From 141ed82589a34ce5e9473fe397e79180c8b929ef Mon Sep 17 00:00:00 2001
From: Marek Marczykowski-Górecki
Date: Mon, 1 May 2017 02:48:23 +0200
Subject: [PATCH] mgmt1: rethink firewall Admin API

Handling each rule separately makes sense from the qvm-firewall tool's point of view, but not from the overall configuration integrity point of view. If multiple tools try to configure the firewall simultaneously, doing it at the individual-rule level can end very badly. So, get/set the whole firewall at once. If some race condition happens here, it will end up with one firewall rule set being overwritten by the other one, but it will still be a consistent rule set.

---
 services/mgmt1.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/services/mgmt1.md b/services/mgmt1.md
index 1dee9a5c..274a7a90 100644
--- a/services/mgmt1.md
+++ b/services/mgmt1.md
@@ -51,10 +51,12 @@ to set the policy using current mechanism. | `mgmt.vm.tag.Get` | vm | tag | - | `0` or `1` | retcode? | | `mgmt.vm.tag.Remove` | vm | tag | - | - | | `mgmt.vm.tag.Set` | vm | tag | - | - | -| `mgmt.vm.firewall.List` | vm | - | - | ` \n` | -| `mgmt.vm.firewall.InsertRule` | vm | rule id | rule | rule id | insert before given rule, use `END` as rule id to add rule at the end -| `mgmt.vm.firewall.RemoveRule` | vm | rule id | - | - | +| `mgmt.vm.firewall.Get` | vm | - | - | `\n` | rules syntax as in [firewall interface](/doc/vm-interface/#firewall-rules-in-4x) with addition of `expire=` and `comment=` options; `comment=` (if present) must be the last option +| `mgmt.vm.firewall.Set` | vm | - | `\n` | - | set firewall rules, see `mgmt.vm.firewall.Get` for syntax | `mgmt.vm.firewall.Flush` | vm | - | - | - | +| `mgmt.vm.firewall.SetPolicy` | vm | - | `accept|drop` | - | +| `mgmt.vm.firewall.GetPolicy` | vm | - | - | `accept|drop` | +| `mgmt.vm.firewall.Reload` | vm | - | - | - | force reload firewall without changing any rule | `mgmt.vm.device..Attach` | vm | device | options | - | optional options given in `key=value` format, separated with spaces | `mgmt.vm.device..Detach` | vm | device | - | - | | `mgmt.vm.device..List` | vm | - | - | ` \n` |
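Review bot: the new `mgmt.vm.firewall.Get`/`mgmt.vm.firewall.Set` rows define the payload as newline-separated (`\n`) rules, while `comment=` is a free-text option that "must be the last option"; the table should state what a `comment=` value may contain, in particular that an embedded newline is rejected (or escaped), otherwise a comment passed through `Set` could be parsed as an additional rule. Two smaller points on the same rows: the `SetPolicy`/`GetPolicy` cells contain a literal `|` in `accept|drop`, which splits the Markdown table cell even inside backticks, so write `accept\|drop` (or "`accept` or `drop`"); and the `expire=` value format (absolute timestamp vs. relative seconds) is not given, which a client writing rules via `Set` needs to know. It would also help to say whether `Set` replaces the rule set atomically and whether it applies the rules itself or requires a following `mgmt.vm.firewall.Reload`, since the commit message's consistency argument rests on the former.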