From e76a9f539565cad56781f3c72ff9aae9f5e60639 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 20 May 2014 11:56:06 +0200
Subject: [PATCH] start alias support for VMs implement config parser/writer and API. iptables functionatity is missing.
---
 src/PVE/API2/Firewall/Aliases.pm | 32 +++++++++++++++++++++++++++++++-
 src/PVE/API2/Firewall/VM.pm | 6 ++++++
 src/PVE/Firewall.pm | 22 +++++++++++++++++++---
 src/PVE/FirewallSimulator.pm | 12 +++++++-----
 4 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/src/PVE/API2/Firewall/Aliases.pm b/src/PVE/API2/Firewall/Aliases.pm
index a3a3794..736ad62 100644
--- a/src/PVE/API2/Firewall/Aliases.pm
+++ b/src/PVE/API2/Firewall/Aliases.pm
@@ -242,7 +242,6 @@ sub register_delete_alias {
     my $properties = $class->additional_parameters();
     $properties->{name} = $api_properties->{name};
-    $properties->{cidr} = $api_properties->{cidr};
     $properties->{digest} = get_standard_option('pve-config-digest');
     $class->register_method({
@@ -309,4 +308,35 @@ sub save_aliases {
 __PACKAGE__->register_handlers();
+package PVE::API2::Firewall::VMAliases;
+
+use strict;
+use warnings;
+use PVE::JSONSchema qw(get_standard_option);
+
+use base qw(PVE::API2::Firewall::AliasesBase);
+
+__PACKAGE__->additional_parameters({
+    node => get_standard_option('pve-node'),
+    vmid => get_standard_option('pve-vmid'),
+});
+
+sub load_config {
+    my ($class, $param) = @_;
+
+    my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
+    my $aliases = $fw_conf->{aliases};
+
+    return ($fw_conf, $aliases);
+}
+
+sub save_aliases {
+    my ($class, $param, $fw_conf, $aliases) = @_;
+
+    $fw_conf->{aliases} = $aliases;
+    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
+}
+
+__PACKAGE__->register_handlers();
+
 1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 75b8518..b38ca24 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
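Review bot: In the new PVE::API2::Firewall::VMAliases package, `node` is declared in additional_parameters but neither load_config nor save_aliases reads `$param->{node}`; the firewall config is located by `$param->{vmid}` alone. Unless PVE::API2::Firewall::AliasesBase or the API router already verifies that the VM exists on that node, a request for an unrelated or non-existent vmid can read or create its firewall config, so a guard at the top of load_config is worth considering, at least as a marker: `# TODO: verify that vmid exists on $param->{node} before loading its firewall config`. save_aliases also ends without an explicit `return;`, which the other handlers' style would suggest.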
@@ -6,6 +6,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::Cluster;
 use PVE::Firewall;
 use PVE::API2::Firewall::Rules;
+use PVE::API2::Firewall::Aliases;
 use Data::Dumper; # fixme: remove
@@ -16,6 +17,11 @@ __PACKAGE__->register_method ({
     path => 'rules',
 });
+__PACKAGE__->register_method ({
+    subclass => "PVE::API2::Firewall::VMAliases",
+    path => 'aliases',
+});
+
 __PACKAGE__->register_method({
     name => 'index',
     path => '',
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3affb2a..eea47f2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,7 +1971,7 @@ sub parse_clusterfw_option {
     return ($opt, $value);
 }
-sub parse_clusterfw_alias {
+sub parse_alias {
     my ($line) = @_;
     # we can add single line comments to the end of the line
@@ -1995,7 +1995,11 @@ sub parse_clusterfw_alias {
 sub parse_vm_fw_rules {
     my ($filename, $fh) = @_;
-    my $res = { rules => [], options => {}};
+    my $res = {
+        rules => [],
+        options => {},
+        aliases => {},
+    };
     my $section;
@@ -2027,6 +2031,15 @@ sub parse_vm_fw_rules {
             next;
         }
+        if ($section eq 'aliases') {
+            eval {
+                my $data = parse_alias($line);
+                $res->{aliases}->{lc($data->{name})} = $data;
+            };
+            warn "$prefix: $@" if $@;
+            next;
+        }
+
         my $rule;
         eval { $rule = parse_fw_rule($line, 1, 1); };
         if (my $err = $@) {
@@ -2159,7 +2172,7 @@ sub parse_cluster_fw_rules {
             warn "$prefix: $@" if $@;
         } elsif ($section eq 'aliases') {
             eval {
-                my $data = parse_clusterfw_alias($line);
+                my $data = parse_alias($line);
                 $res->{aliases}->{lc($data->{name})} = $data;
             };
             warn "$prefix: $@" if $@;
@@ -2370,6 +2383,9 @@ sub save_vmfw_conf {
     my $options = $vmfw_conf->{options};
     $raw .= &$format_options($options) if scalar(keys %$options);
+    my $aliases = $vmfw_conf->{aliases};
+    $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+
     my $rules = $vmfw_conf->{rules} || [];
     if (scalar(@$rules)) {
         $raw .= "[RULES]\n\n";
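Review bot: In the new `aliases` branch of parse_vm_fw_rules (hunk -2027), a second definition of the same name silently replaces the first at `$res->{aliases}->{lc($data->{name})} = $data;`, so a duplicated alias in a VM config goes unreported while malformed lines are warned about via `$prefix`. A one-line check before the assignment would surface it: `warn "$prefix: duplicate alias '$data->{name}'\n" if exists $res->{aliases}->{lc($data->{name})};`. The cluster-side branch in hunk -2159 has the same behaviour. The code that sets `$section` from a section header lies above this hunk; if it does not yet accept an `[ALIASES]` header for VM configs, the new branch is unreachable and alias lines fall through to parse_fw_rule.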
diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 73f01d3..22ddee4 100644
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -80,31 +80,33 @@ sub rule_match {
             next if $cstate =~ m/NEW/;
-            die "please implement cstate test '$cstate'";
+            die "cstate test '$cstate' not implemented\n";
         }
         if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) {
             my $atype = $1;
-            die "missing srctype" if !$pkg->{srctype};
+            die "missing source address type (srctype)\n"
+                if !$pkg->{srctype};
             return undef if $atype ne $pkg->{srctype};
         }
         if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) {
             my $atype = $1;
-            die "missing dsttype" if !$pkg->{dsttype};
+            die "missing destination address type (dsttype)\n"
+                if !$pkg->{dsttype};
             return undef if $atype ne $pkg->{dsttype};
         }
         if ($rule =~ s/^-i (\S+)\s*//) {
             my $devre = $1;
-            die "missing iface_in" if !$pkg->{iface_in};
+            die "missing interface (iface_in)\n" if !$pkg->{iface_in};
             return undef if !nf_dev_match($devre, $pkg->{iface_in});
             next;
         }
         if ($rule =~ s/^-o (\S+)\s*//) {
             my $devre = $1;
-            die "missing iface_out" if !$pkg->{iface_out};
+            die "missing interface (iface_out)\n" if !$pkg->{iface_out};
             return undef if !nf_dev_match($devre, $pkg->{iface_out});
             next;
         }
-- 
2.39.2