[pve-firewall.git] / src / pve-firewall

#!/usr/bin/perl

use strict;
use warnings;
use PVE::SafeSyslog;
use POSIX ":sys_wait_h";
use Fcntl ':flock';
use Getopt::Long;
use Time::HiRes qw (gettimeofday);
use PVE::Tools qw(dir_glob_foreach file_read_firstline);
use PVE::INotify;
use PVE::Cluster qw(cfs_read_file);
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::Firewall;
use PVE::FirewallSimulator;
use Data::Dumper;

use base qw(PVE::CLIHandler);

my $pve_firewall_pidfile = "/var/run/pve-firewall.pid";

$SIG{'__WARN__'} = sub {
    my $err = $@;
    my $t = $_[0];
    chomp $t;
    print "$t\n";
    syslog('warning', "WARNING: %s", $t);
    $@ = $err;
};

initlog('pve-firewall');

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

my $nodename = PVE::INotify::nodename();

my $commandline = [$0, @ARGV];

$0 = "pve-firewall";

sub restart_server {
    my ($waittime) = @_;

    syslog('info', "server shutdown (restart)");

    $ENV{RESTART_PVE_FIREWALL} = 1;

    sleep($waittime) if $waittime; # avoid high server load due to restarts

    PVE::INotify::inotify_close();

    exec (@$commandline);
    exit (-1); # never reached?
}

sub cleanup {
    unlink "$pve_firewall_pidfile.lock";
    unlink $pve_firewall_pidfile;
}

sub lockpidfile {
    my $pidfile = shift;
    my $lkfn = "$pidfile.lock";

    if (!open (FLCK, ">>$lkfn")) {
	my $msg = "can't aquire lock on file '$lkfn' - $!";
	syslog ('err', $msg);
	die "ERROR: $msg\n";
    }

    if (!flock (FLCK, LOCK_EX|LOCK_NB)) {
	close (FLCK);
        my $msg = "can't aquire lock '$lkfn' - $!";
	syslog ('err', $msg);
	die "ERROR: $msg\n";
    }
}

sub writepidfile {
    my $pidfile = shift;

    if (!open (PIDFH, ">$pidfile")) {
	my $msg = "can't open pid file '$pidfile' - $!";
	syslog ('err', $msg);
	die "ERROR: $msg\n";
    } 
    print PIDFH "$$\n";
    close (PIDFH);
}

my $restart_request = 0;
my $next_update = 0;

my $cycle = 0; 
my $updatetime = 10;

my $initial_memory_usage;

sub run_server {
    my ($param) = @_;

    # try to get the lock
    lockpidfile($pve_firewall_pidfile);

    # run in background
    my $spid;

    my $restart = $ENV{RESTART_PVE_FIREWALL};

    delete $ENV{RESTART_PVE_FIREWALL};

    PVE::Cluster::cfs_update();
    
    PVE::Firewall::init();

    if (!$param->{debug}) {
	open STDIN,  '</dev/null' || die "can't read /dev/null";
	open STDOUT, '>/dev/null' || die "can't write /dev/null";
    }

    if (!$restart && !$param->{debug}) {
	$spid = fork();
	if (!defined ($spid)) {
	    my $msg =  "can't put server into background - fork failed";
	    syslog('err', $msg);
	    die "ERROR: $msg\n";
	} elsif ($spid) { # parent
	    exit (0);
	}
    } 

    writepidfile($pve_firewall_pidfile);

    open STDERR, '>&STDOUT' || die "can't close STDERR\n";
 
    $SIG{INT} = $SIG{TERM} = $SIG{QUIT} = sub { 
	syslog('info' , "server closing");

	$SIG{INT} = 'DEFAULT';

	# wait for children
	1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
	
	syslog('info' , "clear firewall rules");
	eval { PVE::Firewall::remove_pvefw_chains(); die "STOP";};
	warn $@ if $@;

	cleanup();

	exit (0);
    };

