* [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases
@ 2023-06-13 12:06 Leo Nunner
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
Changes since v1:
- fix adding entries to IPSets on the cluster level
- code style improvements
- adapt to the scoping change with 'guest/'
The GUI now just shows the scope "Datacenter/Guest", and returns
the concatenated value ('$scope/$value') automatically.
pve-firewall:
Leo Nunner (2):
api: fix scoping for ipset endpoint
fix #4556: api: return scoped IPSets and aliases
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/IPSet.pm | 2 ++
src/PVE/API2/Firewall/VM.pm | 46 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 39 +++++++++++++++++++++++++++
4 files changed, 54 insertions(+), 67 deletions(-)
pve-manager:
Leo Nunner (1):
firewall: add scope field to IPRefSelector
www/manager6/form/IPRefSelector.js | 35 +++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
--
2.30.2
* [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
in the cluster class, we save the cluster config into the 'fw_conf'
variable, and not into 'cluster_conf', which in turn is set to 'undef'
instead.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/IPSet.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index ed92d87..baa57ca 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -203,6 +203,8 @@ sub register_create_ip {
if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
my $scope = $1 // "";
my $alias = $2;
+ # on the cluster level
+ $cluster_conf = $fw_conf if (!$cluster_conf);
# make sure alias exists (if $cidr is an alias)
PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
} else {
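Review bot: the fallback `$cluster_conf = $fw_conf if (!$cluster_conf);` hands `resolve_alias` the cluster config as both the cluster and the guest configuration, so at the cluster level a `guest/`-prefixed alias, which the regex two lines above still accepts, may be resolved against the cluster config instead of being rejected; consider dying on a `guest` scope when `$cluster_conf` is unset, or extend the comment `# on the cluster level` to say that both scopes deliberately resolve to the cluster config there. Style: the postfix form reads cleaner without parentheses, `$cluster_conf = $fw_conf if !$cluster_conf;`.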
--
2.30.2
* [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/VM.pm | 46 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 39 +++++++++++++++++++++++++++
3 files changed, 52 insertions(+), 67 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
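Review bot: the new `scope` return property carries no `description` and no `enum`; the cluster endpoint only ever returns `'dc'` and the VM endpoint `'dc'` or `'guest'`, so `enum => ['dc', 'guest']` plus a one-line description would make the schema self-documenting for the GUI and other API consumers.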
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
1;
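Review bot: the scope literal is `"dc"` here but `'dc'` in the VM.pm hunk of the same patch; settle on one quoting style or, better, have Helpers.pm export the two scope strings as named values so a typo in one caller cannot silently introduce a third scope. Also worth confirming that Cluster.pm already loads `PVE::Firewall::Helpers`: the hunk calls `collect_refs` fully qualified but adds no `use` line.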
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..4222103 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
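Review bot: as in Cluster.pm, the added `ref` and `scope` properties lack `description`/`enum`; `ref` in particular deserves a note that it is `+name` for an IPSet and the bare name for an alias, since that is the string the GUI displays and matches against.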
@@ -275,44 +281,10 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return $res;
+ return [@$dc_refs, @$vm_refs];
}});
}
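Review bot: this changes observable behaviour and the commit message should say so: the removed loop collected entries into `%$ipsets`/`%$aliases` keyed by name, so a guest IPSet or alias shadowed a same-named cluster one and appeared once, whereas `[@$dc_refs, @$vm_refs]` returns both entries. Any consumer that keys records by `ref` (the manager's store currently does) will now see colliding ids for same-named dc/guest entries. The removed loop also had `next if !$conf;`; `collect_refs` has no equivalent guard, so if either config can be undefined here that case needs handling in the helper.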
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..7dcbca3 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,42 @@ sub dump_fw_logfile {
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+
+ my $res = [];
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => $scope,
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ push @$res, $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => $scope,
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ push @$res, $data;
+ }
+ }
+
+ return $res;
+}
+
1;
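Review bot: `collect_refs` does not guard against an undefined `$conf`, while the VM.pm loop it replaces did (`next if !$conf;`); add `return [] if !$conf;` right after `my ($conf, $type, $scope) = @_;` and drop the doubled blank line there. A short comment describing the returned entries (`type`, `name`, `ref`, `scope`, optional `comment`) would help, as this function is now the single source of the /ref format for both endpoints.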
--
2.30.2
* [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
and send the scoped value to the firewall when choosing new values.
This happens for both IPSets and aliases.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
www/manager6/form/IPRefSelector.js | 35 +++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/www/manager6/form/IPRefSelector.js b/www/manager6/form/IPRefSelector.js
index 9ccc2fe10..b50ac1e10 100644
--- a/www/manager6/form/IPRefSelector.js
+++ b/www/manager6/form/IPRefSelector.js
@@ -8,7 +8,7 @@ Ext.define('PVE.form.IPRefSelector', {
ref_type: undefined, // undefined = any [undefined, 'ipset' or 'alias']
- valueField: 'ref',
+ valueField: 'scopedref',
displayField: 'ref',
notFoundIsValid: true,
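Review bot: with `valueField` switched to `scopedref` while `displayField` stays `ref`, a rule whose stored value is an unscoped reference (`+name` or plain `name`) no longer matches any store record; `notFoundIsValid: true` keeps it valid, but it shows as the raw value rather than resolving to a row. The commit message should state how pre-existing unscoped values are expected to behave in the selector.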
@@ -26,7 +26,23 @@ Ext.define('PVE.form.IPRefSelector', {
var store = Ext.create('Ext.data.Store', {
autoLoad: true,
- fields: ['type', 'name', 'ref', 'comment'],
+ fields: [
+ 'type',
+ 'name',
+ 'ref',
+ 'comment',
+ 'scope',
+ {
+ name: 'scopedref',
+ calculate: function(v) {
+ if (v.type === 'alias') {
+ return `${v.scope}/${v.name}`;
+ } else {
+ return `+${v.scope}/${v.name}`;
+ }
+ },
+ },
+ ],
idProperty: 'ref',
proxy: {
type: 'proxmox',
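Review bot: `idProperty: 'ref'` is kept although the whole point of `scopedref` is that a datacenter and a guest entry can share the same `ref`; two records with the same id in an `Ext.data.Store` collide, so `idProperty` should be `'scopedref'`. Minor: the `calculate` function rebuilds the `+` prefix from `v.type` and `v.name`, duplicating the API's formatting rule in the client; inserting `${v.scope}/` into `v.ref` after its optional leading `+` would keep a single source of truth.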
@@ -65,17 +81,30 @@ Ext.define('PVE.form.IPRefSelector', {
hideable: false,
width: 140,
},
+ {
+ header: gettext('Scope'),
+ dataIndex: 'scope',
+ hideable: false,
+ width: 140,
+ renderer: function(value) {
+ return value === 'dc' ? gettext("Datacenter") : gettext("Guest");
+ },
+ },
{
header: gettext('Comment'),
dataIndex: 'comment',
renderer: Ext.String.htmlEncode,
+ minWidth: 60,
flex: 1,
},
);
Ext.apply(me, {
store: store,
- listConfig: { columns: columns },
+ listConfig: {
+ columns: columns,
+ width: 500,
+ },
});
me.on('change', disable_query_for_ips);
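Review bot: the Scope column renderer treats every value other than `'dc'` as Guest; that is correct for the two scopes the API returns today but would mislabel any future scope silently. A small lookup object (`{ dc: gettext('Datacenter'), guest: gettext('Guest') }`) falling back to the raw value is more robust, and the fixed `width: 500` on `listConfig` is worth a comment explaining why the default dropdown width is no longer sufficient with the extra column.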
--
2.30.2
* [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases
From: Wolfgang Bumiller @ 2023-06-15 7:41 UTC (permalink / raw)
To: Leo Nunner; +Cc: pve-devel
applied series, thanks
* Re: [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint
From: Wolfgang Bumiller @ 2023-06-15 7:42 UTC (permalink / raw)
To: Leo Nunner; +Cc: pve-devel
picked this into stable-7 as well
On Tue, Jun 13, 2023 at 02:06:32PM +0200, Leo Nunner wrote:
> in the cluster class, we save the cluster config into the 'fw_conf'
> variable, and not into 'cluster_conf', which in turn is set to 'undef'
> instead.
>
> Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
> ---
> src/PVE/API2/Firewall/IPSet.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
> index ed92d87..baa57ca 100644
> --- a/src/PVE/API2/Firewall/IPSet.pm
> +++ b/src/PVE/API2/Firewall/IPSet.pm
> @@ -203,6 +203,8 @@ sub register_create_ip {
> if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
> my $scope = $1 // "";
> my $alias = $2;
> + # on the cluster level
> + $cluster_conf = $fw_conf if (!$cluster_conf);
> # make sure alias exists (if $cidr is an alias)
> PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
> } else {
> --
> 2.30.2