]> git.proxmox.com Git - pve-firewall.git/blob - src/pve-firewall
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add init function
[pve-firewall.git] / src / pve-firewall
1 #!/usr/bin/perl
2
3 use strict;
4 use warnings;
5 use PVE::SafeSyslog;
6 use POSIX ":sys_wait_h";
7 use Fcntl ':flock';
8 use Getopt::Long;
9 use Time::HiRes qw (gettimeofday);
10 use PVE::Tools qw(dir_glob_foreach file_read_firstline);
11 use PVE::INotify;
12 use PVE::Cluster qw(cfs_read_file);
13 use PVE::RPCEnvironment;
14 use PVE::CLIHandler;
15 use PVE::Firewall;
16
17 use base qw(PVE::CLIHandler);
18
19 my $pve_firewall_pidfile = "/var/run/pve-firewall.pid";
20
21 $SIG{'__WARN__'} = sub {
22 my $err = $@;
23 my $t = $_[0];
24 chomp $t;
25 print "$t\n";
26 syslog('warning', "WARNING: %s", $t);
27 $@ = $err;
28 };
29
30 initlog('pve-firewall');
31
32 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
33
34 die "please run as root\n" if $> != 0;
35
36 PVE::INotify::inotify_init();
37
38 my $rpcenv = PVE::RPCEnvironment->init('cli');
39
40 $rpcenv->init_request();
41 $rpcenv->set_language($ENV{LANG});
42 $rpcenv->set_user('root@pam');
43
44 my $commandline = [$0, @ARGV];
45
46 $0 = "pve-firewall";
47
48 sub restart_server {
49 my ($waittime) = @_;
50
51 syslog('info', "server shutdown (restart)");
52
53 $ENV{RESTART_PVE_FIREWALL} = 1;
54
55 sleep($waittime) if $waittime; # avoid high server load due to restarts
56
57 exec (@$commandline);
58 exit (-1); # never reached?
59 }
60
61 sub cleanup {
62 unlink "$pve_firewall_pidfile.lock";
63 unlink $pve_firewall_pidfile;
64 }
65
66 sub lockpidfile {
67 my $pidfile = shift;
68 my $lkfn = "$pidfile.lock";
69
70 if (!open (FLCK, ">>$lkfn")) {
71 my $msg = "can't aquire lock on file '$lkfn' - $!";
72 syslog ('err', $msg);
73 die "ERROR: $msg\n";
74 }
75
76 if (!flock (FLCK, LOCK_EX|LOCK_NB)) {
77 close (FLCK);
78 my $msg = "can't aquire lock '$lkfn' - $!";
79 syslog ('err', $msg);
80 die "ERROR: $msg\n";
81 }
82 }
83
84 sub writepidfile {
85 my $pidfile = shift;
86
87 if (!open (PIDFH, ">$pidfile")) {
88 my $msg = "can't open pid file '$pidfile' - $!";
89 syslog ('err', $msg);
90 die "ERROR: $msg\n";
91 }
92 print PIDFH "$$\n";
93 close (PIDFH);
94 }
95
96 my $restart_request = 0;
97 my $next_update = 0;
98
99 my $cycle = 0;
100 my $updatetime = 10;
101
102 my $initial_memory_usage;
103
104 sub run_server {
105 my ($param) = @_;
106
107 # try to get the lock
108 lockpidfile($pve_firewall_pidfile);
109
110 # run in background
111 my $spid;
112
113 my $restart = $ENV{RESTART_PVE_FIREWALL};
114
115 delete $ENV{RESTART_PVE_FIREWALL};
116
117 PVE::Cluster::cfs_update();
118
119 PVE::Firewall::init();
120
121 if (!$param->{debug}) {
122 open STDIN, '</dev/null' || die "can't read /dev/null";
123 open STDOUT, '>/dev/null' || die "can't write /dev/null";
124 }
125
126 if (!$restart && !$param->{debug}) {
127 $spid = fork();
128 if (!defined ($spid)) {
129 my $msg = "can't put server into background - fork failed";
130 syslog('err', $msg);
131 die "ERROR: $msg\n";
132 } elsif ($spid) { # parent
133 exit (0);
134 }
135 }
136
137 writepidfile($pve_firewall_pidfile);
138
139 open STDERR, '>&STDOUT' || die "can't close STDERR\n";
140
141 $SIG{INT} = $SIG{TERM} = $SIG{QUIT} = sub {
142 syslog('info' , "server closing");
143
144 $SIG{INT} = 'DEFAULT';
145
146 # wait for children
147 1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
148
149 syslog('info' , "clear firewall rules");
150 eval { PVE::Firewall::remove_pvefw_chains(); die "STOP";};
151 warn $@ if $@;
152
153 cleanup();
154
155 exit (0);
156 };
157
158 $SIG{HUP} = sub {
159 # wake up process, so this forces an immediate firewall rules update
160 syslog('info' , "received signal HUP (restart)");
161 $restart_request = 1;
162 };
163
164 if ($restart) {
165 syslog('info' , "restarting server");
166 } else {
167 syslog('info' , "starting server");
168 }
169
170 for (;;) { # forever
171
172 eval {
173
174 local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
175
176 $next_update = time() + $updatetime;
177
178 my ($ccsec, $cusec) = gettimeofday ();
179 eval {
180 PVE::Cluster::cfs_update();
181 PVE::Firewall::update();
182 };
183 my $err = $@;
184
185 if ($err) {
186 syslog('err', "status update error: $err");
187 }
188
189 my ($ccsec_end, $cusec_end) = gettimeofday ();
190 my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
191
192 syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
193 if ($cptime > 5);
194
195 $cycle++;
196
197 my $mem = PVE::ProcFSTools::read_memory_usage();
198
199 if (!defined($initial_memory_usage) || ($cycle < 10)) {
200 $initial_memory_usage = $mem->{resident};
201 } else {
202 my $diff = $mem->{resident} - $initial_memory_usage;
203 if ($diff > 5*1024*1024) {
204 syslog ('info', "restarting server after $cycle cycles to " .
