X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FAPI2%2FFirewall%2FCluster.pm;h=c9c3e67a16c5212b1a4984c2081e4adf7fc07198;hp=c4e2b63bcf8d5e1b783d7552be9fa64a044b3c39;hb=HEAD;hpb=c05492d68d4e89f37b8f2082eaae0d884a3221f6
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c4e2b63..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -13,7 +13,6 @@ use PVE::API2::Firewall::IPSet;
 #fixme: locking?
-use Data::Dumper; # fixme: remove
 use base qw(PVE::RESTHandler);
@@ -71,25 +70,7 @@ __PACKAGE__->register_method({
 return $result;
 }});
-my $option_properties = {
- enable => {
- type => 'integer',
- minimum => 0,
- optional => 1,
- },
- policy_in => {
- description => "Input policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
- policy_out => {
- description => "Output policy.",
- type => 'string',
- optional => 1,
- enum => ['ACCEPT', 'REJECT', 'DROP'],
- },
-};
+my $option_properties = $PVE::Firewall::cluster_option_properties;
 my $add_option_properties = sub {
 my ($properties) = @_;
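Review bot: `$option_properties` is now an alias to the package-global hashref `$PVE::Firewall::cluster_option_properties` rather than a hash owned by this file, and the assignment carries no comment saying so. The options handler further down uses the keys of this hash to decide which parameters may be written and which may be deleted, so any key added to the shared definition becomes settable through this API without a change here. I would put a comment above the assignment, e.g. `# shared schema from PVE::Firewall: every key listed there is writable and deletable via the options call below; never modify this hash in place`. The body of `$add_option_properties` continues outside the hunk, so whether it only reads the hash cannot be confirmed from here.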
@@ -151,29 +132,31 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ PVE::Firewall::lock_clusterfw_conf(10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $cluster_conf->{options}->{$opt};
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $cluster_conf->{options}->{$opt};
+ }
 }
- }
- if (defined($param->{enable}) && ($param->{enable} > 1)) {
- $param->{enable} = time();
- }
+ if (defined($param->{enable}) && ($param->{enable} > 1)) {
+ $param->{enable} = time();
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $cluster_conf->{options}->{$k} = $param->{$k};
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $cluster_conf->{options}->{$k} = $param->{$k};
+ }
- PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ PVE::Firewall::save_clusterfw_conf($cluster_conf);
+ });
 # instant firewall update when using double (anti-lockout) API call
 # -> not waiting for a firewall update at the first (timestamp enable) set
@@ -257,6 +240,9 @@ __PACKAGE__->register_method({
 ref => {
 type => 'string',
 },
+ scope => {
+ type => 'string',
+ },
 comment => {
 type => 'string',
 optional => 1,
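Review bot: The result of `PVE::Firewall::lock_clusterfw_conf(10, sub { ... })` is not checked, and the code after the closing `});` (the instant firewall update, which continues outside the hunk) runs unconditionally. That is fine if the lock helper dies on timeout or on an error raised in the callback; if it instead reports failure through `$@` or its return value, the handler would trigger an update and return success although nothing was saved. lock_clusterfw_conf is defined outside this diff, so the contract should be confirmed and recorded next to the call, e.g. `# lock_clusterfw_conf dies on timeout or callback error, so the update below only runs after a successful save`. The timeout `10` is a bare literal; a short comment naming the unit would help the next reader.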
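Review bot: The new `scope` entry in the returns schema has no `description` and, unlike `comment` right below it, is not marked `optional`, so every item the handler returns has to carry the key. The values come from a helper outside this diff, which is called with the literal "dc" in the last hunk; whether other callers pass other values is not visible here. I would document the field, e.g. `description => "Where the referenced ipset or alias is defined.",` (wording to be confirmed against the helper), and add an `enum` if the set of scopes is fixed. The enclosing register_method call starts and ends outside the hunk.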
@@ -269,36 +255,7 @@ __PACKAGE__->register_method({
 my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
 }});
 1;
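Review bot: `PVE::Firewall::Helpers::collect_refs` is called by its fully qualified name, but no hunk in this diff adds `use PVE::Firewall::Helpers;` to the import block near the top of the file. Unless the module is already loaded above the lines shown or pulled in by `PVE::Firewall`, the call fails at request time with an undefined-subroutine error; an explicit `use PVE::Firewall::Helpers;` next to the other `use` lines would remove the dependency on load order. The removed code treated an unset `$param->{type}` as "return both ipsets and aliases", so the helper needs to keep that behaviour for an undefined second argument. The third argument `"dc"` is an unexplained literal and deserves a short comment, e.g. `# "dc": references defined at cluster (datacenter) level`, once its meaning is confirmed against the helper.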