bump version to 5.0.7

[pve-firewall.git] / src / PVE / API2 / Firewall / IPSet.pm

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 913dd86b4c58f83cfd711c0dbba32e7b2037fb4f..ed92d877ee0685726f69fc5f807c3a316a925dbe 100644 (file)
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -132,6 +132,11 @@ sub register_delete_ipset {
     my $properties = $class->additional_parameters();
 
     $properties->{name} = get_standard_option('ipset-name');
+    $properties->{force} = {
+       type => 'boolean',
+       optional => 1,
+       description => 'Delete all members of the IPSet, if there are any.',
+    };
 
     $class->register_method({
        name => 'delete_ipset',
@@ -154,7 +159,7 @@ sub register_delete_ipset {
                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
 
                die "IPSet '$param->{name}' is not empty\n"
-                   if scalar(@$ipset);
+                   if scalar(@$ipset) && !$param->{force};
 
                $class->save_ipset($param, $fw_conf, undef);
 
@@ -195,6 +200,16 @@ sub register_create_ip {
                my ($cluster_conf, $fw_conf, $ipset) = $class->load_config($param);
 
                my $cidr = $param->{cidr};
+               if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
+                   my $scope = $1 // "";
+                   my $alias = $2;
+                   # make sure alias exists (if $cidr is an alias)
+                   PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
+               } else {
+                   $cidr = PVE::Firewall::clean_cidr($cidr);
+                   # normalize like config parser, otherwise duplicates might slip through
+                   $cidr = PVE::Firewall::parse_ip_or_cidr($cidr);
+               }
 
                foreach my $entry (@$ipset) {
                    raise_param_exc({ cidr => "address '$cidr' already exists" })
@@ -204,9 +219,6 @@ sub register_create_ip {
                raise_param_exc({ cidr => "a zero prefix is not allowed in ipset entries" })
                    if $cidr =~ m!/0+$!;
 
-               # make sure alias exists (if $cidr is an alias)
-               PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $cidr)
-                   if $cidr =~ m/^${PVE::Firewall::ip_alias_pattern}$/;
 
                my $data = { cidr => $cidr };