From: Leo Nunner <l.nunner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall 3/3] fix #4556: api: return scoped IPSets and aliases
Date: Wed, 7 Jun 2023 12:17:50 +0200 [thread overview]
Message-ID: <20230607101751.87616-4-l.nunner@proxmox.com> (raw)
In-Reply-To: <20230607101751.87616-1-l.nunner@proxmox.com>
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/VM.pm | 47 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 43 +++++++++++++++++++++++++++++
3 files changed, 57 insertions(+), 67 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..69cdf54 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -275,44 +281,11 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'vm');
- return $res;
+ my @ret = (@$dc_refs, @$vm_refs);
+ return \@ret;
}});
}
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..ca7d26f 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,46 @@ sub dump_fw_logfile {
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+ my $ipsets = {};
+ my $aliases = {};
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => "+$scope/$name",
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ $ipsets->{$name} = $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => "$scope/$name",
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ $aliases->{$name} = $data;
+ }
+ }
+
+ my $res = [];
+ foreach my $e (values %$ipsets) { push @$res, $e; };
+ foreach my $e (values %$aliases) { push @$res, $e; };
+
+ return $res;
+}
+
1;
--
2.30.2
next prev parent reply other threads:[~2023-06-07 10:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-07 10:17 [pve-devel] [PATCH firewall/manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-07 10:17 ` [pve-devel] [PATCH firewall 1/3] fix #4556: introduce 'dc' and 'vm' prefix for IPSets Leo Nunner
2023-06-07 10:17 ` [pve-devel] [PATCH firewall 2/3] fix #4556: introduce 'dc' and 'vm' prefix for aliases Leo Nunner
2023-06-07 13:14 ` Wolfgang Bumiller
2023-06-07 10:17 ` Leo Nunner [this message]
2023-06-07 10:17 ` [pve-devel] [PATCH manager] firewall: add scope field to IPRefSelector Leo Nunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230607101751.87616-4-l.nunner@proxmox.com \
--to=l.nunner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal