test if BRIDGEFW-OUT and BRIDGEFW-IN exist
[pve-firewall.git] / pvefw
CommitLineData
b6360c3f
DM
1#!/usr/bin/perl -w
2
3use strict;
4use lib qw(.);
5use PVE::Firewall;
dddd9413 6
80bfe1ff
DM
7use PVE::SafeSyslog;
8use PVE::Cluster;
9use PVE::INotify;
10use PVE::RPCEnvironment;
b6360c3f 11
80bfe1ff
DM
12use PVE::JSONSchema qw(get_standard_option);
13
14use PVE::CLIHandler;
15
16use base qw(PVE::CLIHandler);
17
18$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
19
20initlog ('pvefw');
21
22die "please run as root\n" if $> != 0;
23
24PVE::INotify::inotify_init();
25
26my $rpcenv = PVE::RPCEnvironment->init('cli');
27
28$rpcenv->init_request();
29$rpcenv->set_language($ENV{LANG});
30$rpcenv->set_user('root@pam');
b6360c3f 31
80bfe1ff
DM
32__PACKAGE__->register_method ({
33 name => 'compile',
34 path => 'compile',
35 method => 'POST',
3fa83edf 36 description => "Compile amd print firewall rules. This is only for testing.",
80bfe1ff
DM
37 parameters => {
38 additionalProperties => 0,
3fa83edf
DM
39 properties => {
40 verbose => {
41 description => "Verbose output.",
42 type => "boolean",
43 optional => 1,
44 default => 0,
45 },
46 },
80bfe1ff
DM
47 },
48 returns => { type => 'null' },
49
50 code => sub {
51 my ($param) = @_;
52
06320eb0 53 my $code = sub {
3fa83edf
DM
54 my $ruleset = PVE::Firewall::compile();
55 PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
06320eb0
DM
56 };
57
58 PVE::Firewall::run_locked($code);
f789653a 59
5e1267a5
DM
60 return undef;
61 }});
80bfe1ff 62
5e1267a5
DM
63__PACKAGE__->register_method ({
64 name => 'start',
65 path => 'start',
66 method => 'POST',
a332200b 67 description => "Start (or restart if already active) firewall.",
5e1267a5
DM
68 parameters => {
69 additionalProperties => 0,
3fa83edf
DM
70 properties => {
71 verbose => {
72 description => "Verbose output.",
73 type => "boolean",
74 optional => 1,
75 default => 0,
76 },
77 },
5e1267a5
DM
78 },
79 returns => { type => 'null' },
80bfe1ff 80
5e1267a5
DM
81 code => sub {
82 my ($param) = @_;
80bfe1ff 83
06320eb0 84 my $code = sub {
3fa83edf 85 PVE::Firewall::compile_and_start($param->{verbose});
06320eb0
DM
86 };
87
88 PVE::Firewall::run_locked($code);
80bfe1ff
DM
89
90 return undef;
80bfe1ff
DM
91 }});
92
80bfe1ff
DM
93__PACKAGE__->register_method ({
94 name => 'stop',
95 path => 'stop',
96 method => 'POST',
a332200b 97 description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
80bfe1ff
DM
98 parameters => {
99 additionalProperties => 0,
100 properties => {},
101 },
102 returns => { type => 'null' },
103
104 code => sub {
105 my ($param) = @_;
106
06320eb0 107 my $code = sub {
b16e818e
DM
108 my $chash = PVE::Firewall::iptables_get_chains();
109 my $cmdlist = "*filter\n";
3fa83edf
DM
110 my $rule = "INPUT -j proxmoxfw-INPUT";
111 if (PVE::Firewall::iptables_rule_exist($rule)) {
112 $cmdlist .= "-D $rule\n";
113 }
114 $rule = "OUTPUT -j proxmoxfw-OUTPUT";
115 if (PVE::Firewall::iptables_rule_exist($rule)) {
116 $cmdlist .= "-D $rule\n";
117 }
118
119 $rule = "FORWARD -j proxmoxfw-FORWARD";
120 if (PVE::Firewall::iptables_rule_exist($rule)) {
121 $cmdlist .= "-D $rule\n";
122 }
123
b16e818e
DM
124 foreach my $chain (keys %$chash) {
125 $cmdlist .= "-F $chain\n";
126 }
127 foreach my $chain (keys %$chash) {
128 $cmdlist .= "-X $chain\n";
129 }
130 $cmdlist .= "COMMIT\n";
131
132 PVE::Firewall::iptables_restore_cmdlist($cmdlist);
06320eb0
DM
133 };
134
135 PVE::Firewall::run_locked($code);
80bfe1ff
DM
136
137 return undef;
138 }});
139
140my $nodename = PVE::INotify::nodename();
141
142my $cmddef = {
143 compile => [ __PACKAGE__, 'compile', []],
144 start => [ __PACKAGE__, 'start', []],
145 stop => [ __PACKAGE__, 'stop', []],
80bfe1ff
DM
146};
147
148my $cmd = shift;
149
150PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
b6360c3f
DM
151
152exit(0);
80bfe1ff 153