* [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
@ 2023-06-13 12:06 ` Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector Leo Nunner
2023-06-15 7:41 ` [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Wolfgang Bumiller
3 siblings, 0 replies; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/VM.pm | 46 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 39 +++++++++++++++++++++++++++
3 files changed, 52 insertions(+), 67 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..4222103 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -275,44 +281,10 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return $res;
+ return [@$dc_refs, @$vm_refs];
}});
}
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..7dcbca3 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,42 @@ sub dump_fw_logfile {
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+
+ my $res = [];
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => $scope,
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ push @$res, $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => $scope,
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ push @$res, $data;
+ }
+ }
+
+ return $res;
+}
+
1;
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases Leo Nunner
@ 2023-06-13 12:06 ` Leo Nunner
2023-06-15 7:41 ` [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Wolfgang Bumiller
3 siblings, 0 replies; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
and send the scoped value to the firewall when choosing new values.
This happens for both IPSets and aliases.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
www/manager6/form/IPRefSelector.js | 35 +++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/www/manager6/form/IPRefSelector.js b/www/manager6/form/IPRefSelector.js
index 9ccc2fe10..b50ac1e10 100644
--- a/www/manager6/form/IPRefSelector.js
+++ b/www/manager6/form/IPRefSelector.js
@@ -8,7 +8,7 @@ Ext.define('PVE.form.IPRefSelector', {
ref_type: undefined, // undefined = any [undefined, 'ipset' or 'alias']
- valueField: 'ref',
+ valueField: 'scopedref',
displayField: 'ref',
notFoundIsValid: true,
@@ -26,7 +26,23 @@ Ext.define('PVE.form.IPRefSelector', {
var store = Ext.create('Ext.data.Store', {
autoLoad: true,
- fields: ['type', 'name', 'ref', 'comment'],
+ fields: [
+ 'type',
+ 'name',
+ 'ref',
+ 'comment',
+ 'scope',
+ {
+ name: 'scopedref',
+ calculate: function(v) {
+ if (v.type === 'alias') {
+ return `${v.scope}/${v.name}`;
+ } else {
+ return `+${v.scope}/${v.name}`;
+ }
+ },
+ },
+ ],
idProperty: 'ref',
proxy: {
type: 'proxmox',
@@ -65,17 +81,30 @@ Ext.define('PVE.form.IPRefSelector', {
hideable: false,
width: 140,
},
+ {
+ header: gettext('Scope'),
+ dataIndex: 'scope',
+ hideable: false,
+ width: 140,
+ renderer: function(value) {
+ return value === 'dc' ? gettext("Datacenter") : gettext("Guest");
+ },
+ },
{
header: gettext('Comment'),
dataIndex: 'comment',
renderer: Ext.String.htmlEncode,
+ minWidth: 60,
flex: 1,
},
);
Ext.apply(me, {
store: store,
- listConfig: { columns: columns },
+ listConfig: {
+ columns: columns,
+ width: 500,
+ },
});
me.on('change', disable_query_for_ips);
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread