start VM firewall API

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d4de6f6eed702f84abd264b3307cb80dc34dcc96..44068249992b7a78b9b6acbb31ce3d1a0ea575f9 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -635,6 +635,25 @@ sub parse_port_name_number_or_range {
     return ($nbports);
 }
 
+# helper function for API
+sub cleanup_fw_rule {
+    my ($rule, $digest, $pos) = @_;
+
+    my $r = {};
+
+    foreach my $k (keys %$rule) {
+       next if $k eq 'nbdport';
+       next if $k eq 'nbsport';
+       my $v = $rule->{$k};
+       next if !defined($v);
+       $r->{$k} = $v;
+       $r->{digest} = $digest;
+       $r->{pos} = $pos;
+    }
+
+    return $r;
+}
+
 my $bridge_firewall_enabled = 0;
 
 sub enable_bridge_firewall {
@@ -1381,7 +1400,11 @@ sub parse_vm_fw_rules {
 
     my $section;
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+       $digest->add($line);
+
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
 
@@ -1419,6 +1442,8 @@ sub parse_vm_fw_rules {
        push @{$res->{$section}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 
@@ -1429,7 +1454,11 @@ sub parse_host_fw_rules {
 
     my $section;
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+       $digest->add($line);
+
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
 
@@ -1467,6 +1496,8 @@ sub parse_host_fw_rules {
        push @{$res->{$section}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 
@@ -1478,7 +1509,11 @@ sub parse_group_fw_rules {
 
     my $res = { rules => {} };
 
+    my $digest = Digest::SHA->new('sha1');
+
     while (defined(my $line = <$fh>)) {
+       $digest->add($line);
+
        next if $line =~ m/^#/;
        next if $line =~ m/^\s*$/;
 
@@ -1505,6 +1540,8 @@ sub parse_group_fw_rules {
        push @{$res->{$section}->{$group}}, @$rules;
     }
 
+    $res->{digest} = $digest->b64digest;
+
     return $res;
 }
 
@@ -1556,16 +1593,27 @@ sub read_local_vm_config {
     return $vmdata;
 };
 
+sub load_vmfw_conf {
+    my ($vmid) = @_;
+
+    my $vmfw_conf = {};
+
+    my $filename = "/etc/pve/firewall/$vmid.fw";
+    if (my $fh = IO::File->new($filename, O_RDONLY)) {
+       $vmfw_conf = parse_vm_fw_rules($filename, $fh);
+    }
+
+    return $vmfw_conf;
+}
+
 sub read_vm_firewall_configs {
     my ($vmdata) = @_;
     my $vmfw_configs = {};
 
     foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
-       my $filename = "/etc/pve/firewall/$vmid.fw";
-       my $fh = IO::File->new($filename, O_RDONLY);
-       next if !$fh;
-
-       $vmfw_configs->{$vmid} = parse_vm_fw_rules($filename, $fh);
+       my $vmfw_conf = load_vmfw_conf($vmid);
+       next if !$vmfw_conf->{options}; # skip if file does not exists
+       $vmfw_configs->{$vmid} = $vmfw_conf;
     }
 
     return $vmfw_configs;
@@ -1681,6 +1729,16 @@ sub load_security_groups {
     return $groups_conf;
 }
 
+sub load_hostfw_conf {
+
+    my $hostfw_conf = {};
+    my $filename = "/etc/pve/local/host.fw";
+    if (my $fh = IO::File->new($filename, O_RDONLY)) {
+       $hostfw_conf = parse_host_fw_rules($filename, $fh);
+    }
+    return $hostfw_conf;
+}
+
 sub compile {
     my $vmdata = read_local_vm_config();
     my $vmfw_configs = read_vm_firewall_configs($vmdata);
@@ -1696,14 +1754,8 @@ sub compile {
 
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
-    my $hostfw_options = {};
-    my $hostfw_conf = {};
-
-    my $filename = "/etc/pve/local/host.fw";
-    if (my $fh = IO::File->new($filename, O_RDONLY)) {
-       $hostfw_conf = parse_host_fw_rules($filename, $fh);
-       $hostfw_options = $hostfw_conf->{options};
-    }
+    my $hostfw_conf = load_hostfw_conf();
+    my $hostfw_options = $hostfw_conf->{options} || {};
 
     generate_std_chains($ruleset, $hostfw_options);