[pve-firewall.git] / pvefw

#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;
use File::Path;
use IO::File;
use Data::Dumper;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;
use PVE::QemuServer;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');


sub parse_fw_rules {
    my ($filename, $fh) = @_;

    my $section;

    my $res = { in => [], out => [] };

    my $macros = PVE::Firewall::get_shorewall_macros();

    while (defined(my $line = <$fh>)) {
	next if $line =~ m/^#/;
	next if $line =~ m/^\s*$/;

	if ($line =~ m/^\[(in|out)\]\s*$/i) {
	    $section = lc($1);
	    next;
	}
	next if !$section;

	my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
	    split(/\s+/, $line);

	if (!($action && $iface && $source && $dest)) {
	    warn "skip incomplete line\n";
	    next;
	}

	my $service;
	if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
	    # OK
	} elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
	    ($service, $action) = ($1, $2);
	    if (!$macros->{$service}) {
		warn "unknown service '$service'\n";
		next;
	    }
	} else {
	    warn "unknown action '$action'\n";
	    next;
	}

	if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
	    warn "unknown interface '$iface'\n";
	    next;
	}

	if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
	    warn "unknown protokol '$proto'\n";
	    next;
	}

	if ($source !~ m/^(any)$/) {
	    warn "unknown source '$source'\n";
	    next;
	}

	if ($dest !~ m/^(any)$/) {
	    warn "unknown destination '$dest'\n";
	    next;
	}

	my $rule = {
	    action => $action,
	    service => $service,
	    iface => $iface,
	    source => $source,
	    dest => $dest,
	    proto => $proto,
	    dport => $dport,
	    sport => $sport,
	};

	push @{$res->{$section}}, $rule;
    }

    return $res;
}

sub read_local_vm_config {

    my $openvz = {};

    my $qemu = {};

    my $list = PVE::QemuServer::config_list();

    foreach my $vmid (keys %$list) {
	my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
	if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
	    $qemu->{$vmid} = $conf;
	}
    }

    my $vmdata = { openvz => $openvz, qemu => $qemu };

    return $vmdata;
};

sub read_vm_firewall_rules {
    my ($vmdata) = @_;
    my $rules = {};
    foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
	my $filename = "/etc/pve/firewall/$vmid.fw";
	my $fh = IO::File->new($filename, O_RDONLY);
	next if !$fh;

	$rules->{$vmid} = parse_fw_rules($filename, $fh);
    }

    return $rules;
}

__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	my $vmdata = read_local_vm_config();
	my $rules = read_vm_firewall_rules($vmdata);

	# print Dumper($vmdata);

	my $swdir = '/etc/shorewall';
	mkdir $swdir;

	PVE::Firewall::compile($swdir, $vmdata, $rules);

	PVE::Tools::run_command(['shorewall', 'compile']);

	return undef;

    }});

__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Tools::run_command(['shorewall', 'start']);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Tools::run_command(['shorewall', 'stop']);

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => { type => 'null' },

    code => sub {
	my ($param) = @_;

	PVE::Tools::run_command(['shorewall', 'clear']);

	return undef;
    }});

my $nodename = PVE::INotify::nodename();

my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    stop => [ __PACKAGE__, 'stop', []],
    clear => [ __PACKAGE__, 'clear', []],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
Commit	Line	Data
	1	#!/usr/bin/perl -w
	2
	3	use strict;
	4	use lib qw(.);
	5	use PVE::Firewall;
	6	use File::Path;
	7	use IO::File;
	8	use Data::Dumper;
	9
	10	use PVE::SafeSyslog;
	11	use PVE::Cluster;
	12	use PVE::INotify;
	13	use PVE::RPCEnvironment;
	14	use PVE::QemuServer;
	15
	16	use PVE::JSONSchema qw(get_standard_option);
	17
	18	use PVE::CLIHandler;
	19
	20	use base qw(PVE::CLIHandler);
	21
	22	$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
	23
	24	initlog ('pvefw');
	25
	26	die "please run as root\n" if $> != 0;
	27
	28	PVE::INotify::inotify_init();
	29
	30	my $rpcenv = PVE::RPCEnvironment->init('cli');
	31
	32	$rpcenv->init_request();
	33	$rpcenv->set_language($ENV{LANG});
	34	$rpcenv->set_user('root@pam');
	35
	36
	37	sub parse_fw_rules {
	38	my ($filename, $fh) = @_;
	39
	40	my $section;
	41
	42	my $res = { in => [], out => [] };
	43
	44	my $macros = PVE::Firewall::get_shorewall_macros();
	45
	46	while (defined(my $line = <$fh>)) {
	47	next if $line =~ m/^#/;
	48	next if $line =~ m/^\s*$/;
	49
	50	if ($line =~ m/^\[(in\|out)\]\s*$/i) {
	51	$section = lc($1);
	52	next;
	53	}
	54	next if !$section;
	55
	56	my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
	57	split(/\s+/, $line);
	58
	59	if (!($action && $iface && $source && $dest)) {
	60	warn "skip incomplete line\n";
	61	next;
	62	}
	63
	64	my $service;
	65	if ($action =~ m/^(ACCEPT\|DROP\|REJECT)$/) {
	66	# OK
	67	} elsif ($action =~ m/^(\S+)\((ACCEPT\|DROP\|REJECT)\)$/) {
	68	($service, $action) = ($1, $2);
	69	if (!$macros->{$service}) {
	70	warn "unknown service '$service'\n";
	71	next;
	72	}
	73	} else {
	74	warn "unknown action '$action'\n";
	75	next;
	76	}
	77
	78	if ($iface !~ m/^(all\|net0\|net1\|net2\|net3\|net4\|net5)$/) {
	79	warn "unknown interface '$iface'\n";
	80	next;
	81	}
	82
	83	if ($proto && $proto !~ m/^(icmp\|tcp\|udp)$/) {
	84	warn "unknown protokol '$proto'\n";
	85	next;
	86	}
	87
	88	if ($source !~ m/^(any)$/) {
	89	warn "unknown source '$source'\n";
	90	next;
	91	}
	92
	93	if ($dest !~ m/^(any)$/) {
	94	warn "unknown destination '$dest'\n";
	95	next;
	96	}
	97
	98	my $rule = {
	99	action => $action,
	100	service => $service,
	101	iface => $iface,
	102	source => $source,
	103	dest => $dest,
	104	proto => $proto,
	105	dport => $dport,
	106	sport => $sport,
	107	};
	108
	109	push @{$res->{$section}}, $rule;
	110	}
	111
	112	return $res;
	113	}
	114
	115	sub read_local_vm_config {
	116
	117	my $openvz = {};
	118
	119	my $qemu = {};
	120
	121	my $list = PVE::QemuServer::config_list();
	122
	123	foreach my $vmid (keys %$list) {
	124	my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
	125	if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
	126	$qemu->{$vmid} = $conf;
	127	}
	128	}
	129
	130	my $vmdata = { openvz => $openvz, qemu => $qemu };
	131
	132	return $vmdata;
	133	};
	134
	135	sub read_vm_firewall_rules {
	136	my ($vmdata) = @_;
	137	my $rules = {};
	138	foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
	139	my $filename = "/etc/pve/firewall/$vmid.fw";
	140	my $fh = IO::File->new($filename, O_RDONLY);
	141	next if !$fh;
	142
	143	$rules->{$vmid} = parse_fw_rules($filename, $fh);
	144	}
	145
	146	return $rules;
	147	}
	148
	149	__PACKAGE__->register_method ({
	150	name => 'compile',
	151	path => 'compile',
	152	method => 'POST',
	153	description => "Compile firewall rules.",
	154	parameters => {
	155	additionalProperties => 0,
	156	properties => {},
	157	},
	158	returns => { type => 'null' },
	159
	160	code => sub {
	161	my ($param) = @_;
	162
	163	my $vmdata = read_local_vm_config();
	164	my $rules = read_vm_firewall_rules($vmdata);
	165
	166	# print Dumper($vmdata);
	167
	168	my $swdir = '/etc/shorewall';
	169	mkdir $swdir;
	170
	171	PVE::Firewall::compile($swdir, $vmdata, $rules);
	172
	173	PVE::Tools::run_command(['shorewall', 'compile']);
	174
	175	return undef;
	176
	177	}});
	178
	179	__PACKAGE__->register_method ({
	180	name => 'start',
	181	path => 'start',
	182	method => 'POST',
	183	description => "Start firewall.",
	184	parameters => {
	185	additionalProperties => 0,
	186	properties => {},
	187	},
	188	returns => { type => 'null' },
	189
	190	code => sub {
	191	my ($param) = @_;
	192
	193	PVE::Tools::run_command(['shorewall', 'start']);
	194
	195	return undef;
	196	}});
	197
	198	__PACKAGE__->register_method ({
	199	name => 'stop',
	200	path => 'stop',
	201	method => 'POST',
	202	description => "Stop firewall.",
	203	parameters => {
	204	additionalProperties => 0,
	205	properties => {},
	206	},
	207	returns => { type => 'null' },
	208
	209	code => sub {
	210	my ($param) = @_;
	211
	212	PVE::Tools::run_command(['shorewall', 'stop']);
	213
	214	return undef;
	215	}});
	216
	217	__PACKAGE__->register_method ({
	218	name => 'clear',
	219	path => 'clear',
	220	method => 'POST',
	221	description => "Clear will remove all rules installed by this script. The host is then unprotected.",
	222	parameters => {
	223	additionalProperties => 0,
	224	properties => {},
	225	},
	226	returns => { type => 'null' },
	227
	228	code => sub {
	229	my ($param) = @_;
	230
	231	PVE::Tools::run_command(['shorewall', 'clear']);
	232
	233	return undef;
	234	}});
	235
	236	my $nodename = PVE::INotify::nodename();
	237
	238	my $cmddef = {
	239	compile => [ __PACKAGE__, 'compile', []],
	240	start => [ __PACKAGE__, 'start', []],
	241	stop => [ __PACKAGE__, 'stop', []],
	242	clear => [ __PACKAGE__, 'clear', []],
	243	};
	244
	245	my $cmd = shift;
	246
	247	PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
	248
	249	exit(0);
	250