use base qw(PVE::RESTHandler);
-my $api_properties = {
+my $api_properties = {
cidr => {
description => "Network/IP specification in CIDR format.",
- type => 'string', format => 'IPv4orCIDRorAlias',
+ type => 'string', format => 'IPorCIDRorAlias',
},
name => get_standard_option('ipset-name'),
comment => {
},
};
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ die "implement this in subclass";
+}
+
sub load_config {
my ($class, $param) = @_;
die "implement this in subclass";
}
+sub rule_env {
+ my ($class, $param) = @_;
+
+ die "implement this in subclass";
+}
+
sub save_ipset {
my ($class, $param, $fw_conf, $ipset) = @_;
path => '',
method => 'GET',
description => "List IPSet content",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
type => 'boolean',
optional => 1,
},
- digest => get_standard_option('pve-config-digest', { optional => 0} ),
+ digest => get_standard_option('pve-config-digest', { optional => 0} ),
},
},
links => [ { rel => 'child', href => "{cidr}" } ],
method => 'DELETE',
description => "Delete IPSet",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
returns => { type => 'null' },
code => sub {
my ($param) = @_;
-
+
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
- die "IPSet '$param->{name}' is not empty\n"
+ die "IPSet '$param->{name}' is not empty\n"
if scalar(@$ipset);
$class->save_ipset($param, $fw_conf, undef);
method => 'POST',
description => "Add IP or Network to IPSet.",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
my $cidr = $param->{cidr};
-
+
foreach my $entry (@$ipset) {
- raise_param_exc({ cidr => "address '$cidr' already exists" })
+ raise_param_exc({ cidr => "address '$cidr' already exists" })
if $entry->{cidr} eq $cidr;
}
+ raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
+ if $cidr =~ m!/0+$!;
+
# make sure alias exists (if $cidr is an alias)
- PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr);
+ PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
+ if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
my $data = { cidr => $cidr };
$properties->{name} = $api_properties->{name};
$properties->{cidr} = $api_properties->{cidr};
-
+
$class->register_method({
name => 'read_ip',
path => '{cidr}',
method => 'GET',
description => "Read IP or Network settings from IPSet.",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
protected => 1,
parameters => {
additionalProperties => 0,
method => 'PUT',
description => "Update IP or Network settings",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'DELETE',
description => "Remove IP or Network from IPSet.",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
PVE::Tools::assert_if_modified($digest, $param->{digest});
my $new = [];
-
+
foreach my $entry (@$ipset) {
push @$new, $entry if $entry->{cidr} ne $param->{cidr};
}
$class->save_ipset($param, $fw_conf, $new);
-
+
return undef;
}});
}
use base qw(PVE::API2::Firewall::IPSetBase);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'cluster';
+}
+
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
use base qw(PVE::API2::Firewall::IPSetBase);
-__PACKAGE__->additional_parameters({
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'vm';
+}
+
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
use base qw(PVE::API2::Firewall::IPSetBase);
-__PACKAGE__->additional_parameters({
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'ct';
+}
+
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
use base qw(PVE::RESTHandler);
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ die "implement this in subclass";
+}
+
sub load_config {
my ($class, $param) = @_;
-
+
die "implement this in subclass";
#return ($cluster_conf, $fw_conf);
die "implement this in subclass";
}
+sub rule_env {
+ my ($class, $param) = @_;
+
+ die "implement this in subclass";
+}
+
my $additional_param_hash_list = {};
sub additional_parameters {
my ($fw_conf) = @_;
my $res = [];
- foreach my $name (keys %{$fw_conf->{ipset}}) {
- my $data = {
+ foreach my $name (sort keys %{$fw_conf->{ipset}}) {
+ my $data = {
name => $name,
};
if (my $comment = $fw_conf->{ipset_comments}->{$name}) {
path => '',
method => 'GET',
