use strict;
use warnings;
+
+use PVE::Exception qw(raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);
use PVE::RPCEnvironment;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
-use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::HostRules",
+ subclass => "PVE::API2::Firewall::HostRules",
path => 'rules',
});
return $result;
}});
-my $option_properties = {
- enable => {
- description => "Enable host firewall rules.",
- type => 'boolean',
- optional => 1,
- },
- log_level_in => get_standard_option('pve-fw-loglevel', {
- description => "Log level for incoming traffic." }),
- log_level_out => get_standard_option('pve-fw-loglevel', {
- description => "Log level for outgoing traffic." }),
- tcp_flags_log_level => get_standard_option('pve-fw-loglevel', {
- description => "Log level for illegal tcp flags filter." }),
- smurf_log_level => get_standard_option('pve-fw-loglevel', {
- description => "Log level for SMURFS filter." }),
- nosmurfs => {
- description => "Enable SMURFS filter.",
- type => 'boolean',
- optional => 1,
- },
- tcpflags => {
- description => "Filter illegal combinations of TCP flags.",
- type => 'boolean',
- optional => 1,
- },
- allow_bridge_route => {
- description => "Enable firewall when bridges contains IP address. The firewall is not fully functional in that case, so you need to enable that explicitly",
- type => 'boolean',
- optional => 1,
- },
- optimize => {
- description => "Allow rules processing speed optimizations.",
- type => 'boolean',
- optional => 1,
- },
- nf_conntrack_max => {
- description => "Maximum number of tracked connections.",
- type => 'integer',
- optional => 1,
- minimum => 32768,
- },
- nf_conntrack_tcp_timeout_established => {
- description => "Conntrack established timeout.",
- type => 'integer',
- optional => 1,
- minimum => 7875,
- }
-};
+my $option_properties = $PVE::Firewall::host_option_properties;
my $add_option_properties = sub {
my ($properties) = @_;
foreach my $k (keys %$option_properties) {
$properties->{$k} = $option_properties->{$k};
}
-
+
return $properties;
};
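Review bot: The option schema is now aliased from `$PVE::Firewall::host_option_properties`, so the constraints that used to be readable here (types, the `nf_conntrack_max` and `nf_conntrack_tcp_timeout_established` minimums) are no longer visible at the point where `$add_option_properties` installs them into the PUT parameter schema and where the `delete` loop consults them. A one-line comment above the assignment would preserve that context for the next reader, e.g. `# schema shared with PVE::Firewall so API validation and config parsing cannot drift`. Note that `$add_option_properties` copies the per-option hashrefs by reference, so the method schema shares them with the PVE::Firewall package variable rather than owning a copy; presumably nothing mutates them after registration, but it is worth confirming.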
method => 'GET',
description => "Get host firewall options.",
proxyto => 'node',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
code => sub {
my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
}});
description => "Set Firewall options.",
protected => 1,
proxyto => 'node',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
parameters => {
additionalProperties => 0,
properties => &$add_option_properties({
code => sub {
my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ PVE::Firewall::lock_hostfw_conf(undef, 10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $hostfw_conf->{options}->{$opt};
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $hostfw_conf->{options}->{$opt};
+ }
}
- }
- if (defined($param->{enable})) {
- $param->{enable} = $param->{enable} ? 1 : 0;
- }
+ if (defined($param->{enable})) {
+ $param->{enable} = $param->{enable} ? 1 : 0;
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $hostfw_conf->{options}->{$k} = $param->{$k};
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $hostfw_conf->{options}->{$k} = $param->{$k};
+ }
- PVE::Firewall::save_hostfw_conf($hostfw_conf);
+ PVE::Firewall::save_hostfw_conf($hostfw_conf);
+ });
return undef;
}});
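Review bot: Whether the `raise_param_exc` for an unknown `delete` option and the `assert_if_modified` digest check actually reach the client now depends on `lock_hostfw_conf` re-throwing exceptions from its callback; if it follows the `PVE::Tools::lock_file` convention of leaving the error in `$@` instead, the handler falls through to `return undef;` and reports success even though nothing was saved. Please confirm the behaviour in PVE::Firewall, and if it does not re-raise, add `die $@ if $@;` directly after the closing `});` of the lock call. With the lock in place the load-check-save sequence is no longer racy, which is the point of the change; a short comment above `lock_hostfw_conf` saying so (`# lock so the digest check and the save see the same on-disk config`) would explain the nesting to readers.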
__PACKAGE__->register_method({
- name => 'log',
- path => 'log',
+ name => 'log',
+ path => 'log',
method => 'GET',
description => "Read firewall log",
proxyto => 'node',
minimum => 0,
optional => 1,
},
+ since => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log since this UNIX epoch.",
+ optional => 1,
+ },
+ until => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log until this UNIX epoch.",
+ optional => 1,
+ },
},
},
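Review bot: The first part of this change adds an explicit `Sys.Audit` check to the options GET and `Sys.Modify` to the PUT, but the `log` method shows no `permissions` block in the visible lines; if the rest of its definition (outside this hunk) has none, it should get the same `permissions => { check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]] }` as the options GET, since the firewall log exposes traffic details for the whole node. The new `since`/`until` parameters are not checked for ordering, so `since > until` silently yields an empty result rather than a parameter error; if that should be rejected, `raise_param_exc({ until => "must not be smaller than 'since'" }) if defined($param->{since}) && defined($param->{until}) && $param->{until} < $param->{since};` in the handler would do it. The descriptions should also state whether the bounds are inclusive, e.g. `"Display log since this UNIX epoch (inclusive)."`, so that callers paging by timestamp know what to pass.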
returns => {
type => 'array',
- items => {
+ items => {
type => "object",
properties => {
n => {
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
my $node = $param->{node};
+ my $filename = "/var/log/pve-firewall.log";
- my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", $param->{start}, $param->{limit});
+ my ($count, $lines) = PVE::Firewall::Helpers::dump_fw_logfile(
+ $filename, $param, undef);
$rpcenv->set_result_attrib('total', $count);
-
- return $lines;
+
+ return $lines;
}});
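Review bot: The bare `undef` passed as the third argument of `dump_fw_logfile` tells the reader nothing about what is being left out; a trailing comment naming that parameter as it is declared in `PVE::Firewall::Helpers::dump_fw_logfile` (I cannot see its signature here) would make the call self-explanatory. The rewritten handler also leaves `$user` and `$node` assigned but unused in the lines above, which the old `dump_logfile` call did not use either; since this hunk replaces the only consumer of the log-reading logic, dropping those two assignments (keeping `$rpcenv` for `set_result_attrib`) would remove the dead locals. Passing the whole `$param` hash through is presumably intended so the helper picks `start`/`limit`/`since`/`until` itself; a short comment saying so would stop the next maintainer from wondering which keys the helper reads.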
1;