[pve-firewall.git] / src / PVE / Service / pve_firewall.pm

package PVE::Service::pve_firewall;

use strict;
use warnings;
use PVE::SafeSyslog;
use PVE::Daemon;

use Time::HiRes qw (gettimeofday);
use PVE::Tools qw(dir_glob_foreach file_read_firstline);
use PVE::ProcFSTools;
use PVE::INotify;
use PVE::Cluster qw(cfs_read_file);
use PVE::Corosync;
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::Firewall;
use PVE::FirewallSimulator;
use Data::Dumper;

use base qw(PVE::Daemon);

my $cmdline = [$0, @ARGV];

my %daemon_options = (restart_on_error => 5, stop_wait_time => 5);

my $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options);

my $nodename = PVE::INotify::nodename();

sub init {

    PVE::Cluster::cfs_update();

    PVE::Firewall::init();
}

my $restart_request = 0;
my $next_update = 0;

my $cycle = 0;
my $updatetime = 10;

my $initial_memory_usage;

sub shutdown {
    my ($self) = @_;

    syslog('info' , "server closing");

    # wait for children
    1 while (waitpid(-1, POSIX::WNOHANG()) > 0);

    syslog('info' , "clear firewall rules");

    eval { PVE::Firewall::remove_pvefw_chains(); };
    warn $@ if $@;

    $self->exit_daemon(0);
}

sub hup {
    my ($self) = @_;

    $restart_request = 1;
}

sub run {
    my ($self) = @_;

    local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs

    for (;;) { # forever

	$next_update = time() + $updatetime;

	my ($ccsec, $cusec) = gettimeofday ();
	eval {
	    PVE::Cluster::cfs_update();
	    PVE::Firewall::update();
	};
	my $err = $@;

	if ($err) {
	    syslog('err', "status update error: $err");
	}

	my ($ccsec_end, $cusec_end) = gettimeofday ();
	my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;

	syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
	    if ($cptime > 5);

	$cycle++;

	my $mem = PVE::ProcFSTools::read_memory_usage();

	if (!defined($initial_memory_usage) || ($cycle < 10)) {
	    $initial_memory_usage = $mem->{resident};
	} else {
	    my $diff = $mem->{resident} - $initial_memory_usage;
	    if ($diff > 5*1024*1024) {
		syslog ('info', "restarting server after $cycle cycles to " .
			"reduce memory usage (free $mem->{resident} ($diff) bytes)");
		$self->restart_daemon();
	    }
	}

	my $wcount = 0;
	while ((time() < $next_update) &&
	       ($wcount < $updatetime) && # protect against time wrap
	       !$restart_request) { $wcount++; sleep (1); };

	$self->restart_daemon() if $restart_request;
    }
}

$daemon->register_start_command("Start the Proxmox VE firewall service.");
$daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
$daemon->register_stop_command("Stop firewall. This removes all Proxmox VE " .
			       "related iptable rules. " .
			       "The host is unprotected afterwards.");

__PACKAGE__->register_method ({
    name => 'status',
    path => 'status',
    method => 'GET',
    description => "Get firewall status.",
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'object',
	additionalProperties => 0,
	properties => {
	    status => {
		type => 'string',
		enum => ['unknown', 'stopped', 'running'],
	    },
	    enable => {
		description => "Firewall is enabled (in 'cluster.fw')",
		type => 'boolean',
	    },
	    changes => {
		description => "Set when there are pending changes.",
		type => 'boolean',
		optional => 1,
	    }
	},
    },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $code = sub {

	    my $status = $daemon->running() ? 'running' : 'stopped';

	    my $res = { status => $status };

	    PVE::Firewall::set_verbose(1); # show syntax errors

	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
	    $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;

	    if ($status eq 'running') {

		my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);

		PVE::Firewall::set_verbose(0); # do not show iptables details
		my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
		my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
		my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
		my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);

		$res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) ? 1 : 0;
	    }

	    return $res;
	};

	return PVE::Firewall::run_locked($code);
    }});

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'GET',
    description => "Compile and print firewall rules. This is useful for testing.",
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $code = sub {

	    PVE::Firewall::set_verbose(1);

	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
	    my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);

	    print "ipset cmdlist:\n";
	    my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);

	    print "\niptables cmdlist:\n";
	    my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);

	    print "\nip6tables cmdlist:\n";
	    my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");

	    print "\nebtables cmdlist:\n";
	    my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);

	    if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) {
		print "detected changes\n";
	    } else {
		print "no changes\n";
	    }
	    if (!$cluster_conf->{options}->{enable}) {
		print "firewall disabled\n";
	    }

