public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-firewall v5 1/5] api: add protected flag to endpoints
Date: Mon, 18 Nov 2024 12:41:30 +0100	[thread overview]
Message-ID: <20241118114134.83882-2-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20241118114134.83882-1-s.hanreich@proxmox.com>

In preparation for loading the SDN configuration during
load_clusterfw_conf. Since we read /etc/pve/priv/ipam.db there, we
require the protected flag to be set.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/API2/Firewall/Aliases.pm | 2 ++
 src/PVE/API2/Firewall/Cluster.pm | 2 ++
 src/PVE/API2/Firewall/Groups.pm  | 1 +
 src/PVE/API2/Firewall/Host.pm    | 1 +
 src/PVE/API2/Firewall/IPSet.pm   | 2 ++
 src/PVE/API2/Firewall/Rules.pm   | 2 ++
 src/PVE/API2/Firewall/VM.pm      | 2 ++
 7 files changed, 12 insertions(+)

diff --git a/src/PVE/API2/Firewall/Aliases.pm b/src/PVE/API2/Firewall/Aliases.pm
index 33ac669..2f947aa 100644
--- a/src/PVE/API2/Firewall/Aliases.pm
+++ b/src/PVE/API2/Firewall/Aliases.pm
@@ -87,6 +87,7 @@ sub register_get_aliases {
 	path => '',
 	method => 'GET',
 	description => "List aliases",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
 	parameters => {
 	    additionalProperties => 0,
@@ -177,6 +178,7 @@ sub register_read_alias {
 	path => '{name}',
 	method => 'GET',
 	description => "Read alias.",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
 	parameters => {
 	    additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 48ad90d..f91257e 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -88,6 +88,7 @@ __PACKAGE__->register_method({
     path => 'options',
     method => 'GET',
     description => "Get Firewall options.",
+    protected => 1,
     permissions => {
 	check => ['perm', '/', [ 'Sys.Audit' ]],
     },
@@ -214,6 +215,7 @@ __PACKAGE__->register_method({
     permissions => {
 	check => ['perm', '/', [ 'Sys.Audit' ]],
     },
+    protected => 1,
     parameters => {
 	additionalProperties => 0,
 	properties => {
diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index ffdc45c..98b0747 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -44,6 +44,7 @@ __PACKAGE__->register_method({
     path => '',
     method => 'GET',
     description => "List security groups.",
+    protected => 1,
     permissions => { user => 'all' },
     parameters => {
     	additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index 0432de2..8bd5da1 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -68,6 +68,7 @@ __PACKAGE__->register_method({
     path => 'options',
     method => 'GET',
     description => "Get host firewall options.",
+    protected => 1,
     proxyto => 'node',
     permissions => {
 	check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index ed92d87..98c5443 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -91,6 +91,7 @@ sub register_get_ipset {
 	path => '',
 	method => 'GET',
 	description => "List IPSet content",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
 	parameters => {
 	    additionalProperties => 0,
@@ -586,6 +587,7 @@ sub register_index {
 	path => '',
 	method => 'GET',
 	description => "List IPSets",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
 	parameters => {
 	    additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 9fcfb20..9e903d4 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -72,6 +72,7 @@ sub register_get_rules {
 	path => '',
 	method => 'GET',
 	description => "List rules.",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
@@ -120,6 +121,7 @@ sub register_get_rule {
 	path => '{pos}',
 	method => 'GET',
 	description => "Get single rule data.",
+	protected => 1,
 	permissions => PVE::Firewall::rules_audit_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 4222103..3400375 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -69,6 +69,7 @@ sub register_handlers {
 	path => 'options',
 	method => 'GET',
 	description => "Get VM firewall options.",
+	protected => 1,
 	proxyto => 'node',
 	permissions => {
 	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
@@ -234,6 +235,7 @@ sub register_handlers {
 	path => 'refs',
 	method => 'GET',
 	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+	protected => 1,
 	permissions => {
 	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
 	},
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2024-11-18 11:41 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-18 11:41 [pve-devel] [PATCH docs/firewall/manager v5 0/5] autogenerate ipsets for sdn objects Stefan Hanreich
2024-11-18 11:41 ` Stefan Hanreich [this message]
2024-11-18 16:10   ` [pve-devel] [PATCH pve-firewall v5 1/5] api: add protected flag to endpoints Thomas Lamprecht
2024-11-18 11:41 ` [pve-devel] [PATCH pve-firewall v5 2/5] add support for loading sdn firewall configuration Stefan Hanreich
2024-11-18 14:24   ` Stefan Hanreich
2024-11-18 16:09     ` Thomas Lamprecht
2024-11-18 16:11       ` Stefan Hanreich
2024-11-18 16:13         ` Thomas Lamprecht
2024-11-18 11:41 ` [pve-devel] [PATCH pve-firewall v5 3/5] ipsets: return sdn ipsets from api Stefan Hanreich
2024-11-18 11:41 ` [pve-devel] [PATCH pve-manager v5 4/5] firewall: add sdn scope to IPRefSelector Stefan Hanreich
2024-11-18 11:41 ` [pve-devel] [PATCH pve-docs v5 5/5] sdn: add documentation for firewall integration Stefan Hanreich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241118114134.83882-2-s.hanreich@proxmox.com \
    --to=s.hanreich@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal