pvefw

   1 #!/usr/bin/perl -w
   2
   3 use strict;
   4 use lib qw(.);
   5 use PVE::Firewall;
   6
   7 use PVE::SafeSyslog;
   8 use PVE::Cluster;
   9 use PVE::INotify;
  10 use PVE::RPCEnvironment;
  11
  12 use PVE::JSONSchema qw(get_standard_option);
  13
  14 use PVE::CLIHandler;
  15
  16 use base qw(PVE::CLIHandler);
  17
  18 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
  19
  20 initlog ('pvefw');
  21
  22 die "please run as root\n" if $> != 0;
  23
  24 PVE::INotify::inotify_init();
  25
  26 my $rpcenv = PVE::RPCEnvironment->init('cli');
  27
  28 $rpcenv->init_request();
  29 $rpcenv->set_language($ENV{LANG});
  30 $rpcenv->set_user('root@pam');
  31
  32 __PACKAGE__->register_method({
  33     name => 'enabletaprules',
  34     path => 'enabletaprules',
  35     method => 'POST',
  36     parameters => {
  37         additionalProperties => 0,
  38         properties => {
  39             vmid => get_standard_option('pve-vmid'),
  40             netid => {
  41                 type => 'string',
  42             },
  43
  44         },
  45     },
  46     returns => { type => 'null' },
  47     code => sub {
  48         my ($param) = @_;
  49
  50         # test if VM exists
  51         my $vmid = $param->{vmid};
  52         my $netid = $param->{netid};
  53
  54         my $conf = PVE::QemuServer::load_config($vmid);
  55         my $net = PVE::QemuServer::parse_net($conf->{$netid});
  56
  57         PVE::Firewall::generate_tap_rules($net, $netid, $vmid);
  58
  59         return undef;
  60     }});
  61
  62 __PACKAGE__->register_method({
  63     name => 'disabletaprules',
  64     path => 'disabletaprules',
  65     method => 'POST',
  66     parameters => {
  67         additionalProperties => 0,
  68         properties => {
  69             vmid => get_standard_option('pve-vmid'),
  70             netid => {
  71                 type => 'string',
  72             },
  73
  74         },
  75     },
  76     returns => { type => 'null' },
  77     code => sub {
  78         my ($param) = @_;
  79
  80         # test if VM exists
  81         my $vmid = $param->{vmid};
  82         my $netid = $param->{netid};
  83
  84         my $conf = PVE::QemuServer::load_config($vmid);
  85         my $net = PVE::QemuServer::parse_net($conf->{$netid});
  86
  87         PVE::Firewall::flush_tap_rules($net, $netid, $vmid);
  88
  89         return undef;
  90     }});
  91
  92 __PACKAGE__->register_method ({
  93     name => 'compile',
  94     path => 'compile',
  95     method => 'POST',
  96     description => "Compile firewall rules.",
  97     parameters => {
  98         additionalProperties => 0,
  99         properties => {},
 100     },
 101     returns => { type => 'null' },
 102
 103     code => sub {
 104         my ($param) = @_;
 105
 106         PVE::Firewall::compile();
 107
 108         return undef;
 109     }});
 110
 111 __PACKAGE__->register_method ({
 112     name => 'start',
 113     path => 'start',
 114     method => 'POST',
 115     description => "Start firewall.",
 116     parameters => {
 117         additionalProperties => 0,
 118         properties => {},
 119     },
 120     returns => { type => 'null' },
 121
 122     code => sub {
 123         my ($param) = @_;
 124
 125         PVE::Firewall::compile_and_start();
 126
 127         return undef;
 128     }});
 129
 130 __PACKAGE__->register_method ({
 131     name => 'restart',
 132     path => 'restart',
 133     method => 'POST',
 134     description => "Restart firewall.",
 135     parameters => {
 136         additionalProperties => 0,
 137         properties => {},
 138     },
 139     returns => { type => 'null' },
 140
 141     code => sub {
 142         my ($param) = @_;
 143
 144         PVE::Firewall::compile_and_start(1);
 145
 146         return undef;
 147     }});
 148
 149 __PACKAGE__->register_method ({
 150     name => 'stop',
 151     path => 'stop',
 152     method => 'POST',
 153     description => "Stop firewall.",
 154     parameters => {
 155         additionalProperties => 0,
 156         properties => {},
 157     },
 158     returns => { type => 'null' },
 159
 160     code => sub {
 161         my ($param) = @_;
 162
 163         PVE::Tools::run_command(['shorewall', 'stop']);
 164
 165         return undef;
 166     }});
 167
 168 __PACKAGE__->register_method ({
 169     name => 'clear',
 170     path => 'clear',
 171     method => 'POST',
 172     description => "Clear will remove all rules installed by this script. The host is then unprotected.",
 173     parameters => {
 174         additionalProperties => 0,
 175         properties => {},
 176     },
 177     returns => { type => 'null' },
 178
 179     code => sub {
 180         my ($param) = @_;
 181
 182         PVE::Tools::run_command(['shorewall', 'clear']);
 183
 184         return undef;
 185     }});
 186
 187 my $nodename = PVE::INotify::nodename();
 188
 189 my $cmddef = {
 190     compile => [ __PACKAGE__, 'compile', []],
 191     start => [ __PACKAGE__, 'start', []],
 192     restart => [ __PACKAGE__, 'restart', []],
 193     stop => [ __PACKAGE__, 'stop', []],
 194     clear => [ __PACKAGE__, 'clear', []],
 195     enabletaprules => [ __PACKAGE__, 'enabletaprules', []],
 196     disabletaprules => [ __PACKAGE__, 'disabletaprules', []],
 197 };
 198
 199 my $cmd = shift;
 200
 201 PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
 202
 203 exit(0);
 204