foreach my $k (keys %$option_properties) {
$properties->{$k} = $option_properties->{$k};
}
-
+
return $properties;
};
code => sub {
my ($param) = @_;
+ PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $vmfw_conf->{options}->{$opt};
+ }
+ }
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $vmfw_conf->{options}->{$opt};
+ if (defined($param->{enable})) {
+ $param->{enable} = $param->{enable} ? 1 : 0;
}
- }
- if (defined($param->{enable})) {
- $param->{enable} = $param->{enable} ? 1 : 0;
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $vmfw_conf->{options}->{$k} = $param->{$k};
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $vmfw_conf->{options}->{$k} = $param->{$k};
- }
+ PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
+ });
- PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf);
-
return undef;
}});
$class->register_method({
- name => 'log',
- path => 'log',
+ name => 'log',
+ path => 'log',
method => 'GET',
description => "Read firewall log",
proxyto => 'node',
minimum => 0,
optional => 1,
},
+ since => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log since this UNIX epoch.",
+ optional => 1,
+ },
+ until => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log until this UNIX epoch.",
+ optional => 1,
+ },
},
},
returns => {
type => 'array',
- items => {
+ items => {
type => "object",
properties => {
n => {
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- my $vmid = $param->{vmid};
+ my $filename = "/var/log/pve-firewall.log";
+ my $vmid = $param->{'vmid'};
+
+ my $callback = sub {
+ my ($line) = @_;
+ my $reg = "^$vmid ";
+ return $line =~ m/$reg/;
+ };
+
+ my ($count, $lines) = PVE::Firewall::Helpers::dump_fw_logfile(
+ $filename, $param, $callback);
- my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log",
- $param->{start}, $param->{limit},
- "^$vmid ");
-
$rpcenv->set_result_attrib('total', $count);
-
- return $lines;
+
+ return $lines;
}});
type => 'array',
items => {
type => "object",
- properties => {
+ properties => {
type => {
type => 'string',
enum => ['alias', 'ipset'],
name => {
type => 'string',
},
- comment => {
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
+ comment => {
type => 'string',
optional => 1,
},
},
code => sub {
my ($param) = @_;
-
+
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
-
- return $res;
+ return [@$dc_refs, @$vm_refs];
}});
}
use base qw(PVE::API2::Firewall::VMBase);
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::VMRules",
+ subclass => "PVE::API2::Firewall::VMRules",
path => 'rules',
});
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::VMAliases",
+ subclass => "PVE::API2::Firewall::VMAliases",
path => 'aliases',
});
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::VMIPSetList",
+ subclass => "PVE::API2::Firewall::VMIPSetList",
path => 'ipset',
});
use base qw(PVE::API2::Firewall::VMBase);
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::CTRules",
+ subclass => "PVE::API2::Firewall::CTRules",
path => 'rules',
});
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::CTAliases",
+ subclass => "PVE::API2::Firewall::CTAliases",
path => 'aliases',
});
__PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::CTIPSetList",
+ subclass => "PVE::API2::Firewall::CTIPSetList",
path => 'ipset',
});