die "implement this in subclass";
- #return ($fw_conf, $rules);
+ #return ($cluster_conf, $fw_conf, $rules);
}
sub save_rules {
my $additional_param_hash = {};
-sub allow_groups {
- return 1;
+sub rule_env {
+ my ($class, $param) = @_;
+
+ die "implement this in subclass";
}
sub additional_parameters {
code => sub {
my ($param) = @_;
- my ($fw_conf, $rules) = $class->load_config($param);
+ my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
code => sub {
my ($param) = @_;
- my ($fw_conf, $rules) = $class->load_config($param);
+ my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
code => sub {
my ($param) = @_;
- my ($fw_conf, $rules) = $class->load_config($param);
+ my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my $rule = {};
PVE::Firewall::copy_rule_data($rule, $param);
- PVE::Firewall::verify_rule($rule, $class->allow_groups());
+ PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
$rule->{enable} = 0 if !defined($param->{enable});
code => sub {
my ($param) = @_;
- my ($fw_conf, $rules) = $class->load_config($param);
+ my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
PVE::Tools::assert_if_modified($digest, $param->{digest});
push @$newrules, $rule if $moveto >= scalar(@$rules);
$rules = $newrules;
} else {
- raise_param_exc({ type => "property is missing"})
- if !defined($param->{type});
- raise_param_exc({ action => "property is missing"})
- if !defined($param->{action});
-
PVE::Firewall::copy_rule_data($rule, $param);
PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
- PVE::Firewall::verify_rule($rule, $class->allow_groups());
+ PVE::Firewall::verify_rule($rule, $cluster_conf, $fw_conf, $class->rule_env());
}
$class->save_rules($param, $fw_conf, $rules);
code => sub {
my ($param) = @_;
- my ($fw_conf, $rules) = $class->load_config($param);
+ my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
PVE::Tools::assert_if_modified($digest, $param->{digest});
__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
-sub allow_groups {
- return 0;
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'group';
}
sub load_config {
my $rules = $fw_conf->{groups}->{$param->{group}};
die "no such security group '$param->{group}'\n" if !defined($rules);
- return ($fw_conf, $rules);
+ return (undef, $fw_conf, $rules);
}
sub save_rules {
use base qw(PVE::API2::Firewall::RulesBase);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'cluster';
+}
+
sub load_config {
my ($class, $param) = @_;
my $fw_conf = PVE::Firewall::load_clusterfw_conf();
my $rules = $fw_conf->{rules};
- return ($fw_conf, $rules);
+ return (undef, $fw_conf, $rules);
}
sub save_rules {
__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'host';
+}
+
sub load_config {
my ($class, $param) = @_;
- my $fw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $fw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
my $rules = $fw_conf->{rules};
- return ($fw_conf, $rules);
+ return ($cluster_conf, $fw_conf, $rules);
}
sub save_rules {
vmid => get_standard_option('pve-vmid'),
});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'vm';
+}
+
+sub load_config {
+ my ($class, $param) = @_;
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'vm', $param->{vmid});
+ my $rules = $fw_conf->{rules};
+
+ return ($cluster_conf, $fw_conf, $rules);
+}
+
+sub save_rules {
+ my ($class, $param, $fw_conf, $rules) = @_;
+
+ $fw_conf->{rules} = $rules;
+ PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
+}
+
+__PACKAGE__->register_handlers();
+
+package PVE::API2::Firewall::CTRules;
+
+use strict;
+use warnings;
+use PVE::JSONSchema qw(get_standard_option);
+
+use base qw(PVE::API2::Firewall::RulesBase);
+
+__PACKAGE__->additional_parameters({
+ node => get_standard_option('pve-node'),
+ vmid => get_standard_option('pve-vmid'),
+});
+
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'ct';
+}
+
sub load_config {
my ($class, $param) = @_;
- my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, 'ct', $param->{vmid});
my $rules = $fw_conf->{rules};
- return ($fw_conf, $rules);
+ return ($cluster_conf, $fw_conf, $rules);
}
sub save_rules {