13 use PVE
::RPCEnvironment
;
16 use PVE
::JSONSchema
qw(get_standard_option);
20 use base
qw(PVE::CLIHandler);
22 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
# PATH is pinned to the system directories above before anything else runs, so
# the external 'shorewall' invocations later in this script (compile/start/
# stop/clear) resolve from a fixed location rather than from whatever the
# caller's environment carried.
26 die "please run as root\n" if $> != 0;
# $> is the effective UID: the cluster config reads and firewall compilation
# below are only meaningful as root, so refuse early instead of failing midway.
28 PVE
::INotify
::inotify_init
();
30 my $rpcenv = PVE
::RPCEnvironment-
>init('cli');
# A CLI RPC environment is initialised with the caller's language taken from
# the environment and the acting user fixed to root@pam; presumably the
# methods registered further down execute in this context.
32 $rpcenv->init_request();
33 $rpcenv->set_language($ENV{LANG
});
34 $rpcenv->set_user('root@pam');
38 my ($filename, $fh) = @_;
42 my $res = { in => [], out
=> [] };
44 my $macros = PVE
::Firewall
::get_shorewall_macros
();
46 while (defined(my $line = <$fh>)) {
47 next if $line =~ m/^#/;
48 next if $line =~ m/^\s*$/;
50 if ($line =~ m/^\[(in|out)\]\s*$/i) {
56 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
59 if (!($action && $iface && $source && $dest)) {
60 warn "skip incomplete line\n";
65 if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
67 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
68 ($service, $action) = ($1, $2);
69 if (!$macros->{$service}) {
70 warn "unknown service '$service'\n";
74 warn "unknown action '$action'\n";
78 if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
79 warn "unknown interface '$iface'\n";
83 if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
84 warn "unknown protokol '$proto'\n";
88 if ($source !~ m/^(any)$/) {
89 warn "unknown source '$source'\n";
93 if ($dest !~ m/^(any)$/) {
94 warn "unknown destination '$dest'\n";
109 push @{$res->{$section}}, $rule;
115 sub read_local_vm_config
{
121 my $list = PVE
::QemuServer
::config_list
();
123 foreach my $vmid (keys %$list) {
124 my $cfspath = PVE
::QemuServer
::cfs_config_path
($vmid);
125 if (my $conf = PVE
::Cluster
::cfs_read_file
($cfspath)) {
126 $qemu->{$vmid} = $conf;
130 my $vmdata = { openvz
=> $openvz, qemu
=> $qemu };
135 sub read_vm_firewall_rules
{
138 foreach my $vmid (keys %{$vmdata->{qemu
}}, keys %{$vmdata->{openvz
}}) {
139 my $filename = "/etc/pve/firewall/$vmid.fw";
140 my $fh = IO
::File-
>new($filename, O_RDONLY
);
143 $rules->{$vmid} = parse_fw_rules
($filename, $fh);
149 __PACKAGE__-
>register_method ({
153 description
=> "Compile firewall rules.",
155 additionalProperties
=> 0,
158 returns
=> { type
=> 'null' },
163 my $vmdata = read_local_vm_config
();
164 my $rules = read_vm_firewall_rules
($vmdata);
166 # print Dumper($vmdata);
168 my $swdir = '/etc/shorewall';
171 PVE
::Firewall
::compile
($swdir, $vmdata, $rules);
173 PVE
::Tools
::run_command
(['shorewall', 'compile']);
179 __PACKAGE__-
>register_method ({
183 description
=> "Start firewall.",
185 additionalProperties
=> 0,
188 returns
=> { type
=> 'null' },
193 PVE
::Tools
::run_command
(['shorewall', 'start']);
198 __PACKAGE__-
>register_method ({
202 description
=> "Stop firewall.",
204 additionalProperties
=> 0,
207 returns
=> { type
=> 'null' },
212 PVE
::Tools
::run_command
(['shorewall', 'stop']);
217 __PACKAGE__-
>register_method ({
221 description
=> "Clear will remove all rules installed by this script. The host is then unprotected.",
223 additionalProperties
=> 0,
226 returns
=> { type
=> 'null' },
231 PVE
::Tools
::run_command
(['shorewall', 'clear']);
236 my $nodename = PVE
::INotify
::nodename
();
# NOTE(review): $nodename is not referenced on any line visible here; its use,
# if any, is on a line not shown.
# Subcommand table: CLI verb => [package, registered method name, positional
# argument names]. The opening 'my $cmddef = {' is not visible on this page.
239 compile
=> [ __PACKAGE__
, 'compile', []],
240 start
=> [ __PACKAGE__
, 'start', []],
241 stop
=> [ __PACKAGE__
, 'stop', []],
242 clear
=> [ __PACKAGE__
, 'clear', []],
# Dispatch the requested subcommand. $cmd is defined on a line not shown here
# (presumably shifted off @ARGV); the remaining arguments are passed through,
# and $0 is supplied so usage output can name this script.
247 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);