	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'localnet',
    path => 'localnet',
    method => 'GET',
    description => "Print information about local network.",
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $nodename = PVE::INotify::nodename();
	print "local hostname: $nodename\n";

	my $ip = PVE::Cluster::remote_node_ip($nodename);
	print "local IP address: $ip\n";

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

	my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
	print "network auto detect: $localnet\n";
	if ($cluster_conf->{aliases}->{local_network}) {
	    print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
	} else {
	    print "using detected local_network: $localnet\n";
	}

	if (PVE::Corosync::check_conf_exists(1)) {
	    my $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf");
	    my $corosync_node_found = 0;

	    print "\naccepting corosync traffic from/to:\n";

	    PVE::Corosync::for_all_corosync_addresses($corosync_conf, undef, sub {
		my ($curr_node_name, $curr_node_ip, undef, $key) = @_;

		if (!$corosync_node_found) {
		    $corosync_node_found = 1;
		}

		$key =~ m/(?:ring|link)(\d+)_addr/;
		print " - $curr_node_name: $curr_node_ip (link: $1)\n";
	    });

	    if (!$corosync_node_found) {
		print " - no nodes found\n";
	    }
	}

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'simulate',
    path => 'simulate',
    method => 'GET',
    description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => 'boolean',
		optional => 1,
		default => 0,
	    },
	    from => {
		description => "Source zone.",
		type => 'string',
		pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
		optional => 1,
		default => 'outside',
	    },
	    to => {
		description => "Destination zone.",
		type => 'string',
		pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
		optional => 1,
		default => 'host',
	    },
	    protocol => {
		description => "Protocol.",
		type => 'string',
		pattern => '(tcp|udp)',
		optional => 1,
		default => 'tcp',
	    },
	    dport => {
		description => "Destination port.",
		type => 'integer',
		minValue => 1,
		maxValue => 65535,
		optional => 1,
	    },
	    sport => {
		description => "Source port.",
		type => 'integer',
		minValue => 1,
		maxValue => 65535,
		optional => 1,
	    },
	    source => {
		description => "Source IP address.",
		type => 'string', format => 'ipv4',
		optional => 1,
	    },
	    dest => {
		description => "Destination IP address.",
		type => 'string', format => 'ipv4',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	PVE::Firewall::set_verbose($param->{verbose});

	my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile();

	PVE::FirewallSimulator::debug();

	my $host_ip = PVE::Cluster::remote_node_ip($nodename);

	PVE::FirewallSimulator::reset_trace();
	print Dumper($ruleset) if $param->{verbose};

	my $test = {
	    from => $param->{from},
	    to => $param->{to},
	    proto => $param->{protocol} || 'tcp',
	    source => $param->{source},
	    dest => $param->{dest},
	    dport => $param->{dport},
	    sport => $param->{sport},
	};

	if (!defined($test->{to})) {
	    $test->{to} = 'host';
	    PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
	}
	if (!defined($test->{from})) {
	    $test->{from} = 'outside',
	    PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
	}

	my $vmdata = PVE::Firewall::read_local_vm_config();

	print "Test packet:\n";

	foreach my $k (qw(from to proto source dest dport sport)) {
	    printf("  %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
	}

	$test->{action} = 'QUERY';

	my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
							    $host_ip, $vmdata, $test);

	print "ACTION: $res\n";

	return undef;
    }});

our $cmddef = {
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    compile => [ __PACKAGE__, 'compile', []],
    simulate => [ __PACKAGE__, 'simulate', []],
    localnet => [ __PACKAGE__, 'localnet', []],
    status => [ __PACKAGE__, 'status', [], undef, sub {
	my $res = shift;
	my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};

	if ($res->{changes}) {
	    print "Status: $status (pending changes)\n";
	} else {
	    print "Status: $status\n";
	}
    }],
 };

