X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FAPI2%2FFirewall%2FVM.pm;h=48b8c5fe2a974a02a0bb37d54fd4317b3d9f8cf6;hp=adb0655064c3e2b135344ac6f638a9b1c9367f2b;hb=HEAD;hpb=f6163c2e161167e0cef1a365b6c1aebc23bf3511
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index adb0655..4222103 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -10,7 +10,6 @@ use PVE::Firewall; use PVE::API2::Firewall::Rules; use PVE::API2::Firewall::Aliases; -use Data::Dumper; # fixme: remove use base qw(PVE::RESTHandler);
@@ -22,7 +21,7 @@ my $add_option_properties = sub { foreach my $k (keys %$option_properties) { $properties->{$k} = $option_properties->{$k}; } - + return $properties; };
@@ -122,38 +121,39 @@ sub register_handlers { code => sub { my ($param) = @_; + PVE::Firewall::lock_vmfw_conf($param->{vmid}, 10, sub { + my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); + my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid}); - my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); - my $vmfw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid}); + my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options}); + PVE::Tools::assert_if_modified($digest, $param->{digest}); - my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vmfw_conf->{options}); - PVE::Tools::assert_if_modified($digest, $param->{digest}); + if ($param->{delete}) { + foreach my $opt (PVE::Tools::split_list($param->{delete})) { + raise_param_exc({ delete => "no such option '$opt'" }) + if !$option_properties->{$opt}; + delete $vmfw_conf->{options}->{$opt}; + } + } - if ($param->{delete}) { - foreach my $opt (PVE::Tools::split_list($param->{delete})) { - raise_param_exc({ delete => "no such option '$opt'" }) - if !$option_properties->{$opt}; - delete $vmfw_conf->{options}->{$opt}; + if (defined($param->{enable})) { + $param->{enable} = $param->{enable} ? 1 : 0; } - } - if (defined($param->{enable})) { - $param->{enable} = $param->{enable} ? 1 : 0; - } + foreach my $k (keys %$option_properties) { + next if !defined($param->{$k}); + $vmfw_conf->{options}->{$k} = $param->{$k}; + } - foreach my $k (keys %$option_properties) { - next if !defined($param->{$k}); - $vmfw_conf->{options}->{$k} = $param->{$k}; - } + PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf); + }); - PVE::Firewall::save_vmfw_conf($param->{vmid}, $vmfw_conf); - return undef; }}); $class->register_method({ - name => 'log', - path => 'log', + name => 'log', + path => 'log', method => 'GET', description => "Read firewall log", proxyto => 'node', 
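Review bot: The explicit `return undef;` is dropped together with the old body, so the `code` sub now returns whatever `PVE::Firewall::lock_vmfw_conf` returns; if the lock helper propagates the callback's result, the method's response is no longer guaranteed to be null. Restore the previous contract with a `return undef;` after the closing `});`. The `raise_param_exc` for an unknown `delete` option now fires while the VM firewall lock is held, which is fine as long as `lock_vmfw_conf` releases the lock before rethrowing — that cannot be verified from this hunk. The enclosing `register_method` call and `$option_properties` are defined outside the hunk.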
@@ -176,11 +176,23 @@ sub register_handlers { minimum => 0, optional => 1, }, + since => { + type => 'integer', + minimum => 0, + description => "Display log since this UNIX epoch.", + optional => 1, + }, + until => { + type => 'integer', + minimum => 0, + description => "Display log until this UNIX epoch.", + optional => 1, + }, }, }, returns => { type => 'array', - items => { + items => { type => "object", properties => { n => {
@@ -199,15 +211,21 @@ sub register_handlers { my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); - my $vmid = $param->{vmid}; + my $filename = "/var/log/pve-firewall.log"; + my $vmid = $param->{'vmid'}; + + my $callback = sub { + my ($line) = @_; + my $reg = "^$vmid "; + return $line =~ m/$reg/; + }; + + my ($count, $lines) = PVE::Firewall::Helpers::dump_fw_logfile( + $filename, $param, $callback); - my ($count, $lines) = PVE::Tools::dump_logfile("/var/log/pve-firewall.log", - $param->{start}, $param->{limit}, - "^$vmid "); - $rpcenv->set_result_attrib('total', $count); - - return $lines; + + return $lines; }});
@@ -236,7 +254,7 @@ sub register_handlers { type => 'array', items => { type => "object", - properties => { + properties => { type => { type => 'string', enum => ['alias', 'ipset'],
@@ -244,7 +262,13 @@ sub register_handlers { name => { type => 'string', }, - comment => { + ref => { + type => 'string', + }, + scope => { + type => 'string', + }, + comment => { type => 'string', optional => 1, },
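Review bot: The filter closure in the `log` handler (hunk `@@ -199,15 +211,21 @@`) rebuilds its pattern for every log line and interpolates `$vmid` into the regex unquoted (`my $reg = "^$vmid "; return $line =~ m/$reg/;`); `vmid` is presumably schema-validated as an integer (its parameter definition is outside the hunk), so this is not an injection path, but compiling once outside the closure with the value quoted is the idiomatic form and makes that intent explicit: `my $reg = qr/^\Q$vmid\E /;` before `my $callback = sub {` and `return $line =~ $reg;` inside it. The key style also drifts from the rest of the method (`$param->{'vmid'}` next to `$param->{start}`-style bare keys elsewhere). Whether `dump_fw_logfile` honours the new `since`/`until` parameters it receives via `$param` cannot be checked here, as the helper lives in another file.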
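Review bot: The new `ref` and `scope` entries in the returned item schema (hunk `@@ -244,7 +262,13 @@`) carry no `description`, and `scope` has no `enum` although its values look fixed: the next hunk calls `collect_refs` with `'dc'` and `'guest'` as its third argument, which presumably ends up in this field. If that is what the helper fills in, declare it as `scope => { type => 'string', enum => ['dc', 'guest'], description => "Whether the reference is defined at datacenter or guest level." }`, and give `ref` a short description of the string usable in rules (the code removed in the next hunk built it as `+$name` for ipsets and `$name` for aliases). The enclosing `returns` schema starts before this hunk.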
@@ -253,48 +277,14 @@ sub register_handlers { }, code => sub { my ($param) = @_; - + my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid}); - my $ipsets = {}; - my $aliases = {}; - - foreach my $conf (($cluster_conf, $fw_conf)) { - next if !$conf; - if (!$param->{type} || $param->{type} eq 'ipset') { - foreach my $name (keys %{$conf->{ipset}}) { - my $data = { - type => 'ipset', - name => $name, - ref => "+$name", - }; - if (my $comment = $conf->{ipset_comments}->{$name}) { - $data->{comment} = $comment; - } - $ipsets->{$name} = $data; - } - } - - if (!$param->{type} || $param->{type} eq 'alias') { - foreach my $name (keys %{$conf->{aliases}}) { - my $e = $conf->{aliases}->{$name}; - my $data = { - type => 'alias', - name => $name, - ref => $name, - }; - $data->{comment} = $e->{comment} if $e->{comment}; - $aliases->{$name} = $data; - } - } - } + my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc'); + my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest'); - my $res = []; - foreach my $e (values %$ipsets) { push @$res, $e; }; - foreach my $e (values %$aliases) { push @$res, $e; }; - - return $res; + return [@$dc_refs, @$vm_refs]; }}); }
@@ -306,17 +296,17 @@ use warnings; use base qw(PVE::API2::Firewall::VMBase); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::VMRules", + subclass => "PVE::API2::Firewall::VMRules", path => 'rules', }); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::VMAliases", + subclass => "PVE::API2::Firewall::VMAliases", path => 'aliases', }); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::VMIPSetList", + subclass => "PVE::API2::Firewall::VMIPSetList", path => 'ipset', });
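Review bot: The removed loop guarded each config with `next if !$conf;` before reading it, while the new code hands `$cluster_conf` and `$fw_conf` straight to `PVE::Firewall::Helpers::collect_refs`; unless that helper accepts an undefined config (it is outside this file), a guest whose `load_vmfw_conf` yields nothing would now die here instead of returning an empty list. The concatenation `return [@$dc_refs, @$vm_refs];` also changes the result: before, entries were stored by name in `$ipsets`/`$aliases` so a guest-level ipset or alias replaced the datacenter one of the same name, whereas now both are returned and are told apart only by the new `scope` field. If that is intended, say so on the return line, e.g. `# both scopes are listed; same-named entries differ by 'scope'`. The `register_method` call enclosing this `code` sub starts before the hunk.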
@@ -330,17 +320,17 @@ use warnings; use base qw(PVE::API2::Firewall::VMBase); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::CTRules", + subclass => "PVE::API2::Firewall::CTRules", path => 'rules', }); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::CTAliases", + subclass => "PVE::API2::Firewall::CTAliases", path => 'aliases', }); __PACKAGE__->register_method ({ - subclass => "PVE::API2::Firewall::CTIPSetList", + subclass => "PVE::API2::Firewall::CTIPSetList", path => 'ipset', });