* [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases
@ 2023-06-13 12:06 Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
Changes since v1:
- fix adding entries to IPSets on the cluster level
- code style improvements
- adapt to the scoping change with 'guest/'
The GUI now just shows the scope "Datacenter/Guest", and returns
the concatenated value ('$scope/$value') automatically.
pve-firewall:
Leo Nunner (2):
api: fix scoping for ipset endpoint
fix #4556: api: return scoped IPSets and aliases
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/IPSet.pm | 2 ++
src/PVE/API2/Firewall/VM.pm | 46 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 39 +++++++++++++++++++++++++++
4 files changed, 54 insertions(+), 67 deletions(-)
pve-manager:
Leo Nunner (1):
firewall: add scope field to IPRefSelector
www/manager6/form/IPRefSelector.js | 35 +++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
@ 2023-06-13 12:06 ` Leo Nunner
2023-06-15 7:42 ` Wolfgang Bumiller
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases Leo Nunner
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
in the cluster class, we save the cluster config into the 'fw_conf'
variable, and not into 'cluster_conf', which in turns is set to 'undef'
instead.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/IPSet.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index ed92d87..baa57ca 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -203,6 +203,8 @@ sub register_create_ip {
if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
my $scope = $1 // "";
my $alias = $2;
+ # on the cluster level
+ $cluster_conf = $fw_conf if (!$cluster_conf);
# make sure alias exists (if $cidr is an alias)
PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
} else {
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
@ 2023-06-13 12:06 ` Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector Leo Nunner
2023-06-15 7:41 ` [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Wolfgang Bumiller
3 siblings, 0 replies; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
src/PVE/API2/Firewall/VM.pm | 46 +++++++-------------------------
src/PVE/Firewall/Helpers.pm | 39 +++++++++++++++++++++++++++
3 files changed, 52 insertions(+), 67 deletions(-)
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
ref => {
type => 'string',
},
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- my $res = [];
-
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- push @$res, $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- push @$res, $data;
- }
- }
-
- return $res;
+ return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
}});
1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..4222103 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
name => {
type => 'string',
},
+ ref => {
+ type => 'string',
+ },
+ scope => {
+ type => 'string',
+ },
comment => {
type => 'string',
optional => 1,
@@ -275,44 +281,10 @@ sub register_handlers {
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
- my $ipsets = {};
- my $aliases = {};
-
- foreach my $conf (($cluster_conf, $fw_conf)) {
- next if !$conf;
- if (!$param->{type} || $param->{type} eq 'ipset') {
- foreach my $name (keys %{$conf->{ipset}}) {
- my $data = {
- type => 'ipset',
- name => $name,
- ref => "+$name",
- };
- if (my $comment = $conf->{ipset_comments}->{$name}) {
- $data->{comment} = $comment;
- }
- $ipsets->{$name} = $data;
- }
- }
-
- if (!$param->{type} || $param->{type} eq 'alias') {
- foreach my $name (keys %{$conf->{aliases}}) {
- my $e = $conf->{aliases}->{$name};
- my $data = {
- type => 'alias',
- name => $name,
- ref => $name,
- };
- $data->{comment} = $e->{comment} if $e->{comment};
- $aliases->{$name} = $data;
- }
- }
- }
-
- my $res = [];
- foreach my $e (values %$ipsets) { push @$res, $e; };
- foreach my $e (values %$aliases) { push @$res, $e; };
+ my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return $res;
+ return [@$dc_refs, @$vm_refs];
}});
}
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..7dcbca3 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
lock_vmfw_conf
remove_vmfw_conf
clone_vmfw_conf
+collect_refs
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,42 @@ sub dump_fw_logfile {
return ($state{'count'}, $state{'lines'});
}
+sub collect_refs {
+ my ($conf, $type, $scope) = @_;
+
+
+ my $res = [];
+
+ if (!$type || $type eq 'ipset') {
+ foreach my $name (keys %{$conf->{ipset}}) {
+ my $data = {
+ type => 'ipset',
+ name => $name,
+ ref => "+$name",
+ scope => $scope,
+ };
+ if (my $comment = $conf->{ipset_comments}->{$name}) {
+ $data->{comment} = $comment;
+ }
+ push @$res, $data;
+ }
+ }
+
+ if (!$type || $type eq 'alias') {
+ foreach my $name (keys %{$conf->{aliases}}) {
+ my $e = $conf->{aliases}->{$name};
+ my $data = {
+ type => 'alias',
+ name => $name,
+ ref => $name,
+ scope => $scope,
+ };
+ $data->{comment} = $e->{comment} if $e->{comment};
+ push @$res, $data;
+ }
+ }
+
+ return $res;
+}
+
1;
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases Leo Nunner
@ 2023-06-13 12:06 ` Leo Nunner
2023-06-15 7:41 ` [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Wolfgang Bumiller
3 siblings, 0 replies; 6+ messages in thread
From: Leo Nunner @ 2023-06-13 12:06 UTC (permalink / raw)
To: pve-devel
and send the scoped value to the firewall when choosing new values.