1;
Commit	Line	Data
0c32b7fb DM	1	package PVE::Service::pve_firewall;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::SafeSyslog;
	6	use PVE::Daemon;
	7
	8	use Time::HiRes qw (gettimeofday);
	9	use PVE::Tools qw(dir_glob_foreach file_read_firstline);
	10	use PVE::ProcFSTools;
	11	use PVE::INotify;
	12	use PVE::Cluster qw(cfs_read_file);
c89fafa2	13	use PVE::Corosync;
0c32b7fb DM	14	use PVE::RPCEnvironment;
	15	use PVE::CLIHandler;
	16	use PVE::Firewall;
	17	use PVE::FirewallSimulator;
	18	use Data::Dumper;
	19
	20	use base qw(PVE::Daemon);
	21
	22	my $cmdline = [$0, @ARGV];
	23
	24	my %daemon_options = (restart_on_error => 5, stop_wait_time => 5);
	25
	26	my $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options);
	27
	28	my $nodename = PVE::INotify::nodename();
	29
	30	sub init {
	31
	32	PVE::Cluster::cfs_update();
2e2b71e1	33
0c32b7fb DM	34	PVE::Firewall::init();
	35	}
	36
	37	my $restart_request = 0;
	38	my $next_update = 0;
	39
2e2b71e1	40	my $cycle = 0;
0c32b7fb DM	41	my $updatetime = 10;
	42
	43	my $initial_memory_usage;
	44
	45	sub shutdown {
	46	my ($self) = @_;
	47
	48	syslog('info' , "server closing");
	49
	50	# wait for children
	51	1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
2e2b71e1	52
0c32b7fb DM	53	syslog('info' , "clear firewall rules");
	54
	55	eval { PVE::Firewall::remove_pvefw_chains(); };
	56	warn $@ if $@;
	57
	58	$self->exit_daemon(0);
	59	}
	60
	61	sub hup {
	62	my ($self) = @_;
	63
	64	$restart_request = 1;
	65	}
	66
	67	sub run {
	68	my ($self) = @_;
	69
	70	local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
	71
	72	for (;;) { # forever
	73
	74	$next_update = time() + $updatetime;
	75
	76	my ($ccsec, $cusec) = gettimeofday ();
	77	eval {
	78	PVE::Cluster::cfs_update();
	79	PVE::Firewall::update();
	80	};
	81	my $err = $@;
2e2b71e1	82
0c32b7fb DM	83	if ($err) {
	84	syslog('err', "status update error: $err");
	85	}
	86
	87	my ($ccsec_end, $cusec_end) = gettimeofday ();
	88	my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
	89
	90	syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
	91	if ($cptime > 5);
	92
	93	$cycle++;
	94
	95	my $mem = PVE::ProcFSTools::read_memory_usage();
2e2b71e1	96
0c32b7fb DM	97	if (!defined($initial_memory_usage) \|\| ($cycle < 10)) {
	98	$initial_memory_usage = $mem->{resident};
	99	} else {
	100	my $diff = $mem->{resident} - $initial_memory_usage;
	101	if ($diff > 510241024) {
	102	syslog ('info', "restarting server after $cycle cycles to " .
	103	"reduce memory usage (free $mem->{resident} ($diff) bytes)");
	104	$self->restart_daemon();
	105	}
	106	}
	107
	108	my $wcount = 0;
2e2b71e1	109	while ((time() < $next_update) &&
0c32b7fb DM	110	($wcount < $updatetime) && # protect against time wrap
0c32b7fb DM	111	!$restart_request) { $wcount++; sleep (1); };
2e2b71e1	112
0c32b7fb DM	113	$self->restart_daemon() if $restart_request;
	114	}
	115	}
	116
	117	$daemon->register_start_command("Start the Proxmox VE firewall service.");
	118	$daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
	119	$daemon->register_stop_command("Stop firewall. This removes all Proxmox VE " .
	120	"related iptable rules. " .
	121	"The host is unprotected afterwards.");
	122
	123	__PACKAGE__->register_method ({
	124	name => 'status',
	125	path => 'status',
	126	method => 'GET',
	127	description => "Get firewall status.",
	128	parameters => {
2e2b71e1	129	additionalProperties => 0,
0c32b7fb DM	130	properties => {},
0c32b7fb DM	131	},
2e2b71e1	132	returns => {
0c32b7fb DM	133	type => 'object',
	134	additionalProperties => 0,
	135	properties => {
	136	status => {
	137	type => 'string',
	138	enum => ['unknown', 'stopped', 'running'],
	139	},
	140	enable => {
	141	description => "Firewall is enabled (in 'cluster.fw')",
	142	type => 'boolean',
	143	},
	144	changes => {
	145	description => "Set when there are pending changes.",
	146	type => 'boolean',
	147	optional => 1,
	148	}
	149	},
	150	},
	151	code => sub {
	152	my ($param) = @_;
	153
	154	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	155
	156	my $code = sub {
