From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 404701FF170 for ; Tue, 19 Nov 2024 16:36:37 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ECA842F2C0; Tue, 19 Nov 2024 16:36:43 +0100 (CET) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Tue, 19 Nov 2024 16:36:07 +0100 Message-Id: <20241119153610.228658-3-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241119153610.228658-1-s.hanreich@proxmox.com> References: <20241119153610.228658-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.233 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-firewall v8 2/5] ipsets: return sdn ipsets from api X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" In order for the new SDN ipsets to show up we need to adapt the existing API endpoints so they read the SDN configuration. We reload the SDN configuration explicitly, in order to return only the IPSets the user is allowed to see. Signed-off-by: Stefan Hanreich --- src/PVE/API2/Firewall/Cluster.pm | 12 +++++++++++- src/PVE/API2/Firewall/VM.pm | 10 +++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm index 48ad90d..4d51b34 100644 --- a/src/PVE/API2/Firewall/Cluster.pm +++ b/src/PVE/API2/Firewall/Cluster.pm @@ -9,6 +9,7 @@ use PVE::Firewall; use PVE::API2::Firewall::Aliases; use PVE::API2::Firewall::Rules; use PVE::API2::Firewall::Groups; +use PVE::API2::Firewall::Helpers; use PVE::API2::Firewall::IPSet; #fixme: locking? @@ -255,7 +256,16 @@ __PACKAGE__->register_method({ my $conf = PVE::Firewall::load_clusterfw_conf(); - return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc"); + # we are explicitly loading the SDN config here with the scope of the current + # API user, so we only return the IPSets that the user can actually use + my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms(); + my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets(); + my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets); + + my $cluster_refs = PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc"); + my $sdn_refs = PVE::Firewall::Helpers::collect_refs($sdn_conf, $param->{type}, "sdn"); + + return [@$sdn_refs, @$cluster_refs]; }}); 1; diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm index 4222103..2d25735 100644 --- a/src/PVE/API2/Firewall/VM.pm +++ b/src/PVE/API2/Firewall/VM.pm @@ -8,6 +8,7 @@ use PVE::JSONSchema qw(get_standard_option); use PVE::Cluster; use PVE::Firewall; use PVE::API2::Firewall::Rules; +use PVE::API2::Firewall::Helpers; use PVE::API2::Firewall::Aliases; @@ -281,10 +282,17 @@ sub register_handlers { my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid}); + # we are explicitly loading the SDN config here with the scope of the current + # API user, so we only return the IPSets that the user can actually use + my $allowed_vms = PVE::API2::Firewall::Helpers::get_allowed_vms(); + my $allowed_vnets = PVE::API2::Firewall::Helpers::get_allowed_vnets(); + my $sdn_conf = PVE::Firewall::load_sdn_conf($allowed_vms, $allowed_vnets); + my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc'); + my $sdn_refs = PVE::Firewall::Helpers::collect_refs($sdn_conf, $param->{type}, "sdn"); my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest'); - return [@$dc_refs, @$vm_refs]; + return [@$dc_refs, @$sdn_refs, @$vm_refs]; }}); } -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel