use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;
-
+use PVE::API2::Firewall::Rules;
use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method({
- name => 'list',
+ name => 'list_security_groups',
path => '',
method => 'GET',
description => "List security groups.",
- proxyto => 'node',
parameters => {
additionalProperties => 0,
- properties => {
- node => get_standard_option('pve-node'),
- },
},
returns => {
type => 'array',
items => {
type => "object",
properties => {
- name => {
- description => "Security group name.",
- type => 'string',
- },
+ name => get_standard_option('pve-security-group-name'),
},
},
links => [ { rel => 'child', href => "{name}" } ],
code => sub {
my ($param) = @_;
- my $groups_conf = PVE::Firewall::load_security_groups();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $res = [];
- foreach my $group (keys %{$groups_conf->{rules}}) {
- push @$res, { name => $group, count => scalar(@{$groups_conf->{rules}->{$group}}) };
+ foreach my $group (keys %{$cluster_conf->{groups}}) {
+ push @$res, { name => $group, count => scalar(@{$cluster_conf->{groups}->{$group}}) };
}
return $res;
}});
__PACKAGE__->register_method({
- name => 'get_rules',
- path => '{group}',
- method => 'GET',
- description => "List security groups rules.",
- proxyto => 'node',
+ name => 'create_security_group',
+ path => '',
+ method => 'POST',
+ description => "Create new security group.",
+ protected => 1,
parameters => {
- additionalProperties => 0,
- properties => {
- node => get_standard_option('pve-node'),
- group => {
- description => "Security group name.",
- type => 'string',
- },
- },
- },
- returns => {
- type => 'array',
- items => {
- type => "object",
- properties => {
- pos => {
- type => 'integer',
- }
- },
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-security-group-name'),
+ rename => get_standard_option('pve-security-group-name', {
+ description => "Rename an existing security group.",
+ optional => 1,
+ }),
},
- links => [ { rel => 'child', href => "{pos}" } ],
},
+ returns => { type => 'null' },
code => sub {
my ($param) = @_;
- my $groups_conf = PVE::Firewall::load_security_groups();
-
- my $rules = $groups_conf->{rules}->{$param->{group}};
- die "no such security group\n" if !defined($rules);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my $digest = $groups_conf->{digest};
-
- my $res = [];
-
- my $ind = 0;
- foreach my $rule (@$rules) {
- push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
+ foreach my $name (keys %{$cluster_conf->{groups}}) {
+ raise_param_exc({ name => "Security group '$name' already exists" })
+ if $name eq $param->{name};
}
- return $res;
- }});
-
-__PACKAGE__->register_method({
- name => 'get_rule',
- path => '{group}/{pos}',
- method => 'GET',
- description => "Get single rule data.",
- proxyto => 'node',
- parameters => {
- additionalProperties => 0,
- properties => {
- node => get_standard_option('pve-node'),
- group => {
- description => "Security group name.",
- type => 'string',
- },
- pos => {
- description => "Return rule from position <pos>.",
- type => 'integer',
- minimum => 0,
- },
- },
- },
- returns => {
- type => "object",
- properties => {
- pos => {
- type => 'integer',
- }
- },
- },
- code => sub {
- my ($param) = @_;
-
- my $groups_conf = PVE::Firewall::load_security_groups();
-
- my $rules = $groups_conf->{rules}->{$param->{group}};
- die "no such security group\n" if !defined($rules);
+ if ($param->{rename}) {
+ raise_param_exc({ name => "Security group '$param->{rename}' does not exists" })
+ if !$cluster_conf->{groups}->{$param->{rename}};
+ my $data = delete $cluster_conf->{groups}->{$param->{rename}};
+ $cluster_conf->{groups}->{$param->{name}} = $data;
+ } else {
+ $cluster_conf->{groups}->{$param->{name}} = [];
+ }
- my $digest = $groups_conf->{digest};
- # fixme: check digest
-
- die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
- my $rule = $rules->[$param->{pos}];
-
- return PVE::Firewall::cleanup_fw_rule($rule, $digest, $param->{pos});
- }});
-
-
-__PACKAGE__->register_method({
- name => 'create_rule',
- path => '{group}',
- method => 'POST',
- description => "Create new rule.",
- proxyto => 'node',
- protected => 1,
- parameters => {
- additionalProperties => 0,
- properties => PVE::Firewall::add_rule_properties({
- node => get_standard_option('pve-node'),
- group => {
- description => "Security group name.",
- type => 'string',
- },
- }),
- },
- returns => { type => "null" },
- code => sub {
- my ($param) = @_;
-
- my $groups_conf = PVE::Firewall::load_security_groups();
-
- my $rules = $groups_conf->{rules}->{$param->{group}};
- die "no such security group\n" if !defined($rules);
-
- my $digest = $groups_conf->{digest};
-
- my $rule = { type => 'out', action => 'ACCEPT', enable => 0};
-
- PVE::Firewall::copy_rule_data($rule, $param);
-
- unshift @$rules, $rule;
-
- PVE::Firewall::save_security_groups($groups_conf);
-
return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'update_rule',
- path => '{group}/{pos}',
- method => 'PUT',
- description => "Modify rule data.",
- proxyto => 'node',
- protected => 1,
- parameters => {
- additionalProperties => 0,
- properties => PVE::Firewall::add_rule_properties({
- node => get_standard_option('pve-node'),
- group => {
- description => "Security group name.",
- type => 'string',
- },
- moveto => {
- description => "Move rule to new position <moveto>.",
- type => 'integer',
- minimum => 0,
- optional => 1,
- },
- }),
- },
- returns => { type => "null" },
- code => sub {
- my ($param) = @_;
-
- my $groups_conf = PVE::Firewall::load_security_groups();
-
- my $rules = $groups_conf->{rules}->{$param->{group}};
- die "no such security group\n" if !defined($rules);
-
- my $digest = $groups_conf->{digest};
- # fixme: check digest
-
- die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-
- my $rule = $rules->[$param->{pos}];
-
- PVE::Firewall::copy_rule_data($rule, $param);
-
- my $moveto = $param->{moveto};
- if (defined($moveto) && $moveto != $param->{pos}) {
- my $newrules = [];
- for (my $i = 0; $i < scalar(@$rules); $i++) {
- next if $i == $param->{pos};
- if ($i == $moveto) {
- push @$newrules, $rule;
- }
- push @$newrules, $rules->[$i];
- }
- push @$newrules, $rule if $moveto >= scalar(@$rules);
-
- $groups_conf->{rules}->{$param->{group}} = $newrules;
- }
+ }});
- PVE::Firewall::save_security_groups($groups_conf);
-
- return undef;
- }});
__PACKAGE__->register_method({
- name => 'delete_rule',
- path => '{group}/{pos}',
+ name => 'delete_security_group',
+ path => '{name}',
method => 'DELETE',
- description => "Delete rule.",
- proxyto => 'node',
+ description => "Delete security group.",
protected => 1,
parameters => {
- additionalProperties => 0,
- properties => {
- node => get_standard_option('pve-node'),
- group => {
- description => "Security group name.",
- type => 'string',
- },
- pos => {
- description => "Delete rule at position <pos>.",
- type => 'integer',
- minimum => 0,
- },
- },
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-security-group-name'),
+ }
},
- returns => { type => "null" },
+ returns => { type => 'null' },
code => sub {
my ($param) = @_;
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my $groups_conf = PVE::Firewall::load_security_groups();
+ return undef if !$cluster_conf->{groups}->{$param->{name}};
- my $rules = $groups_conf->{rules}->{$param->{group}};
- die "no such security group\n" if !defined($rules);
+ die "Security group '$param->{name}' is not empty\n"
+ if scalar(@{$cluster_conf->{groups}->{$param->{name}}});
- my $digest = $groups_conf->{digest};
- # fixme: check digest
-
- die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-
- splice(@$rules, $param->{pos}, 1);
+ delete $cluster_conf->{groups}->{$param->{name}};
- PVE::Firewall::save_security_groups($groups_conf);
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
return undef;
- }});
+ }});
+
+__PACKAGE__->register_method ({
+ subclass => "PVE::API2::Firewall::GroupRules",
+ path => '{group}',
+});
1;
projects / pve-firewall.git / blobdiff