    $SIG{HUP} = sub {
	# wake up process, so this forces an immediate firewall rules update
	syslog('info' , "received signal HUP (restart)");
	$restart_request = 1;
    };

    if ($restart) {
	syslog('info' , "restarting server");
    } else {
	syslog('info' , "starting server");
    }

    for (;;) { # forever

	eval {

	    local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs

	    $next_update = time() + $updatetime;

	    my ($ccsec, $cusec) = gettimeofday ();
	    eval {
		PVE::Cluster::cfs_update();
		PVE::Firewall::update();
	    };
	    my $err = $@;

	    if ($err) {
		syslog('err', "status update error: $err");
	    }

	    my ($ccsec_end, $cusec_end) = gettimeofday ();
	    my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;

	    syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
		if ($cptime > 5);

	    $cycle++;

	    my $mem = PVE::ProcFSTools::read_memory_usage();

	    if (!defined($initial_memory_usage) || ($cycle < 10)) {
		$initial_memory_usage = $mem->{resident};
	    } else {
		my $diff = $mem->{resident} - $initial_memory_usage;
		if ($diff > 5*1024*1024) {
		    syslog ('info', "restarting server after $cycle cycles to " .
			    "reduce memory usage (free $mem->{resident} ($diff) bytes)");
		    restart_server();
		}
	    }

	    my $wcount = 0;
	    while ((time() < $next_update) && 
		   ($wcount < $updatetime) && # protect against time wrap
		   !$restart_request) { $wcount++; sleep (1); };

	    restart_server() if $restart_request;
	};

	my $err = $@;
    
	if ($err) {
	    syslog ('err', "ERROR: $err");
	    restart_server(5);
	    exit (0);
	}
    }
}

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start the Proxmox VE firewall service.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    debug => {
		description => "Debug mode - stay in foreground",
		type => "boolean",
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	run_server($param);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);

	if ($pid) {
	    if (PVE::ProcFSTools::check_process_running($pid)) {
		kill(15, $pid); # send TERM signal
		# give max 5 seconds to shut down
		for (my $i = 0; $i < 5; $i++) {
		    last if !PVE::ProcFSTools::check_process_running($pid);
		    sleep (1);
		}
       
		# to be sure
		kill(9, $pid); 
		waitpid($pid, 0);
	    }
	    if (-f $pve_firewall_pidfile) {
		# try to get the lock
		lockpidfile($pve_firewall_pidfile);
		cleanup();
	    }
	}

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'status',
    path => 'status',
    method => 'GET',
    description => "Get firewall status.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { 
	type => 'object',
	additionalProperties => 0,
	properties => {
	    status => {
		type => 'string',
		enum => ['unknown', 'stopped', 'active'],
	    },
	    changes => {
		description => "Set when there are pending changes.",
		type => 'boolean',
		optional => 1,
	    }
	},
    },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $code = sub {

	    my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
	    my $running = PVE::ProcFSTools::check_process_running($pid);

	    my $status = $running ? 'active' : 'stopped';

	    my $res = { status => $status };
	    if ($status eq 'active') {
		my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();

		my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
		my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
	      
		$res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
	    }

	    return $res;
	};

	return PVE::Firewall::run_locked($code);
    }});

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'GET',
    description => "Compile and print firewall rules. This is useful for testing.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $code = sub {
	    my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();

	    my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
	    my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
	    if ($ipset_changes || $ruleset_changes) {
		print "detected changes\n";
	    } else {
		print "no changes\n";
	    }
	};

	PVE::Firewall::run_locked($code);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'localnet',
    path => 'localnet',
    method => 'GET',
    description => "Print information about local network.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my $nodename = PVE::INotify::nodename();
	print "local hostname: $nodename\n";

	my $ip = PVE::Cluster::remote_node_ip($nodename);
	print "local IP address: $ip\n";

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	
	my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
	print "network auto detect: $localnet\n";
	if ($cluster_conf->{aliases}->{local_network}) {
	    print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
	} else {
	    print "using detected local_network: $localnet\n";
	}

