implement API to get list of possible refs (aliases + ipsets)

diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 5f6d77db308fb9aaf2cd7936ab499f7fca7ace84..8f1deefece76041d065f58e72dcadaaa1b7ff792 100644 (file)
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -18,22 +18,22 @@ use Data::Dumper; # fixme: remove
 use base qw(PVE::RESTHandler);
 
 __PACKAGE__->register_method ({
-    subclass => "PVE::API2::Firewall::Groups",  
+    subclass => "PVE::API2::Firewall::Groups",
     path => 'groups',
 });
 
 __PACKAGE__->register_method ({
-    subclass => "PVE::API2::Firewall::ClusterRules",  
+    subclass => "PVE::API2::Firewall::ClusterRules",
     path => 'rules',
 });
 
 __PACKAGE__->register_method ({
-    subclass => "PVE::API2::Firewall::ClusterIPSetList",  
+    subclass => "PVE::API2::Firewall::ClusterIPSetList",
     path => 'ipset',
 });
 
 __PACKAGE__->register_method ({
-    subclass => "PVE::API2::Firewall::ClusterAliases",  
+    subclass => "PVE::API2::Firewall::ClusterAliases",
     path => 'aliases',
 });
 
@@ -65,6 +65,7 @@ __PACKAGE__->register_method({
            { name => 'groups' },
            { name => 'ipset' },
            { name => 'macros' },
+           { name => 'refs' },
            ];
 
        return $result;
@@ -81,7 +82,7 @@ my $option_properties = {
        optional => 1,
        enum => ['ACCEPT', 'REJECT', 'DROP'],
     },
-    policy_out => { 
+    policy_out => {
        description => "Output policy.",
        type => 'string',
        optional => 1,
@@ -95,7 +96,7 @@ my $add_option_properties = sub {
     foreach my $k (keys %$option_properties) {
        $properties->{$k} = $option_properties->{$k};
     }
-    
+
     return $properties;
 };
 
@@ -150,7 +151,7 @@ __PACKAGE__->register_method({
 
        if ($param->{delete}) {
            foreach my $opt (PVE::Tools::split_list($param->{delete})) {
-               raise_param_exc({ delete => "no such option '$opt'" }) 
+               raise_param_exc({ delete => "no such option '$opt'" })
                    if !$option_properties->{$opt};
                delete $cluster_conf->{options}->{$opt};
            }
@@ -162,7 +163,7 @@ __PACKAGE__->register_method({
 
        foreach my $k (keys %$option_properties) {
            next if !defined($param->{$k});
-           $cluster_conf->{options}->{$k} = $param->{$k}; 
+           $cluster_conf->{options}->{$k} = $param->{$k};
        }
 
        PVE::Firewall::save_clusterfw_conf($cluster_conf);
@@ -208,4 +209,68 @@ __PACKAGE__->register_method({
        return $res;
     }});
 
+__PACKAGE__->register_method({
+    name => 'refs',
+    path => 'refs',
+    method => 'GET',
+    description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+    parameters => {
+       additionalProperties => 0,
+       properties => {},
+    },
+    returns => {
+       type => 'array',
+       items => {
+           type => "object",
+           properties => {
+               type => {
+                   type => 'string',
+                   enum => ['alias', 'ipset'],
+               },
+               name => {
+                   type => 'string',
+               },
+               ref => {
+                   type => 'string',
+               },
+               comment => {
+                   type => 'string',
+                   optional => 1,
+               },
+           },
+       },
+    },
+    code => sub {
+       my ($param) = @_;
+
+       my $conf = PVE::Firewall::load_clusterfw_conf();
+
+       my $res = [];
+
+       foreach my $name (keys %{$conf->{ipset}}) {
+           my $data = {
+               type => 'ipset',
+               name => $name,
+               ref => "+$name",
+           };
+           if (my $comment = $conf->{ipset_comments}->{$name}) {
+               $data->{comment} = $comment;
+           }
+           push @$res, $data;
+       }
+
+       foreach my $name (keys %{$conf->{aliases}}) {
+           my $e = $conf->{aliases}->{$name};
+           my $data = {
+               type => 'alias',
+               name => $name,
+               ref => $name,
+           };
+           $data->{comment} = $e->{comment} if $e->{comment};
+           push @$res, $data;
+       }
+
+       return $res;
+    }});
+
 1;

diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 732f6bf84cffb223e159f25f2a38e70ff8b3144a..3e49e8887c93aa6838ee6ec296d41ca31114fac2 100644 (file)
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -87,6 +87,8 @@ sub register_handlers {
            my $result = [
                { name => 'rules' },
                { name => 'aliases' },
+               { name => 'ipset' },
+               { name => 'refs' },
                { name => 'options' },
                ];
 
@@ -232,6 +234,80 @@ sub register_handlers {
            
            return $lines; 
        }});
+
+
+    $class->register_method({
+       name => 'refs',
+       path => 'refs',
+       method => 'GET',
+       description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+       parameters => {
+           additionalProperties => 0,
+           properties => {
+               node => get_standard_option('pve-node'),
+               vmid => get_standard_option('pve-vmid'),
+           },
+       },
+       returns => {
+           type => 'array',
+           items => {
+               type => "object",
+               properties => { 
+                   type => {
+                       type => 'string',
+                       enum => ['alias', 'ipset'],
+                   },
+                   name => {
+                       type => 'string',
+                   },
+                   comment => { 
+                       type => 'string',
+                       optional => 1,
+                   },
+               },
+           },
+       },
+       code => sub {
+           my ($param) = @_;
+           
+           my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+           my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
+
+           my $ipsets = {};
+           my $aliases = {};
+
+           foreach my $conf (($cluster_conf, $fw_conf)) {
+               next if !$conf;
+               foreach my $name (keys %{$conf->{ipset}}) {
+                   my $data = { 
+                       type => 'ipset',
+                       name => $name,
+                       ref => "+$name",
+                   };
+                   if (my $comment = $conf->{ipset_comments}->{$name}) {
+                       $data->{comment} = $comment;
+                   }
+                   $ipsets->{$name} = $data;
+               }
+
+               foreach my $name (keys %{$conf->{aliases}}) {
+                   my $e = $conf->{aliases}->{$name};
+                   my $data = { 
+                       type => 'alias',
+                       name => $name,
+                       ref => $name,
+                   };
+                   $data->{comment} = $e->{comment} if $e->{comment};
+                   $aliases->{$name} = $data;
+               }
+           }
+
+           my $res = [];
+           foreach my $e (values %$ipsets) { push @$res, $e; };
+           foreach my $e (values %$aliases) { push @$res, $e; };
+           
+           return $res; 
+       }});
 }
 
 package PVE::API2::Firewall::VM;