[pve-firewall.git] / pvefw

#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

__PACKAGE__->register_method({
    name => 'enablevmfw',
    path => 'enablevmfw',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
		optional => 1
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # test if VM exists
        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

	my $conf = PVE::QemuServer::load_config($vmid);

	foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net(\d+)$/;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
	    next if $netid && $opt != $netid;
	    PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
	}

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'disablevmfw',
    path => 'disablevmfw',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
		optional => 1
            },

        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # test if VM exists
        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

	my $conf = PVE::QemuServer::load_config($vmid);

	foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net(\d+)$/;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
	    next if $netid && $opt != $netid;
	    PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
	}

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'enablegroup',
    path => 'enablegroup',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => {
                type => 'string',
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

	my $group = $param->{securitygroup};
	PVE::Firewall::enable_group_rules($group);

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'disablegroup',
    path => 'disablegroup',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => {
                type => 'string',
            },

        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

	my $group = $param->{securitygroup};
	PVE::Firewall::disable_group_rules($group);

        return undef;
    }});

__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::enablehostfw();

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::disablehostfw();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::compile();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start (or restart if already active) firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Firewall::compile_and_start();

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	die "implement me";

	return undef;
    }});

my $nodename = PVE::INotify::nodename();

my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
    disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
    enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
    disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
    enablegroup => [ __PACKAGE__, 'enablegroup', []],
    disablegroup => [ __PACKAGE__, 'disablegroup', []],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
Commit	Line	Data
b6360c3f DM	1	#!/usr/bin/perl -w
	2
	3	use strict;
	4	use lib qw(.);
	5	use PVE::Firewall;
dddd9413	6
80bfe1ff DM	7	use PVE::SafeSyslog;
	8	use PVE::Cluster;
	9	use PVE::INotify;
	10	use PVE::RPCEnvironment;
b6360c3f	11
80bfe1ff DM	12	use PVE::JSONSchema qw(get_standard_option);
	13
	14	use PVE::CLIHandler;
	15
	16	use base qw(PVE::CLIHandler);
	17
	18	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	19
	20	initlog ('pvefw');
	21
	22	die "please run as root\n" if $> != 0;
	23
	24	PVE::INotify::inotify_init();
	25
	26	my $rpcenv = PVE::RPCEnvironment->init('cli');
	27
	28	$rpcenv->init_request();
	29	$rpcenv->set_language($ENV{LANG});
	30	$rpcenv->set_user('root@pam');
b6360c3f	31
3a616aa0	32	__PACKAGE__->register_method({
462a6553 AD	33	name => 'enablevmfw',
462a6553 AD	34	path => 'enablevmfw',
3a616aa0 AD	35	method => 'POST',
	36	parameters => {
	37	additionalProperties => 0,
	38	properties => {
	39	vmid => get_standard_option('pve-vmid'),
	40	netid => {
	41	type => 'string',
462a6553	42	optional => 1
3a616aa0	43	},
3a616aa0 AD	44	},
	45	},
	46	returns => { type => 'null' },
	47	code => sub {
	48	my ($param) = @_;
	49
	50	# test if VM exists
	51	my $vmid = $param->{vmid};
	52	my $netid = $param->{netid};
	53
	54	my $conf = PVE::QemuServer::load_config($vmid);
3a616aa0	55
462a6553 AD	56	foreach my $opt (keys %$conf) {
	57	next if $opt !~ m/^net(\d+)$/;
	58	my $net = PVE::QemuServer::parse_net($conf->{$opt});
	59	next if !$net;
	60	next if $netid && $opt != $netid;
	61	PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
	62	}
3a616aa0 AD	63
	64	return undef;
	65	}});
	66
	67	__PACKAGE__->register_method({
462a6553 AD	68	name => 'disablevmfw',
462a6553 AD	69	path => 'disablevmfw',
3a616aa0 AD	70	method => 'POST',
	71	parameters => {
	72	additionalProperties => 0,
	73	properties => {