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'simulate',
    path => 'simulate',
    method => 'GET',
    description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
    parameters => {
    	additionalProperties => 0,
	properties => {
	    verbose => {
		description => "Verbose output.",
		type => 'boolean',
		optional => 1,
		default => 0,
	    },
	    from => {
		description => "Source zone.",
		type => 'string',
		pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
		optional => 1,
		default => 'outside',
	    },
	    to => {
		description => "Destination zone.",
		type => 'string',
		pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
		optional => 1,
		default => 'host',
	    },
	    protocol => {
		description => "Protocol.",
		type => 'string',
		pattern => '(tcp|udp)',
		optional => 1,
		default => 'tcp',
	    },
	    dport => {
		description => "Destination port.",
		type => 'integer',
		minValue => 1,
		maxValue => 65535,
		optional => 1,
	    },
	    sport => {
		description => "Source port.",
		type => 'integer',
		minValue => 1,
		maxValue => 65535,
		optional => 1,
	    },
	    source => {
		description => "Source IP address.",
		type => 'string', format => 'ipv4',
		optional => 1,
	    },
	    dest => {
		description => "Destination IP address.",
		type => 'string', format => 'ipv4',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

	my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();

	PVE::FirewallSimulator::debug($param->{verbose} || 0);
	
	my $host_ip = PVE::Cluster::remote_node_ip($nodename);

	PVE::FirewallSimulator::reset_trace();
	print Dumper($ruleset) if $param->{verbose};

	my $test = {
	    from => $param->{from},
	    to => $param->{to},
	    proto => $param->{protocol} || 'tcp',
	    source => $param->{source},
	    dest => $param->{dest},
	    dport => $param->{dport},
	    sport => $param->{sport},
	};

	if (!defined($test->{to})) {
	    $test->{to} = 'host';
	    PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n"); 
	} 
	if (!defined($test->{from})) {
	    $test->{from} = 'outside',
	    PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n"); 
	}

	my $vmdata = PVE::Firewall::read_local_vm_config();

	print "Test packet:\n";

	foreach my $k (qw(from to proto source dest dport sport)) {
	    printf("  %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
	}

	$test->{action} = 'QUERY';

	my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
							    $host_ip, $vmdata, $test);
	
	print "ACTION: $res\n";

	return undef;
    }});

my $cmddef = {
    start => [ __PACKAGE__, 'start', []],
    stop => [ __PACKAGE__, 'stop', []],
    compile => [ __PACKAGE__, 'compile', []],
    simulate => [ __PACKAGE__, 'simulate', []],
    localnet => [ __PACKAGE__, 'localnet', []],
    status => [ __PACKAGE__, 'status', [], undef, sub {
	my $res = shift;
	if ($res->{changes}) {
	    print "Status: $res->{status} (pending changes)\n";
	} else {
	    print "Status: $res->{status}\n";
	}
    }],
 };

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);

exit (0);

__END__

=head1 NAME
                                          
pve-firewall - PVE Firewall Daemon

=head1 SYNOPSIS

=include synopsis

=head1 DESCRIPTION

This service updates iptables rules periodically.

