use PVE::JSONSchema qw(get_standard_option);
use PVE::CLIHandler;
+use PVE::API2::Firewall::Groups;
use base qw(PVE::CLIHandler);
+use Data::Dumper;
+
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
initlog ('pvefw');
if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
my $code = sub {
- my $ruleset = PVE::Firewall::compile();
- PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
+ my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
+
+ if ($param->{verbose}) {
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
+ if ($ipset_changes || $ruleset_changes) {
+ print "detected changes\n";
+ } else {
+ print "no changes\n";
+ }
+ }
};
PVE::Firewall::run_locked($code);
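Review bot: `$hostfw_conf` is unpacked from compile() on the first added line of the closure but never read in it, which makes the host config look like an input to the change detection when it is not; `my ($ruleset, undef, $ipset_ruleset) = PVE::Firewall::compile();` avoids that. The same three-call sequence (compile, get_ipset_cmdlist, get_ruleset_cmdlist, then OR the two change flags) is repeated in the status command's hunk with only the verbose argument differing, so a small file-level helper taking the verbose flag would keep the two copies from drifting. The verbose branch prints only "detected changes" or "no changes"; whether the `1` passed to the two cmdlist helpers makes them print the individual differences is not visible here. The enclosing command handler starts before this hunk, so where $param comes from is not in view.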
my $res = { status => $status };
if ($status eq 'active') {
- my $ruleset = PVE::Firewall::compile();
- my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);
+ my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
- if ($cmdlist ne "*filter\nCOMMIT\n") {
- $res->{changes} = 1;
- }
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+ # fixme: ipset changes
+ $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
}
return $res;
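Review bot: The `# fixme: ipset changes` comment is stale in the new code: the two lines above it already obtain `$ipset_changes` from get_ipset_cmdlist() and fold it into `$res->{changes}`, so the marker sends the next reader looking for work this commit has done. Either delete it or replace it with a statement of what the flag means, e.g. `# changes = 1 when either the ipset list or the iptables ruleset differs from what is loaded`. As in the compile hunk, `$hostfw_conf` is unpacked and unused; `my ($ruleset, undef, $ipset_ruleset) = PVE::Firewall::compile();` is cleaner. Unlike the compile command, this detection runs without run_locked(), so a concurrent start/compile could in principle make the reported flag momentarily inconsistent; whether that matters depends on what the cmdlist helpers read, which is not visible here. The enclosing sub starts before this hunk.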
my ($param) = @_;
my $code = sub {
-
- my $chash = PVE::Firewall::iptables_get_chains();
- my $cmdlist = "*filter\n";
- my $rule = "INPUT -j PVEFW-INPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-F $chain\n";
- }
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-X $chain\n";
- }
- $cmdlist .= "COMMIT\n";
-
- PVE::Firewall::iptables_restore_cmdlist($cmdlist);
-
+ PVE::Firewall::remove_pvefw_chains();
PVE::Firewall::save_pvefw_status('stopped');
};
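Review bot: Nothing in the rewritten closure tears down the ipsets that compile() now produces next to the ruleset (see the compile and status hunks), so if remove_pvefw_chains() only flushes and deletes the PVEFW-* chains and the three jump rules the replaced inline code handled, `pvefw stop` will leave the managed sets in the kernel while marking the firewall stopped. Confirm the helper covers them, or add the matching teardown before save_pvefw_status('stopped'), and record the contract on the call: `# removes the INPUT/OUTPUT/FORWARD jump rules and all PVEFW-* chains (and, if applicable, the managed ipsets) — confirm`. Calling save_pvefw_status() only after the removal returns keeps the right order: a die inside remove_pvefw_chains() leaves the persisted status unchanged. The enclosing sub starts before this hunk and the closure's invocation is outside it.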
}
}],
stop => [ __PACKAGE__, 'stop', []],
+
+ # This is for debugging
+ listgroups => [ 'PVE::API2::Firewall::Groups', 'list', [],
+ { node => $nodename }, sub {
+ my $res = shift;
+ print Dumper($res);
+ }],
+ grouprules => [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
+ { node => $nodename }, sub {
+ my $res = shift;
+ print Dumper($res);
+ }],
};
my $cmd = shift;
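Review bot: The two new entries register debugging commands in the permanent command table, so `listgroups` and `grouprules` will be listed and callable like the real subcommands while their only output is a raw Data::Dumper dump whose hash-key order can vary between runs. If they are to stay, make the output stable and readable with `local $Data::Dumper::Sortkeys = 1;` and `local $Data::Dumper::Indent = 1;` at the top of each callback, and replace `# This is for debugging` with a comment stating that they are unsupported and print internal API structures verbatim; otherwise drop them together with the `use Data::Dumper` import before this ships. The `group` positional argument is handed straight to the API method, so any validation of it lives in get_rules' JSON schema, not here. `$nodename` is defined outside this hunk.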