[pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets
Stefan Hanreich
s.hanreich at proxmox.com
Fri Nov 15 13:09:34 CET 2024
Since the SDN configuration reads the IPAM config file, which resides
in /etc/pve/priv we need to add the protected flag to several
endpoints.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Tested-By: Gabriel Goller <g.goller at proxmox.com>
Tested-By: Hannes Dürr <h.duerr at proxmox.com>
---
src/PVE/API2/Firewall/Aliases.pm | 2 ++
src/PVE/API2/Firewall/Cluster.pm | 7 ++++++-
src/PVE/API2/Firewall/Groups.pm | 1 +
src/PVE/API2/Firewall/Host.pm | 1 +
src/PVE/API2/Firewall/IPSet.pm | 2 ++
src/PVE/API2/Firewall/Rules.pm | 2 ++
src/PVE/API2/Firewall/VM.pm | 5 ++++-
7 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Firewall/Aliases.pm b/src/PVE/API2/Firewall/Aliases.pm
index 33ac669..2f947aa 100644
--- a/src/PVE/API2/Firewall/Aliases.pm
+++ b/src/PVE/API2/Firewall/Aliases.pm
@@ -87,6 +87,7 @@ sub register_get_aliases {
path => '',
method => 'GET',
description => "List aliases",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
@@ -177,6 +178,7 @@ sub register_read_alias {
path => '{name}',
method => 'GET',
description => "Read alias.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 48ad90d..e519ab9 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -88,6 +88,7 @@ __PACKAGE__->register_method({
path => 'options',
method => 'GET',
description => "Get Firewall options.",
+ protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit' ]],
},
@@ -214,6 +215,7 @@ __PACKAGE__->register_method({
permissions => {
check => ['perm', '/', [ 'Sys.Audit' ]],
},
+ protected => 1,
parameters => {
additionalProperties => 0,
properties => {
@@ -255,7 +257,10 @@ __PACKAGE__->register_method({
my $conf = PVE::Firewall::load_clusterfw_conf();
- return PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
+ my $cluster_refs = PVE::Firewall::Helpers::collect_refs($conf, $param->{type}, "dc");
+ my $sdn_refs = PVE::Firewall::Helpers::collect_refs($conf->{sdn}, $param->{type}, "sdn");
+
+ return [@$sdn_refs, @$cluster_refs];
}});
1;
diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index ffdc45c..98b0747 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -44,6 +44,7 @@ __PACKAGE__->register_method({
path => '',
method => 'GET',
description => "List security groups.",
+ protected => 1,
permissions => { user => 'all' },
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index 0432de2..8bd5da1 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -68,6 +68,7 @@ __PACKAGE__->register_method({
path => 'options',
method => 'GET',
description => "Get host firewall options.",
+ protected => 1,
proxyto => 'node',
permissions => {
check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index ed92d87..98c5443 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -91,6 +91,7 @@ sub register_get_ipset {
path => '',
method => 'GET',
description => "List IPSet content",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
@@ -586,6 +587,7 @@ sub register_index {
path => '',
method => 'GET',
description => "List IPSets",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 9fcfb20..9e903d4 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -72,6 +72,7 @@ sub register_get_rules {
path => '',
method => 'GET',
description => "List rules.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
@@ -120,6 +121,7 @@ sub register_get_rule {
path => '{pos}',
method => 'GET',
description => "Get single rule data.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 4222103..75b4345 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -69,6 +69,7 @@ sub register_handlers {
path => 'options',
method => 'GET',
description => "Get VM firewall options.",
+ protected => 1,
proxyto => 'node',
permissions => {
check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
@@ -234,6 +235,7 @@ sub register_handlers {
path => 'refs',
method => 'GET',
description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+ protected => 1,
permissions => {
check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
},
@@ -282,9 +284,10 @@ sub register_handlers {
my $fw_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $rule_env, $param->{vmid});
my $dc_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf, $param->{type}, 'dc');
+ my $sdn_refs = PVE::Firewall::Helpers::collect_refs($cluster_conf->{sdn}, $param->{type}, 'sdn');
my $vm_refs = PVE::Firewall::Helpers::collect_refs($fw_conf, $param->{type}, 'guest');
- return [@$dc_refs, @$vm_refs];
+ return [@$dc_refs, @$sdn_refs, @$vm_refs];
}});
}
--
2.39.5
More information about the pve-devel
mailing list