	157
	158	my $status = $daemon->running() ? 'running' : 'stopped';
	159
	160	my $res = { status => $status };
	161
40af93c4 TL	162	PVE::Firewall::set_verbose(1); # show syntax errors
	163
	164	my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
0c32b7fb DM	165	$res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
	166
	167	if ($status eq 'running') {
2e2b71e1	168
40af93c4	169	my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
0c32b7fb	170
40af93c4 TL	171	PVE::Firewall::set_verbose(0); # do not show iptables details
	172	my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
	173	my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
	174	my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
	175	my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
0c32b7fb	176
151c209e	177	$res->{changes} = ($ipset_changes \|\| $ruleset_changes \|\| $ruleset_changesv6 \|\| $ebtables_changes) ? 1 : 0;
0c32b7fb DM	178	}
	179
	180	return $res;
	181	};
	182
	183	return PVE::Firewall::run_locked($code);
	184	}});
	185
	186	__PACKAGE__->register_method ({
	187	name => 'compile',
	188	path => 'compile',
	189	method => 'GET',
	190	description => "Compile and print firewall rules. This is useful for testing.",
	191	parameters => {
2e2b71e1	192	additionalProperties => 0,
0c32b7fb DM	193	properties => {},
	194	},
	195	returns => { type => 'null' },
	196
	197	code => sub {
	198	my ($param) = @_;
	199
	200	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	201
	202	my $code = sub {
	203
40af93c4	204	PVE::Firewall::set_verbose(1);
0c32b7fb	205
40af93c4 TL	206	my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
40af93c4 TL	207	my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
0c32b7fb DM	208
0c32b7fb DM	209	print "ipset cmdlist:\n";
40af93c4	210	my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
0c32b7fb DM	211
0c32b7fb DM	212	print "\niptables cmdlist:\n";
40af93c4	213	my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
0c32b7fb DM	214
0c32b7fb DM	215	print "\nip6tables cmdlist:\n";
40af93c4	216	my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
0c32b7fb	217
151c209e	218	print "\nebtables cmdlist:\n";
40af93c4	219	my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
151c209e AD	220
151c209e AD	221	if ($ipset_changes \|\| $ruleset_changes \|\| $ruleset_changesv6 \|\| $ebtables_changes) {
0c32b7fb DM	222	print "detected changes\n";
	223	} else {
	224	print "no changes\n";
	225	}
	226	if (!$cluster_conf->{options}->{enable}) {
	227	print "firewall disabled\n";
	228	}
	229
	230	};
	231
	232	PVE::Firewall::run_locked($code);
	233
	234	return undef;
	235	}});
	236
	237	__PACKAGE__->register_method ({
	238	name => 'localnet',
	239	path => 'localnet',
	240	method => 'GET',
	241	description => "Print information about local network.",
	242	parameters => {
2e2b71e1	243	additionalProperties => 0,
0c32b7fb DM	244	properties => {},
	245	},
	246	returns => { type => 'null' },
	247	code => sub {
	248	my ($param) = @_;
	249
	250	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	251
	252	my $nodename = PVE::INotify::nodename();
	253	print "local hostname: $nodename\n";
	254
	255	my $ip = PVE::Cluster::remote_node_ip($nodename);
	256	print "local IP address: $ip\n";
	257
	258	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
2e2b71e1	259
0c32b7fb DM	260	my $localnet = PVE::Firewall::local_network() \|\| '127.0.0.0/8';
	261	print "network auto detect: $localnet\n";
	262	if ($cluster_conf->{aliases}->{local_network}) {
	263	print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
	264	} else {
	265	print "using detected local_network: $localnet\n";
	266	}
	267
c89fafa2 SR	268	if (PVE::Corosync::check_conf_exists(1)) {
	269	my $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf");
	270	my $corosync_node_found = 0;
	271
	272	print "\naccepting corosync traffic from/to:\n";
	273
	274	PVE::Corosync::for_all_corosync_addresses($corosync_conf, undef, sub {
ae2dc2fa	275	my ($curr_node_name, $curr_node_ip, undef, $key) = @_;
c89fafa2 SR	276
	277	if (!$corosync_node_found) {
