]>
Commit | Line | Data |
---|---|---|
1 | #!/usr/bin/perl -w | |
2 | ||
3 | use strict; | |
4 | use lib qw(.); | |
5 | use PVE::Firewall; | |
6 | ||
7 | use PVE::SafeSyslog; | |
8 | use PVE::Cluster; | |
9 | use PVE::INotify; | |
10 | use PVE::RPCEnvironment; | |
11 | ||
12 | use PVE::JSONSchema qw(get_standard_option); | |
13 | ||
14 | use PVE::CLIHandler; | |
15 | ||
16 | use base qw(PVE::CLIHandler); | |
17 | ||
18 | $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin'; | |
19 | ||
20 | initlog ('pvefw'); | |
21 | ||
22 | die "please run as root\n" if $> != 0; | |
23 | ||
24 | PVE::INotify::inotify_init(); | |
25 | ||
26 | my $rpcenv = PVE::RPCEnvironment->init('cli'); | |
27 | ||
28 | $rpcenv->init_request(); | |
29 | $rpcenv->set_language($ENV{LANG}); | |
30 | $rpcenv->set_user('root@pam'); | |
31 | ||
32 | __PACKAGE__->register_method({ | |
33 | name => 'enablevmfw', | |
34 | path => 'enablevmfw', | |
35 | method => 'POST', | |
36 | parameters => { | |
37 | additionalProperties => 0, | |
38 | properties => { | |
39 | vmid => get_standard_option('pve-vmid'), | |
40 | netid => { | |
41 | type => 'string', | |
42 | optional => 1 | |
43 | }, | |
44 | }, | |
45 | }, | |
46 | returns => { type => 'null' }, | |
47 | code => sub { | |
48 | my ($param) = @_; | |
49 | ||
50 | # test if VM exists | |
51 | my $vmid = $param->{vmid}; | |
52 | my $netid = $param->{netid}; | |
53 | ||
54 | my $code = sub { | |
55 | my $conf = PVE::QemuServer::load_config($vmid); | |
56 | ||
57 | foreach my $opt (keys %$conf) { | |
58 | next if $opt !~ m/^net(\d+)$/; | |
59 | my $net = PVE::QemuServer::parse_net($conf->{$opt}); | |
60 | next if !$net; | |
61 | next if $netid && $opt != $netid; | |
62 | PVE::Firewall::generate_tap_rules($net, $opt, $vmid); | |
63 | } | |
64 | }; | |
65 | ||
66 | PVE::Firewall::run_locked($code); | |
67 | ||
68 | return undef; | |
69 | }}); | |
70 | ||
71 | __PACKAGE__->register_method({ | |
72 | name => 'disablevmfw', | |
73 | path => 'disablevmfw', | |
74 | method => 'POST', | |
75 | parameters => { | |
76 | additionalProperties => 0, | |
77 | properties => { | |
78 | vmid => get_standard_option('pve-vmid'), | |
79 | netid => { | |
80 | type => 'string', | |
81 | optional => 1 | |
82 | }, | |
83 | ||
84 | }, | |
85 | }, | |
86 | returns => { type => 'null' }, | |
87 | code => sub { | |
88 | my ($param) = @_; | |
89 | ||
90 | # test if VM exists | |
91 | my $vmid = $param->{vmid}; | |
92 | my $netid = $param->{netid}; | |
93 | ||
94 | ||
95 | my $code = sub { | |
96 | my $conf = PVE::QemuServer::load_config($vmid); | |
97 | ||
98 | foreach my $opt (keys %$conf) { | |
99 | next if $opt !~ m/^net(\d+)$/; | |
100 | my $net = PVE::QemuServer::parse_net($conf->{$opt}); | |
101 | next if !$net; | |
102 | next if $netid && $opt != $netid; | |
103 | PVE::Firewall::flush_tap_rules($net, $opt, $vmid); | |
104 | } | |
105 | }; | |
106 | ||
107 | PVE::Firewall::run_locked($code); | |
108 | ||
109 | return undef; | |
110 | }}); | |
111 | ||
112 | __PACKAGE__->register_method({ | |
113 | name => 'enablegroup', | |
114 | path => 'enablegroup', | |
115 | method => 'POST', | |
116 | parameters => { | |
117 | additionalProperties => 0, | |
118 | properties => { | |
119 | securitygroup => { | |
120 | type => 'string', | |
121 | }, | |
122 | }, | |
123 | }, | |
124 | returns => { type => 'null' }, | |
125 | code => sub { | |
126 | my ($param) = @_; | |
127 | ||
128 | my $code = sub { | |
129 | my $group = $param->{securitygroup}; | |
130 | PVE::Firewall::enable_group_rules($group); | |
131 | }; | |
132 | ||
133 | PVE::Firewall::run_locked($code); | |
134 | ||
135 | return undef; | |
136 | }}); | |
137 | ||
138 | __PACKAGE__->register_method({ | |
139 | name => 'disablegroup', | |
140 | path => 'disablegroup', | |
141 | method => 'POST', | |
142 | parameters => { | |
143 | additionalProperties => 0, | |
144 | properties => { | |
145 | securitygroup => { | |
146 | type => 'string', | |
147 | }, | |
148 | ||
149 | }, | |
150 | }, | |
151 | returns => { type => 'null' }, | |
152 | code => sub { | |
153 | my ($param) = @_; | |
154 | ||
155 | my $code = sub { | |
156 | my $group = $param->{securitygroup}; | |
157 | PVE::Firewall::disable_group_rules($group); | |
158 | }; | |
159 | ||
