X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FAPI2%2FFirewall%2FHost.pm;h=b66ca55e553e981af0161802a578ed6c6434a116;hp=130ca023b6ad9022e45918534fb74c88d526b48f;hb=HEAD;hpb=a83abe93f49928bbb1738bb7f9bdd704c46536a6
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index 130ca02..0432de2 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -2,18 +2,19 @@ package PVE::API2::Firewall::Host;
 use strict;
 use warnings;
+
+use PVE::Exception qw(raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::RPCEnvironment;
 use PVE::Firewall;
 use PVE::API2::Firewall::Rules;
-use Data::Dumper; # fixme: remove
 use base qw(PVE::RESTHandler);
 __PACKAGE__->register_method ({
- subclass => "PVE::API2::Firewall::HostRules",
+ subclass => "PVE::API2::Firewall::HostRules",
 path => 'rules',
 });
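Review bot: The import list is still incomplete after adding `use PVE::Exception qw(raise_param_exc);`: this file calls `PVE::Tools::assert_if_modified` and `PVE::Tools::split_list` in the options update handler, and the log handler later in this same diff now calls `PVE::Firewall::Helpers::dump_fw_logfile`, yet neither `PVE::Tools` nor `PVE::Firewall::Helpers` is loaded here. Both presumably arrive transitively through `use PVE::Firewall;`, so it works today, but a refactor of that module would break this one at runtime rather than at compile time. Adding `use PVE::Tools;` and `use PVE::Firewall::Helpers;` next to the existing imports makes the dependency explicit.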
@@ -49,48 +50,7 @@ __PACKAGE__->register_method({
 return $result;
 }});
-my $option_properties = {
- enable => {
- description => "Enable host firewall rules.",
- type => 'boolean',
- optional => 1,
- },
- log_level_in => get_standard_option('pve-fw-loglevel', {
- description => "Log level for incoming traffic." }),
- log_level_out => get_standard_option('pve-fw-loglevel', {
- description => "Log level for outgoing traffic." }),
- tcp_flags_log_level => get_standard_option('pve-fw-loglevel', {
- description => "Log level for illegal tcp flags filter." }),
- smurf_log_level => get_standard_option('pve-fw-loglevel', {
- description => "Log level for SMURFS filter." }),
- nosmurfs => {
- description => "Enable SMURFS filter.",
- type => 'boolean',
- optional => 1,
- },
- tcpflags => {
- description => "Filter illegal combinations of TCP flags.",
- type => 'boolean',
- optional => 1,
- },
- nf_conntrack_max => {
- description => "Maximum number of tracked connections.",
- type => 'integer',
- optional => 1,
- minimum => 32768,
- },
- nf_conntrack_tcp_timeout_established => {
- description => "Conntrack established timeout.",
- type => 'integer',
- optional => 1,
- minimum => 7875,
- },
- ndp => {
- description => "Enable NDP.",
- type => 'boolean',
- optional => 1,
- },
-};
+my $option_properties = $PVE::Firewall::host_option_properties;
 my $add_option_properties = sub {
 my ($properties) = @_;
@@ -98,7 +58,7 @@ my $add_option_properties = sub {
 foreach my $k (keys %$option_properties) {
 $properties->{$k} = $option_properties->{$k};
 }
-
+
 return $properties;
 };
@@ -126,7 +86,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
 return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
 }});
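Review bot: `my $option_properties = $PVE::Firewall::host_option_properties;` aliases another module's schema table rather than copying it, and `$add_option_properties` (whose body continues in the next hunk) then installs each per-option hashref by reference into this API's `properties`. Any later in-place edit of one of those entries here would silently change `PVE::Firewall`'s table as well, and vice versa. A comment on that line such as `# shared by reference with PVE::Firewall; treat as read-only` makes the contract visible, or the copy loop can take a shallow copy per entry, `$properties->{$k} = { %{ $option_properties->{$k} } };`, if isolation is wanted.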
@@ -157,36 +118,39 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
- my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ PVE::Firewall::lock_hostfw_conf(undef, 10, sub {
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf($cluster_conf);
- my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
- PVE::Tools::assert_if_modified($digest, $param->{digest});
+ my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
+ PVE::Tools::assert_if_modified($digest, $param->{digest});
- if ($param->{delete}) {
- foreach my $opt (PVE::Tools::split_list($param->{delete})) {
- raise_param_exc({ delete => "no such option '$opt'" })
- if !$option_properties->{$opt};
- delete $hostfw_conf->{options}->{$opt};
+ if ($param->{delete}) {
+ foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+ raise_param_exc({ delete => "no such option '$opt'" })
+ if !$option_properties->{$opt};
+ delete $hostfw_conf->{options}->{$opt};
+ }
 }
- }
- if (defined($param->{enable})) {
- $param->{enable} = $param->{enable} ? 1 : 0;
- }
+ if (defined($param->{enable})) {
+ $param->{enable} = $param->{enable} ? 1 : 0;
+ }
- foreach my $k (keys %$option_properties) {
- next if !defined($param->{$k});
- $hostfw_conf->{options}->{$k} = $param->{$k};
- }
+ foreach my $k (keys %$option_properties) {
+ next if !defined($param->{$k});
+ $hostfw_conf->{options}->{$k} = $param->{$k};
+ }
- PVE::Firewall::save_hostfw_conf($hostfw_conf);
+ PVE::Firewall::save_hostfw_conf($hostfw_conf);
+ });
 return undef;
 }});
 __PACKAGE__->register_method({
- name => 'log',
- path => 'log',
+ name => 'log',
+ path => 'log',
 method => 'GET',
 description => "Read firewall log",
 proxyto => 'node',
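Review bot: The whole update, including `raise_param_exc` and `PVE::Tools::assert_if_modified`, now runs inside the closure handed to `PVE::Firewall::lock_hostfw_conf(undef, 10, sub { ... })`, which is the right place for the digest check, but the handler's error reporting now depends on the lock helper rethrowing exactly what the closure dies with. If that helper wraps errors in its own message, as lock wrappers often do, the `delete => "no such option"` parameter exception loses its structured form and the client sees a generic failure instead of a parameter error; worth confirming against the helper. The `10` is an unexplained magic number; a short comment such as `# lock timeout (seconds?)` — its unit is not visible in this hunk — would help. `load_clusterfw_conf()` is read under the host lock only, so a concurrent cluster-config change is not excluded; that is likely acceptable here but deserves a one-line comment saying so. The enclosing `register_method` call starts before this hunk.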
@@ -208,11 +172,23 @@ __PACKAGE__->register_method({
 minimum => 0,
 optional => 1,
 },
+ since => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log since this UNIX epoch.",
+ optional => 1,
+ },
+ until => {
+ type => 'integer',
+ minimum => 0,
+ description => "Display log until this UNIX epoch.",
+ optional => 1,
+ },
 },
 },
 returns => {
 type => 'array',
- items => {
+ items => {
 type => "object",
 properties => {
 n => {
@@ -232,12 +208,14 @@ __PACKAGE__->register_method({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $user = $rpcenv->get_user();
 my $node = $param->{node};
+ my $filename = "/var/log/pve-firewall.log";
- my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", $param->{start}, $param->{limit});
+ my ($count, $lines) = PVE::Firewall::Helpers::dump_fw_logfile(
+ $filename, $param, undef);
 $rpcenv->set_result_attrib('total', $count);
-
- return $lines;
+
+ return $lines;
 }});
 1;
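Review bot: `since` and `until` are validated independently (`minimum => 0` each), but nothing checks that the range is ordered before `$param` is passed whole to `PVE::Firewall::Helpers::dump_fw_logfile($filename, $param, undef)`; an inverted range will most likely yield an empty result with `total` 0, indistinguishable from "no log entries", rather than a parameter error. Since `raise_param_exc` is now imported at the top of the file, a one-line guard in the code sub covers it: `raise_param_exc({ until => "must not be before 'since'" }) if defined($param->{since}) && defined($param->{until}) && $param->{until} < $param->{since};`. The trailing `undef` argument is opaque at the call site; a comment naming what that parameter is (not visible from this hunk) would save the next reader a trip into the helper.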