- my ($ccsec_end, $cusec_end) = gettimeofday ();
- my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
-
- syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
- if ($cptime > 5);
-
- $cycle++;
-
- my $mem = PVE::ProcFSTools::read_memory_usage();
-
- if (!defined($initial_memory_usage) || ($cycle < 10)) {
- $initial_memory_usage = $mem->{resident};
- } else {
- my $diff = $mem->{resident} - $initial_memory_usage;
- if ($diff > 5*1024*1024) {
- syslog ('info', "restarting server after $cycle cycles to " .
- "reduce memory usage (free $mem->{resident} ($diff) bytes)");
- restart_server();
- }
- }
-
- my $wcount = 0;
- while ((time() < $next_update) &&
- ($wcount < $updatetime) && # protect against time wrap
- !$restart_request) { $wcount++; sleep (1); };
-
- restart_server() if $restart_request;
- };
-
- my $err = $@;
-
- if ($err) {
- syslog ('err', "ERROR: $err");
- restart_server(5);
- exit (0);
- }
- }
-}
-
-__PACKAGE__->register_method ({
- name => 'start',
- path => 'start',
- method => 'POST',
- description => "Start the Proxmox VE firewall service.",
- parameters => {
- additionalProperties => 0,
- properties => {
- debug => {
- description => "Debug mode - stay in foreground",
- type => "boolean",
- optional => 1,
- default => 0,
- },
- },
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- run_server($param);
-
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'stop',
- path => 'stop',
- method => 'POST',
- description => "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
-
- if ($pid) {
- if (PVE::ProcFSTools::check_process_running($pid)) {
- kill(15, $pid); # send TERM signal
- # give max 5 seconds to shut down
- for (my $i = 0; $i < 5; $i++) {
- last if !PVE::ProcFSTools::check_process_running($pid);
- sleep (1);
- }
-
- # to be sure
- kill(9, $pid);
- waitpid($pid, 0);
- }
- if (-f $pve_firewall_pidfile) {
- # try to get the lock
- lockpidfile($pve_firewall_pidfile);
- cleanup();
- }
- }
-
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'status',
- path => 'status',
- method => 'GET',
- description => "Get firewall status.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => {
- type => 'object',
- additionalProperties => 0,
- properties => {
- status => {
- type => 'string',
- enum => ['unknown', 'stopped', 'active'],
- },
- changes => {
- description => "Set when there are pending changes.",
- type => 'boolean',
- optional => 1,
- }
- },
- },
- code => sub {
- my ($param) = @_;
-
- local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
-
- my $code = sub {
-
- my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
- my $running = PVE::ProcFSTools::check_process_running($pid);
-
- my $status = $running ? 'active' : 'stopped';
-
- my $res = { status => $status };
- if ($status eq 'active') {
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
-
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
-
- $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
- }
-
- return $res;
- };
-
- return PVE::Firewall::run_locked($code);
- }});
-
-__PACKAGE__->register_method ({
- name => 'compile',
- path => 'compile',
- method => 'POST',
- description => "Compile and print firewall rules. This is useful for testing.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
-
- my $code = sub {
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
-
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
- if ($ipset_changes || $ruleset_changes) {
- print "detected changes\n";
- } else {
- print "no changes\n";
- }
- };
-
- PVE::Firewall::run_locked($code);
-
- return undef;
- }});
-
-my $nodename = PVE::INotify::nodename();
-
-my $cmddef = {
- start => [ __PACKAGE__, 'start', []],
- stop => [ __PACKAGE__, 'stop', []],
- compile => [ __PACKAGE__, 'compile', []],
- status => [ __PACKAGE__, 'status', [], undef, sub {
- my $res = shift;
- if ($res->{changes}) {
- print "Status: $res->{status} (pending changes)\n";
- } else {
- print "Status: $res->{status}\n";
- }
- }],
- };
-
-my $cmd = shift;
-
-PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);
-
-exit (0);
-
-__END__
-
-=head1 NAME
-
-pve-firewall - PVE Firewall Daemon
-
-=head1 SYNOPSIS
-
-=include synopsis
-
-=head1 DESCRIPTION
-
-This service updates iptables rules periodically.