160 | PVE::Firewall::run_locked($code); | |
161 | ||
162 | return undef; | |
163 | }}); | |
164 | ||
165 | __PACKAGE__->register_method({ | |
166 | name => 'enablehostfw', | |
167 | path => 'enablehostfw', | |
168 | method => 'POST', | |
169 | parameters => { | |
170 | additionalProperties => 0, | |
171 | properties => {}, | |
172 | }, | |
173 | returns => { type => 'null' }, | |
174 | ||
175 | code => sub { | |
176 | my ($param) = @_; | |
177 | ||
178 | my $code = sub { | |
179 | PVE::Firewall::enablehostfw(); | |
180 | }; | |
181 | ||
182 | PVE::Firewall::run_locked($code); | |
183 | ||
184 | return undef; | |
185 | }}); | |
186 | ||
187 | __PACKAGE__->register_method({ | |
188 | name => 'disablehostfw', | |
189 | path => 'disablehostfw', | |
190 | method => 'POST', | |
191 | parameters => { | |
192 | additionalProperties => 0, | |
193 | properties => {}, | |
194 | }, | |
195 | returns => { type => 'null' }, | |
196 | ||
197 | code => sub { | |
198 | my ($param) = @_; | |
199 | ||
200 | my $code = sub { | |
201 | PVE::Firewall::disablehostfw(); | |
202 | }; | |
203 | ||
204 | PVE::Firewall::run_locked($code); | |
205 | ||
206 | return undef; | |
207 | }}); | |
208 | ||
209 | __PACKAGE__->register_method ({ | |
210 | name => 'compile', | |
211 | path => 'compile', | |
212 | method => 'POST', | |
213 | description => "Compile firewall rules.", | |
214 | parameters => { | |
215 | additionalProperties => 0, | |
216 | properties => {}, | |
217 | }, | |
218 | returns => { type => 'null' }, | |
219 | ||
220 | code => sub { | |
221 | my ($param) = @_; | |
222 | ||
223 | my $code = sub { | |
224 | PVE::Firewall::compile(); | |
225 | }; | |
226 | ||
227 | PVE::Firewall::run_locked($code); | |
228 | ||
229 | return undef; | |
230 | }}); | |
231 | ||
232 | __PACKAGE__->register_method ({ | |
233 | name => 'start', | |
234 | path => 'start', | |
235 | method => 'POST', | |
236 | description => "Start (or restart if already active) firewall.", | |
237 | parameters => { | |
238 | additionalProperties => 0, | |
239 | properties => {}, | |
240 | }, | |
241 | returns => { type => 'null' }, | |
242 | ||
243 | code => sub { | |
244 | my ($param) = @_; | |
245 | ||
246 | my $code = sub { | |
247 | PVE::Firewall::compile_and_start(); | |
248 | }; | |
249 | ||
250 | PVE::Firewall::run_locked($code); | |
251 | ||
252 | return undef; | |
253 | }}); | |
254 | ||
255 | __PACKAGE__->register_method ({ | |
256 | name => 'stop', | |
257 | path => 'stop', | |
258 | method => 'POST', | |
259 | description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.", | |
260 | parameters => { | |
261 | additionalProperties => 0, | |
262 | properties => {}, | |
263 | }, | |
264 | returns => { type => 'null' }, | |
265 | ||
266 | code => sub { | |
267 | my ($param) = @_; | |
268 | ||
269 | my $code = sub { | |
270 | my $chash = PVE::Firewall::iptables_get_chains(); | |
271 | my $cmdlist = "*filter\n"; | |
272 | $cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n"; | |
273 | $cmdlist .= "-D FORWARD -j proxmoxfw-FORWARD\n"; | |
274 | foreach my $chain (keys %$chash) { | |
275 | $cmdlist .= "-F $chain\n"; | |
276 | } | |
277 | foreach my $chain (keys %$chash) { | |
278 | $cmdlist .= "-X $chain\n"; | |
279 | } | |
280 | $cmdlist .= "COMMIT\n"; | |
281 | ||
282 | PVE::Firewall::iptables_restore_cmdlist($cmdlist); | |
283 | }; | |
284 | ||
285 | PVE::Firewall::run_locked($code); | |
286 | ||
287 | return undef; | |
288 | }}); | |
289 | ||
290 | my $nodename = PVE::INotify::nodename(); | |
291 | ||
292 | my $cmddef = { | |
293 | compile => [ __PACKAGE__, 'compile', []], | |
294 | start => [ __PACKAGE__, 'start', []], | |
295 | restart => [ __PACKAGE__, 'restart', []], | |
296 | stop => [ __PACKAGE__, 'stop', []], | |
297 | enablevmfw => [ __PACKAGE__, 'enablevmfw', []], | |
298 | disablevmfw => [ __PACKAGE__, 'disablevmfw', []], | |
299 | enablehostfw => [ __PACKAGE__, 'enablehostfw', []], | |
300 | disablehostfw => [ __PACKAGE__, 'disablehostfw', []], | |
301 | enablegroup => [ __PACKAGE__, 'enablegroup', []], | |
302 | disablegroup => [ __PACKAGE__, 'disablegroup', []], | |
303 | }; | |
304 | ||
305 | my $cmd = shift; | |
306 | ||
307 | PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0); | |
308 | ||
309 | exit(0); | |
310 |