use strict;
use warnings;
+
+use PVE::Exception qw(raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::Firewall;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Aliases;
-use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
-my $option_properties = {
- enable => {
- description => "Enable host firewall rules.",
- type => 'boolean',
- optional => 1,
- },
- macfilter => {
- description => "Enable/disable MAC address filter.",
- type => 'boolean',
- optional => 1,
- },
- dhcp => {
- description => "Enable DHCP.",
- type => 'boolean',
- optional => 1,
- },
- policy_in => {
- description => "Input policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
- policy_out => {
- description => "Output policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
- log_level_in => get_standard_option('pve-fw-loglevel', {
- description => "Log level for incoming traffic." }),
- log_level_out => get_standard_option('pve-fw-loglevel', {
- description => "Log level for outgoing traffic." }),
-
-};
+my $option_properties = $PVE::Firewall::vm_option_properties;
my $add_option_properties = sub {
my ($properties) = @_;
my $result = [
{ name => 'rules' },
{ name => 'aliases' },
+ { name => 'ipset' },
+ { name => 'refs' },
{ name => 'options' },
];
method => 'GET',
description => "Get VM firewall options.",
proxyto => 'node',
+ permissions => {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
code => sub {
my ($param) = @_;
- my $vmfw_conf = PVE::Firewall::load_vmfw_conf($rule_env, $param->{vmid});
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
}});
description => "Set Firewall options.",
protected => 1,
proxyto => 'node',
+ permissions => {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+ },
parameters => {
additionalProperties => 0,
properties => &$add_option_properties({
code => sub {
my ($param) = @_;
- my $vmfw_conf = PVE::Firewall::load_vmfw_conf($rule_env, $param->{vmid});
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
PVE::Tools::assert_if_modified($digest, $param->{digest});
return $lines;
}});
+
+
+ $class->register_method({
+ name => 'refs',
+ path => 'refs',
+ method => 'GET',
+ description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+ permissions => {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ vmid => get_standard_option('pve-vmid'),
+ type => {
+ description => "Only list references of specified type.",
+ type => 'string',
+ enum => ['alias', 'ipset'],
+ optional => 1,
+ },
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {
+ type => {
+ type => 'string',
+ enum => ['alias', 'ipset'],
+ },
+ name => {
+ type => 'string',
+ },
+ comment => {
+ type => 'string',
+ optional => 1,
+ },
+ },
+ },
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
+
+ my $ipsets = {};
+ my $aliases = {};
+
+ foreach my $conf (($cluster_conf, $fw_conf)) {
+ next if !$conf;
+ if (!$param->{type} || $param->{type} eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ $ipsets->{$name} = $data;
+ }
+ }
+
+ if (!$param->{type} || $param->{type} eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ $aliases->{$name} = $data;
+ }
+ }
+ }
+
+ my $res = [];
+ foreach my $e (values %$ipsets) { push @$res, $e; };
+ foreach my $e (values %$aliases) { push @$res, $e; };
+
+ return $res;
+ }});
}
package PVE::API2::Firewall::VM;
path => 'aliases',
});
+__PACKAGE__->register_method ({
+ subclass => "PVE::API2::Firewall::VMIPSetList",
+ path => 'ipset',
+});
+
__PACKAGE__->register_handlers('vm');
package PVE::API2::Firewall::CT;
path => 'aliases',
});
+__PACKAGE__->register_method ({
+ subclass => "PVE::API2::Firewall::CTIPSetList",
+ path => 'ipset',
+});
+
__PACKAGE__->register_handlers('vm');
1;