=include pve_copyright
Commit	Line	Data
e2beb7aa DM	1	#!/usr/bin/perl
	2
	3	use strict;
	4	use warnings;
	5	use PVE::SafeSyslog;
	6	use POSIX ":sys_wait_h";
	7	use Fcntl ':flock';
	8	use Getopt::Long;
	9	use Time::HiRes qw (gettimeofday);
	10	use PVE::Tools qw(dir_glob_foreach file_read_firstline);
	11	use PVE::INotify;
	12	use PVE::Cluster qw(cfs_read_file);
	13	use PVE::RPCEnvironment;
	14	use PVE::CLIHandler;
	15	use PVE::Firewall;
814de832 DM	16	use PVE::FirewallSimulator;
814de832 DM	17	use Data::Dumper;
e2beb7aa DM	18
	19	use base qw(PVE::CLIHandler);
	20
	21	my $pve_firewall_pidfile = "/var/run/pve-firewall.pid";
	22
	23	$SIG{'__WARN__'} = sub {
	24	my $err = $@;
	25	my $t = $_[0];
	26	chomp $t;
	27	print "$t\n";
	28	syslog('warning', "WARNING: %s", $t);
	29	$@ = $err;
	30	};
	31
	32	initlog('pve-firewall');
	33
	34	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	35
	36	die "please run as root\n" if $> != 0;
	37
	38	PVE::INotify::inotify_init();
	39
	40	my $rpcenv = PVE::RPCEnvironment->init('cli');
	41
	42	$rpcenv->init_request();
	43	$rpcenv->set_language($ENV{LANG});
	44	$rpcenv->set_user('root@pam');
	45
814de832 DM	46	my $nodename = PVE::INotify::nodename();
814de832 DM	47
e2beb7aa DM	48	my $commandline = [$0, @ARGV];
	49
	50	$0 = "pve-firewall";
	51
	52	sub restart_server {
	53	my ($waittime) = @_;
	54
	55	syslog('info', "server shutdown (restart)");
	56
	57	$ENV{RESTART_PVE_FIREWALL} = 1;
	58
	59	sleep($waittime) if $waittime; # avoid high server load due to restarts
	60
3e998704 DM	61	PVE::INotify::inotify_close();
3e998704 DM	62
e2beb7aa DM	63	exec (@$commandline);
	64	exit (-1); # never reached?
	65	}
	66
	67	sub cleanup {
	68	unlink "$pve_firewall_pidfile.lock";
	69	unlink $pve_firewall_pidfile;
	70	}
	71
	72	sub lockpidfile {
	73	my $pidfile = shift;
	74	my $lkfn = "$pidfile.lock";
	75
	76	if (!open (FLCK, ">>$lkfn")) {
	77	my $msg = "can't aquire lock on file '$lkfn' - $!";
	78	syslog ('err', $msg);
	79	die "ERROR: $msg\n";
	80	}
	81
	82	if (!flock (FLCK, LOCK_EX\|LOCK_NB)) {
	83	close (FLCK);
	84	my $msg = "can't aquire lock '$lkfn' - $!";
	85	syslog ('err', $msg);
	86	die "ERROR: $msg\n";
	87	}
	88	}
	89
	90	sub writepidfile {
	91	my $pidfile = shift;
	92
	93	if (!open (PIDFH, ">$pidfile")) {
	94	my $msg = "can't open pid file '$pidfile' - $!";
	95	syslog ('err', $msg);
	96	die "ERROR: $msg\n";
	97	}
	98	print PIDFH "$$\n";
	99	close (PIDFH);
	100	}
	101
	102	my $restart_request = 0;
	103	my $next_update = 0;
	104
	105	my $cycle = 0;
	106	my $updatetime = 10;
	107
	108	my $initial_memory_usage;
	109
	110	sub run_server {
	111	my ($param) = @_;
	112
	113	# try to get the lock
	114	lockpidfile($pve_firewall_pidfile);
	115
	116	# run in background
	117	my $spid;
	118
	119	my $restart = $ENV{RESTART_PVE_FIREWALL};
	120
	121	delete $ENV{RESTART_PVE_FIREWALL};
	122
8b453a09 DM	123	PVE::Cluster::cfs_update();
	124
	125	PVE::Firewall::init();
	126
e2beb7aa DM	127	if (!$param->{debug}) {
	128	open STDIN, '</dev/null' \|\| die "can't read /dev/null";
	129	open STDOUT, '>/dev/null' \|\| die "can't write /dev/null";
	130	}
	131
	132	if (!$restart && !$param->{debug}) {
	133	$spid = fork();
	134	if (!defined ($spid)) {
	135	my $msg = "can't put server into background - fork failed";
	136	syslog('err', $msg);
	137	die "ERROR: $msg\n";
	138	} elsif ($spid) { # parent
	139	exit (0);
	140	}
	141	}
	142
	143	writepidfile($pve_firewall_pidfile);
	144
	145	open STDERR, '>&STDOUT' \|\| die "can't close STDERR\n";
	146
	147	$SIG{INT} = $SIG{TERM} = $SIG{QUIT} = sub {
	148	syslog('info' , "server closing");
