From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id CD9959EBB7 for ; Wed, 7 Jun 2023 12:18:00 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B68613F7EB for ; Wed, 7 Jun 2023 12:18:00 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 7 Jun 2023 12:18:00 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id AE52641E41 for ; Wed, 7 Jun 2023 12:17:59 +0200 (CEST) From: Leo Nunner To: pve-devel@lists.proxmox.com Date: Wed, 7 Jun 2023 12:17:50 +0200 Message-Id: <20230607101751.87616-4-l.nunner@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230607101751.87616-1-l.nunner@proxmox.com> References: <20230607101751.87616-1-l.nunner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.105 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH firewall 3/3] fix #4556: api: return scoped IPSets and aliases X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jun 2023 10:18:00 -0000 Introduce a new 'scope' field in the return values for the /ref endpoints. Also add the 'ref' field in the VM endpoint, since it has been missing up until now. Signed-off-by: Leo Nunner --- src/PVE/API2/Firewall/Cluster.pm | 34 +++-------------------- src/PVE/API2/Firewall/VM.pm | 47 +++++++------------------------- src/PVE/Firewall/Helpers.pm | 43 +++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 67 deletions(-) diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm index c9c3e67..48ad90d 100644 --- a/src/PVE/API2/Firewall/Cluster.pm +++ b/src/PVE/API2/Firewall/Cluster.pm @@ -240,6 +240,9 @@ __PACKAGE__->register_method({ ref => { type => 'string', }, + scope => { + type => 'string', + }, comment => { type => 'string', optional => 1, @@ -252,36 +255,7 @@ __PACKAGE__->register_method({ my $conf = PVE::Firewall::load_clusterfw_conf(); - my $res = []; - - if (!$param->{type} || $param->{type} eq 'ipset') { - foreach my $name (keys %{$conf->{ipset}}) { - my $data = { - type => 'ipset', - name => $name, - ref => "+$name", - }; - if (my $comment = $conf->{ipset_comments}->{$name}) { - $data->{comment} = $comment; - } - push @$res, $data; - } - } - - if (!$param->{type} || $param->{type} eq 'alias') { - foreach my $name (keys %{$conf->{aliases}}) { - my $e = $conf->{aliases}->{$name}; - my $data = { - type => 'alias', - name => $name, - ref => $name, - }; - $data->{comment} = $e->{comment} if $e->{comment}; - push @$res, $data; - } - } - - return $res; + return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc"); }}); 1; diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm index fb255e0..69cdf54 100644 --- a/src/PVE/API2/Firewall/VM.pm +++ b/src/PVE/API2/Firewall/VM.pm @@ -262,6 +262,12 @@ sub register_handlers { name => { type => 'string', }, + ref => { + type => 'string', + }, + scope => { + type => 'string', + }, comment => { type => 'string', optional => 1, @@ -275,44 +281,11 @@ sub register_handlers { my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid}); - my $ipsets = {}; - my $aliases = {}; - - foreach my $conf (($cluster_conf, $fw_conf)) { - next if !$conf; - if (!$param->{type} || $param->{type} eq 'ipset') { - foreach my $name (keys %{$conf->{ipset}}) { - my $data = { - type => 'ipset', - name => $name, - ref => "+$name", - }; - if (my $comment = $conf->{ipset_comments}->{$name}) { - $data->{comment} = $comment; - } - $ipsets->{$name} = $data; - } - } - - if (!$param->{type} || $param->{type} eq 'alias') { - foreach my $name (keys %{$conf->{aliases}}) { - my $e = $conf->{aliases}->{$name}; - my $data = { - type => 'alias', - name => $name, - ref => $name, - }; - $data->{comment} = $e->{comment} if $e->{comment}; - $aliases->{$name} = $data; - } - } - } - - my $res = []; - foreach my $e (values %$ipsets) { push @$res, $e; }; - foreach my $e (values %$aliases) { push @$res, $e; }; + my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc'); + my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'vm'); - return $res; + my @ret = (@$dc_refs, @$vm_refs); + return \@ret; }}); } diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm index a8e18e2..ca7d26f 100644 --- a/src/PVE/Firewall/Helpers.pm +++ b/src/PVE/Firewall/Helpers.pm @@ -15,6 +15,7 @@ our @EXPORT_OK = qw( lock_vmfw_conf remove_vmfw_conf clone_vmfw_conf +collect_refs ); my $pvefw_conf_dir = "/etc/pve/firewall"; @@ -130,4 +131,46 @@ sub dump_fw_logfile { return ($state{'count'}, $state{'lines'}); } +sub collect_refs { + my ($conf, $type, $scope) = @_; + + my $ipsets = {}; + my $aliases = {}; + + if (!$type || $type eq 'ipset') { + foreach my $name (keys %{$conf->{ipset}}) { + my $data = { + type => 'ipset', + name => $name, + ref => "+$name", + scope => "+$scope/$name", + }; + if (my $comment = $conf->{ipset_comments}->{$name}) { + $data->{comment} = $comment; + } + $ipsets->{$name} = $data; + } + } + + if (!$type || $type eq 'alias') { + foreach my $name (keys %{$conf->{aliases}}) { + my $e = $conf->{aliases}->{$name}; + my $data = { + type => 'alias', + name => $name, + ref => $name, + scope => "$scope/$name", + }; + $data->{comment} = $e->{comment} if $e->{comment}; + $aliases->{$name} = $data; + } + } + + my $res = []; + foreach my $e (values %$ipsets) { push @$res, $e; }; + foreach my $e (values %$aliases) { push @$res, $e; }; + + return $res; +} + 1; -- 2.30.2