fix #4556: api: return scoped IPSets and aliases
authorLeo Nunner <l.nunner@proxmox.com>
Tue, 13 Jun 2023 12:06:33 +0000 (14:06 +0200)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Thu, 15 Jun 2023 07:22:45 +0000 (09:22 +0200)
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
src/PVE/API2/Firewall/Cluster.pm
src/PVE/API2/Firewall/VM.pm
src/PVE/Firewall/Helpers.pm

index c9c3e67a16c5212b1a4984c2081e4adf7fc07198..48ad90d40b2a6ebc8646678d9d0c917f84d08ecb 100644 (file)
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
                ref => {
                    type => 'string',
                },
+               scope => {
+                   type => 'string',
+               },
                comment => {
                    type => 'string',
                    optional => 1,
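Review bot: The new `scope` property is declared as a free-form string with no description, although the only values this commit passes to collect_refs are 'dc' and 'guest'. Constraining it in the schema, e.g. `scope => { type => 'string', enum => ['dc', 'guest'], description => "Level the IPSet or alias is defined on." },`, lets API clients validate and branch on the value instead of guessing. The same applies to the `scope` entry added to the VM.pm schema (hunk at -262). The enclosing register_method call starts and ends outside this hunk.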
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
 
        my $conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $res = [];
-
-       if (!$param->{type} || $param->{type} eq 'ipset') {
-           foreach my $name (keys %{$conf->{ipset}}) {
-               my $data = {
-                   type => 'ipset',
-                   name => $name,
-                   ref => "+$name",
-               };
-               if (my $comment = $conf->{ipset_comments}->{$name}) {
-                   $data->{comment} = $comment;
-               }
-               push @$res, $data;
-           }
-       }
-
-       if (!$param->{type} || $param->{type} eq 'alias') {
-           foreach my $name (keys %{$conf->{aliases}}) {
-               my $e = $conf->{aliases}->{$name};
-               my $data = {
-                   type => 'alias',
-                   name => $name,
-                   ref => $name,
-               };
-               $data->{comment} = $e->{comment} if $e->{comment};
-               push @$res, $data;
-           }
-       }
-
-       return $res;
+       return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
     }});
 
 1;
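Review bot: The call `PVE::Firewall::Helpers::collect_refs(...)` is fully qualified, so it only resolves if the Helpers module has been loaded by the time the handler runs, and no `use` line is visible in this hunk. If Cluster.pm does not already have one, add `use PVE::Firewall::Helpers;` next to the other imports rather than relying on another module to pull it in; the same check applies to VM.pm. As a small style point, the scope literal is written `"dc"` here and `'dc'` in VM.pm; single quotes would match.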
index fb255e0ccb6baeaee270610a1e6f9f34446ec34a..422210399bf43454fa6aa21d22b13135afb6e4ba 100644 (file)
@@ -262,6 +262,12 @@ sub register_handlers {
                    name => {
                        type => 'string',
                    },
+                   ref => {
+                       type => 'string',
+                   },
+                   scope => {
+                       type => 'string',
+                   },
                    comment => {
                        type => 'string',
                        optional => 1,
@@ -275,44 +281,10 @@ sub register_handlers {
            my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
            my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
 
-           my $ipsets = {};
-           my $aliases = {};
-
-           foreach my $conf (($cluster_conf, $fw_conf)) {
-               next if !$conf;
-               if (!$param->{type} || $param->{type} eq 'ipset') {
-                   foreach my $name (keys %{$conf->{ipset}}) {
-                       my $data = {
-                           type => 'ipset',
-                           name => $name,
-                           ref => "+$name",
-                       };
-                       if (my $comment = $conf->{ipset_comments}->{$name}) {
-                           $data->{comment} = $comment;
-                       }
-                       $ipsets->{$name} = $data;
-                   }
-               }
-
-               if (!$param->{type} || $param->{type} eq 'alias') {
-                   foreach my $name (keys %{$conf->{aliases}}) {
-                       my $e = $conf->{aliases}->{$name};
-                       my $data = {
-                           type => 'alias',
-                           name => $name,
-                           ref => $name,
-                       };
-                       $data->{comment} = $e->{comment} if $e->{comment};
-                       $aliases->{$name} = $data;
-                   }
-               }
-           }
-
-           my $res = [];
-           foreach my $e (values %$ipsets) { push @$res, $e; };
-           foreach my $e (values %$aliases) { push @$res, $e; };
+           my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+           my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
 
-           return $res;
+           return [@$dc_refs, @$vm_refs];
        }});
 }
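Review bot: With the per-name hashes gone, a guest-level IPSet or alias no longer replaces the datacenter entry of the same name: both rows are returned, and they carry an identical `ref` (`+$name` or `$name`), differing only in `scope`. A client that still keys on `name` or `ref` can show or select the datacenter entry while, presumably, the rule resolves to the guest-level definition, so a rule may match different addresses than the operator intended. The resolution order is not visible here and is worth confirming. It would help to state the duplicate-name behaviour in the endpoint description and, if the rule syntax supports it, to make `ref` itself scope-qualified. The handler body begins outside this hunk.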
 
index a8e18e2b5e22593303d967126d4ffe32da6fe351..7dcbca377049612946d5f01ef366c9ede6db0430 100644 (file)
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
 lock_vmfw_conf
 remove_vmfw_conf
 clone_vmfw_conf
+collect_refs
 );
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,42 @@ sub dump_fw_logfile {
     return ($state{'count'}, $state{'lines'});
 }
 
+sub collect_refs {
+    my ($conf, $type, $scope) = @_;
+
+
+    my $res = [];
+
+    if (!$type || $type eq 'ipset') {
+       foreach my $name (keys %{$conf->{ipset}}) {
+           my $data = {
+               type => 'ipset',
+               name => $name,
+               ref => "+$name",
+               scope => $scope,
+           };
+           if (my $comment = $conf->{ipset_comments}->{$name}) {
+               $data->{comment} = $comment;
+           }
+           push @$res, $data;
+       }
+    }
+
+    if (!$type || $type eq 'alias') {
+       foreach my $name (keys %{$conf->{aliases}}) {
+           my $e = $conf->{aliases}->{$name};
+           my $data = {
+               type => 'alias',
+               name => $name,
+               ref => $name,
+               scope => $scope,
+           };
+           $data->{comment} = $e->{comment} if $e->{comment};
+           push @$res, $data;
+       }
+    }
+
+    return $res;
+}
+
 1;
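Review bot: collect_refs drops the `next if !$conf;` guard the VM handler used to have and dereferences `$conf` directly, so an undefined config is handled only by autovivification rather than by an explicit check. Adding `return [] if !$conf;` as the first statement after the argument unpacking keeps the old behaviour obvious. The sub also has no comment describing its contract; a short one stating that `$type` is undef, 'ipset' or 'alias', that `$scope` is copied verbatim into each entry, and that the result is an array ref of hashes would help callers. The doubled blank line after the `my (...) = @_;` line can go.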