use Data::Dumper;
use Digest::SHA;
use PVE::INotify;
+use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster;
use PVE::ProcFSTools;
use PVE::Tools;
'address-mask-reply' => 1,
};
-sub get_firewall_macros {
-
- return $pve_fw_parsed_macros if $pve_fw_parsed_macros;
+sub init_firewall_macros {
$pve_fw_parsed_macros = {};
$pve_fw_preferred_macro_names->{$lc_name} = $k;
$pve_fw_parsed_macros->{$k} = $macro;
}
-
- return $pve_fw_parsed_macros;
}
+init_firewall_macros();
+
my $etc_services;
sub get_etc_services {
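Review bot: Renaming `get_firewall_macros` to `init_firewall_macros` and removing both `return $pve_fw_parsed_macros` lines breaks any caller that still uses the old name or the returned hash, and Perl will only report that at run time. The call in parse_fw_rule is removed later in this diff; any other callers are outside the visible hunks and should be searched for before merging. Since the table is now built once by the load-time `init_firewall_macros();` call, a comment above it such as `# build macro tables once at module load; readers use $pve_fw_parsed_macros directly` would record that ordering requirement. Most of the function body lies outside these hunks.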
return ($nbports);
}
+PVE::JSONSchema::register_format('pve-fw-port-spec', \&pve_fw_verify_port_spec);
+sub pve_fw_verify_port_spec {
+ my ($portstr) = @_;
+
+ parse_port_name_number_or_range($portstr);
+
+ return $portstr;
+}
+
+PVE::JSONSchema::register_format('pve-fw-v4addr-spec', \&pve_fw_verify_v4addr_spec);
+sub pve_fw_verify_v4addr_spec {
+ my ($list) = @_;
+
+ parse_address_list($list);
+
+ return $list;
+}
+
+PVE::JSONSchema::register_format('pve-fw-protocol-spec', \&pve_fw_verify_protocol_spec);
+sub pve_fw_verify_protocol_spec {
+ my ($proto) = @_;
+
+ my $protocols = get_etc_protocols();
+
+ die "unknown protocol '$proto'\n" if $proto &&
+ !(defined($protocols->{byname}->{$proto}) ||
+ defined($protocols->{byid}->{$proto}));
+
+ return $proto;
+}
+
+
# helper function for API
my $rule_properties = {
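Review bot: `pve_fw_verify_port_spec` and `pve_fw_verify_v4addr_spec` discard the parser's result and reject only what `parse_port_name_number_or_range` / `parse_address_list` die on, so these schema formats are exactly as strict as those parsers. Their bodies are outside the hunk; the context line `return ($nbports);` just above suggests the port parser returns a count, so it is worth confirming that it dies on every malformed value rather than returning 0. Because these callbacks are the API-side check on values that end up in firewall rules, each deserves a one-line comment stating the contract, e.g. `# JSONSchema format callback: dies on invalid input, returns the value unchanged`. In `pve_fw_verify_protocol_spec` the `$proto &&` guard lets an empty string through unvalidated; if the API should not accept `''`, test `defined($proto) && length($proto)` instead, or document that empty means unset.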
digest => {
type => 'string',
optional => 1,
+ maxLength => 27,
+ minLength => 27,
},
type => {
type => 'string',
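Review bot: The `digest` bounds `minLength => 27` / `maxLength => 27` are an unexplained magic number and constrain only the length, not the characters. 27 is the length of an unpadded base64 SHA-1, which is presumably how the digest is produced (Digest::SHA is imported, but the computation is not in this diff); a comment such as `# base64 SHA-1 digest, always 27 chars` would make that explicit. If the schema validator in use supports a `pattern` constraint, restricting the value to the base64 alphabet would tighten it further.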
action => {
type => 'string',
optional => 1,
+ enum => ['ACCEPT', 'DROP', 'REJECT'],
},
macro => {
type => 'string',
optional => 1,
+ maxLength => 128,
},
+ iface => get_standard_option('pve-iface', { optional => 1 }),
source => {
- type => 'string',
+ type => 'string', format => 'pve-fw-v4addr-spec',
optional => 1,
},
dest => {
- type => 'string',
+ type => 'string', format => 'pve-fw-v4addr-spec',
optional => 1,
},
proto => {
- type => 'string',
+ type => 'string', format => 'pve-fw-protocol-spec',
optional => 1,
},
enable => {
optional => 1,
},
sport => {
- type => 'string',
+ type => 'string', format => 'pve-fw-port-spec',
optional => 1,
},
dport => {
- type => 'string',
+ type => 'string', format => 'pve-fw-port-spec',
optional => 1,
},
comment => {
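Review bot: `macro` gets only `maxLength => 128` while `source`, `dest`, `proto`, `sport` and `dport` all get a format verifier, so an unknown macro name still passes schema validation. Now that the macro table is built at load time, a verifier registered like the others could look the name up in `$pve_fw_parsed_macros` (or via `$pve_fw_preferred_macro_names` if lookups are meant to be case-insensitive) and die on a miss. `enable` is shown with only `optional => 1` and no `type`, which leaves it unconstrained unless a line was lost from this view. The `action` enum `['ACCEPT', 'DROP', 'REJECT']` should also be checked against group rules: parse_fw_rule takes `$allow_groups`, and if a group rule carries its group name in `action`, the enum would reject it.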
sub parse_fw_rule {
my ($line, $need_iface, $allow_groups) = @_;
- my $macros = get_firewall_macros();
- my $protocols = get_etc_protocols();
-
my ($type, $action, $iface, $source, $dest, $proto, $dport, $sport);
# we can add single line comments to the end of the rule
}
$proto = undef if $proto && $proto eq '-';
- die "unknown protokol '$proto'\n" if $proto &&
- !(defined($protocols->{byname}->{$proto}) ||
- defined($protocols->{byid}->{$proto}));
+ pve_fw_verify_protocol_spec($proto) if $proto;
$source = undef if $source && $source eq '-';
$dest = undef if $dest && $dest eq '-';