From: Leo Nunner <l.nunner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall 3/3] fix #4556: api: return scoped IPSets and aliases
Date: Wed, 7 Jun 2023 12:17:50 +0200 [thread overview]
Message-ID: <20230607101751.87616-4-l.nunner@proxmox.com> (raw)
In-Reply-To: <20230607101751.87616-1-l.nunner@proxmox.com>
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/VM.pm | 47 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 43 +++++++++++++++++++++++++++++
3 files changed, 57 insertions(+), 67 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
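Review bot: The new `scope` property in the returns schema carries no `description`, so the generated API documentation will not explain how it relates to `ref`. Based on how the helper builds the value, something like `description => "Reference prefixed with its scope ('dc' or 'vm'), e.g. '+dc/<name>' for an IPSet or 'dc/<name>' for an alias.",` next to `type => 'string'` would cover it. The `ref` and `scope` properties added to the VM.pm schema in the next file would benefit from the same description. The enclosing register_method definition starts and ends outside this hunk.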
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
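Review bot: The scope argument is written as `"dc"` here but as `'dc'` and `'vm'` at the VM.pm call sites; nothing is interpolated, so `return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, 'dc');` keeps the three calls consistent. The method body begins outside this hunk.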
1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..69cdf54 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -275,44 +281,11 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'vm');
- return $res;
+ my @ret = (@$dc_refs, @$vm_refs);
+ return \@ret;
}});
}
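Review bot: The removed loop skipped an undefined config (`next if !$conf;`), but the new code passes `$fw_conf` to collect_refs unconditionally; if load_vmfw_conf can return undef for a guest without a firewall config, as the dropped guard suggests, that case now relies on `keys %{$conf->{ipset}}` quietly autovivifying a throwaway hash instead of an explicit check. A guard at the top of collect_refs in Helpers.pm, `return [] if !$conf;`, restores the old behaviour and documents the intent. Separately, the temporary array is unnecessary: `return [@$dc_refs, @$vm_refs];`. Entries sharing a name no longer collapse into one (previously the VM-level definition replaced the cluster-level one in the hash), which looks intentional now that scope distinguishes them, but is worth a sentence in the commit message. The handler's body begins outside this hunk.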
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..ca7d26f 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,46 @@ sub dump_fw_logfile {
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+ my $ipsets = {};
+ my $aliases = {};
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => "+$scope/$name",
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ $ipsets->{$name} = $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => "$scope/$name",
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ $aliases->{$name} = $data;
+ }
+ }
+
+ my $res = [];
+ foreach my $e (values %$ipsets) { push @$res, $e; };
+ foreach my $e (values %$aliases) { push @$res, $e; };
+
+ return $res;
+}
+
1;
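Review bot: The intermediate `%$ipsets` and `%$aliases` hashes are a leftover of the VM.pm version that merged two configs by name; with a single `$conf` the keys are already unique, so each loop can `push @$res, $data;` directly, `my $res = [];` moves above the first `if`, and the two `my $ipsets = {};`/`my $aliases = {};` declarations plus the trailing `foreach ... values` loops go away. The new sub also has no comment; a suggested header is `# Return the ipset and/or alias entries of $conf (selected by $type, or both when $type is false) as a list of hashes carrying name, ref, the $scope-prefixed scope and an optional comment.` The result order is hash order, as before; iterating `sort keys` would make the API output stable if that is wanted.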
--
2.30.2