1 #!/usr/bin/perl -w
2
3 use strict;
4 use lib qw(.);
5 use PVE::Firewall;
6
7 use PVE::SafeSyslog;
8 use PVE::Cluster;
9 use PVE::INotify;
10 use PVE::RPCEnvironment;
11
12 use PVE::JSONSchema qw(get_standard_option);
13
14 use PVE::CLIHandler;
15
16 use base qw(PVE::CLIHandler);
17
# Process-wide setup. Everything below runs as root, so the environment is
# pinned first: a fixed PATH for the external commands spawned later
# (shorewall), then the syslog tag, then the cluster/RPC plumbing.
#
# NOTE(review): 'use lib qw(.)' above adds the current working directory to
# @INC. For a root-run script that means modules can be picked up from
# whatever directory it is invoked from; this looks like a development
# convenience - confirm it is not present in the installed copy.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog('pvefw');

# Rule manipulation needs root; check the effective UID and bail out early.
if ($> != 0) {
    die "please run as root\n";
}

PVE::INotify::inotify_init();

# CLI-flavoured RPC environment, acting as root@pam for the whole run.
my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
31
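__PACKAGE__->register_method({
    name => 'enablevmfw',
    path => 'enablevmfw',
    method => 'POST',
    description => "Enable firewall rules for the network interfaces of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
                description => "Only handle this interface (e.g. 'net0'). Default is all interfaces.",
                optional => 1
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        # Interface keys in the VM config look like 'net<N>'. Reject anything
        # else up front rather than silently matching no interface at all.
        die "invalid netid '$netid'\n"
            if defined($netid) && $netid !~ m/\Anet\d+\z/;

        # Also serves as the VM-existence check (the original comment relied
        # on load_config failing for an unknown VMID). PVE::QemuServer is not
        # 'use'd in this file; presumably loaded via PVE::Firewall - verify.
        my $conf = PVE::QemuServer::load_config($vmid);

        foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net\d+$/;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
            # String comparison. The previous numeric '!=' coerced both
            # 'netN' strings to 0, so the netid filter never excluded any
            # interface (and warned under -w).
            next if defined($netid) && $opt ne $netid;
            PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
        }

        return undef;
    }});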
66
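__PACKAGE__->register_method({
    name => 'disablevmfw',
    path => 'disablevmfw',
    method => 'POST',
    description => "Flush firewall rules for the network interfaces of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => {
                type => 'string',
                description => "Only handle this interface (e.g. 'net0'). Default is all interfaces.",
                optional => 1
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $vmid = $param->{vmid};
        my $netid = $param->{netid};

        # Interface keys in the VM config look like 'net<N>'. Reject anything
        # else up front rather than silently matching no interface at all.
        die "invalid netid '$netid'\n"
            if defined($netid) && $netid !~ m/\Anet\d+\z/;

        # Also serves as the VM-existence check (the original comment relied
        # on load_config failing for an unknown VMID). PVE::QemuServer is not
        # 'use'd in this file; presumably loaded via PVE::Firewall - verify.
        my $conf = PVE::QemuServer::load_config($vmid);

        foreach my $opt (keys %$conf) {
            next if $opt !~ m/^net\d+$/;
            my $net = PVE::QemuServer::parse_net($conf->{$opt});
            next if !$net;
            # String comparison. The previous numeric '!=' coerced both
            # 'netN' strings to 0, so the netid filter never excluded any
            # interface (and warned under -w).
            next if defined($netid) && $opt ne $netid;
            PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
        }

        return undef;
    }});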
102
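# 'description' added for consistency with compile/start/restart/stop/clear,
# which already carry one (it feeds the CLI help output).
__PACKAGE__->register_method({
    name => 'enablegroup',
    path => 'enablegroup',
    method => 'POST',
    description => "Enable the rules of a security group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => {
                type => 'string',
                description => "Security group name.",
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Only 'string' is enforced by the schema; any further validation of
        # the group name happens inside enable_group_rules, if at all.
        PVE::Firewall::enable_group_rules($param->{securitygroup});

        return undef;
    }});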
124
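# 'description' added for consistency with compile/start/restart/stop/clear,
# which already carry one (it feeds the CLI help output).
__PACKAGE__->register_method({
    name => 'disablegroup',
    path => 'disablegroup',
    method => 'POST',
    description => "Disable the rules of a security group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => {
                type => 'string',
                description => "Security group name.",
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Only 'string' is enforced by the schema; any further validation of
        # the group name happens inside disable_group_rules, if at all.
        PVE::Firewall::disable_group_rules($param->{securitygroup});

        return undef;
    }});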
147
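# 'description' added for consistency with the other commands; the unused
# $param unpack is dropped since this method takes no properties.
__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    description => "Enable host firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        # Delegates entirely to PVE::Firewall.
        PVE::Firewall::enablehostfw();

        return undef;
    }});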
165
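# 'description' added for consistency with the other commands; the unused
# $param unpack is dropped since this method takes no properties.
__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    description => "Disable host firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        # Delegates entirely to PVE::Firewall.
        PVE::Firewall::disablehostfw();

        return undef;
    }});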
183
__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    returns => { type => 'null' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    code => sub {
        # No parameters to unpack; the work is done by PVE::Firewall.
        PVE::Firewall::compile();
        return undef;
    }});
202
__PACKAGE__->register_method ({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start firewall.",
    returns => { type => 'null' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    code => sub {
        # No parameters to unpack. Same entry point as 'restart', which
        # passes a single true argument.
        PVE::Firewall::compile_and_start();
        return undef;
    }});
221
__PACKAGE__->register_method ({
    name => 'restart',
    path => 'restart',
    method => 'POST',
    description => "Restart firewall.",
    returns => { type => 'null' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    code => sub {
        # No parameters to unpack. The true argument is what distinguishes
        # this from 'start'; presumably a restart flag - confirm in
        # PVE::Firewall::compile_and_start.
        PVE::Firewall::compile_and_start(1);
        return undef;
    }});
240
__PACKAGE__->register_method ({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall.",
    returns => { type => 'null' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    code => sub {
        # Hands off to shorewall. List-form run_command, so no shell is
        # involved and PATH (pinned at the top of the script) resolves the
        # binary. PVE::Tools is not 'use'd in this file; presumably pulled in
        # by one of the other PVE modules above - verify.
        PVE::Tools::run_command(['shorewall', 'stop']);
        return undef;
    }});
259
__PACKAGE__->register_method ({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    returns => { type => 'null' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    code => sub {
        # Hands off to shorewall. List-form run_command, so no shell is
        # involved and PATH (pinned at the top of the script) resolves the
        # binary. As the description says, this leaves the host without any
        # of the rules this script installs.
        PVE::Tools::run_command(['shorewall', 'clear']);
        return undef;
    }});
278
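# Map CLI sub-commands to the API methods registered above. Each entry is
# [class, method name, positional parameters]; none of the commands take
# positional parameters, so the last element is always an empty list.
# (The previously assigned $nodename was never read and has been removed.)
my $cmddef = {
    compile => [ __PACKAGE__, 'compile', []],
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    clear => [ __PACKAGE__, 'clear', []],
    enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
    disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
    enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
    disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
    enablegroup => [ __PACKAGE__, 'enablegroup', []],
    disablegroup => [ __PACKAGE__, 'disablegroup', []],
};

# First argument selects the sub-command; the rest is handed to the
# CLI handler together with the definition table and the program name.
my $cmd = shift @ARGV;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);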