	149
	150	$SIG{INT} = 'DEFAULT';
	151
	152	# wait for children
	153	1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
	154
	155	syslog('info' , "clear firewall rules");
	156	eval { PVE::Firewall::remove_pvefw_chains(); die "STOP";};
	157	warn $@ if $@;
	158
	159	cleanup();
	160
	161	exit (0);
	162	};
	163
	164	$SIG{HUP} = sub {
	165	# wake up process, so this forces an immediate firewall rules update
	166	syslog('info' , "received signal HUP (restart)");
	167	$restart_request = 1;
	168	};
	169
	170	if ($restart) {
	171	syslog('info' , "restarting server");
	172	} else {
	173	syslog('info' , "starting server");
	174	}
	175
	176	for (;;) { # forever
	177
	178	eval {
	179
	180	local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
	181
	182	$next_update = time() + $updatetime;
	183
	184	my ($ccsec, $cusec) = gettimeofday ();
	185	eval {
	186	PVE::Cluster::cfs_update();
	187	PVE::Firewall::update();
	188	};
	189	my $err = $@;
	190
191	if ($err) {
192	syslog('err', "status update error: $err");
193	}
194
195	my ($ccsec_end, $cusec_end) = gettimeofday ();
196	my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
197
198	syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
199	if ($cptime > 5);
200
201	$cycle++;
202
203	my $mem = PVE::ProcFSTools::read_memory_usage();
204
205	if (!defined($initial_memory_usage) \|\| ($cycle < 10)) {
206	$initial_memory_usage = $mem->{resident};
207	} else {
208	my $diff = $mem->{resident} - $initial_memory_usage;
209	if ($diff > 510241024) {
210	syslog ('info', "restarting server after $cycle cycles to " .
211	"reduce memory usage (free $mem->{resident} ($diff) bytes)");
212	restart_server();
213	}
214	}
215
216	my $wcount = 0;
217	while ((time() < $next_update) &&
218	($wcount < $updatetime) && # protect against time wrap
219	!$restart_request) { $wcount++; sleep (1); };
220
221	restart_server() if $restart_request;
222	};
223
224	my $err = $@;
225
226	if ($err) {
227	syslog ('err', "ERROR: $err");
228	restart_server(5);
229	exit (0);
230	}
231	}
232	}
233
234	__PACKAGE__->register_method ({
235	name => 'start',
236	path => 'start',
237	method => 'POST',
238	description => "Start the Proxmox VE firewall service.",
239	parameters => {
240	additionalProperties => 0,
241	properties => {
242	debug => {
243	description => "Debug mode - stay in foreground",
244	type => "boolean",
245	optional => 1,
246	default => 0,
247	},
248	},
249	},
250	returns => { type => 'null' },
251
252	code => sub {
253	my ($param) = @_;
254
255	run_server($param);
256
257	return undef;
258	}});
259
260	__PACKAGE__->register_method ({
261	name => 'stop',
262	path => 'stop',
263	method => 'POST',
16adff04	264	description => "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
e2beb7aa DM	265	parameters => {
	266	additionalProperties => 0,
	267	properties => {},
	268	},
	269	returns => { type => 'null' },
	270
	271	code => sub {
	272	my ($param) = @_;
	273
	274	my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) \|\| 0);
	275
	276	if ($pid) {
	277	if (PVE::ProcFSTools::check_process_running($pid)) {
	278	kill(15, $pid); # send TERM signal
	279	# give max 5 seconds to shut down
	280	for (my $i = 0; $i < 5; $i++) {
	281	last if !PVE::ProcFSTools::check_process_running($pid);
	282	sleep (1);
	283	}
	284
	285	# to be sure
	286	kill(9, $pid);
	287	waitpid($pid, 0);
	288	}
	289	if (-f $pve_firewall_pidfile) {
	290	# try to get the lock
	291	lockpidfile($pve_firewall_pidfile);
	292	cleanup();
	293	}
	294	}
	295
	296	return undef;
	297	}});
	298
	299	__PACKAGE__->register_method ({
