#!/usr/bin/perl -w

use strict;
use lib qw(.);
use PVE::Firewall;

use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;

use PVE::JSONSchema qw(get_standard_option);

use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

# Pin PATH to the system directories so that iptables and friends are
# never resolved through a search path inherited from the caller.
$ENV{PATH} = join ':', qw(/sbin /bin /usr/sbin /usr/bin);

initlog('pvefw');

# Root check on the effective UID ($>), not the real UID ($<).
unless ($> == 0) {
    die "please run as root\n";
}

PVE::INotify::inotify_init();

# RPC environment for a CLI invocation; every command below runs as root@pam.
my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
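# 'compile': build the ruleset from the current configuration and, when
# verbose, print its status.  apply_ruleset() is never called here, so the
# running firewall is left untouched -- this command exists to test the
# rule generator.
__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    # Fixed typo in the user-facing description ("amd" -> "and").
    description => "Compile and print firewall rules. This is only for testing.",
    parameters => {
        additionalProperties => 0,
        properties => {
            verbose => {
                description => "Verbose output.",
                type => "boolean",
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();

        # Interactive CLI callers get verbose output unless they said
        # otherwise; any other environment keeps the caller's (undef) value.
        $param->{verbose} = 1
            if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');

        # run_locked() presumably serializes against concurrent firewall
        # operations -- TODO confirm against PVE::Firewall.
        PVE::Firewall::run_locked(sub {
            my $ruleset = PVE::Firewall::compile();
            PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
        });

        return undef;
    }});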
# 'start': compile the ruleset from the current configuration and apply it,
# replacing whatever is currently active.
__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start (or restart if already active) firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {
            verbose => {
                description => "Verbose output.",
                type => "boolean",
                optional => 1,
                default => 0,
            },
        },
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        # Compile and apply inside run_locked(); presumably this keeps a
        # concurrent start/stop from interleaving -- TODO confirm.
        PVE::Firewall::run_locked(sub {
            PVE::Firewall::apply_ruleset(PVE::Firewall::compile(), $param->{verbose});
        });

        return undef;
    }});
# 'stop': tear down everything this script installed.  After this the host
# has no PVEFW rules at all (see the description string).
__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        PVE::Firewall::run_locked(sub {
            my $chash = PVE::Firewall::iptables_get_chains();
            # Snapshot the key order once so the -F and -X passes below
            # walk the chains in the same sequence.
            my @chains = keys %$chash;

            my $cmdlist = "*filter\n";

            # Unhook our entry chains from the built-in chains, deleting
            # only those jump rules that are actually present.
            for my $rule ("INPUT -j PVEFW-INPUT",
                          "OUTPUT -j PVEFW-OUTPUT",
                          "FORWARD -j PVEFW-FORWARD") {
                next if !PVE::Firewall::iptables_rule_exist($rule);
                $cmdlist .= "-D $rule\n";
            }

            # Flush every chain before deleting any: iptables refuses to
            # delete a chain that another chain still references.
            $cmdlist .= "-F $_\n" for @chains;
            $cmdlist .= "-X $_\n" for @chains;
            $cmdlist .= "COMMIT\n";

            # Everything is applied in one iptables-restore transaction.
            PVE::Firewall::iptables_restore_cmdlist($cmdlist);
        });

        return undef;
    }});
# NOTE(review): $nodename is not referenced anywhere below in this file.
my $nodename = PVE::INotify::nodename();

# Dispatch table: CLI verb -> [ class, registered method name, positional args ].
my $cmddef = {
    compile => [ __PACKAGE__, 'compile', [] ],
    start   => [ __PACKAGE__, 'start',   [] ],
    stop    => [ __PACKAGE__, 'stop',    [] ],
};

# First argument selects the verb; the remainder of @ARGV goes to the handler.
my $cmd = shift @ARGV;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);