[pve-firewall.git] / pvefw

#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile amd print firewall rules. This is only for testing.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => "boolean",
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $code = sub {
	    my $ruleset = PVE::Firewall::compile();
	    PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start (or restart if already active) firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => "boolean",
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $code = sub {
	    my $ruleset = PVE::Firewall::compile();
	    PVE::Firewall::apply_ruleset($ruleset, $param->{verbose});
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $code = sub {
	    my $chash = PVE::Firewall::iptables_get_chains();
	    my $cmdlist = "*filter\n";
	    my $rule = "INPUT -j PVEFW-INPUT";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }
	    $rule = "OUTPUT -j PVEFW-OUTPUT";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }

	    $rule = "FORWARD -j PVEFW-FORWARD";
	    if (PVE::Firewall::iptables_rule_exist($rule)) {
		$cmdlist .= "-D $rule\n";
	    }

	    foreach my $chain (keys %$chash) {
		$cmdlist .= "-F $chain\n";
	    }
	    foreach my $chain (keys %$chash) {
		$cmdlist .= "-X $chain\n";
	    }
	    $cmdlist .= "COMMIT\n";

	    PVE::Firewall::iptables_restore_cmdlist($cmdlist);
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

my $nodename = PVE::INotify::nodename();

my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    stop => [ __PACKAGE__, 'stop', []],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
Commit	Line	Data
b6360c3f DM	1	#!/usr/bin/perl -w
	2
	3	use strict;
	4	use lib qw(.);
	5	use PVE::Firewall;
dddd9413	6
80bfe1ff DM	7	use PVE::SafeSyslog;
	8	use PVE::Cluster;
	9	use PVE::INotify;
	10	use PVE::RPCEnvironment;
b6360c3f	11
80bfe1ff DM	12	use PVE::JSONSchema qw(get_standard_option);
	13
	14	use PVE::CLIHandler;
	15
	16	use base qw(PVE::CLIHandler);
	17
	18	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	19
	20	initlog ('pvefw');
	21
	22	die "please run as root\n" if $> != 0;
	23
	24	PVE::INotify::inotify_init();
	25
	26	my $rpcenv = PVE::RPCEnvironment->init('cli');
	27
	28	$rpcenv->init_request();
	29	$rpcenv->set_language($ENV{LANG});
	30	$rpcenv->set_user('root@pam');
b6360c3f	31
80bfe1ff DM	32	__PACKAGE__->register_method ({
	33	name => 'compile',
	34	path => 'compile',
	35	method => 'POST',
3fa83edf	36	description => "Compile amd print firewall rules. This is only for testing.",
80bfe1ff DM	37	parameters => {
80bfe1ff DM	38	additionalProperties => 0,
3fa83edf DM	39	properties => {
	40	verbose => {
	41	description => "Verbose output.",
	42	type => "boolean",
	43	optional => 1,
	44	default => 0,
	45	},
	46	},
80bfe1ff DM	47	},
	48	returns => { type => 'null' },
	49
	50	code => sub {
	51	my ($param) = @_;
	52
06320eb0	53	my $code = sub {
3fa83edf DM	54	my $ruleset = PVE::Firewall::compile();
3fa83edf DM	55	PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
06320eb0 DM	56	};
	57
	58	PVE::Firewall::run_locked($code);
f789653a	59
5e1267a5 DM	60	return undef;
5e1267a5 DM	61	}});
80bfe1ff	62
5e1267a5 DM	63	__PACKAGE__->register_method ({
	64	name => 'start',
	65	path => 'start',
	66	method => 'POST',
a332200b	67	description => "Start (or restart if already active) firewall.",
5e1267a5 DM	68	parameters => {
5e1267a5 DM	69	additionalProperties => 0,
3fa83edf DM	70	properties => {
	71	verbose => {
	72	description => "Verbose output.",
	73	type => "boolean",
	74	optional => 1,
	75	default => 0,
	76	},
	77	},
5e1267a5 DM	78	},
5e1267a5 DM	79	returns => { type => 'null' },
80bfe1ff	80
5e1267a5 DM	81	code => sub {
5e1267a5 DM	82	my ($param) = @_;
80bfe1ff	83
06320eb0	84	my $code = sub {
a84f4d96 DM	85	my $ruleset = PVE::Firewall::compile();
a84f4d96 DM	86	PVE::Firewall::apply_ruleset($ruleset, $param->{verbose});
06320eb0 DM	87	};
	88
	89	PVE::Firewall::run_locked($code);
80bfe1ff DM	90
80bfe1ff DM	91	return undef;
80bfe1ff DM	92	}});
80bfe1ff DM	93
80bfe1ff DM	94	__PACKAGE__->register_method ({
	95	name => 'stop',
	96	path => 'stop',
	97	method => 'POST',
a332200b	98	description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
80bfe1ff DM	99	parameters => {
	100	additionalProperties => 0,
	101	properties => {},
	102	},
	103	returns => { type => 'null' },
	104
	105	code => sub {
	106	my ($param) = @_;
	107
06320eb0	108	my $code = sub {
b16e818e DM	109	my $chash = PVE::Firewall::iptables_get_chains();
b16e818e DM	110	my $cmdlist = "*filter\n";
dec84fcd	111	my $rule = "INPUT -j PVEFW-INPUT";
3fa83edf DM	112	if (PVE::Firewall::iptables_rule_exist($rule)) {
	113	$cmdlist .= "-D $rule\n";
	114	}
dec84fcd	115	$rule = "OUTPUT -j PVEFW-OUTPUT";
3fa83edf DM	116	if (PVE::Firewall::iptables_rule_exist($rule)) {
	117	$cmdlist .= "-D $rule\n";
	118	}
	119
dec84fcd	120	$rule = "FORWARD -j PVEFW-FORWARD";
3fa83edf DM	121	if (PVE::Firewall::iptables_rule_exist($rule)) {
	122	$cmdlist .= "-D $rule\n";
	123	}
	124
b16e818e DM	125	foreach my $chain (keys %$chash) {
	126	$cmdlist .= "-F $chain\n";
	127	}
	128	foreach my $chain (keys %$chash) {
	129	$cmdlist .= "-X $chain\n";
	130	}
	131	$cmdlist .= "COMMIT\n";
	132
	133	PVE::Firewall::iptables_restore_cmdlist($cmdlist);
06320eb0 DM	134	};
	135
	136	PVE::Firewall::run_locked($code);
80bfe1ff DM	137
	138	return undef;
	139	}});
	140
	141	my $nodename = PVE::INotify::nodename();
	142
	143	my $cmddef = {
	144	compile => [ __PACKAGE__, 'compile', []],
	145	start => [ __PACKAGE__, 'start', []],
	146	stop => [ __PACKAGE__, 'stop', []],
80bfe1ff DM	147	};
	148
	149	my $cmd = shift;
	150
	151	PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
b6360c3f DM	152
b6360c3f DM	153	exit(0);
80bfe1ff	154