	300	name => 'status',
	301	path => 'status',
	302	method => 'GET',
	303	description => "Get firewall status.",
	304	parameters => {
	305	additionalProperties => 0,
	306	properties => {},
	307	},
	308	returns => {
	309	type => 'object',
	310	additionalProperties => 0,
	311	properties => {
	312	status => {
	313	type => 'string',
	314	enum => ['unknown', 'stopped', 'active'],
	315	},
	316	changes => {
	317	description => "Set when there are pending changes.",
	318	type => 'boolean',
	319	optional => 1,
	320	}
	321	},
	322	},
	323	code => sub {
	324	my ($param) = @_;
	325
	326	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	327
	328	my $code = sub {
329
330	my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) \|\| 0);
331	my $running = PVE::ProcFSTools::check_process_running($pid);
332
333	my $status = $running ? 'active' : 'stopped';
334
335	my $res = { status => $status };
336	if ($status eq 'active') {
337	my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
338
339	my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
340	my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
341
342	$res->{changes} = ($ipset_changes \|\| $ruleset_changes) ? 1 : 0;
343	}
344
345	return $res;
346	};
347
348	return PVE::Firewall::run_locked($code);
349	}});
350
351	__PACKAGE__->register_method ({
352	name => 'compile',
353	path => 'compile',
3324948a	354	method => 'GET',
16adff04	355	description => "Compile and print firewall rules. This is useful for testing.",
e2beb7aa DM	356	parameters => {
	357	additionalProperties => 0,
	358	properties => {},
	359	},
	360	returns => { type => 'null' },
	361
	362	code => sub {
	363	my ($param) = @_;
	364
	365	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	366
	367	my $code = sub {
	368	my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
	369
	370	my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
	371	my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
	372	if ($ipset_changes \|\| $ruleset_changes) {
	373	print "detected changes\n";
	374	} else {
	375	print "no changes\n";
	376	}
	377	};
	378
	379	PVE::Firewall::run_locked($code);
	380
	381	return undef;
	382	}});
	383
e7fb6ff2 DM	384	__PACKAGE__->register_method ({
	385	name => 'localnet',
	386	path => 'localnet',
	387	method => 'GET',
	388	description => "Print information about local network.",
	389	parameters => {
	390	additionalProperties => 0,
	391	properties => {},
	392	},
	393	returns => { type => 'null' },
	394	code => sub {
	395	my ($param) = @_;
	396
	397	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
	398
	399	my $nodename = PVE::INotify::nodename();
	400	print "local hostname: $nodename\n";
	401
	402	my $ip = PVE::Cluster::remote_node_ip($nodename);
	403	print "local IP address: $ip\n";
	404
	405	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	406
	407	my $localnet = PVE::Firewall::local_network() \|\| '127.0.0.0/8';
	408	print "network auto detect: $localnet\n";
	409	if ($cluster_conf->{aliases}->{local_network}) {
	410	print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
	411	} else {
	412	print "using detected local_network: $localnet\n";
	413	}
	414
	415	return undef;
	416	}});
	417
814de832 DM	418	__PACKAGE__->register_method ({
	419	name => 'simulate',
	420	path => 'simulate',
3324948a	421	method => 'GET',
c9902e5a	422	description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
814de832 DM	423	parameters => {
	424	additionalProperties => 0,
	425	properties => {
	426	verbose => {
	427	description => "Verbose output.",
	428	type => 'boolean',
