13 use PVE
::RPCEnvironment
;
16 use PVE
::JSONSchema
qw(get_standard_option);
20 use base
qw(PVE::CLIHandler);
# CLI bootstrap. This tool drives shorewall as root, so PATH is pinned to
# system directories before any run_command(['shorewall', ...]) call below
# resolves the binary; nothing inherited from the caller's environment is used
# for lookup. (Listing is partial: lines between the numbered ones are not shown.)
22 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
# $> is the effective UID; everything below (cluster fs reads, shorewall) needs root.
26 die "please run as root\n" if $> != 0;
28 PVE
::INotify
::inotify_init
();
# Set up an RPC environment of type 'cli' for the command handlers registered below.
30 my $rpcenv = PVE
::RPCEnvironment-
>init('cli');
32 $rpcenv->init_request();
# LANG is passed through from the caller's environment as-is; presumably it only
# selects the message language — NOTE(review): confirm set_language() validates it.
33 $rpcenv->set_language($ENV{LANG
});
# Every operation of this CLI is attributed to root@pam, i.e. the local root
# invocation is treated as the superuser of the API.
34 $rpcenv->set_user('root@pam');
# Body of parse_fw_rules($filename, $fh) — the sub header and several lines are
# not shown in this listing. Reads a per-VM rule file line by line and returns a
# hash of the form { in => [rules], out => [rules] }, switching the target
# section on '[in]' / '[out]' header lines.
38 my ($filename, $fh) = @_;
42 my $res = { in => [], out
=> [] };
# Known shorewall macro names; used below to accept only SERVICE(ACTION) forms
# whose service is a defined macro.
44 my $macros = PVE
::Firewall
::get_shorewall_macros
();
46 while (defined(my $line = <$fh>)) {
# Skip comment lines and blank lines.
47 next if $line =~ m/^#/;
48 next if $line =~ m/^\s*$/;
50 if ($line =~ m/^\[(in|out)\]\s*$/i) {
# Column order of a rule line: action, interface, source, destination,
# protocol, destination port, source port (the split itself is not shown).
56 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
60 warn "skip incomplete line\n";
# Action must be one of the three plain verbs, or a macro wrapper such as
# SSH(ACCEPT); an unknown macro name or verb is warned about (handling of the
# rejected line continues in lines not shown here — presumably 'next').
65 if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
67 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
68 ($service, $action) = ($1, $2);
69 if (!$macros->{$service}) {
70 warn "unknown service '$service'\n";
74 warn "unknown action '$action'\n";
# '-' means "unset"; anything else must be one of the fixed guest NIC names.
78 $iface = undef if $iface && $iface eq '-';
79 if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
80 warn "unknown interface '$iface'\n";
84 $proto = undef if $proto && $proto eq '-';
85 if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
# TODO: message typo ('protokol'); left unchanged here as it is a runtime string.
86 warn "unknown protokol '$proto'\n";
# NOTE(review): unlike action/interface/protocol, source and destination are
# only normalised ('-' -> undef) — the syntax checks are commented out. Whatever
# text appears in these columns is passed on (via the $rule pushed below) to
# PVE::Firewall::compile, which writes shorewall configuration. Unless compile()
# validates or quotes these fields (not visible here), a rule file author could
# place shorewall syntax (e.g. extra columns, list separators) in them — confirm
# before relying on this parser as the trust boundary.
90 $source = undef if $source && $source eq '-';
92 # if ($source !~ m/^(XYZ)$/) {
93 # warn "unknown source '$source'\n";
97 $dest = undef if $dest && $dest eq '-';
98 # if ($dest !~ m/^XYZ)$/) {
99 # warn "unknown destination '$dest'\n";
# Ports likewise get only the '-' normalisation, no range/number check here.
103 $dport = undef if $dport && $dport eq '-';
104 $sport = undef if $sport && $sport eq '-';
# $section and $rule are set in lines not shown; $section is presumably the
# last '[in]'/'[out]' header seen.
117 push @{$res->{$section}}, $rule;
# Collect the configuration of every local QEMU VM (listing is partial: the
# declarations of $openvz/$qemu, loop/brace closings and the return are not
# shown). Configs are read from the cluster filesystem via PVE::Cluster.
123 sub read_local_vm_config
{
129 my $list = PVE
::QemuServer
::config_list
();
131 foreach my $vmid (keys %$list) {
# Leftover debug filter; harmless while commented out.
132 # next if $vmid ne '100';
133 my $cfspath = PVE
::QemuServer
::cfs_config_path
($vmid);
# A VM whose config cannot be read is silently skipped (no else branch visible).
134 if (my $conf = PVE
::Cluster
::cfs_read_file
($cfspath)) {
135 $qemu->{$vmid} = $conf;
# Result shape consumed by read_vm_firewall_rules(): { openvz => {...}, qemu => {...} }.
139 my $vmdata = { openvz
=> $openvz, qemu
=> $qemu };
# Parse the per-VM rule file for every VM id present in $vmdata (argument
# unpacking and $rules declaration are in lines not shown). Returns a hash
# keyed by vmid — presumably; the return line is not visible.
144 sub read_vm_firewall_rules
{
147 foreach my $vmid (keys %{$vmdata->{qemu
}}, keys %{$vmdata->{openvz
}}) {
# $vmid comes from the config-list hash keys, not from user input, so the path
# is not directly attacker-controlled; the .fw file content itself is the
# untrusted-ish input handled by parse_fw_rules().
148 my $filename = "/etc/pve/firewall/$vmid.fw";
149 my $fh = IO
::File-
>new($filename, O_RDONLY
);
# NOTE(review): IO::File->new returns undef when the file is missing; lines
# 150-151 are not shown — confirm there is a 'next if !$fh;' style guard before
# the handle is read from below.
152 $rules->{$vmid} = parse_fw_rules
($filename, $fh);
# 'compile' command: gather VM configs and rule files, write the shorewall
# configuration under /etc/shorewall, then have shorewall compile it.
# (name/parameters keys and the code => sub wrapper are in lines not shown.)
158 __PACKAGE__-
>register_method ({
162 description
=> "Compile firewall rules.",
# Reject any unknown parameters.
164 additionalProperties
=> 0,
167 returns
=> { type
=> 'null' },
172 my $vmdata = read_local_vm_config
();
173 my $rules = read_vm_firewall_rules
($vmdata);
175 # print Dumper($vmdata);
177 my $swdir = '/etc/shorewall';
# compile() is where the parsed (partly unvalidated, see parse_fw_rules) fields
# end up in shorewall config files.
180 PVE
::Firewall
::compile
($swdir, $vmdata, $rules);
# List-form run_command: no shell involved; binary resolved via the pinned PATH.
182 PVE
::Tools
::run_command
(['shorewall', 'compile']);
# 'start' command: thin wrapper around 'shorewall start' (list form, no shell).
# name/parameters keys and the code => sub wrapper are in lines not shown.
188 __PACKAGE__-
>register_method ({
192 description
=> "Start firewall.",
194 additionalProperties
=> 0,
197 returns
=> { type
=> 'null' },
202 PVE
::Tools
::run_command
(['shorewall', 'start']);
# 'stop' command: thin wrapper around 'shorewall stop' (list form, no shell).
# name/parameters keys and the code => sub wrapper are in lines not shown.
207 __PACKAGE__-
>register_method ({
211 description
=> "Stop firewall.",
213 additionalProperties
=> 0,
216 returns
=> { type
=> 'null' },
221 PVE
::Tools
::run_command
(['shorewall', 'stop']);
# 'clear' command: drops every rule shorewall installed, leaving the host open.
# The description already states this; there is no confirmation prompt visible,
# so callers must treat this as a deliberately destructive operation.
# name/parameters keys and the code => sub wrapper are in lines not shown.
226 __PACKAGE__-
>register_method ({
230 description
=> "Clear will remove all rules installed by this script. The host is then unprotected.",
232 additionalProperties
=> 0,
235 returns
=> { type
=> 'null' },
240 PVE
::Tools
::run_command
(['shorewall', 'clear']);
# Command dispatch table and entry point. $nodename's use, the '$cmddef = {'
# opener and the '$cmd = shift' line are not shown in this listing.
245 my $nodename = PVE
::INotify
::nodename
();
# Each entry: [ package, method name, positional argument names ]; all four
# commands take no positional arguments.
248 compile
=> [ __PACKAGE__
, 'compile', []],
249 start
=> [ __PACKAGE__
, 'start', []],
250 stop
=> [ __PACKAGE__
, 'stop', []],
251 clear
=> [ __PACKAGE__
, 'clear', []],
# Hand the remaining argv to the generic CLI handler under the 'pvefw' name.
256 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);