10 use PVE::RPCEnvironment;
12 use PVE::JSONSchema qw(get_standard_option);
16 use base qw(PVE::CLIHandler);
18 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin'; # pin PATH to the system directories so the external tools invoked by the PVE::Firewall helpers below are never resolved through a PATH inherited from the caller
22 die "please run as root\n" if $> != 0; # effective UID must be 0; the trailing \n suppresses the "at FILE line N" suffix on this user-facing message
24 PVE::INotify::inotify_init();
26 my $rpcenv = PVE::RPCEnvironment->init('cli'); # CLI-mode environment; $rpcenv->{type} eq 'cli' is what the methods below test when defaulting --verbose
28 $rpcenv->init_request();
29 $rpcenv->set_language($ENV{LANG}); # LANG is taken from the caller's environment as-is (no sanitizing here)
30 $rpcenv->set_user('root@pam'); # every action of this CLI is attributed to root@pam
32 __PACKAGE__->register_method ({
36 description => "Compile amd print firewall rules. This is only for testing.", # NOTE(review): "amd" is a typo for "and" in this user-visible text (string left unchanged here)
38 additionalProperties => 0,
41 description => "Verbose output.",
47 returns => { type => 'null' },
52 my $rpcenv = PVE::RPCEnvironment::get();
55 if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli'); # the defaulting statement this modifies is on the preceding line (not shown); it only applies when --verbose was not given explicitly from the CLI
58 my $ruleset = PVE::Firewall::compile(); # compile only; nothing is installed by this command
59 PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose}; # second arg 1 presumably selects printing -- TODO confirm against PVE::Firewall
62 PVE::Firewall::run_locked($code); # runs under the firewall lock, like every other command in this file
67 __PACKAGE__->register_method ({
71 description => "Get firewall status.",
73 additionalProperties => 0,
78 additionalProperties => 0,
82 enum => ['unknown', 'stopped', 'active'], # values as persisted by PVE::Firewall::read_pvefw_status / save_pvefw_status
85 description => "Set when there are pending changes.",
94 my $rpcenv = PVE::RPCEnvironment::get();
97 if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli'); # only when invoked from the CLI and --verbose was not given explicitly (defaulting statement is on the line above, not shown)
100 my $status = PVE::Firewall::read_pvefw_status(); # persisted state written by 'stop'/'start'; not a live probe of the kernel tables
102 my $res = { status => $status };
103 if ($status eq 'active') { # a live compile is only done when the firewall is recorded as active
104 my $ruleset = PVE::Firewall::compile();
105 my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset); # restore-style script for the compiled ruleset (helper name really is spelled "rulset")
107 if ($cmdlist ne "*filter\nCOMMIT\n") { # a script holding only the table header and COMMIT means nothing to apply; otherwise the branch body (not shown) presumably sets $res->{changes}
115 return PVE::Firewall::run_locked($code); # the returned hash is rendered by the 'status' callback in $cmddef at the bottom of the file
118 __PACKAGE__->register_method ({
122 description => "Start (or simply update if already active) firewall.",
124 additionalProperties => 0,
127 description => "Verbose output.",
134 returns => { type => 'null' },
139 PVE::Firewall::update(1, $param->{verbose}); # first arg 1: start if not yet active, otherwise just update (contrast with 'update' below, which passes 0)
144 __PACKAGE__->register_method ({
148 description => "Check firewall rules. Then update the rules if the firewall is active.",
150 additionalProperties => 0,
153 description => "Verbose output.",
160 returns => { type => 'null' },
165 PVE::Firewall::update(0, $param->{verbose}); # first arg 0: never starts the firewall, only refreshes rules when it is already active
170 __PACKAGE__->register_method ({
174 description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
176 additionalProperties => 0,
179 returns => { type => 'null' },
186 my $chash = PVE::Firewall::iptables_get_chains(); # snapshot of the chains returned by the helper; each is flushed and deleted below
187 my $cmdlist = "*filter\n"; # one restore-style script, applied in a single iptables_restore_cmdlist() call rather than rule by rule
188 my $rule = "INPUT -j PVEFW-INPUT";
189 if (PVE::Firewall::iptables_rule_exist($rule)) { # unhook our chains from the builtin chains first; -D is only emitted for jump rules that exist, since deleting a missing rule would fail the whole script
190 $cmdlist .= "-D $rule\n";
192 $rule = "OUTPUT -j PVEFW-OUTPUT";
193 if (PVE::Firewall::iptables_rule_exist($rule)) {
194 $cmdlist .= "-D $rule\n";
197 $rule = "FORWARD -j PVEFW-FORWARD";
198 if (PVE::Firewall::iptables_rule_exist($rule)) {
199 $cmdlist .= "-D $rule\n";
202 foreach my $chain (keys %$chash) { # flush every chain before deleting any: iptables refuses to delete a chain that is non-empty or still referenced
203 $cmdlist .= "-F $chain\n";
205 foreach my $chain (keys %$chash) { # second pass: now that all chains are empty, delete them
206 $cmdlist .= "-X $chain\n";
208 $cmdlist .= "COMMIT\n"; # COMMIT applies the accumulated script
210 PVE::Firewall::iptables_restore_cmdlist($cmdlist);
212 PVE::Firewall::save_pvefw_status('stopped'); # recorded only after the rules were actually removed; 'status' reads this value back
215 PVE::Firewall::run_locked($code); # runs under the firewall lock, like the other commands
220 my $nodename = PVE::INotify::nodename(); # resolved once at startup; its use is not visible in this excerpt
223 compile => [ __PACKAGE__, 'compile', []],
224 start => [ __PACKAGE__, 'start', []],
225 update => [ __PACKAGE__, 'update', []],
226 status => [ __PACKAGE__, 'status', [], undef, sub { # custom output callback: receives the hash returned by the 'status' method
228 if ($res->{changes}) { # set by 'status' when the compiled ruleset differs from what is installed
229 print "Status: $res->{status} (pending changes)\n";
231 print "Status: $res->{status}\n";
234 stop => [ __PACKAGE__, 'stop', []],
239 PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0); # dispatch to the method table above; $cmd is presumably the first command-line word (its extraction is on a line not shown here)