This happens for both IPSets and aliases.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
---
www/manager6/form/IPRefSelector.js | 35 +++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/www/manager6/form/IPRefSelector.js b/www/manager6/form/IPRefSelector.js
index 9ccc2fe10..b50ac1e10 100644
--- a/www/manager6/form/IPRefSelector.js
+++ b/www/manager6/form/IPRefSelector.js
@@ -8,7 +8,7 @@ Ext.define('PVE.form.IPRefSelector', {
ref_type: undefined, // undefined = any [undefined, 'ipset' or 'alias']
- valueField: 'ref',
+ valueField: 'scopedref',
displayField: 'ref',
notFoundIsValid: true,
@@ -26,7 +26,23 @@ Ext.define('PVE.form.IPRefSelector', {
var store = Ext.create('Ext.data.Store', {
autoLoad: true,
- fields: ['type', 'name', 'ref', 'comment'],
+ fields: [
+ 'type',
+ 'name',
+ 'ref',
+ 'comment',
+ 'scope',
+ {
+ name: 'scopedref',
+ calculate: function(v) {
+ if (v.type === 'alias') {
+ return `${v.scope}/${v.name}`;
+ } else {
+ return `+${v.scope}/${v.name}`;
+ }
+ },
+ },
+ ],
idProperty: 'ref',
proxy: {
type: 'proxmox',
@@ -65,17 +81,30 @@ Ext.define('PVE.form.IPRefSelector', {
hideable: false,
width: 140,
},
+ {
+ header: gettext('Scope'),
+ dataIndex: 'scope',
+ hideable: false,
+ width: 140,
+ renderer: function(value) {
+ return value === 'dc' ? gettext("Datacenter") : gettext("Guest");
+ },
+ },
{
header: gettext('Comment'),
dataIndex: 'comment',
renderer: Ext.String.htmlEncode,
+ minWidth: 60,
flex: 1,
},
);
Ext.apply(me, {
store: store,
- listConfig: { columns: columns },
+ listConfig: {
+ columns: columns,
+ width: 500,
+ },
});
me.on('change', disable_query_for_ips);
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
` (2 preceding siblings ...)
2023-06-13 12:06 ` [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector Leo Nunner
@ 2023-06-15 7:41 ` Wolfgang Bumiller
3 siblings, 0 replies; 6+ messages in thread
From: Wolfgang Bumiller @ 2023-06-15 7:41 UTC (permalink / raw)
To: Leo Nunner; +Cc: pve-devel
applied series, thanks
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
@ 2023-06-15 7:42 ` Wolfgang Bumiller
0 siblings, 0 replies; 6+ messages in thread
From: Wolfgang Bumiller @ 2023-06-15 7:42 UTC (permalink / raw)
To: Leo Nunner; +Cc: pve-devel
picked this into stable-7 as well
On Tue, Jun 13, 2023 at 02:06:32PM +0200, Leo Nunner wrote:
> in the cluster class, we save the cluster config into the 'fw_conf'
> variable, and not into 'cluster_conf', which in turns is set to 'undef'
> instead.
>
> Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
> ---
> src/PVE/API2/Firewall/IPSet.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
> index ed92d87..baa57ca 100644
> --- a/src/PVE/API2/Firewall/IPSet.pm
> +++ b/src/PVE/API2/Firewall/IPSet.pm
> @@ -203,6 +203,8 @@ sub register_create_ip {
> if ($cidr =~ m@^(dc/|guest/)?(${PVE::Firewall::ip_alias_pattern})$@) {
> my $scope = $1 // "";
> my $alias = $2;
> + # on the cluster level
> + $cluster_conf = $fw_conf if (!$cluster_conf);
> # make sure alias exists (if $cidr is an alias)
> PVE::Firewall::resolve_alias($cluster_conf, $fw_conf, $alias, $scope);
> } else {
> --
> 2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-06-15 7:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-13 12:06 [pve-devel] [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 1/2] api: fix scoping for ipset endpoint Leo Nunner
2023-06-15 7:42 ` Wolfgang Bumiller
2023-06-13 12:06 ` [pve-devel] [PATCH v2 firewall 2/2] fix #4556: api: return scoped IPSets and aliases Leo Nunner
2023-06-13 12:06 ` [pve-devel] [PATCH v2 manager] firewall: add scope field to IPRefSelector Leo Nunner
2023-06-15 7:41 ` [pve-devel] applied-series: [PATCH v2 firewall manager] firewall: introduce scoping for ipsets/aliases Wolfgang Bumiller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox