Add radv option to VM options.
index 040f23edfa679accd8e002d96d1a55aabb0aa5b1..aad973bb33e2fe9bedeb886845d995be9725935f 100644 (file)
@@ -28,6 +28,16 @@ my $option_properties = {
        type => 'boolean',
        optional => 1,
     },
+    ndp => {
+       description => "Enable NDP.",
+       type => 'boolean',
+       optional => 1,
+    },
+    radv => {
+       description => "Allow sending Router Advertisement.",
+       type => 'boolean',
+       optional => 1,
+    },
     policy_in => {
        description => "Input policy.",
        type => 'string',
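Review bot: The `radv` description, `"Allow sending Router Advertisement."`, does not tell an operator what turning it on permits: a guest allowed to send Router Advertisements can present itself as the IPv6 default router to other hosts on the same segment. I would reword it to something like `description => "Allow the guest to send Router Advertisements (leave disabled unless the guest acts as a router).",` and spell out the acronym in the sibling entry, `description => "Enable NDP (Neighbor Discovery Protocol).",`. Neither entry states what happens when the option is unset; the default is not visible here, so it should be named in the description once confirmed. The `$option_properties` hash begins and ends outside this hunk.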
@@ -87,6 +97,8 @@ sub register_handlers {
            my $result = [
                { name => 'rules' },
                { name => 'aliases' },
+               { name => 'ipset' },
+               { name => 'refs' },
                { name => 'options' },
                ];
 
@@ -100,6 +112,9 @@ sub register_handlers {
        method => 'GET',
        description => "Get VM firewall options.",
        proxyto => 'node',
+       permissions => {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+       },
        parameters => {
            additionalProperties => 0,
            properties => {
@@ -115,7 +130,8 @@ sub register_handlers {
        code => sub {
            my ($param) = @_;
 
-           my $vmfw_conf = PVE::Firewall::load_vmfw_conf($rule_env, $param->{vmid});
+           my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+           my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
 
            return PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
        }});
@@ -127,6 +143,9 @@ sub register_handlers {
        description => "Set Firewall options.",
        protected => 1,
        proxyto => 'node',
+       permissions => {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+       },
        parameters => {
            additionalProperties => 0,
            properties => &$add_option_properties({
@@ -144,7 +163,9 @@ sub register_handlers {
        code => sub {
            my ($param) = @_;
 
-           my $vmfw_conf = PVE::Firewall::load_vmfw_conf($rule_env, $param->{vmid});
+
+           my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+           my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
 
            my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options});
            PVE::Tools::assert_if_modified($digest, $param->{digest});
@@ -229,6 +250,93 @@ sub register_handlers {
            
            return $lines; 
        }});
+
+
+    $class->register_method({
+       name => 'refs',
+       path => 'refs',
+       method => 'GET',
+       description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+       permissions => {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+       },
+       parameters => {
+           additionalProperties => 0,
+           properties => {
+               node => get_standard_option('pve-node'),
+               vmid => get_standard_option('pve-vmid'),
+               type => {
+                   description => "Only list references of specified type.",
+                   type => 'string',
+                   enum => ['alias', 'ipset'],
+                   optional => 1,
+               },
+           },
+       },
+       returns => {
+           type => 'array',
+           items => {
+               type => "object",
+               properties => { 
+                   type => {
+                       type => 'string',
+                       enum => ['alias', 'ipset'],
+                   },
+                   name => {
+                       type => 'string',
+                   },
+                   comment => { 
+                       type => 'string',
+                       optional => 1,
+                   },
+               },
+           },
+       },
+       code => sub {
+           my ($param) = @_;
+           
+           my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+           my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
+
+           my $ipsets = {};
+           my $aliases = {};
+
+           foreach my $conf (($cluster_conf, $fw_conf)) {
+               next if !$conf;
+               if (!$param->{type} || $param->{type} eq 'ipset') {
+                   foreach my $name (keys %{$conf->{ipset}}) {
+                       my $data = { 
+                           type => 'ipset',
+                           name => $name,
+                           ref => "+$name",
+                       };
+                       if (my $comment = $conf->{ipset_comments}->{$name}) {
+                           $data->{comment} = $comment;
+                       }
+                       $ipsets->{$name} = $data;
+                   }
+               }
+
+               if (!$param->{type} || $param->{type} eq 'alias') {
+                   foreach my $name (keys %{$conf->{aliases}}) {
+                       my $e = $conf->{aliases}->{$name};
+                       my $data = { 
+                           type => 'alias',
+                           name => $name,
+                           ref => $name,
+                       };
+                       $data->{comment} = $e->{comment} if $e->{comment};
+                       $aliases->{$name} = $data;
+                   }
+               }
+           }
+
+           my $res = [];
+           foreach my $e (values %$ipsets) { push @$res, $e; };
+           foreach my $e (values %$aliases) { push @$res, $e; };
+           
+           return $res; 
+       }});
 }
 
 package PVE::API2::Firewall::VM;
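Review bot: The `returns` schema of the new `refs` method lists only `type`, `name` and `comment`, while the handler also sets a `ref` key on every entry (`ref => "+$name"` for ipsets, `ref => $name` for aliases), so the declared contract and the response disagree; add `ref => { type => 'string' },` to the item properties. The loop also folds `$cluster_conf` into the result, so a caller holding only `VM.Audit` on `/vms/{vmid}` is shown the names and comments of cluster-wide ipsets and aliases; that looks intentional because they are valid references, but it deserves a comment such as `# cluster-level names/comments are deliberately visible to VM.Audit`, since free-text comments can describe networks the caller has no other access to. Because both scopes are keyed by `$name`, a VM-level entry silently replaces a cluster-level one of the same name and the output does not say which scope an entry came from. The method also omits the `proxyto => 'node'` that the options handlers in this file carry, even though it accepts `node`; confirm that is deliberate. `register_handlers` begins before this hunk.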