start cluster wide firewall API

[pve-firewall.git] / src / PVE / API2 / Firewall / Groups.pm

diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index 9ce6ce775ea971bd5f45c7c44f9a08ddc96f3ad8..6a07fd09d1a294c96deff43075ad937d4feab9d2 100644 (file)
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -16,12 +16,8 @@ __PACKAGE__->register_method({
     path => '',
     method => 'GET',
     description => "List security groups.",
-    proxyto => 'node',
     parameters => {
        additionalProperties => 0,
-       properties => {
-           node => get_standard_option('pve-node'),
-       },
     },
     returns => {
        type => 'array',
@@ -39,11 +35,11 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
        my $res = [];
-       foreach my $group (keys %{$groups_conf->{rules}}) {
-           push @$res, { name => $group, count => scalar(@{$groups_conf->{rules}->{$group}}) };
+       foreach my $group (keys %{$cluster_conf->{groups}}) {
+           push @$res, { name => $group, count => scalar(@{$cluster_conf->{groups}->{$group}}) };
        }
 
        return $res;
@@ -54,11 +50,9 @@ __PACKAGE__->register_method({
     path => '{group}',
     method => 'GET',
     description => "List security groups rules.",
-    proxyto => 'node',
     parameters => {
        additionalProperties => 0,
        properties => {
-           node => get_standard_option('pve-node'),
            group => {
                description => "Security group name.",
                type => 'string',
@@ -80,12 +74,12 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
+       my $rules = $cluster_conf->{groups}->{$param->{group}};
        die "no such security group\n" if !defined($rules);
 
-       my $digest = $groups_conf->{digest};
+       my $digest = $cluster_conf->{digest};
 
        my $res = [];
 
@@ -102,11 +96,9 @@ __PACKAGE__->register_method({
     path => '{group}/{pos}',
     method => 'GET',
     description => "Get single rule data.",
-    proxyto => 'node',
     parameters => {
        additionalProperties => 0,
        properties => {
-           node => get_standard_option('pve-node'),
            group => {
                description => "Security group name.",
                type => 'string',
@@ -129,12 +121,12 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
+       my $rules = $cluster_conf->{groups}->{$param->{group}};
        die "no such security group\n" if !defined($rules);
 
-       my $digest = $groups_conf->{digest};
+       my $digest = $cluster_conf->{digest};
        # fixme: check digest
        
        die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
@@ -150,12 +142,10 @@ __PACKAGE__->register_method({
     path => '{group}',
     method => 'POST',
     description => "Create new rule.",
-    proxyto => 'node',
     protected => 1,
     parameters => {
        additionalProperties => 0,
        properties => PVE::Firewall::add_rule_properties({
-           node => get_standard_option('pve-node'),
            group => {
                description => "Security group name.",
                type => 'string',
@@ -166,12 +156,12 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
+       my $rules = $cluster_conf->{groups}->{$param->{group}};
        die "no such security group\n" if !defined($rules);
 
-       my $digest = $groups_conf->{digest};
+       my $digest = $cluster_conf->{digest};
                
        my $rule = { type => 'out', action => 'ACCEPT', enable => 0};
 
@@ -179,7 +169,7 @@ __PACKAGE__->register_method({
 
        unshift @$rules, $rule;
 
-       PVE::Firewall::save_security_groups($groups_conf);
+       PVE::Firewall::save_clusterfw_conf($cluster_conf);
 
        return undef;
    }});
@@ -189,18 +179,16 @@ __PACKAGE__->register_method({
     path => '{group}/{pos}',
     method => 'PUT',
     description => "Modify rule data.",
-    proxyto => 'node',
     protected => 1,
     parameters => {
        additionalProperties => 0,
        properties => PVE::Firewall::add_rule_properties({
-           node => get_standard_option('pve-node'),
            group => {
                description => "Security group name.",
                type => 'string',
            },
            moveto => {
-               description => "Move rule to new position <moveto>.",
+               description => "Move rule to new position <moveto>. Other arguments are ignored.",
                type => 'integer',
                minimum => 0,
                optional => 1,
@@ -211,20 +199,18 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
+       my $rules = $cluster_conf->{groups}->{$param->{group}};
        die "no such security group\n" if !defined($rules);
 
-       my $digest = $groups_conf->{digest};
+       my $digest = $cluster_conf->{digest};
        # fixme: check digest
        
        die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
        
        my $rule = $rules->[$param->{pos}];
 
-       PVE::Firewall::copy_rule_data($rule, $param);
- 
        my $moveto = $param->{moveto};
        if (defined($moveto) && $moveto != $param->{pos}) {
            my $newrules = [];
@@ -237,10 +223,12 @@ __PACKAGE__->register_method({
            }
            push @$newrules, $rule if $moveto >= scalar(@$rules);
 
-           $groups_conf->{rules}->{$param->{group}} = $newrules;
-       }           
+           $cluster_conf->{groups}->{$param->{group}} = $newrules;
+       } else {
+           PVE::Firewall::copy_rule_data($rule, $param);
+       }
 
-       PVE::Firewall::save_security_groups($groups_conf);
+       PVE::Firewall::save_clusterfw_conf($cluster_conf);
 
        return undef;
    }});
@@ -250,12 +238,10 @@ __PACKAGE__->register_method({
     path => '{group}/{pos}',
     method => 'DELETE',
     description => "Delete rule.",
-    proxyto => 'node',
     protected => 1,
     parameters => {
        additionalProperties => 0,
        properties => {
-           node => get_standard_option('pve-node'),
            group => {
                description => "Security group name.",
                type => 'string',
@@ -271,19 +257,19 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
+       my $rules = $cluster_conf->{groups}->{$param->{group}};
        die "no such security group\n" if !defined($rules);
 
-       my $digest = $groups_conf->{digest};
+       my $digest = $cluster_conf->{digest};
        # fixme: check digest
        
        die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
        
        splice(@$rules, $param->{pos}, 1);
 
-       PVE::Firewall::save_security_groups($groups_conf);
+       PVE::Firewall::save_clusterfw_conf($cluster_conf);
 
        return undef;
    }});