12 use PVE
::RPCEnvironment
;
14 use PVE
::JSONSchema
qw(get_standard_option);
17 use PVE
::API2
::Firewall
::Groups
;
19 use base
qw(PVE::CLIHandler);
# Pin PATH to the system directories before anything else runs, so that
# any external command this script ends up executing resolves from
# these trusted locations rather than from the caller's environment.
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

# Refuse to continue unless the effective UID ($>) is root.
die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

# Set up a CLI-type RPC environment. The request is attributed to the
# fixed user root@pam (no caller-supplied identity is consulted) and
# takes its language from the process environment.
my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
37 __PACKAGE__-
>register_method ({
41 description
=> "Compile amd print firewall rules. This is only for testing.",
43 additionalProperties
=> 0,
46 description
=> "Verbose output.",
52 returns
=> { type
=> 'null' },
57 my $rpcenv = PVE
::RPCEnvironment
::get
();
60 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
63 my ($ruleset, $ipset_ruleset) = PVE
::Firewall
::compile
();
65 if ($param->{verbose
}) {
66 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset, 1);
67 my (undef, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset, 1);
68 if ($ipset_changes || $ruleset_changes) {
69 print "detected changes\n";
76 PVE
::Firewall
::run_locked
($code);
81 __PACKAGE__-
>register_method ({
85 description
=> "Get firewall status.",
87 additionalProperties
=> 0,
92 additionalProperties
=> 0,
96 enum
=> ['unknown', 'stopped', 'active'],
99 description
=> "Set when there are pending changes.",
108 my $rpcenv = PVE
::RPCEnvironment
::get
();
110 $param->{verbose
} = 1
111 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
114 my $status = PVE
::Firewall
::read_pvefw_status
();
116 my $res = { status
=> $status };
117 if ($status eq 'active') {
118 my ($ruleset, $ipset_ruleset) = PVE
::Firewall
::compile
();
120 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset);
121 my (undef, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset);
122 # fixme: ipset changes
123 $res->{changes
} = ($ipset_changes || $ruleset_changes) ?
1 : 0;
129 return PVE
::Firewall
::run_locked
($code);
132 __PACKAGE__-
>register_method ({
136 description
=> "Start (or simply update if already active) firewall.",
138 additionalProperties
=> 0,
141 description
=> "Verbose output.",
148 returns
=> { type
=> 'null' },
153 PVE
::Firewall
::update
(1, $param->{verbose
});
158 __PACKAGE__-
>register_method ({
162 description
=> "Check firewall rules. Then update the rules if the firewall is active.",
164 additionalProperties
=> 0,
167 description
=> "Verbose output.",
174 returns
=> { type
=> 'null' },
179 PVE
::Firewall
::update
(0, $param->{verbose
});
184 __PACKAGE__-
>register_method ({
188 description
=> "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
190 additionalProperties
=> 0,
193 returns
=> { type
=> 'null' },
199 PVE
::Firewall
::remove_pvefw_chains
();
200 PVE
::Firewall
::save_pvefw_status
('stopped');
203 PVE
::Firewall
::run_locked
($code);
# Name of the local node; it is supplied as the fixed 'node' parameter
# of the group-listing debug commands in the command table below.
my $nodename = PVE::INotify::nodename();
211 compile
=> [ __PACKAGE__
, 'compile', []],
212 start
=> [ __PACKAGE__
, 'start', []],
213 update
=> [ __PACKAGE__
, 'update', []],
214 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
216 if ($res->{changes
}) {
217 print "Status: $res->{status} (pending changes)\n";
219 print "Status: $res->{status}\n";
222 stop
=> [ __PACKAGE__
, 'stop', []],
224 # This is for debugging
225 listgroups
=> [ 'PVE::API2::Firewall::Groups', 'list', [],
226 { node
=> $nodename }, sub {
230 grouprules
=> [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
231 { node
=> $nodename }, sub {
# Dispatch the requested subcommand through the shared CLI handler;
# $cmddef maps each subcommand name to the method registered above
# under that name, with the remaining @ARGV passed on as its arguments.
PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);