From d1c53b3e0daad6891ad6a97b6e79d03d7e781a78 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 18 Mar 2014 10:36:46 +0100
Subject: [PATCH] improve security group API
---
 src/PVE/API2/Firewall/Groups.pm | 52 +++++++++++++++++++++++++++++++--
 src/PVE/Firewall.pm | 25 ++++++++++++++++
 src/pvefw | 5 ++++
 3 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index cd9199e..d7f33b8 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -27,7 +27,12 @@ __PACKAGE__->register_method({
 type => 'array',
 items => {
 type => "object",
- properties => {},
+ properties => {
+ name => {
+ description => "Security group name.",
+ type => 'string',
+ },
+ },
 },
 links => [ { rel => 'child', href => "{name}" } ],
 },
@@ -38,7 +43,50 @@ __PACKAGE__->register_method({
 my $res = [];
 foreach my $group (keys %{$groups_conf->{rules}}) {
- push @$res, { name => $group };
+ push @$res, { name => $group, count => scalar(@{$groups_conf->{rules}->{$group}}) };
+ }
+
+ return $res;
+ }});
+
+__PACKAGE__->register_method({
+ name => 'get_rules',
+ path => '{group}',
+ method => 'GET',
+ description => "List security groups rules.",
+ proxyto => 'node',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ group => {
+ description => "Security group name.",
+ type => 'string',
+ },
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {},
+ },
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $groups_conf = PVE::Firewall::load_security_groups();
+
+ my $rules = $groups_conf->{rules}->{$param->{group}};
+ die "no such security group\n" if !defined($rules);
+
+ my $digest = $groups_conf->{digest};
+
+ my $res = [];
+
+ my $ind = 0;
+ foreach my $rule (@$rules) {
+ push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
 }
 return $res;
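Review bot: The item schema declared in this hunk lists only `name`, yet the second hunk of this file pushes `count => scalar(@{$groups_conf->{rules}->{$group}})` into every result, so the new field leaves the API undocumented (and, if the return validator rejects undeclared properties, rejected — whether it does is not visible here). Declaring it beside `name` keeps schema and code in step: `count => { description => "Number of rules in this security group.", type => 'integer', },`. The `register_method` call this hunk sits in starts and ends outside the hunk.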
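Review bot: The new `get_rules` method carries no `permissions` entry, so who may read a group's rules is decided by whatever default the REST handler applies to a missing key, which this hunk does not show; an explicit `permissions` line at the definition would make the intended authorization for this read endpoint reviewable. The `group` parameter is typed only as `type => 'string'` and is used verbatim as a hash key, which is safe, but a `pattern` (or whatever group-name format the config parser accepts) would turn malformed names into a schema error instead of the generic `no such security group`. The returned rule objects are declared `properties => {}`, so the `digest` and `pos` fields that `cleanup_fw_rule` attaches are undocumented; until the schema is filled in, a comment next to the push such as `# each rule carries digest (of the groups file) and pos (index in the group) for later edits` would help. The tail of the `index` method at the top of the hunk begins outside it.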
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d4de6f6..7e3daad 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -635,6 +635,25 @@ sub parse_port_name_number_or_range {
 return ($nbports);
 }
+# helper function for API
+sub cleanup_fw_rule {
+ my ($rule, $digest, $pos) = @_;
+
+ my $r = {};
+
+ foreach my $k (keys %$rule) {
+ next if $k eq 'nbdport';
+ next if $k eq 'nbsport';
+ my $v = $rule->{$k};
+ next if !defined($v);
+ $r->{$k} = $v;
+ $r->{digest} = $digest;
+ $r->{pos} = $pos;
+ }
+
+ return $r;
+}
+
 my $bridge_firewall_enabled = 0;
 sub enable_bridge_firewall {
@@ -1478,7 +1497,11 @@ sub parse_group_fw_rules {
 my $res = { rules => {} };
+ my $digest = Digest::SHA->new('sha1');
+
 while (defined(my $line = <$fh>)) {
+ $digest->add($line);
+
 next if $line =~ m/^#/;
 next if $line =~ m/^\s*$/;
@@ -1505,6 +1528,8 @@ sub parse_group_fw_rules {
 push @{$res->{$section}->{$group}}, @$rules;
 }
+ $res->{digest} = $digest->b64digest;
+
 return $res;
 }
diff --git a/src/pvefw b/src/pvefw
index 1671f55..4cc2fe2 100755
--- a/src/pvefw
+++ b/src/pvefw
@@ -244,6 +244,11 @@ my $cmddef = {
 my $res = shift;
 print Dumper($res);
 }],
+ grouprules => [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
+ { node => $nodename }, sub {
+ my $res = shift;
+ print Dumper($res);
+ }],
 };
 my $cmd = shift;
-- 
2.39.2
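Review bot: In `cleanup_fw_rule` the two lines `$r->{digest} = $digest;` and `$r->{pos} = $pos;` sit inside the `foreach my $k (keys %$rule)` loop, so they are re-assigned once per key and are never set at all for a rule whose keys are all skipped or undefined, which would hand the API caller a rule without the digest it needs for a later edit. Moving the two assignments after the loop, just before `return $r;`, makes every returned hash carry them unconditionally. The header comment `# helper function for API` could say what the helper does: `# API helper: copy a parsed rule without the internal nbdport/nbsport fields, attaching the groups-file digest and the rule's position for later edits.`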
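Review bot: In `parse_group_fw_rules` the `$digest->add($line)` call runs before the comment and blank-line skips, so the digest covers the raw file byte for byte and any edit, including a comment or whitespace change, invalidates it; that is a reasonable change-detection contract but it is not stated anywhere, so a comment such as `# digest the raw file, comments and blank lines included, so concurrent edits are detected` above the `add` would save the next reader from wondering whether normalisation was intended. `Digest::SHA->new('sha1')` depends on a `use Digest::SHA;` that is not within the hunk; confirm it is already loaded in this file. The enclosing `sub parse_group_fw_rules` starts and ends outside the hunk.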