]>
Commit | Line | Data |
---|---|---|
b6360c3f DM |
1 | #!/usr/bin/perl -w |
2 | ||
3 | use strict; | |
4 | use lib qw(.); | |
5 | use PVE::Firewall; | |
dddd9413 | 6 | |
80bfe1ff DM |
7 | use PVE::SafeSyslog; |
8 | use PVE::Cluster; | |
9 | use PVE::INotify; | |
10 | use PVE::RPCEnvironment; | |
b6360c3f | 11 | |
80bfe1ff DM |
12 | use PVE::JSONSchema qw(get_standard_option); |
13 | ||
14 | use PVE::CLIHandler; | |
15 | ||
16 | use base qw(PVE::CLIHandler); | |
17 | ||
18 | $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin'; | |
19 | ||
20 | initlog ('pvefw'); | |
21 | ||
22 | die "please run as root\n" if $> != 0; | |
23 | ||
24 | PVE::INotify::inotify_init(); | |
25 | ||
26 | my $rpcenv = PVE::RPCEnvironment->init('cli'); | |
27 | ||
28 | $rpcenv->init_request(); | |
29 | $rpcenv->set_language($ENV{LANG}); | |
30 | $rpcenv->set_user('root@pam'); | |
b6360c3f | 31 | |
3a616aa0 | 32 | __PACKAGE__->register_method({ |
462a6553 AD |
33 | name => 'enablevmfw', |
34 | path => 'enablevmfw', | |
3a616aa0 AD |
35 | method => 'POST', |
36 | parameters => { | |
37 | additionalProperties => 0, | |
38 | properties => { | |
39 | vmid => get_standard_option('pve-vmid'), | |
40 | netid => { | |
41 | type => 'string', | |
462a6553 | 42 | optional => 1 |
3a616aa0 | 43 | }, |
3a616aa0 AD |
44 | }, |
45 | }, | |
46 | returns => { type => 'null' }, | |
47 | code => sub { | |
48 | my ($param) = @_; | |
49 | ||
50 | # test if VM exists | |
51 | my $vmid = $param->{vmid}; | |
52 | my $netid = $param->{netid}; | |
53 | ||
06320eb0 DM |
54 | my $code = sub { |
55 | my $conf = PVE::QemuServer::load_config($vmid); | |
56 | ||
57 | foreach my $opt (keys %$conf) { | |
58 | next if $opt !~ m/^net(\d+)$/; | |
59 | my $net = PVE::QemuServer::parse_net($conf->{$opt}); | |
60 | next if !$net; | |
61 | next if $netid && $opt != $netid; | |
62 | PVE::Firewall::generate_tap_rules($net, $opt, $vmid); | |
63 | } | |
64 | }; | |
65 | ||
66 | PVE::Firewall::run_locked($code); | |
67 | ||
68 | return undef; | |
3a616aa0 AD |
69 | }}); |
70 | ||
71 | __PACKAGE__->register_method({ | |
462a6553 AD |
72 | name => 'disablevmfw', |
73 | path => 'disablevmfw', | |
3a616aa0 AD |
74 | method => 'POST', |
75 | parameters => { | |
76 | additionalProperties => 0, | |
77 | properties => { | |
78 | vmid => get_standard_option('pve-vmid'), | |
79 | netid => { | |
80 | type => 'string', | |
462a6553 | 81 | optional => 1 |
3a616aa0 AD |
82 | }, |
83 | ||
84 | }, | |
85 | }, | |
86 | returns => { type => 'null' }, | |
87 | code => sub { | |
88 | my ($param) = @_; | |
89 | ||
90 | # test if VM exists | |
91 | my $vmid = $param->{vmid}; | |
92 | my $netid = $param->{netid}; | |
93 | ||
3a616aa0 | 94 | |
06320eb0 DM |
95 | my $code = sub { |
96 | my $conf = PVE::QemuServer::load_config($vmid); | |
97 | ||
98 | foreach my $opt (keys %$conf) { | |
99 | next if $opt !~ m/^net(\d+)$/; | |
100 | my $net = PVE::QemuServer::parse_net($conf->{$opt}); | |
101 | next if !$net; | |
102 | next if $netid && $opt != $netid; | |
103 | PVE::Firewall::flush_tap_rules($net, $opt, $vmid); | |
104 | } | |
105 | }; | |
106 | ||
107 | PVE::Firewall::run_locked($code); | |
3a616aa0 AD |
108 | |
109 | return undef; | |
110 | }}); | |
9aab3127 | 111 | |
9d31b418 AD |
112 | __PACKAGE__->register_method({ |
113 | name => 'enablegroup', | |
114 | path => 'enablegroup', | |
115 | method => 'POST', | |
116 | parameters => { | |
117 | additionalProperties => 0, | |
118 | properties => { | |
119 | securitygroup => { | |
120 | type => 'string', | |
121 | }, | |
122 | }, | |
123 | }, | |
124 | returns => { type => 'null' }, | |
125 | code => sub { | |
126 | my ($param) = @_; | |
127 | ||
06320eb0 DM |
128 | my $code = sub { |
129 | my $group = $param->{securitygroup}; | |
130 | PVE::Firewall::enable_group_rules($group); | |
131 | }; | |
9d31b418 | 132 | |
06320eb0 DM |
133 | PVE::Firewall::run_locked($code); |
134 | ||
9d31b418 AD |
135 | return undef; |
136 | }}); | |
137 | ||
138 | __PACKAGE__->register_method({ | |
139 | name => 'disablegroup', | |
140 | path => 'disablegroup', | |
141 | method => 'POST', | |
142 | parameters => { | |
143 | additionalProperties => 0, | |
144 | properties => { | |
145 | securitygroup => { | |
146 | type => 'string', | |
147 | }, | |
148 | ||
149 | }, | |
150 | }, | |
151 | returns => { type => 'null' }, | |
152 | code => sub { | |
