use Digest::SHA;
use PVE::INotify;
use PVE::Exception qw(raise raise_param_exc);
-use PVE::JSONSchema qw(get_standard_option);
+use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Cluster;
use PVE::ProcFSTools;
use PVE::Tools qw($IPV4RE);
die "value does not look like a valid IP address or CIDR network\n";
}
+PVE::JSONSchema::register_standard_option('ipset-name', {
+ description => "IP set name.",
+ type => 'string',
+ pattern => '[A-Za-z][A-Za-z0-9\-\_]+',
+ minLength => 2,
+ maxLength => 20,
+});
+
+my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
+
+PVE::JSONSchema::register_standard_option('pve-security-group-name', {
+ description => "Security Group name.",
+ type => 'string',
+ pattern => $security_group_pattern,
+ minLength => 2,
+ maxLength => 20,
+});
my $feature_ipset_nomatch = 0;
eval {
enum => ['in', 'out', 'group'],
},
action => {
+ description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.",
type => 'string',
optional => 1,
- enum => ['ACCEPT', 'DROP', 'REJECT'],
+ pattern => $security_group_pattern,
+ maxLength => 20,
+ minLength => 2,
},
macro => {
type => 'string',
raise_param_exc({ type => "security groups not allowed"})
if !$allow_groups;
raise_param_exc({ action => "invalid characters in security group name"})
- if $rule->{action} !~ m/^[A-Za-z0-9_\-]+$/;
+ if $rule->{action} !~ m/^${security_group_pattern}$/;
} else {
raise_param_exc({ type => "unknown rule type '$type'"});
}
die "wrong number of rule elements\n" if scalar(@data) != 3;
die "groups disabled\n" if !$allow_groups;
- die "invalid characters in group name\n" if $action !~ m/^[A-Za-z0-9_\-]+$/;
+ die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/;
} else {
die "unknown rule type '$type'\n";
}
if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) {
$section = 'groups';
$group = lc($1);
+ $res->{$section}->{$group} = [];
next;
}
if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) {
$section = 'ipset';
$group = lc($1);
+ $res->{$section}->{$group} = [];
next;
}
my $raw = '';
foreach my $rule (@$rules) {
- if ($rule->{type} eq 'in' || $rule->{type} eq 'out') {
+ if ($rule->{type} eq 'in' || $rule->{type} eq 'out' || $rule->{type} eq 'group') {
$raw .= '|' if defined($rule->{enable}) && !$rule->{enable};
$raw .= uc($rule->{type});
if ($rule->{macro}) {
$raw .= " " . $rule->{action};
}
$raw .= " " . ($rule->{iface} || '-') if $need_iface;
- $raw .= " " . ($rule->{source} || '-');
- $raw .= " " . ($rule->{dest} || '-');
- $raw .= " " . ($rule->{proto} || '-');
- $raw .= " " . ($rule->{dport} || '-');
- $raw .= " " . ($rule->{sport} || '-');
+
+ if ($rule->{type} ne 'group') {
+ $raw .= " " . ($rule->{source} || '-');
+ $raw .= " " . ($rule->{dest} || '-');
+ $raw .= " " . ($rule->{proto} || '-');
+ $raw .= " " . ($rule->{dport} || '-');
+ $raw .= " " . ($rule->{sport} || '-');
+ }
+
$raw .= " # " . encode('utf8', $rule->{comment})
if $rule->{comment} && $rule->{comment} !~ m/^\s*$/;
$raw .= "\n";
} else {
- die "implement me '$rule->{type}'";
+ die "unknown rule type '$rule->{type}'";
}
}