewall update when using double (anti-lockout) API call
# -> not waiting for a firewall update at the first (timestamp enable) set
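Review bot: The result of `PVE::Firewall::lock_clusterfw_conf(10, sub { ... })` is discarded and nothing after `});` checks whether the lock was obtained, so correctness depends on that helper dying on a timeout or on an error raised inside the callback. Its definition is not part of this hunk; if it reports failure through `$@` or a return value instead, the handler would continue to the instant-update code after an unsaved change and answer as if it had succeeded. It is also worth confirming that the exceptions thrown by `raise_param_exc` and `PVE::Tools::assert_if_modified` inside the callback reach the client unchanged rather than as a generic lock error, because the digest check is what rejects stale writes. I would add a comment above the call such as `# lock_clusterfw_conf dies on timeout or callback error; digest check and save must stay inside the lock`. The enclosing `code => sub` starts before the changed lines and continues past the end of the hunk.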