	429	optional => 1,
	430	default => 0,
	431	},
	432	from => {
	433	description => "Source zone.",
	434	type => 'string',
	435	pattern => '(host\|outside\|vm\d+\|ct\d+\|vmbr\d+/\S+)',
	436	optional => 1,
	437	default => 'outside',
	438	},
	439	to => {
	440	description => "Destination zone.",
	441	type => 'string',
	442	pattern => '(host\|outside\|vm\d+\|ct\d+\|vmbr\d+/\S+)',
	443	optional => 1,
	444	default => 'host',
	445	},
	446	protocol => {
	447	description => "Protocol.",
	448	type => 'string',
	449	pattern => '(tcp\|udp)',
	450	optional => 1,
	451	default => 'tcp',
	452	},
	453	dport => {
	454	description => "Destination port.",
	455	type => 'integer',
	456	minValue => 1,
	457	maxValue => 65535,
	458	optional => 1,
	459	},
	460	sport => {
	461	description => "Source port.",
	462	type => 'integer',
	463	minValue => 1,
	464	maxValue => 65535,
	465	optional => 1,
	466	},
	467	source => {
	468	description => "Source IP address.",
	469	type => 'string', format => 'ipv4',
	470	optional => 1,
	471	},
	472	dest => {
	473	description => "Destination IP address.",
	474	type => 'string', format => 'ipv4',
	475	optional => 1,
	476	},
	477	},
	478	},
	479	returns => { type => 'null' },
	480	code => sub {
	481	my ($param) = @_;
	482
815b4ebf DM	483	local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
815b4ebf DM	484
814de832 DM	485	my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
	486
	487	PVE::FirewallSimulator::debug($param->{verbose} \|\| 0);
	488
	489	my $host_ip = PVE::Cluster::remote_node_ip($nodename);
	490
	491	PVE::FirewallSimulator::reset_trace();
	492	print Dumper($ruleset) if $param->{verbose};
	493
	494	my $test = {
	495	from => $param->{from},
	496	to => $param->{to},
	497	proto => $param->{protocol} \|\| 'tcp',
	498	source => $param->{source},
	499	dest => $param->{dest},
	500	dport => $param->{dport},
	501	sport => $param->{sport},
	502	};
	503
	504	if (!defined($test->{to})) {
	505	$test->{to} = 'host';
	506	PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
	507	}
	508	if (!defined($test->{from})) {
	509	$test->{from} = 'outside',
	510	PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
	511	}
	512
	513	my $vmdata = PVE::Firewall::read_local_vm_config();
	514
	515	print "Test packet:\n";
	516
	517	foreach my $k (qw(from to proto source dest dport sport)) {
	518	printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
	519	}
	520
	521	$test->{action} = 'QUERY';
	522
	523	my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
	524	$host_ip, $vmdata, $test);
	525
	526	print "ACTION: $res\n";
	527
	528	return undef;
	529	}});
e2beb7aa DM	530
	531	my $cmddef = {
	532	start => [ __PACKAGE__, 'start', []],
	533	stop => [ __PACKAGE__, 'stop', []],
	534	compile => [ __PACKAGE__, 'compile', []],
814de832	535	simulate => [ __PACKAGE__, 'simulate', []],
e7fb6ff2	536	localnet => [ __PACKAGE__, 'localnet', []],
e2beb7aa DM	537	status => [ __PACKAGE__, 'status', [], undef, sub {
	538	my $res = shift;
	539	if ($res->{changes}) {
	540	print "Status: $res->{status} (pending changes)\n";
	541	} else {
	542	print "Status: $res->{status}\n";
	543	}
	544	}],
	545	};
	546
	547	my $cmd = shift;
	548
	549	PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);
	550
	551	exit (0);
	552
	553	__END__
	554
	555	=head1 NAME
	556
16adff04	557	pve-firewall - PVE Firewall Daemon
e2beb7aa DM	558
	559	=head1 SYNOPSIS
	560
16adff04	561	=include synopsis
e2beb7aa DM	562
	563	=head1 DESCRIPTION
	564
	565	This service updates iptables rules periodically.
	566
16adff04	567	=include pve_copyright