fix iptables-restore - correctly add newline after COMMIT
[pve-firewall.git] / pvefw
1 #!/usr/bin/perl -w
2
3 use strict;
4 use lib qw(.);
5 use PVE::Firewall;
6
7 use PVE::SafeSyslog;
8 use PVE::Cluster;
9 use PVE::INotify;
10 use PVE::RPCEnvironment;
11
12 use PVE::JSONSchema qw(get_standard_option);
13
14 use PVE::CLIHandler;
15
16 use base qw(PVE::CLIHandler);
17
18 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
19
20 initlog ('pvefw');
21
22 die "please run as root\n" if $> != 0;
23
24 PVE::INotify::inotify_init();
25
26 my $rpcenv = PVE::RPCEnvironment->init('cli');
27
28 $rpcenv->init_request();
29 $rpcenv->set_language($ENV{LANG});
30 $rpcenv->set_user('root@pam');
31
32 __PACKAGE__->register_method({
33 name => 'enablevmfw',
34 path => 'enablevmfw',
35 method => 'POST',
36 parameters => {
37 additionalProperties => 0,
38 properties => {
39 vmid => get_standard_option('pve-vmid'),
40 netid => {
41 type => 'string',
42 optional => 1
43 },
44 },
45 },
46 returns => { type => 'null' },
47 code => sub {
48 my ($param) = @_;
49
50 # test if VM exists
51 my $vmid = $param->{vmid};
52 my $netid = $param->{netid};
53
54 my $code = sub {
55 my $conf = PVE::QemuServer::load_config($vmid);
56
57 foreach my $opt (keys %$conf) {
58 next if $opt !~ m/^net(\d+)$/;
59 my $net = PVE::QemuServer::parse_net($conf->{$opt});
60 next if !$net;
61 next if $netid && $opt != $netid;
62 PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
63 }
64 };
65
66 PVE::Firewall::run_locked($code);
67
68 return undef;
69 }});
70
71 __PACKAGE__->register_method({
72 name => 'disablevmfw',
73 path => 'disablevmfw',
74 method => 'POST',
75 parameters => {
76 additionalProperties => 0,
77 properties => {
78 vmid => get_standard_option('pve-vmid'),
79 netid => {
80 type => 'string',
81 optional => 1
82 },
83
84 },
85 },
86 returns => { type => 'null' },
87 code => sub {
88 my ($param) = @_;
89
90 # test if VM exists
91 my $vmid = $param->{vmid};
92 my $netid = $param->{netid};
93
94
95 my $code = sub {
96 my $conf = PVE::QemuServer::load_config($vmid);
97
98 foreach my $opt (keys %$conf) {
99 next if $opt !~ m/^net(\d+)$/;
100 my $net = PVE::QemuServer::parse_net($conf->{$opt});
101 next if !$net;
102 next if $netid && $opt != $netid;
103 PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
104 }
105 };
106
107 PVE::Firewall::run_locked($code);
108
109 return undef;
110 }});
111
112 __PACKAGE__->register_method({
113 name => 'enablegroup',
114 path => 'enablegroup',
115 method => 'POST',
116 parameters => {
117 additionalProperties => 0,
118 properties => {
119 securitygroup => {
120 type => 'string',
121 },
122 },
123 },
124 returns => { type => 'null' },
125 code => sub {
126 my ($param) = @_;
127
128 my $code = sub {
129 my $group = $param->{securitygroup};
130 PVE::Firewall::enable_group_rules($group);
131 };
132
133 PVE::Firewall::run_locked($code);
134
135 return undef;
136 }});
137
138 __PACKAGE__->register_method({
139 name => 'disablegroup',
140 path => 'disablegroup',
141 method => 'POST',
142 parameters => {
143 additionalProperties => 0,
144 properties => {
145 securitygroup => {
146 type => 'string',
147 },
148
149 },
150 },
151 returns => { type => 'null' },
152 code => sub {
153 my ($param) = @_;
154
155 my $code = sub {
156 my $group = $param->{securitygroup};
157 PVE::Firewall::disable_group_rules($group);
158 };
159
160 PVE::Firewall::run_locked($code);
161
162 return undef;
163 }});
164
165 __PACKAGE__->register_method({
166 name => 'enablehostfw',
167 path => 'enablehostfw',
168 method => 'POST',
169 parameters => {
170 additionalProperties => 0,
171 properties => {},
172 },
173 returns => { type => 'null' },
174
175 code => sub {
176 my ($param) = @_;
177
178 my $code = sub {
179 PVE::Firewall::enablehostfw();
180 };
181
182 PVE::Firewall::run_locked($code);
183
184 return undef;
185 }});
186
187 __PACKAGE__->register_method({
188 name => 'disablehostfw',
189 path => 'disablehostfw',
190 method => 'POST',
191 parameters => {
192 additionalProperties => 0,
193 properties => {},
194 },
195 returns => { type => 'null' },
196
197 code => sub {
198 my ($param) = @_;
199
200 my $code = sub {
201 PVE::Firewall::disablehostfw();
202 };
203
204 PVE::Firewall::run_locked($code);
205
206 return undef;
207 }});
208
209 __PACKAGE__->register_method ({
210 name => 'compile',
211 path => 'compile',
212 method => 'POST',
213 description => "Compile firewall rules.",
214 parameters => {
215 additionalProperties => 0,
216 properties => {},
217 },
218 returns => { type => 'null' },
219
220 code => sub {
221 my ($param) = @_;
222
223 my $code = sub {
224 PVE::Firewall::compile();
225 };
226
227 PVE::Firewall::run_locked($code);
228
229 return undef;
230 }});
231
232 __PACKAGE__->register_method ({
233 name => 'start',
234 path => 'start',
235 method => 'POST',
236 description => "Start (or restart if already active) firewall.",
237 parameters => {
238 additionalProperties => 0,
239 properties => {},
240 },
241 returns => { type => 'null' },
242
243 code => sub {
244 my ($param) = @_;
245
246 my $code = sub {
247 PVE::Firewall::compile_and_start();
248 };
249
250 PVE::Firewall::run_locked($code);
251
252 return undef;
253 }});
254
255 __PACKAGE__->register_method ({
256 name => 'stop',
257 path => 'stop',
258 method => 'POST',
259 description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
260 parameters => {
261 additionalProperties => 0,
262 properties => {},
263 },
264 returns => { type => 'null' },
265
266 code => sub {
267 my ($param) = @_;
268
269 my $code = sub {
270 die "implement me";
271 };
272
273 PVE::Firewall::run_locked($code);
274
275 return undef;
276 }});
277
278 my $nodename = PVE::INotify::nodename();
279
280 my $cmddef = {
281 compile => [ __PACKAGE__, 'compile', []],
282 start => [ __PACKAGE__, 'start', []],
283 restart => [ __PACKAGE__, 'restart', []],
284 stop => [ __PACKAGE__, 'stop', []],
285 enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
286 disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
287 enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
288 disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
289 enablegroup => [ __PACKAGE__, 'enablegroup', []],
290 disablegroup => [ __PACKAGE__, 'disablegroup', []],
291 };
292
293 my $cmd = shift;
294
295 PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
296
297 exit(0);
298