12 use PVE
::RPCEnvironment
;
14 use PVE
::JSONSchema
qw(get_standard_option);
17 use PVE
::API2
::Firewall
::Groups
;
19 use base
qw(PVE::CLIHandler);
# Pin PATH so every command this script spawns resolves only from the
# system directories, regardless of the invoking user's environment.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

# Everything below needs root; fail early with a plain message
# (trailing newline suppresses the "at line N" suffix).
die "please run as root\n" unless $> == 0;

PVE::INotify::inotify_init();

# Build a CLI RPC environment and run the remainder as root@pam.
my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
37 __PACKAGE__-
>register_method ({
41 description
=> "Compile amd print firewall rules. This is only for testing.",
43 additionalProperties
=> 0,
46 description
=> "Verbose output.",
52 returns
=> { type
=> 'null' },
57 my $rpcenv = PVE
::RPCEnvironment
::get
();
60 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
63 my $ruleset = PVE
::Firewall
::compile
();
64 PVE
::Firewall
::get_ruleset_status
($ruleset, 1) if $param->{verbose
};
67 PVE
::Firewall
::run_locked
($code);
72 __PACKAGE__-
>register_method ({
76 description
=> "Get firewall status.",
78 additionalProperties
=> 0,
83 additionalProperties
=> 0,
87 enum
=> ['unknown', 'stopped', 'active'],
90 description
=> "Set when there are pending changes.",
99 my $rpcenv = PVE
::RPCEnvironment
::get
();
101 $param->{verbose
} = 1
102 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
105 my $status = PVE
::Firewall
::read_pvefw_status
();
107 my $res = { status
=> $status };
108 if ($status eq 'active') {
109 my $ruleset = PVE
::Firewall
::compile
();
110 my $cmdlist = PVE
::Firewall
::get_rulset_cmdlist
($ruleset);
112 if ($cmdlist ne "*filter\nCOMMIT\n") {
120 return PVE
::Firewall
::run_locked
($code);
123 __PACKAGE__-
>register_method ({
127 description
=> "Start (or simply update if already active) firewall.",
129 additionalProperties
=> 0,
132 description
=> "Verbose output.",
139 returns
=> { type
=> 'null' },
144 PVE
::Firewall
::update
(1, $param->{verbose
});
149 __PACKAGE__-
>register_method ({
153 description
=> "Check firewall rules. Then update the rules if the firewall is active.",
155 additionalProperties
=> 0,
158 description
=> "Verbose output.",
165 returns
=> { type
=> 'null' },
170 PVE
::Firewall
::update
(0, $param->{verbose
});
175 __PACKAGE__-
>register_method ({
179 description
=> "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
181 additionalProperties
=> 0,
184 returns
=> { type
=> 'null' },
191 my $chash = PVE
::Firewall
::iptables_get_chains
();
192 my $cmdlist = "*filter\n";
193 my $rule = "INPUT -j PVEFW-INPUT";
194 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
195 $cmdlist .= "-D $rule\n";
197 $rule = "OUTPUT -j PVEFW-OUTPUT";
198 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
199 $cmdlist .= "-D $rule\n";
202 $rule = "FORWARD -j PVEFW-FORWARD";
203 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
204 $cmdlist .= "-D $rule\n";
207 foreach my $chain (keys %$chash) {
208 $cmdlist .= "-F $chain\n";
210 foreach my $chain (keys %$chash) {
211 $cmdlist .= "-X $chain\n";
213 $cmdlist .= "COMMIT\n";
215 PVE
::Firewall
::iptables_restore_cmdlist
($cmdlist);
217 PVE
::Firewall
::save_pvefw_status
('stopped');
220 PVE
::Firewall
::run_locked
($code);
225 my $nodename = PVE
::INotify
::nodename
();
228 compile
=> [ __PACKAGE__
, 'compile', []],
229 start
=> [ __PACKAGE__
, 'start', []],
230 update
=> [ __PACKAGE__
, 'update', []],
231 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
233 if ($res->{changes
}) {
234 print "Status: $res->{status} (pending changes)\n";
236 print "Status: $res->{status}\n";
239 stop
=> [ __PACKAGE__
, 'stop', []],
241 # This is for debugging
242 listgroups
=> [ 'PVE::API2::Firewall::Groups', 'list', [],
243 { node
=> $nodename }, sub {
247 grouprules
=> [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
248 { node
=> $nodename }, sub {
# Dispatch the requested sub-command through the shared CLI handler;
# $cmddef maps command names to their API implementations and $cmd is
# the name taken from the command line.
my @handler_args = ($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);
PVE::CLIHandler::handle_cmd(@handler_args);