	278	$corosync_node_found = 1;
	279	}
	280
	281	$key =~ m/(?:ring\|link)(\d+)_addr/;
ae2dc2fa	282	print " - $curr_node_name: $curr_node_ip (link: $1)\n";
c89fafa2 SR	283	});
	284
	285	if (!$corosync_node_found) {
	286	print " - no nodes found\n";
	287	}
	288	}
	289
0c32b7fb DM	290	return undef;
	291	}});
	292
	293	__PACKAGE__->register_method ({
	294	name => 'simulate',
	295	path => 'simulate',
	296	method => 'GET',
	297	description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
	298	parameters => {
2e2b71e1	299	additionalProperties => 0,
0c32b7fb DM	300	properties => {
	301	verbose => {
	302	description => "Verbose output.",
	303	type => 'boolean',
	304	optional => 1,
	305	default => 0,
	306	},
	307	from => {
	308	description => "Source zone.",
	309	type => 'string',
	310	pattern => '(host\|outside\|vm\d+\|ct\d+\|vmbr\d+/\S+)',
	311	optional => 1,
	312	default => 'outside',
	313	},
	314	to => {
	315	description => "Destination zone.",
	316	type => 'string',
	317	pattern => '(host\|outside\|vm\d+\|ct\d+\|vmbr\d+/\S+)',
	318	optional => 1,
	319	default => 'host',
	320	},
	321	protocol => {
	322	description => "Protocol.",
	323	type => 'string',
	324	pattern => '(tcp\|udp)',
	325	optional => 1,
	326	default => 'tcp',
	327	},
	328	dport => {
	329	description => "Destination port.",
	330	type => 'integer',
	331	minValue => 1,
	332	maxValue => 65535,
	333	optional => 1,
	334	},
	335	sport => {
	336	description => "Source port.",
	337	type => 'integer',
	338	minValue => 1,
	339	maxValue => 65535,
	340	optional => 1,
	341	},
	342	source => {
	343	description => "Source IP address.",
	344	type => 'string', format => 'ipv4',
	345	optional => 1,
	346	},
	347	dest => {
	348	description => "Destination IP address.",
	349	type => 'string', format => 'ipv4',
	350	optional => 1,
	351	},
	352	},
	353	},
	354	returns => { type => 'null' },
	355	code => sub {
	356	my ($param) = @_;
	357
	358	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	359
40af93c4 TL	360	PVE::Firewall::set_verbose($param->{verbose});
	361
	362	my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile();
0c32b7fb	363
40af93c4	364	PVE::FirewallSimulator::debug();
2e2b71e1	365
0c32b7fb DM	366	my $host_ip = PVE::Cluster::remote_node_ip($nodename);
	367
	368	PVE::FirewallSimulator::reset_trace();
	369	print Dumper($ruleset) if $param->{verbose};
	370
	371	my $test = {
	372	from => $param->{from},
	373	to => $param->{to},
	374	proto => $param->{protocol} \|\| 'tcp',
	375	source => $param->{source},
	376	dest => $param->{dest},
	377	dport => $param->{dport},
	378	sport => $param->{sport},
	379	};
	380
	381	if (!defined($test->{to})) {
	382	$test->{to} = 'host';
2e2b71e1 SR	383	PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
2e2b71e1 SR	384	}
0c32b7fb DM	385	if (!defined($test->{from})) {
0c32b7fb DM	386	$test->{from} = 'outside',
2e2b71e1	387	PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
0c32b7fb DM	388	}
	389
	390	my $vmdata = PVE::Firewall::read_local_vm_config();
	391
	392	print "Test packet:\n";
	393
	394	foreach my $k (qw(from to proto source dest dport sport)) {
	395	printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
	396	}
	397
	398	$test->{action} = 'QUERY';
	399
2e2b71e1	400	my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
0c32b7fb	401	$host_ip, $vmdata, $test);
2e2b71e1	402
0c32b7fb DM	403	print "ACTION: $res\n";
	404
	405	return undef;
	406	}});
	407
	408	our $cmddef = {
	409	start => [ __PACKAGE__, 'start', []],
	410	restart => [ __PACKAGE__, 'restart', []],
	411	stop => [ __PACKAGE__, 'stop', []],
	412	compile => [ __PACKAGE__, 'compile', []],
	413	simulate => [ __PACKAGE__, 'simulate', []],
	414	localnet => [ __PACKAGE__, 'localnet', []],
	415	status => [ __PACKAGE__, 'status', [], undef, sub {
	416	my $res = shift;
	417	my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};
2e2b71e1	418
0c32b7fb DM	419	if ($res->{changes}) {
	420	print "Status: $status (pending changes)\n";
	421	} else {
	422	print "Status: $status\n";
	423	}
	424	}],
	425	};
	426
	427	1;