description => "List IPSets",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
type => 'array',
items => {
type => "object",
- properties => {
+ properties => {
name => get_standard_option('ipset-name'),
digest => get_standard_option('pve-config-digest', { optional => 0} ),
- comment => {
+ comment => {
type => 'string',
optional => 1,
}
},
code => sub {
my ($param) = @_;
-
+
my ($cluster_conf, $fw_conf) = $class->load_config($param);
- return &$get_ipset_list($fw_conf);
+ return &$get_ipset_list($fw_conf);
}});
}
method => 'POST',
description => "Create new IPSet",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
returns => { type => 'null' },
code => sub {
my ($param) = @_;
-
+
my ($cluster_conf, $fw_conf) = $class->load_config($param);
if ($param->{rename}) {
my (undef, $digest) = &$get_ipset_list($fw_conf);
PVE::Tools::assert_if_modified($digest, $param->{digest});
- raise_param_exc({ name => "IPSet '$param->{rename}' does not exists" })
+ raise_param_exc({ name => "IPSet '$param->{rename}' does not exist" })
if !$fw_conf->{ipset}->{$param->{rename}};
+ # prevent overwriting existing ipset
+ raise_param_exc({ name => "IPSet '$param->{name}' does already exist"})
+ if $fw_conf->{ipset}->{$param->{name}} &&
+ $param->{name} ne $param->{rename};
+
my $data = delete $fw_conf->{ipset}->{$param->{rename}};
$fw_conf->{ipset}->{$param->{name}} = $data;
if (my $comment = delete $fw_conf->{ipset_comments}->{$param->{rename}}) {
$fw_conf->{ipset_comments}->{$param->{name}} = $comment;
}
$fw_conf->{ipset_comments}->{$param->{name}} = $param->{comment} if defined($param->{comment});
- } else {
+ } else {
foreach my $name (keys %{$fw_conf->{ipset}}) {
- raise_param_exc({ name => "IPSet '$name' already exists" })
+ raise_param_exc({ name => "IPSet '$name' already exists" })
if $name eq $param->{name};
}
use base qw(PVE::API2::Firewall::BaseIPSetList);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'cluster';
+}
+
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_clusterfw_conf(10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
-
+
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
return (undef, $cluster_conf);
}
__PACKAGE__->register_handlers();
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::ClusterIPset",
+ subclass => "PVE::API2::Firewall::ClusterIPset",
path => '{name}',
- # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
- fragmentDelimiter => '',
+ # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
+ fragmentDelimiter => '',
});
package PVE::API2::Firewall::VMIPSetList;
use base qw(PVE::API2::Firewall::BaseIPSetList);
-__PACKAGE__->additional_parameters({
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'vm';
+}
+
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
-
+
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
return ($cluster_conf, $fw_conf);
__PACKAGE__->register_handlers();
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::VMIPset",
+ subclass => "PVE::API2::Firewall::VMIPset",
path => '{name}',
- # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
- fragmentDelimiter => '',
+ # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
+ fragmentDelimiter => '',
});
package PVE::API2::Firewall::CTIPSetList;
use base qw(PVE::API2::Firewall::BaseIPSetList);
-__PACKAGE__->additional_parameters({
+__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
- vmid => get_standard_option('pve-vmid'),
+ vmid => get_standard_option('pve-vmid'),
});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'ct';
+}
+
+sub lock_config {
+ my ($class, $param, $code) = @_;
+
+ PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, $code, $param);
+}
+
sub load_config {
my ($class, $param) = @_;
-
+
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
return ($cluster_conf, $fw_conf);
__PACKAGE__->register_handlers();
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::CTIPset",
+ subclass => "PVE::API2::Firewall::CTIPset",
path => '{name}',
- # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
- fragmentDelimiter => '',
+ # set fragment delimiter (no subdirs) - we need that, because CIDR address contain a slash '/'
+ fragmentDelimiter => '',
});
1;
projects / pve-firewall.git / blobdiff