1 #!/usr/bin/perl -w
2
3 use strict;
4 use lib qw(.);
5 use PVE::Firewall;
6
7 use PVE::SafeSyslog;
8 use PVE::Cluster;
9 use PVE::INotify;
10 use PVE::RPCEnvironment;
11
12 use PVE::JSONSchema qw(get_standard_option);
13
14 use PVE::CLIHandler;
15
16 use base qw(PVE::CLIHandler);
17
# Pin a fixed, trusted search path for every external command this tool
# spawns (shorewall below, and whatever PVE::Firewall runs); the caller's
# PATH is deliberately ignored.
# NOTE(review): `use lib qw(.)` in the preamble prepends the current
# working directory to @INC, so running this as root from an untrusted
# directory could pick up a planted PVE::*.pm ahead of the installed one;
# that pragma undoes part of the hardening done here.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog('pvefw');

# Installing and flushing firewall rules needs root; bail out early on
# any other effective UID.
if ($> != 0) {
    die "please run as root\n";
}

PVE::INotify::inotify_init();

# CLI flavour of the RPC environment: one request, owned by root@pam,
# with messages in the caller's locale.
my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
31
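# Schema shared by the two tap-rule commands.  The netid is the key of a
# VM network device in the VM config (net0, net1, ...); the pattern
# rejects anything else before it reaches the config lookup or the rule
# generator.
my $netid_schema = {
    type => 'string',
    description => "Network device key of the VM (net0, net1, ...).",
    pattern => '^net\d+$',
};

# Resolve the parsed network device description for one VM NIC.
#
# Both tap-rule commands need the same lookup: load the VM config and
# parse the entry stored under $netid.  Returns the parsed net hash.
# Dies when the config has no such entry or the entry cannot be parsed;
# previously an undefined description was passed straight through to
# PVE::Firewall, despite the "test if VM exists" comment promising a
# check.
# NOTE(review): PVE::QemuServer is not `use`d by this file; it presumably
# arrives transitively via PVE::Firewall - confirm, or import it
# explicitly.
sub _load_vm_net {
    my ($vmid, $netid) = @_;

    my $conf = PVE::QemuServer::load_config($vmid);

    my $raw = $conf->{$netid};
    die "VM $vmid has no network device '$netid'\n" if !defined($raw);

    my $net = PVE::QemuServer::parse_net($raw);
    die "unable to parse network device '$netid' of VM $vmid\n" if !$net;

    return $net;
}

__PACKAGE__->register_method({
    name => 'enabletaprules',
    path => 'enabletaprules',
    method => 'POST',
    description => "Install the firewall rules for one tap device of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => { %$netid_schema },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my ($vmid, $netid) = @{$param}{qw(vmid netid)};
        my $net = _load_vm_net($vmid, $netid);

        PVE::Firewall::generate_tap_rules($net, $netid, $vmid);

        # API convention in this file: a 'null' result is returned as undef.
        return undef;
    }});

__PACKAGE__->register_method({
    name => 'disabletaprules',
    path => 'disabletaprules',
    method => 'POST',
    description => "Remove the firewall rules of one tap device of a VM.",
    parameters => {
        additionalProperties => 0,
        properties => {
            vmid => get_standard_option('pve-vmid'),
            netid => { %$netid_schema },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my ($vmid, $netid) = @{$param}{qw(vmid netid)};
        my $net = _load_vm_net($vmid, $netid);

        PVE::Firewall::flush_tap_rules($net, $netid, $vmid);

        return undef;
    }});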
91
# `pvefw compile`: regenerate the rule set without activating it.
__PACKAGE__->register_method({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => 'Compile firewall rules.',
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;    # no parameters are defined for this command

        PVE::Firewall::compile();

        # A 'null' result is returned as undef, as everywhere in this file.
        return undef;
    },
});
110
# `pvefw start`: compile the rule set and activate it.
__PACKAGE__->register_method({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => 'Start firewall.',
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;    # no parameters are defined for this command

        PVE::Firewall::compile_and_start();

        return undef;
    },
});
129
# `pvefw restart`: same entry point as `start`, with a true first
# argument - presumably a "restart" flag inside PVE::Firewall; verify
# against compile_and_start() before relying on that reading.
__PACKAGE__->register_method({
    name => 'restart',
    path => 'restart',
    method => 'POST',
    description => 'Restart firewall.',
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;    # no parameters are defined for this command

        PVE::Firewall::compile_and_start(1);

        return undef;
    },
});
148
# `pvefw stop`: hand over to `shorewall stop`.
# NOTE(review): PVE::Tools is not `use`d by this file; the call below
# relies on it being loaded transitively by the other PVE modules.
__PACKAGE__->register_method({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => 'Stop firewall.',
    parameters => { additionalProperties => 0, properties => {} },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;    # no parameters are defined for this command

        # List form: argv is passed directly, no shell is involved.
        my @shorewall_stop = ('shorewall', 'stop');
        PVE::Tools::run_command(\@shorewall_stop);

        return undef;
    },
});
167
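# `pvefw clear`: flush every rule via `shorewall clear`.  Per its own
# description this leaves the host without filtering, so the action is
# recorded in the syslog opened by initlog('pvefw') before it happens -
# an unprotected host should show up in the logs, not only on the
# console of whoever ran the command.
__PACKAGE__->register_method ({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;    # no parameters are defined for this command

        # syslog() is exported by PVE::SafeSyslog alongside initlog().
        syslog('warning', "clearing all firewall rules - host is now unprotected");

        # List form: argv is passed directly, no shell is involved.
        PVE::Tools::run_command(['shorewall', 'clear']);

        # A 'null' result is returned as undef, as everywhere in this file.
        return undef;
    }});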
186
# NOTE(review): $nodename is never read anywhere in this file; it looks
# like a leftover and could be dropped together with the nodename() call.
my $nodename = PVE::INotify::nodename();

# Command table for the CLI handler: every sub-command maps onto the API
# method of the same name registered above, with no fixed positional
# arguments.
my @subcommands = qw(
    compile
    start
    restart
    stop
    clear
    enabletaprules
    disabletaprules
);

my $cmddef = {
    map { $_ => [ __PACKAGE__, $_, [] ] } @subcommands
};

# First command-line word selects the sub-command; the rest of @ARGV is
# parsed by the handler against the method's parameter schema.
my $cmd = shift @ARGV;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);
204