From: Leo Nunner <l.nunner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall 3/3] fix #4556: api: return scoped IPSets and aliases
Date: Wed,  7 Jun 2023 12:17:50 +0200	[thread overview]
Message-ID: <20230607101751.87616-4-l.nunner@proxmox.com> (raw)
In-Reply-To: <20230607101751.87616-1-l.nunner@proxmox.com>

Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
 src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
 src/PVE/API2/Firewall/VM.pm      | 47 +++++++-------------------------
 src/PVE/Firewall/Helpers.pm      | 43 +++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 67 deletions(-)

diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
 		ref => {
 		    type => 'string',
 		},
+		scope => {
+		    type => 'string',
+		},
 		comment => {
 		    type => 'string',
 		    optional => 1,
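Review bot: The new `scope` return property carries no `description`, so API consumers and the generated schema docs get no hint of its format, which from the Helpers.pm hunk is `$scope/$name` for aliases and `+$scope/$name` for IPSets with `$scope` being `dc` or `vm`. A one-line description would fix that, e.g. `description => "Scoped reference, '<scope>/<name>' for aliases and '+<scope>/<name>' for IPSets, where <scope> is 'dc' or 'vm'.",` inside the `scope` hash. The same applies to the `ref` and `scope` properties added in the VM.pm schema hunk. The `register_method` call enclosing this schema starts and ends outside the hunk.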
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
 
 	my $conf = PVE::Firewall::load_clusterfw_conf();
 
-	my $res = [];
-
-	if (!$param->{type} || $param->{type} eq 'ipset') {
-	    foreach my $name (keys %{$conf->{ipset}}) {
-		my $data = {
-		    type => 'ipset',
-		    name => $name,
-		    ref => "+$name",
-		};
-		if (my $comment = $conf->{ipset_comments}->{$name}) {
-		    $data->{comment} = $comment;
-		}
-		push @$res, $data;
-	    }
-	}
-
-	if (!$param->{type} || $param->{type} eq 'alias') {
-	    foreach my $name (keys %{$conf->{aliases}}) {
-		my $e = $conf->{aliases}->{$name};
-		my $data = {
-		    type => 'alias',
-		    name => $name,
-		    ref => $name,
-		};
-		$data->{comment} = $e->{comment} if $e->{comment};
-		push @$res, $data;
-	    }
-	}
-
-	return $res;
+	return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
     }});
 
 1;
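Review bot: The scope literal is written `"dc"` here but `'dc'` and `'vm'` at the two call sites in VM.pm; since nothing is interpolated, single quotes are the conventional form and keeping the three calls identical makes them easier to grep. Suggested line: `return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, 'dc');`. The `code` sub this return belongs to starts outside the hunk.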
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..69cdf54 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
 		    name => {
 			type => 'string',
 		    },
+		    ref => {
+			type => 'string',
+		    },
+		    scope => {
+			type => 'string',
+		    },
 		    comment => {
 			type => 'string',
 			optional => 1,
@@ -275,44 +281,11 @@ sub register_handlers {
 	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 	    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
 
-	    my $ipsets = {};
-	    my $aliases = {};
-
-	    foreach my $conf (($cluster_conf, $fw_conf)) {
-		next if !$conf;
-		if (!$param->{type} || $param->{type} eq 'ipset') {
-		    foreach my $name (keys %{$conf->{ipset}}) {
-			my $data = {
-			    type => 'ipset',
-			    name => $name,
-			    ref => "+$name",
-			};
-			if (my $comment = $conf->{ipset_comments}->{$name}) {
-			    $data->{comment} = $comment;
-			}
-			$ipsets->{$name} = $data;
-		    }
-		}
-
-		if (!$param->{type} || $param->{type} eq 'alias') {
-		    foreach my $name (keys %{$conf->{aliases}}) {
-			my $e = $conf->{aliases}->{$name};
-			my $data = {
-			    type => 'alias',
-			    name => $name,
-			    ref => $name,
-			};
-			$data->{comment} = $e->{comment} if $e->{comment};
-			$aliases->{$name} = $data;
-		    }
-		}
-	    }
-
-	    my $res = [];
-	    foreach my $e (values %$ipsets) { push @$res, $e; };
-	    foreach my $e (values %$aliases) { push @$res, $e; };
+	    my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+	    my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'vm');
 
-	    return $res;
+	    my @ret = (@$dc_refs, @$vm_refs);
+	    return \@ret;
 	}});
 }
 
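Review bot: The removed loop skipped an undefined config with `next if !$conf;`, but the new code passes `$fw_conf` to `collect_refs` unconditionally, and `collect_refs` (Helpers.pm hunk) immediately does `keys %{$conf->{ipset}}` on it; if `load_vmfw_conf` can still return undef, as the old guard suggests, that dereference autovivifies through undef instead of skipping the config. The cleanest place for the guard is the top of `collect_refs` in Helpers.pm, `return [] if !$conf;`, which also protects the Cluster.pm caller. Note also that the old code merged both configs into one hash per type, so a VM-level IPSet or alias replaced the cluster entry of the same name, whereas the new code returns both entries with an identical `ref` and differing only in `scope`; that is presumably the intent of this series, but it is an observable API change worth a sentence in the commit message so consumers keyed on `ref` know to switch to `scope`. The enclosing `code` sub starts outside the hunk.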
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..ca7d26f 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
 lock_vmfw_conf
 remove_vmfw_conf
 clone_vmfw_conf
+collect_refs
 );
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,46 @@ sub dump_fw_logfile {
     return ($state{'count'}, $state{'lines'});
 }
 
+sub collect_refs {
+    my ($conf, $type, $scope) = @_;
+
+    my $ipsets = {};
+    my $aliases = {};
+
+    if (!$type || $type eq 'ipset') {
+	foreach my $name (keys %{$conf->{ipset}}) {
+	    my $data = {
+		type => 'ipset',
+		name => $name,
+		ref => "+$name",
+		scope => "+$scope/$name",
+	    };
+	    if (my $comment = $conf->{ipset_comments}->{$name}) {
+		$data->{comment} = $comment;
+	    }
+	    $ipsets->{$name} = $data;
+	}
+    }
+
+    if (!$type || $type eq 'alias') {
+	foreach my $name (keys %{$conf->{aliases}}) {
+	    my $e = $conf->{aliases}->{$name};
+	    my $data = {
+		type => 'alias',
+		name => $name,
+		ref => $name,
+		scope => "$scope/$name",
+	    };
+	    $data->{comment} = $e->{comment} if $e->{comment};
+	    $aliases->{$name} = $data;
+	}
+    }
+
+    my $res = [];
+    foreach my $e (values %$ipsets) { push @$res, $e; };
+    foreach my $e (values %$aliases) { push @$res, $e; };
+
+    return $res;
+}
+
 1;
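Review bot: `collect_refs` is a newly exported helper without any comment on its contract, and its `$ipsets`/`$aliases` hashes keyed by `$name` no longer serve a purpose: each is filled from a single `$conf` whose `ipset`/`aliases` keys are already unique, so the hash round-trip only reshuffles the order before the two `values` loops copy everything into `$res`. A short header comment would help, e.g. `# Build the /refs API entries for one firewall config: $type filters to 'ipset' or 'alias' (both when false), $scope ('dc' or 'vm') is prefixed into the returned 'scope' field.`, and the body can push each `$data` straight onto `$res` as sketched below.

```perl
sub collect_refs {
    my ($conf, $type, $scope) = @_;

    my $res = [];

    if (!$type || $type eq 'ipset') {
	foreach my $name (keys %{$conf->{ipset}}) {
	    # … unchanged: build $data for the ipset and set its comment …
	    push @$res, $data;
	}
    }

    if (!$type || $type eq 'alias') {
	foreach my $name (keys %{$conf->{aliases}}) {
	    # … unchanged: build $data for the alias and set its comment …
	    push @$res, $data;
	}
    }

    return $res;
}
```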
-- 
2.30.2




