experimental code to read existing chains and compute SHA1 checksum
1#!/usr/bin/perl -w
2
3use strict;
4use lib qw(.);
5use PVE::Firewall;
7use PVE::SafeSyslog;
8use PVE::Cluster;
9use PVE::INotify;
10use PVE::RPCEnvironment;
12use PVE::JSONSchema qw(get_standard_option);
14use PVE::CLIHandler;
16use base qw(PVE::CLIHandler);
# Pin PATH to system directories so any helper binaries are resolved
# from well-known locations only.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog('pvefw');

# Firewall manipulation requires root; bail out early with a plain message.
$> == 0 or die "please run as root\n";

PVE::INotify::inotify_init();

# Set up a CLI RPC environment and run every command as root@pam.
my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
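# enablevmfw: generate the firewall rules for the tap devices of one VM,
# either for every netX device of the VM or only for the device named by
# the optional 'netid' parameter (e.g. 'net0').
__PACKAGE__->register_method({
    name => 'enablevmfw',
    path => 'enablevmfw',
    method => 'POST',
    description => "Generate firewall rules for the tap devices of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                description => "Only handle this network device (e.g. 'net0'). Default is all devices.",
                type => 'string',
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        my $code = sub {
            # NOTE(review): PVE::QemuServer is not use'd in this file;
            # presumably PVE::Firewall loads it - confirm. load_config is
            # relied upon to die when the VM does not exist.
            my $conf = PVE::QemuServer::load_config($vmid);

            foreach my $opt (keys %$conf) {
                next if $opt !~ m/\Anet\d+\z/;
                my $net = PVE::QemuServer::parse_net($conf->{$opt});
                next if !$net;
                # $opt and $netid are strings like 'net0'. A numeric
                # compare ('!=') numifies both to 0 and therefore never
                # filters, so a netid restriction would silently apply
                # to every device; compare as strings.
                next if $netid && $opt ne $netid;
                PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
            }
        };

        # All rule changes are serialized through the firewall lock.
        PVE::Firewall::run_locked($code);

        return undef;
    }});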
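# disablevmfw: flush the firewall rules for the tap devices of one VM,
# either for every netX device of the VM or only for the device named by
# the optional 'netid' parameter (e.g. 'net0').
__PACKAGE__->register_method({
    name => 'disablevmfw',
    path => 'disablevmfw',
    method => 'POST',
    description => "Flush firewall rules for the tap devices of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                description => "Only handle this network device (e.g. 'net0'). Default is all devices.",
                type => 'string',
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        my $code = sub {
            # NOTE(review): PVE::QemuServer is not use'd in this file;
            # presumably PVE::Firewall loads it - confirm. load_config is
            # relied upon to die when the VM does not exist.
            my $conf = PVE::QemuServer::load_config($vmid);

            foreach my $opt (keys %$conf) {
                next if $opt !~ m/\Anet\d+\z/;
                my $net = PVE::QemuServer::parse_net($conf->{$opt});
                next if !$net;
                # $opt and $netid are strings like 'net0'. A numeric
                # compare ('!=') numifies both to 0 and therefore never
                # filters, so asking to flush a single device would
                # flush the rules of every device; compare as strings.
                next if $netid && $opt ne $netid;
                PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
            }
        };

        # All rule changes are serialized through the firewall lock.
        PVE::Firewall::run_locked($code);

        return undef;
    }});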
# enablegroup: install the rules of one security group, under the
# firewall lock.
__PACKAGE__->register_method({
    name => 'enablegroup',
    path => 'enablegroup',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => { type => 'string' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $group = $param->{securitygroup};

        # Serialize with every other rule change.
        PVE::Firewall::run_locked(sub {
            PVE::Firewall::enable_group_rules($group);
        });

        return undef;
    }});
# disablegroup: remove the rules of one security group, under the
# firewall lock.
__PACKAGE__->register_method({
    name => 'disablegroup',
    path => 'disablegroup',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => { type => 'string' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $group = $param->{securitygroup};

        # Serialize with every other rule change.
        PVE::Firewall::run_locked(sub {
            PVE::Firewall::disable_group_rules($group);
        });

        return undef;
    }});
# enablehostfw: enable the host firewall, under the firewall lock.
# Takes no parameters.
__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        PVE::Firewall::run_locked(sub { PVE::Firewall::enablehostfw() });

        return undef;
    }});
# disablehostfw: disable the host firewall, under the firewall lock.
# Takes no parameters.
__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        PVE::Firewall::run_locked(sub { PVE::Firewall::disablehostfw() });

        return undef;
    }});
# compile: build the firewall rule set without applying it, under the
# firewall lock. Takes no parameters.
__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        PVE::Firewall::run_locked(sub { PVE::Firewall::compile() });

        return undef;
    }});
# start: compile and apply the rule set, under the firewall lock. Per the
# description this also serves as a restart when the firewall is active.
# Takes no parameters.
__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start (or restart if already active) firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        PVE::Firewall::run_locked(sub { PVE::Firewall::compile_and_start() });

        return undef;
    }});
# stop: meant to remove every rule installed by this script. Still a stub.
# Takes no parameters.
__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        # TODO: the rule removal promised by the description is not
        # implemented yet; the command currently dies under the lock.
        PVE::Firewall::run_locked(sub { die "implement me" });

        return undef;
    }});
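# CLI dispatch table: sub-command => [ class, registered method name,
# names of positional arguments ]. Every method name listed here must be
# registered above, otherwise the sub-command fails at dispatch time.
my $cmddef = {
    compile       => [ __PACKAGE__, 'compile', [] ],
    start         => [ __PACKAGE__, 'start', [] ],
    # No 'restart' method is registered; 'start' already restarts an
    # active firewall (see its description), so alias it rather than
    # dispatch to a method that does not exist.
    restart       => [ __PACKAGE__, 'start', [] ],
    stop          => [ __PACKAGE__, 'stop', [] ],
    enablevmfw    => [ __PACKAGE__, 'enablevmfw', [] ],
    disablevmfw   => [ __PACKAGE__, 'disablevmfw', [] ],
    enablehostfw  => [ __PACKAGE__, 'enablehostfw', [] ],
    disablehostfw => [ __PACKAGE__, 'disablehostfw', [] ],
    enablegroup   => [ __PACKAGE__, 'enablegroup', [] ],
    disablegroup  => [ __PACKAGE__, 'disablegroup', [] ],
};

# First CLI word is the sub-command; the rest of @ARGV is left to the
# handler for parameter parsing.
my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);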