From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 15 Apr 2014 10:28:05 +0000 (+0200)
Subject: complete options API for host.fw
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=6302c41f8549239554d2192612b1af70c51d579f

complete options API for host.fw
---

diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index 4ae0d0f..d696455 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -49,6 +49,65 @@ __PACKAGE__->register_method({
 	return $result;
     }});
 
+my $option_properties = {
+    enable => {
+	description => "Enable host firewall rules.",
+	type => 'boolean',
+	optional => 1,
+    },
+    log_level_in =>  get_standard_option('pve-fw-loglevel', {
+	description => "Log level for incoming traffic." }),
+    log_level_out =>  get_standard_option('pve-fw-loglevel', {
+	description => "Log level for outgoing traffic." }),
+    tcp_flags_log_level =>  get_standard_option('pve-fw-loglevel', {
+	description => "Log level for illegal tcp flags filter." }),
+    smurf_log_level =>  get_standard_option('pve-fw-loglevel', {
+	description => "Log level for SMURFS filter." }),
+    nosmurfs => {
+	description => "Enable SMURFS filter.",
+	type => 'boolean',
+	optional => 1,
+    },
+    tcpflags => {
+	description => "Filter illegal combinations of TCP flags.",
+	type => 'boolean',
+	optional => 1,
+    },
+    allow_bridge_route => {
+	description => "Enable firewall when bridges contains IP address. The firewall is not fully functional in that case, so you need to enable that explicitly",
+	type => 'boolean',
+	optional => 1,
+    },
+    optimize => {
+	description => "Allow rules processing speed optimizations.",
+	type => 'boolean',
+	optional => 1,
+    },
+    nf_conntrack_max => {
+	description => "Maximum number of tracked connections.",
+	type => 'integer',
+	optional => 1,
+	minimum => 32768,
+    },
+    nf_conntrack_tcp_timeout_established => {
+ 	description => "Conntrack established timeout.",
+	type => 'integer',
+	optional => 1,
+	minimum => 7875,
+    }
+};
+
+my $add_option_properties = sub {
+    my ($properties) = @_;
+
+    foreach my $k (keys %$option_properties) {
+	$properties->{$k} = $option_properties->{$k};
+    }
+    
+    return $properties;
+};
+
+
 __PACKAGE__->register_method({
     name => 'get_options',
     path => 'options',
@@ -63,7 +122,8 @@ __PACKAGE__->register_method({
     },
     returns => {
 	type => "object",
-	properties => {},
+    	#additionalProperties => 1,
+	properties => $option_properties,
     },
     code => sub {
 	my ($param) = @_;
@@ -73,6 +133,56 @@ __PACKAGE__->register_method({
 	return PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
     }});
 
+__PACKAGE__->register_method({
+    name => 'set_options',
+    path => 'options',
+    method => 'PUT',
+    description => "Set Firewall options.",
+    protected => 1,
+    proxyto => 'node',
+    parameters => {
+    	additionalProperties => 0,
+	properties => &$add_option_properties({
+	    node => get_standard_option('pve-node'),
+	    delete => {
+		type => 'string', format => 'pve-configid-list',
+		description => "A list of settings you want to delete.",
+		optional => 1,
+	    },
+	    digest => get_standard_option('pve-config-digest'),
+	}),
+    },
+    returns => { type => "null" },
+    code => sub {
+	my ($param) = @_;
+
+	my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+
+	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($hostfw_conf->{options});
+	PVE::Tools::assert_if_modified($digest, $param->{digest});
+
+	if ($param->{delete}) {
+	    foreach my $opt (PVE::Tools::split_list($param->{delete})) {
+		raise_param_exc({ delete => "no such option '$opt'" }) 
+		    if !$option_properties->{$opt};
+		delete $hostfw_conf->{options}->{$opt};
+	    }
+	}
+
+	if (defined($param->{enable})) {
+	    $param->{enable} = $param->{enable} ? 1 : 0;
+	}
+
+	foreach my $k (keys %$option_properties) {
+	    next if !defined($param->{$k});
+	    $hostfw_conf->{options}->{$k} = $param->{$k}; 
+	}
+
+	PVE::Firewall::save_hostfw_conf($hostfw_conf);
+
+	return undef;
+    }});
+
 __PACKAGE__->register_method({
     name => 'log', 
     path => 'log', 
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8ddd468..ecbbeaa 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -56,6 +56,13 @@ PVE::JSONSchema::register_standard_option('ipset-name', {
     maxLength => 20,			  
 });
 
+PVE::JSONSchema::register_standard_option('pve-fw-loglevel' => {
+    description => "Log level.",
+    type => 'string', 
+    enum => ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug', 'nolog'],
+    optional => 1,
+});
+
 my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
 
 PVE::JSONSchema::register_standard_option('pve-security-group-name', {