12 use PVE
::RPCEnvironment
;
14 use PVE
::JSONSchema
qw(get_standard_option);
18 use base
qw(PVE::CLIHandler);
# Pin PATH to the standard system directories so that command lookups made
# from this script do not depend on the invoking user's environment.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

# The firewall commands registered below need host privileges; refuse to run
# under any effective UID other than root.
die "please run as root\n" unless $> == 0;

PVE::INotify::inotify_init();

# Build the CLI request environment: one request, the caller's locale, and
# root@pam as the acting user.
my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
34 __PACKAGE__-
>register_method ({
38 description
=> "Compile amd print firewall rules. This is only for testing.",
40 additionalProperties
=> 0,
43 description
=> "Verbose output.",
49 returns
=> { type
=> 'null' },
54 my $rpcenv = PVE
::RPCEnvironment
::get
();
57 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
60 my $ruleset = PVE
::Firewall
::compile
();
61 PVE
::Firewall
::get_ruleset_status
($ruleset, 1) if $param->{verbose
};
64 PVE
::Firewall
::run_locked
($code);
69 __PACKAGE__-
>register_method ({
73 description
=> "Get firewall status.",
75 additionalProperties
=> 0,
80 additionalProperties
=> 0,
84 enum
=> ['unknown', 'stopped', 'active'],
87 description
=> "Set when there are pending changes.",
96 my $rpcenv = PVE
::RPCEnvironment
::get
();
99 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
102 my $status = PVE
::Firewall
::read_pvefw_status
();
104 my $res = { status
=> $status };
105 if ($status eq 'active') {
106 my $ruleset = PVE
::Firewall
::compile
();
107 my $cmdlist = PVE
::Firewall
::get_rulset_cmdlist
($ruleset);
109 if ($cmdlist ne "*filter\nCOMMIT\n") {
117 return PVE
::Firewall
::run_locked
($code);
120 __PACKAGE__-
>register_method ({
124 description
=> "Start (or simply update if already active) firewall.",
126 additionalProperties
=> 0,
129 description
=> "Verbose output.",
136 returns
=> { type
=> 'null' },
141 PVE
::Firewall
::update
(1, $param->{verbose
});
146 __PACKAGE__-
>register_method ({
150 description
=> "Check firewall rules. Then update the rules if the firewall is active.",
152 additionalProperties
=> 0,
155 description
=> "Verbose output.",
162 returns
=> { type
=> 'null' },
167 PVE
::Firewall
::update
(0, $param->{verbose
});
172 __PACKAGE__-
>register_method ({
176 description
=> "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
178 additionalProperties
=> 0,
181 returns
=> { type
=> 'null' },
188 my $chash = PVE
::Firewall
::iptables_get_chains
();
189 my $cmdlist = "*filter\n";
190 my $rule = "INPUT -j PVEFW-INPUT";
191 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
192 $cmdlist .= "-D $rule\n";
194 $rule = "OUTPUT -j PVEFW-OUTPUT";
195 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
196 $cmdlist .= "-D $rule\n";
199 $rule = "FORWARD -j PVEFW-FORWARD";
200 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
201 $cmdlist .= "-D $rule\n";
204 foreach my $chain (keys %$chash) {
205 $cmdlist .= "-F $chain\n";
207 foreach my $chain (keys %$chash) {
208 $cmdlist .= "-X $chain\n";
210 $cmdlist .= "COMMIT\n";
212 PVE
::Firewall
::iptables_restore_cmdlist
($cmdlist);
214 PVE
::Firewall
::save_pvefw_status
('stopped');
217 PVE
::Firewall
::run_locked
($code);
222 my $nodename = PVE
::INotify
::nodename
();
225 compile
=> [ __PACKAGE__
, 'compile', []],
226 start
=> [ __PACKAGE__
, 'start', []],
227 update
=> [ __PACKAGE__
, 'update', []],
228 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
230 if ($res->{changes
}) {
231 print "Status: $res->{status} (pending changes)\n";
233 print "Status: $res->{status}\n";
236 stop
=> [ __PACKAGE__
, 'stop', []],
241 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);