#!/usr/bin/perl -w

use strict;
# NOTE(review): this adds the current working directory to @INC so the
# PVE::* modules below can be loaded from a source checkout.  Since the
# script refuses to run as anything but root (see the check below), a
# same-named module in whatever directory pvefw is started from would be
# loaded with root privileges -- confirm this line is development-only and
# is not present in the packaged script.
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

# The register_method() calls below are resolved through this base class.
use base qw(PVE::CLIHandler);

# Fixed search path for the external commands run by this script
# (e.g. the shorewall calls further down), independent of the caller's
# environment.
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog ('pvefw');

# Installing firewall rules needs root; fail early with a clear message.
die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

# CLI RPC environment acting as root@pam for all methods registered below.
my $rpcenv = PVE::RPCEnvironment->init('cli');

$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

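__PACKAGE__->register_method({
    name => 'enablevmfw',
    path => 'enablevmfw',
    method => 'POST',
    description => "Generate firewall rules for the network devices of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                description => "Only handle this network device (e.g. 'net0'). All devices if omitted.",
                type => 'string',
                optional => 1
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        # Also serves as the "VM exists" check: load_config is expected to
        # die for an unknown VMID.  (PVE::QemuServer is not loaded explicitly
        # in this file -- presumably pulled in via PVE::Firewall; confirm.)
        my $conf = PVE::QemuServer::load_config($vmid);

        my $matched = 0;
        foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net(\d+)$/;
            # String comparison: $opt is 'netN'.  A numeric '!=' would
            # evaluate both sides as 0 and the netid filter would never apply,
            # i.e. rules would be generated for every device regardless.
            next if defined($netid) && $opt ne $netid;
            $matched = 1;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
            PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
        }

        # A netid that matches nothing must not look like success: the
        # operator would otherwise assume the device is now protected.
        die "VM $vmid has no network device '$netid'\n"
            if defined($netid) && !$matched;

        return undef;
    }});
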
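__PACKAGE__->register_method({
    name => 'disablevmfw',
    path => 'disablevmfw',
    method => 'POST',
    description => "Flush the firewall rules of the network devices of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                description => "Only handle this network device (e.g. 'net0'). All devices if omitted.",
                type => 'string',
                optional => 1
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        # Also serves as the "VM exists" check: load_config is expected to
        # die for an unknown VMID.  (PVE::QemuServer is not loaded explicitly
        # in this file -- presumably pulled in via PVE::Firewall; confirm.)
        my $conf = PVE::QemuServer::load_config($vmid);

        my $matched = 0;
        foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net(\d+)$/;
            # String comparison: $opt is 'netN'.  A numeric '!=' would
            # evaluate both sides as 0 and the netid filter would never apply,
            # i.e. every device's rules would be flushed regardless.
            next if defined($netid) && $opt ne $netid;
            $matched = 1;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
            PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
        }

        # Report a netid that matched nothing instead of silently succeeding.
        die "VM $vmid has no network device '$netid'\n"
            if defined($netid) && !$matched;

        return undef;
    }});
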
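__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    # Shown in the CLI help; was missing for this command.
    description => "Enable the host firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    # Takes no parameters; thin wrapper around the library call.
    code => sub {
        PVE::Firewall::enablehostfw();

        return undef;
    }});
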
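__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    # Shown in the CLI help; was missing for this command.
    description => "Disable the host firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    # Takes no parameters; thin wrapper around the library call.
    code => sub {
        PVE::Firewall::disablehostfw();

        return undef;
    }});
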
__PACKAGE__->register_method({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    # No parameters are read; delegate straight to the library.
    code => sub {
        PVE::Firewall::compile();
        return undef;
    },
});

__PACKAGE__->register_method({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start firewall.",
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    # Plain start: compile_and_start() without the restart flag used by
    # the 'restart' command.
    code => sub {
        PVE::Firewall::compile_and_start();
        return undef;
    },
});

__PACKAGE__->register_method({
    name => 'restart',
    path => 'restart',
    method => 'POST',
    description => "Restart firewall.",
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    # Same entry point as 'start', with the (truthy) first argument that
    # presumably requests a restart -- see PVE::Firewall::compile_and_start.
    code => sub {
        PVE::Firewall::compile_and_start(1);
        return undef;
    },
});

__PACKAGE__->register_method({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall.",
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    # Calls shorewall directly in list form (no shell involved); the binary
    # is found via the fixed PATH set at the top of this script.
    code => sub {
        PVE::Tools::run_command(['shorewall', 'stop']);
        return undef;
    },
});

__PACKAGE__->register_method({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    # Unlike 'stop', this drops every rule (see the description above).
    # shorewall is invoked in list form, so no shell parsing takes place.
    code => sub {
        PVE::Tools::run_command(['shorewall', 'clear']);
        return undef;
    },
});

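# Map each CLI sub-command to the method registered above.  The trailing
# empty array is the list of positional argument names; none of these
# commands take any (vmid/netid are passed as --options).
my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    clear => [ __PACKAGE__, 'clear', []],
    enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
    disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
    enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
    disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
};

# First command-line word selects the sub-command; the rest stays in @ARGV
# for the handler to parse against the method's parameter schema.
my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);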
253