[pve-firewall.git] / pvefw

#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile amd print firewall rules. This is only for testing.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => "boolean",
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();

	$param->{verbose} = 1 
	    if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');

	my $code = sub {
	    my $ruleset = PVE::Firewall::compile();
	    PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'status',
    path => 'status',
    method => 'GET',
    description => "Get firewall status.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { 
	type => 'object',
	additionalProperties => 0,
	properties => {
	    status => {
		type => 'string',
		enum => ['unknown', 'stopped', 'active'],
	    },
	    changes => {
		description => "Set when there are pending changes.",
		type => 'boolean',
		optional => 1,
	    }
	},
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();

	$param->{verbose} = 1 
	    if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');

	my $code = sub {
	    my $status = PVE::Firewall::read_pvefw_status();

	    my $res = { status => $status };
	    if ($status eq 'active') {
		my $ruleset = PVE::Firewall::compile();
		my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);

		if ($cmdlist ne "*filter\nCOMMIT\n") {
		    $res->{changes} = 1;
		}
	    } 

	    return $res;
	};

	return PVE::Firewall::run_locked($code);
    }});

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start (or simply update if already active) firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => "boolean",
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::update(1, $param->{verbose});

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update',
    path => 'update',
    method => 'POST',
    description => "Check firewall rules. Then update the rules if the firewall is active.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => "boolean",
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::update(0, $param->{verbose});

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $code = sub {

	    my $chash = PVE::Firewall::iptables_get_chains();
	    my $cmdlist = "*filter\n";
	    my $rule = "INPUT -j PVEFW-INPUT";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }
	    $rule = "OUTPUT -j PVEFW-OUTPUT";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }

	    $rule = "FORWARD -j PVEFW-FORWARD";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }

	    foreach my $chain (keys %$chash) {
		$cmdlist .= "-F $chain\n";
	    }
	    foreach my $chain (keys %$chash) {
		$cmdlist .= "-X $chain\n";
	    }
	    $cmdlist .= "COMMIT\n";

	    PVE::Firewall::iptables_restore_cmdlist($cmdlist);

	    PVE::Firewall::save_pvefw_status('stopped');
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

my $nodename = PVE::INotify::nodename();

