10 use PVE
::RPCEnvironment
;
12 use PVE
::JSONSchema
qw(get_standard_option);
16 use base
qw(PVE::CLIHandler);
18 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
22 die "please run as root\n" if $> != 0;
24 PVE
::INotify
::inotify_init
();
26 my $rpcenv = PVE
::RPCEnvironment-
>init('cli');
28 $rpcenv->init_request();
29 $rpcenv->set_language($ENV{LANG
});
30 $rpcenv->set_user('root@pam');
32 __PACKAGE__-
>register_method ({
36 description
=> "Compile amd print firewall rules. This is only for testing.",
38 additionalProperties
=> 0,
41 description
=> "Verbose output.",
47 returns
=> { type
=> 'null' },
52 my $rpcenv = PVE
::RPCEnvironment
::get
();
55 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
58 my $ruleset = PVE
::Firewall
::compile
();
59 PVE
::Firewall
::get_ruleset_status
($ruleset, 1) if $param->{verbose
};
62 PVE
::Firewall
::run_locked
($code);
67 __PACKAGE__-
>register_method ({
71 description
=> "Get firewall status.",
73 additionalProperties
=> 0,
78 additionalProperties
=> 0,
82 enum
=> ['unknown', 'stopped', 'active'],
85 description
=> "Set when there are pending changes.",
94 my $rpcenv = PVE
::RPCEnvironment
::get
();
97 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
100 my $status = PVE
::Firewall
::read_pvefw_status
();
102 my $res = { status
=> $status };
103 if ($status eq 'active') {
104 my $ruleset = PVE
::Firewall
::compile
();
105 my $cmdlist = PVE
::Firewall
::get_rulset_cmdlist
($ruleset);
107 if ($cmdlist ne "*filter\nCOMMIT\n") {
115 return PVE
::Firewall
::run_locked
($code);
118 __PACKAGE__-
>register_method ({
122 description
=> "Start (or simply update if already active) firewall.",
124 additionalProperties
=> 0,
127 description
=> "Verbose output.",
134 returns
=> { type
=> 'null' },
139 PVE
::Firewall
::update
(1, $param->{verbose
});
144 __PACKAGE__-
>register_method ({
148 description
=> "Check firewall rules. Then update the rules if the firewall is active.",
150 additionalProperties
=> 0,
153 description
=> "Verbose output.",
160 returns
=> { type
=> 'null' },
165 PVE
::Firewall
::update
(0, $param->{verbose
});
170 __PACKAGE__-
>register_method ({
174 description
=> "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
176 additionalProperties
=> 0,
179 returns
=> { type
=> 'null' },
186 my $chash = PVE
::Firewall
::iptables_get_chains
();
187 my $cmdlist = "*filter\n";
188 my $rule = "INPUT -j PVEFW-INPUT";
189 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
190 $cmdlist .= "-D $rule\n";
192 $rule = "OUTPUT -j PVEFW-OUTPUT";
193 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
194 $cmdlist .= "-D $rule\n";
197 $rule = "FORWARD -j PVEFW-FORWARD";
198 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
199 $cmdlist .= "-D $rule\n";
202 foreach my $chain (keys %$chash) {
203 $cmdlist .= "-F $chain\n";
205 foreach my $chain (keys %$chash) {
206 $cmdlist .= "-X $chain\n";
208 $cmdlist .= "COMMIT\n";
210 PVE
::Firewall
::iptables_restore_cmdlist
($cmdlist);
212 PVE
::Firewall
::save_pvefw_status
('stopped');
215 PVE
::Firewall
::run_locked
($code);
220 my $nodename = PVE
::INotify
::nodename
();
223 compile
=> [ __PACKAGE__
, 'compile', []],
224 start
=> [ __PACKAGE__
, 'start', []],
225 update
=> [ __PACKAGE__
, 'update', []],
226 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
228 if ($res->{changes
}) {
229 print "Status: $res->{status} (pending changes)\n";
231 print "Status: $res->{status}\n";
234 stop
=> [ __PACKAGE__
, 'stop', []],
239 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);