die "implement this in subclass";
}
+sub rule_env {
+ my ($class, $param) = @_;
+
+ die "implement this in subclass";
+}
+
sub save_ipset {
my ($class, $param, $fw_conf, $ipset) = @_;
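Review bot: The new `rule_env` stub takes a `$param` argument that no call site in this series supplies (`$class->rule_env()` in the register blocks below) and that none of the subclass overrides read, so the signature promises a per-request input the method can never act on; either narrow it to `my ($class) = @_;` or say what it is reserved for. Since the value feeds `permissions =>` in what appears to be a register_method call (the enclosing sub is not visible here), it is evaluated once at registration and the resulting permission spec is fixed per class, which is worth stating on the base stub: `# Rule environment ('cluster', 'vm', 'ct') used to derive the API permission spec; evaluated once at method registration, so it must not depend on request parameters.` The same applies to the identical stub in the BaseIPSetList package further down this change.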
path => '',
method => 'GET',
description => "List IPSet content",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'DELETE',
description => "Delete IPSet",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'POST',
description => "Add IP or Network to IPSet.",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
path => '{cidr}',
method => 'GET',
description => "Read IP or Network settings from IPSet.",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
protected => 1,
parameters => {
additionalProperties => 0,
method => 'PUT',
description => "Update IP or Network settings",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'DELETE',
description => "Remove IP or Network from IPSet.",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
use base qw(PVE::API2::Firewall::IPSetBase);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'cluster';
+}
+
sub load_config {
my ($class, $param) = @_;
use base qw(PVE::API2::Firewall::IPSetBase);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'vm';
+}
+
__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid'),
use base qw(PVE::API2::Firewall::IPSetBase);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'ct';
+}
+
__PACKAGE__->additional_parameters({
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid'),
die "implement this in subclass";
}
+sub rule_env {
+ my ($class, $param) = @_;
+
+ die "implement this in subclass";
+}
+
my $additional_param_hash_list = {};
sub additional_parameters {
path => '',
method => 'GET',
description => "List IPSets",
+ permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'POST',
description => "Create new IPSet",
protected => 1,
+ permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
properties => $properties,
use base qw(PVE::API2::Firewall::BaseIPSetList);
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'cluster';
+}
+
sub load_config {
my ($class, $param) = @_;
vmid => get_standard_option('pve-vmid'),
});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'vm';
+}
+
sub load_config {
my ($class, $param) = @_;
vmid => get_standard_option('pve-vmid'),
});
+sub rule_env {
+ my ($class, $param) = @_;
+
+ return 'ct';
+}
+
sub load_config {
my ($class, $param) = @_;
return $copy;
}
-my $rules_modify_permissions = sub {
- my ($rule_env) = @_;
-
- if ($rule_env eq 'host') {
- return {
- check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
- };
- } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
- return {
- check => ['perm', '/', [ 'Sys.Modify' ]],
- };
- } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
- return {
- check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
- }
- }
-
- return undef;
-};
-
-my $rules_audit_permissions = sub {
- my ($rule_env) = @_;
-
- if ($rule_env eq 'host') {
- return {
- check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
- };
- } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
- return {
- check => ['perm', '/', [ 'Sys.Audit' ]],
- };
- } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
- return {
- check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
- }
- }
-
- return undef;
-};
-
sub register_get_rules {
my ($class) = @_;
path => '',
method => 'GET',
description => "List rules.",
- permissions => &$rules_audit_permissions($rule_env),
+ permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
path => '{pos}',
method => 'GET',
description => "Get single rule data.",
- permissions => &$rules_audit_permissions($rule_env),
+ permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
method => 'POST',
description => "Create new rule.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $create_rule_properties,
method => 'PUT',
description => "Modify rule data.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $update_rule_properties,
method => 'DELETE',
description => "Delete rule.",
protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
return $rule;
}
+sub rules_modify_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+ }
+ }
+
+ return undef;
+}
+
+sub rules_audit_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ }
+ }
+
+ return undef;
+}
+
# core functions
my $bridge_firewall_enabled = 0;
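Review bot: `rules_modify_permissions` and `rules_audit_permissions` silently return `undef` for any `$rule_env` outside the three known cases, and `return undef` is load-bearing here: the callers use the result in list context inside a hash constructor (`permissions => PVE::Firewall::rules_audit_permissions(...)`), where a bare `return;` would drop the key and shift the remaining pairs, so a comment should say so before someone "fixes" it to satisfy perlcritic. The fallback itself also deserves a line: if the REST layer treats a missing permission spec as root-only (I believe that is how it behaves, but confirm), a typo in a subclass's `rule_env` fails closed but is never surfaced, so consider a `die "unknown rule_env '$rule_env'\n"` at registration instead. The two subs are otherwise byte-for-byte duplicates differing only in the privilege names; folding the table into one private helper keeps the env-to-path mapping in a single place.

```perl
# Builds the API permission spec for a rule environment; $sys_priv applies to
# node/cluster/group paths and $vm_priv to the per-VM path.
sub _rules_permissions_for_env {
    my ($rule_env, $sys_priv, $vm_priv) = @_;

    return { check => ['perm', '/nodes/{node}', [ $sys_priv ]] } if $rule_env eq 'host';
    return { check => ['perm', '/', [ $sys_priv ]] } if $rule_env eq 'cluster' || $rule_env eq 'group';
    return { check => ['perm', '/vms/{vmid}', [ $vm_priv ]] } if $rule_env eq 'vm' || $rule_env eq 'ct';

    # Deliberately 'return undef' rather than 'return;': callers evaluate this in
    # list context inside a hash constructor, where an empty list would shift
    # the remaining keys. Unknown environments thus carry no permission spec.
    return undef;
}

sub rules_modify_permissions {
    my ($rule_env) = @_;
    return _rules_permissions_for_env($rule_env, 'Sys.Modify', 'VM.Config.Network');
}

sub rules_audit_permissions {
    my ($rule_env) = @_;
    return _rules_permissions_for_env($rule_env, 'Sys.Audit', 'VM.Audit');
}
```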