[pve-devel] [PATCH firewall 3/3] fix #4556: api: return scoped IPSets and aliases

Leo Nunner l.nunner at proxmox.com
Wed Jun 7 12:17:50 CEST 2023


Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.

Signed-off-by: Leo Nunner <l.nunner at proxmox.com>
---
 src/PVE/API2/Firewall/Cluster.pm | 34 +++--------------------
 src/PVE/API2/Firewall/VM.pm      | 47 +++++++-------------------------
 src/PVE/Firewall/Helpers.pm      | 43 +++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 67 deletions(-)

diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index c9c3e67..48ad90d 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -240,6 +240,9 @@ __PACKAGE__->register_method({
 		ref => {
 		    type => 'string',
 		},
+		scope => {
+		    type => 'string',
+		},
 		comment => {
 		    type => 'string',
 		    optional => 1,
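Review bot: The new `scope` property is declared with only `type => 'string'` and no `description`, so API consumers (and the generated docs) get no hint of its format; the `ref`/`scope` pair added to the VM.pm schema in the next file has the same gap. Going by how Helpers.pm builds the value, a one-liner would do: `description => "Reference qualified by scope, 'dc/<name>' or 'vm/<name>', with a leading '+' for IPSets.",`. The `register_method` call this schema belongs to starts and ends outside the hunk.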
@@ -252,36 +255,7 @@ __PACKAGE__->register_method({
 
 	my $conf = PVE::Firewall::load_clusterfw_conf();
 
-	my $res = [];
-
-	if (!$param->{type} || $param->{type} eq 'ipset') {
-	    foreach my $name (keys %{$conf->{ipset}}) {
-		my $data = {
-		    type => 'ipset',
-		    name => $name,
-		    ref => "+$name",
-		};
-		if (my $comment = $conf->{ipset_comments}->{$name}) {
-		    $data->{comment} = $comment;
-		}
-		push @$res, $data;
-	    }
-	}
-
-	if (!$param->{type} || $param->{type} eq 'alias') {
-	    foreach my $name (keys %{$conf->{aliases}}) {
-		my $e = $conf->{aliases}->{$name};
-		my $data = {
-		    type => 'alias',
-		    name => $name,
-		    ref => $name,
-		};
-		$data->{comment} = $e->{comment} if $e->{comment};
-		push @$res, $data;
-	    }
-	}
-
-	return $res;
+	return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
     }});
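Review bot: The scope literal is passed as double-quoted `"dc"` here but as single-quoted `'dc'` at the two new call sites in VM.pm; a constant with nothing to interpolate is conventionally single-quoted, so `return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, 'dc');` keeps the three calls uniform. Behaviour is otherwise the same as the removed block, which pushed entries straight onto `$res` in `keys` order; the helper's detour through an intermediate hash is raised on the Helpers.pm hunk. The enclosing `code` sub begins outside the hunk.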
 
 1;
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index fb255e0..69cdf54 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -262,6 +262,12 @@ sub register_handlers {
 		    name => {
 			type => 'string',
 		    },
+		    ref => {
+			type => 'string',
+		    },
+		    scope => {
+			type => 'string',
+		    },
 		    comment => {
 			type => 'string',
 			optional => 1,
@@ -275,44 +281,11 @@ sub register_handlers {
 	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 	    my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
 
-	    my $ipsets = {};
-	    my $aliases = {};
-
-	    foreach my $conf (($cluster_conf, $fw_conf)) {
-		next if !$conf;
-		if (!$param->{type} || $param->{type} eq 'ipset') {
-		    foreach my $name (keys %{$conf->{ipset}}) {
-			my $data = {
-			    type => 'ipset',
-			    name => $name,
-			    ref => "+$name",
-			};
-			if (my $comment = $conf->{ipset_comments}->{$name}) {
-			    $data->{comment} = $comment;
-			}
-			$ipsets->{$name} = $data;
-		    }
-		}
-
-		if (!$param->{type} || $param->{type} eq 'alias') {
-		    foreach my $name (keys %{$conf->{aliases}}) {
-			my $e = $conf->{aliases}->{$name};
-			my $data = {
-			    type => 'alias',
-			    name => $name,
-			    ref => $name,
-			};
-			$data->{comment} = $e->{comment} if $e->{comment};
-			$aliases->{$name} = $data;
-		    }
-		}
-	    }
-
-	    my $res = [];
-	    foreach my $e (values %$ipsets) { push @$res, $e; };
-	    foreach my $e (values %$aliases) { push @$res, $e; };
+	    my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+	    my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'vm');
 
-	    return $res;
+	    my @ret = (@$dc_refs, @$vm_refs);
+	    return \@ret;
 	}});
 }
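Review bot: The `next if !$conf;` guard the removed loop applied to `$fw_conf` is gone, and `collect_refs` dereferences `$conf->{ipset}` and `$conf->{aliases}` unconditionally; whether `load_vmfw_conf` can return undef for a guest without a firewall file is not visible here, and `keys %{...}` would autovivify rather than die, but the old code clearly treated that case as possible, so a guard belongs in the helper (proposed on the Helpers.pm hunk). There is also a semantic change worth stating: the old code keyed both configs into one `%$ipsets`/`%$aliases` by name, so a VM-level entry shadowed a cluster-level one of the same name, whereas the new concatenation returns both, distinguished only by `scope`. That is presumably the point of #4556, but it deserves a comment above the merge, e.g. `# both scopes are returned; a VM entry no longer hides a DC entry of the same name`. The enclosing `code` sub begins outside the hunk.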
 
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index a8e18e2..ca7d26f 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -15,6 +15,7 @@ our @EXPORT_OK = qw(
 lock_vmfw_conf
 remove_vmfw_conf
 clone_vmfw_conf
+collect_refs
 );
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -130,4 +131,46 @@ sub dump_fw_logfile {
     return ($state{'count'}, $state{'lines'});
 }
 
+sub collect_refs {
+    my ($conf, $type, $scope) = @_;
+
+    my $ipsets = {};
+    my $aliases = {};
+
+    if (!$type || $type eq 'ipset') {
+	foreach my $name (keys %{$conf->{ipset}}) {
+	    my $data = {
+		type => 'ipset',
+		name => $name,
+		ref => "+$name",
+		scope => "+$scope/$name",
+	    };
+	    if (my $comment = $conf->{ipset_comments}->{$name}) {
+		$data->{comment} = $comment;
+	    }
+	    $ipsets->{$name} = $data;
+	}
+    }
+
+    if (!$type || $type eq 'alias') {
+	foreach my $name (keys %{$conf->{aliases}}) {
+	    my $e = $conf->{aliases}->{$name};
+	    my $data = {
+		type => 'alias',
+		name => $name,
+		ref => $name,
+		scope => "$scope/$name",
+	    };
+	    $data->{comment} = $e->{comment} if $e->{comment};
+	    $aliases->{$name} = $data;
+	}
+    }
+
+    my $res = [];
+    foreach my $e (values %$ipsets) { push @$res, $e; };
+    foreach my $e (values %$aliases) { push @$res, $e; };
+
+    return $res;
+}
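Review bot: `collect_refs` has no header comment, and its `$scope` argument is an undocumented free-form string that only works as intended for the two callers' `'dc'`/`'vm'` values; a short block comment above the sub should state the parameters, that `$type` of undef/'' means both kinds, and the exact `scope` formats it emits (`+<scope>/<name>` for IPSets, `<scope>/<name>` for aliases). Within a single config the `ipset` and `aliases` hashes already have unique keys, so the `$ipsets`/`$aliases` intermediaries add nothing but a second hash walk and the stray `};` empty statements after the two `foreach` blocks; pushing onto `$res` directly is equivalent. A `return [] if !$conf;` guard at the top restores the `next if !$conf` check that the old VM.pm loop had.
```perl
sub collect_refs {
    my ($conf, $type, $scope) = @_;

    # VM.pm used to skip an undef config; keep that tolerance here.
    return [] if !$conf;

    my $res = [];

    if (!$type || $type eq 'ipset') {
	foreach my $name (keys %{$conf->{ipset}}) {
	    # … unchanged: build $data with type/name/ref/scope and optional comment …
	    push @$res, $data;
	}
    }

    if (!$type || $type eq 'alias') {
	foreach my $name (keys %{$conf->{aliases}}) {
	    # … unchanged: build $data with type/name/ref/scope and optional comment …
	    push @$res, $data;
	}
    }

    return $res;
}
```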
+
 1;
-- 
2.30.2