153 | my ($param) = @_; | |
154 | ||
06320eb0 DM |
155 | my $code = sub { |
156 | my $group = $param->{securitygroup}; | |
157 | PVE::Firewall::disable_group_rules($group); | |
158 | }; | |
159 | ||
160 | PVE::Firewall::run_locked($code); | |
9d31b418 AD |
161 | |
162 | return undef; | |
163 | }}); | |
164 | ||
0bd5f137 AD |
165 | __PACKAGE__->register_method({ |
166 | name => 'enablehostfw', | |
167 | path => 'enablehostfw', | |
168 | method => 'POST', | |
169 | parameters => { | |
170 | additionalProperties => 0, | |
171 | properties => {}, | |
172 | }, | |
173 | returns => { type => 'null' }, | |
174 | ||
175 | code => sub { | |
176 | my ($param) = @_; | |
177 | ||
06320eb0 DM |
178 | my $code = sub { |
179 | PVE::Firewall::enablehostfw(); | |
180 | }; | |
181 | ||
182 | PVE::Firewall::run_locked($code); | |
0bd5f137 AD |
183 | |
184 | return undef; | |
185 | }}); | |
186 | ||
187 | __PACKAGE__->register_method({ | |
188 | name => 'disablehostfw', | |
189 | path => 'disablehostfw', | |
190 | method => 'POST', | |
191 | parameters => { | |
192 | additionalProperties => 0, | |
193 | properties => {}, | |
194 | }, | |
195 | returns => { type => 'null' }, | |
196 | ||
197 | code => sub { | |
198 | my ($param) = @_; | |
199 | ||
06320eb0 DM |
200 | my $code = sub { |
201 | PVE::Firewall::disablehostfw(); | |
202 | }; | |
203 | ||
204 | PVE::Firewall::run_locked($code); | |
0bd5f137 AD |
205 | |
206 | return undef; | |
207 | }}); | |
208 | ||
80bfe1ff DM |
209 | __PACKAGE__->register_method ({ |
210 | name => 'compile', | |
211 | path => 'compile', | |
212 | method => 'POST', | |
213 | description => "Compile firewall rules.", | |
214 | parameters => { | |
215 | additionalProperties => 0, | |
216 | properties => {}, | |
217 | }, | |
218 | returns => { type => 'null' }, | |
219 | ||
220 | code => sub { | |
221 | my ($param) = @_; | |
222 | ||
06320eb0 DM |
223 | my $code = sub { |
224 | PVE::Firewall::compile(); | |
225 | }; | |
226 | ||
227 | PVE::Firewall::run_locked($code); | |
f789653a | 228 | |
5e1267a5 DM |
229 | return undef; |
230 | }}); | |
80bfe1ff | 231 | |
5e1267a5 DM |
232 | __PACKAGE__->register_method ({ |
233 | name => 'start', | |
234 | path => 'start', | |
235 | method => 'POST', | |
a332200b | 236 | description => "Start (or restart if already active) firewall.", |
5e1267a5 DM |
237 | parameters => { |
238 | additionalProperties => 0, | |
239 | properties => {}, | |
240 | }, | |
241 | returns => { type => 'null' }, | |
80bfe1ff | 242 | |
5e1267a5 DM |
243 | code => sub { |
244 | my ($param) = @_; | |
80bfe1ff | 245 | |
06320eb0 DM |
246 | my $code = sub { |
247 | PVE::Firewall::compile_and_start(); | |
248 | }; | |
249 | ||
250 | PVE::Firewall::run_locked($code); | |
80bfe1ff DM |
251 | |
252 | return undef; | |
80bfe1ff DM |
253 | }}); |
254 | ||
80bfe1ff DM |
255 | __PACKAGE__->register_method ({ |
256 | name => 'stop', | |
257 | path => 'stop', | |
258 | method => 'POST', | |
a332200b | 259 | description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.", |
80bfe1ff DM |
260 | parameters => { |
261 | additionalProperties => 0, | |
262 | properties => {}, | |
263 | }, | |
264 | returns => { type => 'null' }, | |
265 | ||
266 | code => sub { | |
267 | my ($param) = @_; | |
268 | ||
06320eb0 DM |
269 | my $code = sub { |
270 | die "implement me"; | |
271 | }; | |
272 | ||
273 | PVE::Firewall::run_locked($code); | |
80bfe1ff DM |
274 | |
275 | return undef; | |
276 | }}); | |
277 | ||
278 | my $nodename = PVE::INotify::nodename(); | |
279 | ||
280 | my $cmddef = { | |
281 | compile => [ __PACKAGE__, 'compile', []], | |
282 | start => [ __PACKAGE__, 'start', []], | |
5e1267a5 | 283 | restart => [ __PACKAGE__, 'restart', []], |
80bfe1ff | 284 | stop => [ __PACKAGE__, 'stop', []], |
462a6553 AD |
285 | enablevmfw => [ __PACKAGE__, 'enablevmfw', []], |
286 | disablevmfw => [ __PACKAGE__, 'disablevmfw', []], | |
0bd5f137 AD |
287 | enablehostfw => [ __PACKAGE__, 'enablehostfw', []], |
288 | disablehostfw => [ __PACKAGE__, 'disablehostfw', []], | |
9d31b418 AD |
289 | enablegroup => [ __PACKAGE__, 'enablegroup', []], |
290 | disablegroup => [ __PACKAGE__, 'disablegroup', []], | |
80bfe1ff DM |
291 | }; |
292 | ||
293 | my $cmd = shift; | |
294 | ||
295 | PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0); | |
b6360c3f DM |
296 | |
297 | exit(0); | |
80bfe1ff | 298 |