205 "reduce memory usage (free $mem->{resident} ($diff) bytes)");
206 restart_server();
207 }
208 }
209
210 my $wcount = 0;
211 while ((time() < $next_update) &&
212 ($wcount < $updatetime) && # protect against time wrap
213 !$restart_request) { $wcount++; sleep (1); };
214
215 restart_server() if $restart_request;
216 };
217
218 my $err = $@;
219
220 if ($err) {
221 syslog ('err', "ERROR: $err");
222 restart_server(5);
223 exit (0);
224 }
225 }
226 }
227
228 __PACKAGE__->register_method ({
229 name => 'start',
230 path => 'start',
231 method => 'POST',
232 description => "Start the Proxmox VE firewall service.",
233 parameters => {
234 additionalProperties => 0,
235 properties => {
236 debug => {
237 description => "Debug mode - stay in foreground",
238 type => "boolean",
239 optional => 1,
240 default => 0,
241 },
242 },
243 },
244 returns => { type => 'null' },
245
246 code => sub {
247 my ($param) = @_;
248
249 run_server($param);
250
251 return undef;
252 }});
253
254 __PACKAGE__->register_method ({
255 name => 'stop',
256 path => 'stop',
257 method => 'POST',
258 description => "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
259 parameters => {
260 additionalProperties => 0,
261 properties => {},
262 },
263 returns => { type => 'null' },
264
265 code => sub {
266 my ($param) = @_;
267
268 my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
269
270 if ($pid) {
271 if (PVE::ProcFSTools::check_process_running($pid)) {
272 kill(15, $pid); # send TERM signal
273 # give max 5 seconds to shut down
274 for (my $i = 0; $i < 5; $i++) {
275 last if !PVE::ProcFSTools::check_process_running($pid);
276 sleep (1);
277 }
278
279 # to be sure
280 kill(9, $pid);
281 waitpid($pid, 0);
282 }
283 if (-f $pve_firewall_pidfile) {
284 # try to get the lock
285 lockpidfile($pve_firewall_pidfile);
286 cleanup();
287 }
288 }
289
290 return undef;
291 }});
292
293 __PACKAGE__->register_method ({
294 name => 'status',
295 path => 'status',
296 method => 'GET',
297 description => "Get firewall status.",
298 parameters => {
299 additionalProperties => 0,
300 properties => {},
301 },
302 returns => {
303 type => 'object',
304 additionalProperties => 0,
305 properties => {
306 status => {
307 type => 'string',
308 enum => ['unknown', 'stopped', 'active'],
309 },
310 changes => {
311 description => "Set when there are pending changes.",
312 type => 'boolean',
313 optional => 1,
314 }
315 },
316 },
317 code => sub {
318 my ($param) = @_;
319
320 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
321
322 my $code = sub {
323
324 my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
325 my $running = PVE::ProcFSTools::check_process_running($pid);
326
327 my $status = $running ? 'active' : 'stopped';
328
329 my $res = { status => $status };
330 if ($status eq 'active') {
331 my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
332
333 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
334 my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
335
336 $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
337 }
338
339 return $res;
340 };
341
342 return PVE::Firewall::run_locked($code);
343 }});
344
345 __PACKAGE__->register_method ({
346 name => 'compile',
347 path => 'compile',
348 method => 'POST',
349 description => "Compile and print firewall rules. This is useful for testing.",
350 parameters => {
351 additionalProperties => 0,
352 properties => {},
353 },
354 returns => { type => 'null' },
355
356 code => sub {
357 my ($param) = @_;
358
359 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
360
361 my $code = sub {
362 my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
363
364 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
365 my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
366 if ($ipset_changes || $ruleset_changes) {
367 print "detected changes\n";
368 } else {
369 print "no changes\n";
370 }
371 };
372
373 PVE::Firewall::run_locked($code);
374
375 return undef;
376 }});
377
378 my $nodename = PVE::INotify::nodename();
379
380 my $cmddef = {
381 start => [ __PACKAGE__, 'start', []],
382 stop => [ __PACKAGE__, 'stop', []],
383 compile => [ __PACKAGE__, 'compile', []],
384 status => [ __PACKAGE__, 'status', [], undef, sub {
385 my $res = shift;
386 if ($res->{changes}) {
387 print "Status: $res->{status} (pending changes)\n";
388 } else {
389 print "Status: $res->{status}\n";
390 }
391 }],
392 };
393
394 my $cmd = shift;
395
396 PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);
397
398 exit (0);
399
400 __END__
401
402 =head1 NAME
403
404 pve-firewall - PVE Firewall Daemon
405
406 =head1 SYNOPSIS
407
408 =include synopsis
409
410 =head1 DESCRIPTION
411
412 This service updates iptables rules periodically.
413
414 =include pve_copyright
Firewall test scripts