my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    update => [ __PACKAGE__, 'update', []],
    status => [ __PACKAGE__, 'status', [], undef, sub {
	my $res = shift;
	if ($res->{changes}) {
	    print "Status: $res->{status} (pending changes)\n";
	} else {
	    print "Status: $res->{status}\n";
	}
    }],
    stop => [ __PACKAGE__, 'stop', []],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
Commit	Line	Data
b6360c3f DM	1	#!/usr/bin/perl -w
	2
	3	use strict;
	4	use lib qw(.);
	5	use PVE::Firewall;
dddd9413	6
80bfe1ff DM	7	use PVE::SafeSyslog;
	8	use PVE::Cluster;
	9	use PVE::INotify;
	10	use PVE::RPCEnvironment;
b6360c3f	11
80bfe1ff DM	12	use PVE::JSONSchema qw(get_standard_option);
	13
	14	use PVE::CLIHandler;
	15
	16	use base qw(PVE::CLIHandler);
	17
	18	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	19
	20	initlog ('pvefw');
	21
	22	die "please run as root\n" if $> != 0;
	23
	24	PVE::INotify::inotify_init();
	25
	26	my $rpcenv = PVE::RPCEnvironment->init('cli');
	27
	28	$rpcenv->init_request();
	29	$rpcenv->set_language($ENV{LANG});
	30	$rpcenv->set_user('root@pam');
b6360c3f	31
80bfe1ff DM	32	__PACKAGE__->register_method ({
	33	name => 'compile',
	34	path => 'compile',
	35	method => 'POST',
3fa83edf	36	description => "Compile amd print firewall rules. This is only for testing.",
80bfe1ff DM	37	parameters => {
80bfe1ff DM	38	additionalProperties => 0,
3fa83edf DM	39	properties => {
	40	verbose => {
	41	description => "Verbose output.",
	42	type => "boolean",
	43	optional => 1,
3fa83edf DM	44	},
3fa83edf DM	45	},
80bfe1ff DM	46	},
	47	returns => { type => 'null' },
	48
	49	code => sub {
	50	my ($param) = @_;
	51
e0809a95 DM	52	my $rpcenv = PVE::RPCEnvironment::get();
	53
	54	$param->{verbose} = 1
	55	if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
	56
06320eb0	57	my $code = sub {
3fa83edf DM	58	my $ruleset = PVE::Firewall::compile();
3fa83edf DM	59	PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
06320eb0 DM	60	};
	61
	62	PVE::Firewall::run_locked($code);
f789653a	63
5e1267a5 DM	64	return undef;
5e1267a5 DM	65	}});
80bfe1ff	66
6b9f68a2 DM	67	__PACKAGE__->register_method ({
	68	name => 'status',
	69	path => 'status',
	70	method => 'GET',
	71	description => "Get firewall status.",
	72	parameters => {
	73	additionalProperties => 0,
	74	properties => {},
	75	},
	76	returns => {
	77	type => 'object',
	78	additionalProperties => 0,
	79	properties => {
	80	status => {
	81	type => 'string',
	82	enum => ['unknown', 'stopped', 'active'],
	83	},
	84	changes => {
	85	description => "Set when there are pending changes.",
	86	type => 'boolean',
	87	optional => 1,
	88	}
	89	},
	90	},
	91	code => sub {
	92	my ($param) = @_;
	93
	94	my $rpcenv = PVE::RPCEnvironment::get();
	95
	96	$param->{verbose} = 1
	97	if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
	98
	99	my $code = sub {
	100	my $status = PVE::Firewall::read_pvefw_status();
	101
	102	my $res = { status => $status };
	103	if ($status eq 'active') {
	104	my $ruleset = PVE::Firewall::compile();
	105	my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);
	106
	107	if ($cmdlist ne "*filter\nCOMMIT\n") {
	108	$res->{changes} = 1;
	109	}
	110	}
	111
	112	return $res;
	113	};
	114
	115	return PVE::Firewall::run_locked($code);
	116	}});
	117
5e1267a5 DM	118	__PACKAGE__->register_method ({
	119	name => 'start',
	120	path => 'start',
	121	method => 'POST',
6b9f68a2	122	description => "Start (or simply update if already active) firewall.",
5e1267a5 DM	123	parameters => {
5e1267a5 DM	124	additionalProperties => 0,
3fa83edf DM	125	properties => {
	126	verbose => {
	127	description => "Verbose output.",
	128	type => "boolean",
	129	optional => 1,
	130	default => 0,
	131	},
	132	},
5e1267a5 DM	133	},
5e1267a5 DM	134	returns => { type => 'null' },
80bfe1ff	135
5e1267a5 DM	136	code => sub {
5e1267a5 DM	137	my ($param) = @_;
80bfe1ff	138
6b9f68a2	139	PVE::Firewall::update(1, $param->{verbose});
06320eb0	140
6b9f68a2 DM	141	return undef;
	142	}});
	143
	144	__PACKAGE__->register_method ({
	145	name => 'update',
	146	path => 'update',
	147	method => 'POST',
	148	description => "Check firewall rules. Then update the rules if the firewall is active.",
	149	parameters => {
	150	additionalProperties => 0,
	151	properties => {
	152	verbose => {
	153	description => "Verbose output.",
	154	type => "boolean",
	155	optional => 1,
	156	default => 0,
	157	},
	158	},
	159	},
	160	returns => { type => 'null' },
	161
	162	code => sub {
	163	my ($param) = @_;
	164
	165	PVE::Firewall::update(0, $param->{verbose});
80bfe1ff DM	166
80bfe1ff DM	167	return undef;
80bfe1ff DM	168	}});
80bfe1ff DM	169
80bfe1ff DM	170	__PACKAGE__->register_method ({
	171	name => 'stop',
	172	path => 'stop',
	173	method => 'POST',
a332200b	174	description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
80bfe1ff DM	175	parameters => {
	176	additionalProperties => 0,
	177	properties => {},
	178	},
	179	returns => { type => 'null' },
	180
	181	code => sub {
	182	my ($param) = @_;
	183
06320eb0	184	my $code = sub {
6b9f68a2	185
b16e818e DM	186	my $chash = PVE::Firewall::iptables_get_chains();
b16e818e DM	187	my $cmdlist = "*filter\n";
dec84fcd	188	my $rule = "INPUT -j PVEFW-INPUT";
3fa83edf DM	189	if (PVE::Firewall::iptables_rule_exist($rule)) {
	190	$cmdlist .= "-D $rule\n";
	191	}
dec84fcd	192	$rule = "OUTPUT -j PVEFW-OUTPUT";
3fa83edf DM	193	if (PVE::Firewall::iptables_rule_exist($rule)) {
	194	$cmdlist .= "-D $rule\n";
	195	}
	196
dec84fcd	197	$rule = "FORWARD -j PVEFW-FORWARD";
3fa83edf DM	198	if (PVE::Firewall::iptables_rule_exist($rule)) {
	199	$cmdlist .= "-D $rule\n";
	200	}
	201
b16e818e DM	202	foreach my $chain (keys %$chash) {
	203	$cmdlist .= "-F $chain\n";
	204	}
	205	foreach my $chain (keys %$chash) {
	206	$cmdlist .= "-X $chain\n";
	207	}
	208	$cmdlist .= "COMMIT\n";
	209
	210	PVE::Firewall::iptables_restore_cmdlist($cmdlist);
6b9f68a2 DM	211
6b9f68a2 DM	212	PVE::Firewall::save_pvefw_status('stopped');
06320eb0 DM	213	};
	214
	215	PVE::Firewall::run_locked($code);
80bfe1ff DM	216
	217	return undef;
	218	}});
	219
	220	my $nodename = PVE::INotify::nodename();
	221
	222	my $cmddef = {
	223	compile => [ __PACKAGE__, 'compile', []],
	224	start => [ __PACKAGE__, 'start', []],
6b9f68a2 DM	225	update => [ __PACKAGE__, 'update', []],
	226	status => [ __PACKAGE__, 'status', [], undef, sub {
	227	my $res = shift;
	228	if ($res->{changes}) {
	229	print "Status: $res->{status} (pending changes)\n";
	230	} else {
	231	print "Status: $res->{status}\n";
	232	}
	233	}],
80bfe1ff	234	stop => [ __PACKAGE__, 'stop', []],
80bfe1ff DM	235	};
	236
	237	my $cmd = shift;
	238
	239	PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
b6360c3f DM	240
b6360c3f DM	241	exit(0);
80bfe1ff	242