	74	vmid => get_standard_option('pve-vmid'),
	75	netid => {
	76	type => 'string',
462a6553	77	optional => 1
3a616aa0 AD	78	},
	79
	80	},
	81	},
	82	returns => { type => 'null' },
	83	code => sub {
	84	my ($param) = @_;
	85
	86	# test if VM exists
	87	my $vmid = $param->{vmid};
	88	my $netid = $param->{netid};
	89
	90	my $conf = PVE::QemuServer::load_config($vmid);
3a616aa0	91
462a6553 AD	92	foreach my $opt (keys %$conf) {
	93	next if $opt !~ m/^net(\d+)$/;
	94	my $net = PVE::QemuServer::parse_net($conf->{$opt});
	95	next if !$net;
	96	next if $netid && $opt != $netid;
	97	PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
	98	}
3a616aa0 AD	99
	100	return undef;
	101	}});
9aab3127	102
9d31b418 AD	103	__PACKAGE__->register_method({
	104	name => 'enablegroup',
	105	path => 'enablegroup',
	106	method => 'POST',
	107	parameters => {
	108	additionalProperties => 0,
	109	properties => {
	110	securitygroup => {
	111	type => 'string',
	112	},
	113	},
	114	},
	115	returns => { type => 'null' },
	116	code => sub {
	117	my ($param) = @_;
	118
	119	my $group = $param->{securitygroup};
	120	PVE::Firewall::enable_group_rules($group);
	121
	122	return undef;
	123	}});
	124
	125	__PACKAGE__->register_method({
	126	name => 'disablegroup',
	127	path => 'disablegroup',
	128	method => 'POST',
	129	parameters => {
	130	additionalProperties => 0,
	131	properties => {
	132	securitygroup => {
	133	type => 'string',
	134	},
	135
	136	},
	137	},
	138	returns => { type => 'null' },
	139	code => sub {
	140	my ($param) = @_;
	141
	142	my $group = $param->{securitygroup};
	143	PVE::Firewall::disable_group_rules($group);
	144
	145	return undef;
	146	}});
	147
0bd5f137 AD	148	__PACKAGE__->register_method({
	149	name => 'enablehostfw',
	150	path => 'enablehostfw',
	151	method => 'POST',
	152	parameters => {
	153	additionalProperties => 0,
	154	properties => {},
	155	},
	156	returns => { type => 'null' },
	157
	158	code => sub {
	159	my ($param) = @_;
	160
	161	PVE::Firewall::enablehostfw();
	162
	163	return undef;
	164	}});
	165
	166	__PACKAGE__->register_method({
	167	name => 'disablehostfw',
	168	path => 'disablehostfw',
	169	method => 'POST',
	170	parameters => {
	171	additionalProperties => 0,
	172	properties => {},
	173	},
	174	returns => { type => 'null' },
	175
	176	code => sub {
	177	my ($param) = @_;
	178
	179	PVE::Firewall::disablehostfw();
	180
	181	return undef;
	182	}});
	183
80bfe1ff DM	184	__PACKAGE__->register_method ({
	185	name => 'compile',
	186	path => 'compile',
	187	method => 'POST',
	188	description => "Compile firewall rules.",
	189	parameters => {
	190	additionalProperties => 0,
	191	properties => {},
	192	},
	193	returns => { type => 'null' },
	194
	195	code => sub {
	196	my ($param) = @_;
	197
5e1267a5	198	PVE::Firewall::compile();
f789653a	199
5e1267a5 DM	200	return undef;
5e1267a5 DM	201	}});
80bfe1ff	202
5e1267a5 DM	203	__PACKAGE__->register_method ({
	204	name => 'start',
	205	path => 'start',
	206	method => 'POST',
a332200b	207	description => "Start (or restart if already active) firewall.",
5e1267a5 DM	208	parameters => {
	209	additionalProperties => 0,
	210	properties => {},
	211	},
	212	returns => { type => 'null' },
80bfe1ff	213
5e1267a5 DM	214	code => sub {
5e1267a5 DM	215	my ($param) = @_;
80bfe1ff	216
5e1267a5	217	PVE::Firewall::compile_and_start();
80bfe1ff DM	218
80bfe1ff DM	219	return undef;
80bfe1ff DM	220	}});
80bfe1ff DM	221
80bfe1ff DM	222	__PACKAGE__->register_method ({
	223	name => 'stop',
	224	path => 'stop',
	225	method => 'POST',
a332200b	226	description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
80bfe1ff DM	227	parameters => {
	228	additionalProperties => 0,
	229	properties => {},
	230	},
	231	returns => { type => 'null' },
	232
	233	code => sub {
	234	my ($param) = @_;
	235
a332200b	236	die "implement me";
80bfe1ff DM	237
	238	return undef;
	239	}});
	240
	241	my $nodename = PVE::INotify::nodename();
	242
	243	my $cmddef = {
	244	compile => [ __PACKAGE__, 'compile', []],
	245	start => [ __PACKAGE__, 'start', []],
5e1267a5	246	restart => [ __PACKAGE__, 'restart', []],
80bfe1ff	247	stop => [ __PACKAGE__, 'stop', []],
462a6553 AD	248	enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
462a6553 AD	249	disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
0bd5f137 AD	250	enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
0bd5f137 AD	251	disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
9d31b418 AD	252	enablegroup => [ __PACKAGE__, 'enablegroup', []],
9d31b418 AD	253	disablegroup => [ __PACKAGE__, 'disablegroup', []],
80bfe1ff DM	254	};
	255
	256	my $cmd = shift;
	257
	258	PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
b6360c3f DM	259
b6360c3f DM	260	exit(0);
80bfe1ff	261