[pve-firewall.git] / pvefw

#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

__PACKAGE__->register_method({
    name => 'enabletaprules',
    path => 'enabletaprules',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
            },

        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # test if VM exists
        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

	my $conf = PVE::QemuServer::load_config($vmid);
	my $net = PVE::QemuServer::parse_net($conf->{$netid});

	PVE::Firewall::generate_tap_rules($net, $netid, $vmid);

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'disabletaprules',
    path => 'disabletaprules',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
            },

        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # test if VM exists
        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

	my $conf = PVE::QemuServer::load_config($vmid);
	my $net = PVE::QemuServer::parse_net($conf->{$netid});

	PVE::Firewall::flush_tap_rules($net, $netid, $vmid);

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::enablehostfw();

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::disablehostfw();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::compile();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::compile_and_start();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'restart',
    path => 'restart',
    method => 'POST',
    description => "Restart firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::compile_and_start(1);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Tools::run_command(['shorewall', 'stop']);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Tools::run_command(['shorewall', 'clear']);

	return undef;
    }});

my $nodename = PVE::INotify::nodename();

my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    clear => [ __PACKAGE__, 'clear', []],
    enabletaprules => [ __PACKAGE__, 'enabletaprules', []],
    disabletaprules => [ __PACKAGE__, 'disabletaprules', []],
    enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
    disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
Commit	Line	Data
b6360c3f DM	1	#!/usr/bin/perl -w
	2
	3	use strict;
	4	use lib qw(.);
	5	use PVE::Firewall;
dddd9413	6
80bfe1ff DM	7	use PVE::SafeSyslog;
	8	use PVE::Cluster;
	9	use PVE::INotify;
	10	use PVE::RPCEnvironment;
b6360c3f	11
80bfe1ff DM	12	use PVE::JSONSchema qw(get_standard_option);
	13
	14	use PVE::CLIHandler;
	15
	16	use base qw(PVE::CLIHandler);
	17
	18	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	19
	20	initlog ('pvefw');
	21
	22	die "please run as root\n" if $> != 0;
	23
	24	PVE::INotify::inotify_init();
	25
	26	my $rpcenv = PVE::RPCEnvironment->init('cli');
	27
	28	$rpcenv->init_request();
	29	$rpcenv->set_language($ENV{LANG});
	30	$rpcenv->set_user('root@pam');
b6360c3f	31
3a616aa0 AD	32	__PACKAGE__->register_method({
	33	name => 'enabletaprules',
	34	path => 'enabletaprules',
	35	method => 'POST',
	36	parameters => {
	37	additionalProperties => 0,
	38	properties => {
	39	vmid => get_standard_option('pve-vmid'),
	40	netid => {
	41	type => 'string',
	42	},
	43
	44	},
	45	},
	46	returns => { type => 'null' },
	47	code => sub {
	48	my ($param) = @_;
	49
	50	# test if VM exists
	51	my $vmid = $param->{vmid};
	52	my $netid = $param->{netid};
	53
	54	my $conf = PVE::QemuServer::load_config($vmid);
	55	my $net = PVE::QemuServer::parse_net($conf->{$netid});
	56
	57	PVE::Firewall::generate_tap_rules($net, $netid, $vmid);
	58
	59	return undef;
	60	}});
	61
	62	__PACKAGE__->register_method({
	63	name => 'disabletaprules',
	64	path => 'disabletaprules',
	65	method => 'POST',
	66	parameters => {
	67	additionalProperties => 0,
	68	properties => {
	69	vmid => get_standard_option('pve-vmid'),
	70	netid => {
	71	type => 'string',
	72	},
	73
	74	},
	75	},
	76	returns => { type => 'null' },
	77	code => sub {
	78	my ($param) = @_;
	79
	80	# test if VM exists
	81	my $vmid = $param->{vmid};
	82	my $netid = $param->{netid};
	83
