fix: #2123 Logging of user defined firewall rules
index fba5c1037be5a46ceadaab1f118f61468de9096e..f0bc562a9037cf7057c919355659b1f7c55cecd1 100644 (file)
@@ -58,15 +58,19 @@ sub register_get_rules {
 
     my $properties = $class->additional_parameters();
 
+    my $rule_env = $class->rule_env();
+
     $class->register_method({
        name => 'get_rules',
        path => '',
        method => 'GET',
        description => "List rules.",
+       permissions => PVE::Firewall::rules_audit_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
+       proxyto => $rule_env eq 'host' ? 'node' : undef,
        returns => {
            type => 'array',
            items => {
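Review bot: The `proxyto => $rule_env eq 'host' ? 'node' : undef` ternary and the `permissions => PVE::Firewall::rules_*_permissions($rule_env)` pair are added verbatim in register_get_rules here and again in the register_get_rule, register_create_rule, register_update_rule and register_delete_rule hunks, so the "only host rules are proxied to the node" policy now lives in five places. A small private helper in the base class, e.g. `proxyto => $class->_proxyto_for($rule_env),` backed by `sub _proxyto_for { my ($class, $rule_env) = @_; return $rule_env eq 'host' ? 'node' : undef; }`, keeps it in one spot. Note also that `$rule_env` is resolved once at registration time by calling `rule_env()` without the `$param` argument its signature accepts (visible in the last hunk), so the environment must be static per subclass rather than request-dependent — presumably the case for the group/cluster/host classes, but worth a comment such as `# rule_env is fixed per subclass; resolved once at registration, not per request`. register_get_rules begins before and ends after this hunk.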
@@ -102,21 +106,74 @@ sub register_get_rule {
 
     $properties->{pos} = $api_properties->{pos};
     
+    my $rule_env = $class->rule_env();
+
     $class->register_method({
        name => 'get_rule',
        path => '{pos}',
        method => 'GET',
        description => "Get single rule data.",
+       permissions => PVE::Firewall::rules_audit_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
+       proxyto => $rule_env eq 'host' ? 'node' : undef,
        returns => {
            type => "object",
            properties => {
+               action => {
+                   type => 'string',
+               },
+               comment => {
+                   type => 'string',
+                   optional => 1,
+               },
+               dest => {
+                   type => 'string',
+                   optional => 1,
+               },
+               dport => {
+                   type => 'string',
+                   optional => 1,
+               },
+               enable => {
+                   type => 'integer',
+                   optional => 1,
+               },
+               log => PVE::Firewall::get_standard_option('pve-fw-loglevel', {
+                   description => 'Log level for firewall rule',
+               }),
+               iface => {
+                   type => 'string',
+                   optional => 1,
+               },
+               ipversion => {
+                   type => 'integer',
+                   optional => 1,
+               },
+               macro => {
+                   type => 'string',
+                   optional => 1,
+               },
                pos => {
                    type => 'integer',
-               }
+               },
+               proto => {
+                   type => 'string',
+                   optional => 1,
+               },
+               source => {
+                   type => 'string',
+                   optional => 1,
+               },
+               sport => {
+                   type => 'string',
+                   optional => 1,
+               },
+               type => {
+                   type => 'string',
+               },
            },
        },
        code => sub {
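Review bot: Only `log` in the new `returns` schema carries a description; `action`, `enable`, `ipversion`, `macro`, `type` and the remaining fields are bare type declarations, so the generated API documentation cannot say what they hold (whether `enable` is a 0/1 flag or `ipversion` is 4/6 is not determinable from this hunk). Each property should get a one-line `description`, ideally the same text the rule schema used for create/update already has, since `$create_rule_properties` in the register_create_rule hunk is derived from that shared property set. Hand-listing the same fields here a second time also means a rule field added later to the input schema will silently be missing from the documented return shape; deriving the `returns` properties from that same source would keep the two from drifting. register_get_rule's `code` body begins after the end of this hunk.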
@@ -144,16 +201,20 @@ sub register_create_rule {
     $create_rule_properties->{action}->{optional} = 0;
     $create_rule_properties->{type}->{optional} = 0;
     
+    my $rule_env = $class->rule_env();
+
     $class->register_method({
        name => 'create_rule',
        path => '',
        method => 'POST',
        description => "Create new rule.",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $create_rule_properties,
        },
+       proxyto => $rule_env eq 'host' ? 'node' : undef,
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;
@@ -182,6 +243,8 @@ sub register_update_rule {
 
     $properties->{pos} = $api_properties->{pos};
     
+    my $rule_env = $class->rule_env();
+
     $properties->{moveto} = {
        description => "Move rule to new position <moveto>. Other arguments are ignored.",
        type => 'integer',
@@ -203,10 +266,12 @@ sub register_update_rule {
        method => 'PUT',
        description => "Modify rule data.",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $update_rule_properties,
        },
+       proxyto => $rule_env eq 'host' ? 'node' : undef,
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;
@@ -255,16 +320,20 @@ sub register_delete_rule {
 
     $properties->{digest} = get_standard_option('pve-config-digest');
     
+    my $rule_env = $class->rule_env();
+
     $class->register_method({
        name => 'delete_rule',
        path => '{pos}',
        method => 'DELETE',
        description => "Delete rule.",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
        },
+       proxyto => $rule_env eq 'host' ? 'node' : undef,
        returns => { type => "null" },
        code => sub {
            my ($param) = @_;
@@ -304,6 +373,7 @@ use base qw(PVE::API2::Firewall::RulesBase);
 
 __PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
 
+
 sub rule_env {
     my ($class, $param) = @_;
     
@@ -323,10 +393,44 @@ sub load_config {
 sub save_rules {
     my ($class, $param, $fw_conf, $rules) = @_;
 
-    $fw_conf->{groups}->{$param->{group}} = $rules;
+    if (!defined($rules)) {
+       delete $fw_conf->{groups}->{$param->{group}};
+    } else {
+       $fw_conf->{groups}->{$param->{group}} = $rules;
+    }
+
     PVE::Firewall::save_clusterfw_conf($fw_conf);
 }
 
+__PACKAGE__->register_method({
+    name => 'delete_security_group',
+    path => '',
+    method => 'DELETE',
+    description => "Delete security group.",
+    protected => 1,
+    permissions => {
+       check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
+    parameters => {
+       additionalProperties => 0,
+       properties => { 
+           group => get_standard_option('pve-security-group-name'),
+       },
+    },
+    returns => { type => 'null' },
+    code => sub {
+       my ($param) = @_;
+           
+       my (undef, $cluster_conf, $rules) = __PACKAGE__->load_config($param);
+
+       die "Security group '$param->{group}' is not empty\n" 
+           if scalar(@$rules);
+
+       __PACKAGE__->save_rules($param, $cluster_conf, undef);
+
+       return undef;
+    }});
+
 __PACKAGE__->register_handlers();
 
 package PVE::API2::Firewall::ClusterRules;
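Review bot: delete_security_group reads the group's rules, tests them for emptiness and then writes the cluster config back, but unlike `delete_rule` (whose parameters include `get_standard_option('pve-config-digest')` in the earlier hunk) it accepts no `digest`, and no lock around the read-check-write sequence is visible in this hunk, so a rule added concurrently after the `scalar(@$rules)` check could be dropped together with the group. Accepting `digest => get_standard_option('pve-config-digest'),` in `parameters` and verifying it the way delete_rule does (not shown on this page) closes that window — unless load_config already takes the cluster lock, which this hunk does not show. The permission check is also hard-coded as `['perm', '/', [ 'Sys.Modify' ]]` while every other group method in this file now goes through `PVE::Firewall::rules_modify_permissions($rule_env)`; if that helper yields the same check for the 'group' environment, using it here keeps the authorization policy in one place. Finally, `scalar(@$rules)` dies with an unhelpful strict-refs error if load_config hands back undef for an unknown group; if load_config does not itself reject a missing group, a `die "no such security group '$param->{group}'\n" if !defined($rules);` guard before the emptiness check gives the caller a clear message.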