13 use PVE
::RPCEnvironment
;
16 use PVE
::JSONSchema
qw(get_standard_option);
20 use base
qw(PVE::CLIHandler);
# Script-level setup. Reset PATH first so that the external commands run
# later (shorewall, via PVE::Tools::run_command) are resolved from a fixed
# list of system directories rather than the caller's environment.
22 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
# Refuse to continue unless the effective UID is root: every command this
# script exposes drives shorewall and reads cluster config under /etc/pve.
26 die "please run as root\n" if $> != 0;
28 PVE
::INotify
::inotify_init
();
# CLI RPC environment. The acting user is pinned to root@pam below rather
# than derived from the invoking user.
30 my $rpcenv = PVE
::RPCEnvironment-
>init('cli');
32 $rpcenv->init_request();
# NOTE(review): LANG is taken from the environment unfiltered; in the lines
# shown only PATH is reset, so other inherited variables also reach the
# shorewall child processes — confirm whether run_command scrubs them.
33 $rpcenv->set_language($ENV{LANG
});
34 $rpcenv->set_user('root@pam');
# Body of the rule-file parser (the enclosing sub header is not part of
# this listing); it is called as parse_fw_rules($filename, $fh) further
# below. Reads one rule per line from $fh and collects them per section.
37 my ($filename, $fh) = @_;
# Two sections are recognised: [in] and [out].
41 my $res = { in => [], out
=> [] };
43 while (defined(my $line = <$fh>)) {
# Comment lines and blank lines carry no rule.
44 next if $line =~ m/^#/;
45 next if $line =~ m/^\s*$/;
# Section header, matched case-insensitively.
47 if ($line =~ m/^\[(in|out)\]\s*$/i) {
53 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
# Every field is matched against a fixed, anchored whitelist before the
# rule is accepted; a value outside the list is reported via warn.
# (The skip after each warn is not in the lines shown — presumably `next`.)
56 if (!($action && $iface && $source && $dest)) {
57 warn "skip incomplete line\n";
61 if ($action !~ m/^(ACCEPT|DROP)$/) {
62 warn "unknown action '$action'\n";
66 if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) {
67 warn "unknown interface '$iface'\n";
71 if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
# Message text has a typo ("protokol"); it is a runtime string, left as is.
72 warn "unknown protokol '$proto'\n";
76 if ($source !~ m/^(any)$/) {
77 warn "unknown source '$source'\n";
81 if ($dest !~ m/^(any)$/) {
82 warn "unknown destination '$dest'\n";
# NOTE(review): no check of $dport/$sport is visible in this listing —
# confirm in the full file before those values are used in rule output.
# NOTE(review): if a rule line precedes the first section header,
# $section is undefined here and the rule would land under $res->{''};
# confirm a guard exists in the lines not shown.
96 push @{$res->{$section}}, $rule;
# Collects the configuration of the VMs on this node, keyed by VMID.
# Only the qemu side is visible in this listing; where $openvz is filled
# (or whether it stays empty) is in lines not shown.
102 sub read_local_vm_config
{
108 my $list = PVE
::QemuServer
::config_list
();
110 foreach my $vmid (keys %$list) {
# Each VM's config is read from the cluster filesystem path for its VMID.
111 my $cfspath = PVE
::QemuServer
::cfs_config_path
($vmid);
# A VM whose config cannot be read is silently left out of $qemu.
112 if (my $conf = PVE
::Cluster
::cfs_read_file
($cfspath)) {
113 $qemu->{$vmid} = $conf;
# Returned structure: { openvz => {...}, qemu => {...} } (see callers).
117 my $vmdata = { openvz
=> $openvz, qemu
=> $qemu };
# Reads the per-VM rule file for every VM known from read_local_vm_config
# and returns the parsed rules keyed by VMID. Where $vmdata and $rules are
# initialised is in lines not shown.
122 sub read_vm_firewall_rules
{
126 foreach my $vmid (keys %{$vmdata->{qemu
}}, keys %{$vmdata->{openvz
}}) {
# Rule files live on the cluster filesystem, one per VMID; $vmid comes from
# the config listing, not from user input.
127 my $filename = "/etc/pve/$vmid.fw";
# NOTE(review): IO::File->new returns undef when the file is missing or
# unreadable; the handling of that case (e.g. `next if !$fh;`) is in lines
# not shown — confirm it exists, otherwise parse_fw_rules reads from undef.
128 my $fh = IO
::File-
>new($filename, O_RDONLY
);
131 $rules->{$vmid} = parse_fw_rules
($filename, $fh);
# CLI method "compile": gathers VM configs and rule files, generates the
# shorewall configuration, then asks shorewall to compile it.
137 __PACKAGE__-
>register_method ({
141 description
=> "Compile firewall rules.",
143 additionalProperties
=> 0,
146 returns
=> { type
=> 'null' },
151 my $vmdata = read_local_vm_config
();
152 my $rules = read_vm_firewall_rules
();
# Leftover debugging aid, kept commented out.
154 # print Dumper($vmdata);
# Target directory for the generated shorewall configuration (hard-coded).
156 my $swdir = '/etc/shorewall';
159 PVE
::Firewall
::compile
($swdir, $vmdata, $rules);
# Command is passed as an array ref, i.e. a fixed argv with no user-
# controlled parts; presumably executed without a shell — confirm in
# PVE::Tools::run_command.
161 PVE
::Tools
::run_command
(['shorewall', 'compile']);
# CLI method "start": activates the previously compiled shorewall rules.
167 __PACKAGE__-
>register_method ({
171 description
=> "Start firewall.",
173 additionalProperties
=> 0,
176 returns
=> { type
=> 'null' },
# Fixed argv, no interpolated input.
181 PVE
::Tools
::run_command
(['shorewall', 'start']);
# CLI method "stop": stops shorewall (shorewall's own "stop" semantics
# apply; what traffic remains allowed afterwards is defined by shorewall,
# not by this script).
186 __PACKAGE__-
>register_method ({
190 description
=> "Stop firewall.",
192 additionalProperties
=> 0,
195 returns
=> { type
=> 'null' },
# Fixed argv, no interpolated input.
200 PVE
::Tools
::run_command
(['shorewall', 'stop']);
# CLI method "clear": removes every rule installed by this script. As the
# description states, the host is left unprotected afterwards — this is a
# deliberate, explicit action and has no confirmation step here.
205 __PACKAGE__-
>register_method ({
209 description
=> "Clear will remove all rules installed by this script. The host is then unprotected.",
211 additionalProperties
=> 0,
214 returns
=> { type
=> 'null' },
# Fixed argv, no interpolated input.
219 PVE
::Tools
::run_command
(['shorewall', 'clear']);
# Command dispatch. $nodename is computed but not used in the lines shown.
224 my $nodename = PVE
::INotify
::nodename
();
# Maps each sub-command name to the method registered above; every entry
# declares an empty positional-argument list (the opening of $cmddef is in
# a line not shown).
227 compile
=> [ __PACKAGE__
, 'compile', []],
228 start
=> [ __PACKAGE__
, 'start', []],
229 stop
=> [ __PACKAGE__
, 'stop', []],
230 clear
=> [ __PACKAGE__
, 'clear', []],
# Hands the remaining @ARGV to the generic CLI handler, which validates
# the sub-command against $cmddef before any method runs.
235 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);