	84	my $conf = PVE::QemuServer::load_config($vmid);
	85	my $net = PVE::QemuServer::parse_net($conf->{$netid});
	86
	87	PVE::Firewall::flush_tap_rules($net, $netid, $vmid);
	88
	89	return undef;
	90	}});
9aab3127	91
0bd5f137 AD	92	__PACKAGE__->register_method({
	93	name => 'enablehostfw',
	94	path => 'enablehostfw',
	95	method => 'POST',
	96	parameters => {
	97	additionalProperties => 0,
	98	properties => {},
	99	},
	100	returns => { type => 'null' },
	101
	102	code => sub {
	103	my ($param) = @_;
	104
	105	PVE::Firewall::enablehostfw();
	106
	107	return undef;
	108	}});
	109
	110	__PACKAGE__->register_method({
	111	name => 'disablehostfw',
	112	path => 'disablehostfw',
	113	method => 'POST',
	114	parameters => {
	115	additionalProperties => 0,
	116	properties => {},
	117	},
	118	returns => { type => 'null' },
	119
	120	code => sub {
	121	my ($param) = @_;
	122
	123	PVE::Firewall::disablehostfw();
	124
	125	return undef;
	126	}});
	127
80bfe1ff DM	128	__PACKAGE__->register_method ({
	129	name => 'compile',
	130	path => 'compile',
	131	method => 'POST',
	132	description => "Compile firewall rules.",
	133	parameters => {
	134	additionalProperties => 0,
	135	properties => {},
	136	},
	137	returns => { type => 'null' },
	138
	139	code => sub {
	140	my ($param) = @_;
	141
5e1267a5	142	PVE::Firewall::compile();
f789653a	143
5e1267a5 DM	144	return undef;
5e1267a5 DM	145	}});
80bfe1ff	146
5e1267a5 DM	147	__PACKAGE__->register_method ({
	148	name => 'start',
	149	path => 'start',
	150	method => 'POST',
	151	description => "Start firewall.",
	152	parameters => {
	153	additionalProperties => 0,
	154	properties => {},
	155	},
	156	returns => { type => 'null' },
80bfe1ff	157
5e1267a5 DM	158	code => sub {
5e1267a5 DM	159	my ($param) = @_;
80bfe1ff	160
5e1267a5	161	PVE::Firewall::compile_and_start();
80bfe1ff DM	162
80bfe1ff DM	163	return undef;
80bfe1ff DM	164	}});
	165
	166	__PACKAGE__->register_method ({
5e1267a5 DM	167	name => 'restart',
5e1267a5 DM	168	path => 'restart',
80bfe1ff	169	method => 'POST',
5e1267a5	170	description => "Restart firewall.",
80bfe1ff DM	171	parameters => {
	172	additionalProperties => 0,
	173	properties => {},
	174	},
	175	returns => { type => 'null' },
	176
	177	code => sub {
	178	my ($param) = @_;
	179
5e1267a5	180	PVE::Firewall::compile_and_start(1);
80bfe1ff DM	181
	182	return undef;
	183	}});
	184
	185	__PACKAGE__->register_method ({
	186	name => 'stop',
	187	path => 'stop',
	188	method => 'POST',
	189	description => "Stop firewall.",
	190	parameters => {
	191	additionalProperties => 0,
	192	properties => {},
	193	},
	194	returns => { type => 'null' },
	195
	196	code => sub {
	197	my ($param) = @_;
	198
	199	PVE::Tools::run_command(['shorewall', 'stop']);
	200
	201	return undef;
	202	}});
	203
	204	__PACKAGE__->register_method ({
	205	name => 'clear',
	206	path => 'clear',
	207	method => 'POST',
	208	description => "Clear will remove all rules installed by this script. The host is then unprotected.",
	209	parameters => {
	210	additionalProperties => 0,
	211	properties => {},
	212	},
	213	returns => { type => 'null' },
	214
	215	code => sub {
	216	my ($param) = @_;
	217
	218	PVE::Tools::run_command(['shorewall', 'clear']);
	219
	220	return undef;
	221	}});
	222
	223	my $nodename = PVE::INotify::nodename();
	224
	225	my $cmddef = {
	226	compile => [ __PACKAGE__, 'compile', []],
	227	start => [ __PACKAGE__, 'start', []],
5e1267a5	228	restart => [ __PACKAGE__, 'restart', []],
80bfe1ff DM	229	stop => [ __PACKAGE__, 'stop', []],
80bfe1ff DM	230	clear => [ __PACKAGE__, 'clear', []],
3a616aa0 AD	231	enabletaprules => [ __PACKAGE__, 'enabletaprules', []],
3a616aa0 AD	232	disabletaprules => [ __PACKAGE__, 'disabletaprules', []],
0bd5f137 AD	233	enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
0bd5f137 AD	234	disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
80bfe1ff DM	235	};
	236
	237	my $cmd = shift;
	238
	239	PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
b6360c3f DM	240
b6360c3f DM	241	exit(0);
80bfe1ff	242