12 use PVE
::RPCEnvironment
;
14 use PVE
::JSONSchema
qw(get_standard_option);
17 use PVE
::API2
::Firewall
::Groups
;
19 use base
qw(PVE::CLIHandler);
# Pin PATH to a fixed, trusted set of directories so that any external
# command run later in this script resolves only from there and cannot be
# hijacked through the caller's environment.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';

# Everything below manipulates the host firewall: insist on an effective UID
# of 0 before doing anything else.
die "please run as root\n" unless $> == 0;

# Bring up the PVE CLI environment: inotify-backed config access, then an RPC
# environment for this invocation that acts as root@pam. The language is
# taken from the (root-controlled) LANG variable.
PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
# CLI method 'compile': build the ruleset from the current configuration and
# print it. Per its own description this is for testing only; nothing is
# installed. Only part of the register_method() call is visible in this
# listing (the name/path/parameter-schema lines are missing).
37 __PACKAGE__-
>register_method ({
41 description
=> "Compile amd print firewall rules. This is only for testing.",
# NOTE(review): "amd" in the description above is a typo for "and".
43 additionalProperties
=> 0,
46 description
=> "Verbose output.",
52 returns
=> { type
=> 'null' },
# Default 'verbose' to on when invoked from the CLI. The assignment itself is
# on a line missing from this listing; the same idiom is visible in 'status'
# ($param->{verbose} = 1 if ...).
57 my $rpcenv = PVE
::RPCEnvironment
::get
();
60 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
# compile() yields (ruleset, host firewall config, ipset ruleset).
# $hostfw_conf is not used in the visible part of this body.
63 my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE
::Firewall
::compile
();
65 if ($param->{verbose
}) {
# In verbose mode additionally diff the compiled rules/ipsets against what is
# currently loaded. The trailing `1` passed to both *_cmdlist helpers is
# presumably their own verbose flag -- confirm against PVE::Firewall.
# (get_rulset_cmdlist really is spelled that way; 'status' calls it the same.)
66 my (undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset, 1);
67 my (undef, $ruleset_changes) = PVE
::Firewall
::get_rulset_cmdlist
($ruleset, 1);
68 if ($ipset_changes || $ruleset_changes) {
69 print "detected changes\n";
# The body ($code) is executed through run_locked, which presumably
# serialises it against concurrent firewall updates -- verify in PVE::Firewall.
76 PVE
::Firewall
::run_locked
($code);
# CLI method 'status': report the persisted firewall state
# ('unknown'/'stopped'/'active') and, when active, whether the compiled
# ruleset differs from what is currently loaded ('changes'). Parts of the
# register_method() call (name/path/schema lines) are missing from this listing.
81 __PACKAGE__-
>register_method ({
85 description
=> "Get firewall status.",
87 additionalProperties
=> 0,
92 additionalProperties
=> 0,
96 enum
=> ['unknown', 'stopped', 'active'],
99 description
=> "Set when there are pending changes.",
# Default 'verbose' to on for CLI invocations. Note that 'verbose' is not
# referenced anywhere in the visible part of this body.
108 my $rpcenv = PVE
::RPCEnvironment
::get
();
110 $param->{verbose
} = 1
111 if !defined($param->{verbose
}) && ($rpcenv->{type
} eq 'cli');
# The persisted status marker is the source of truth; it is written by 'stop'
# (save_pvefw_status('stopped')) and presumably by PVE::Firewall::update.
114 my $status = PVE
::Firewall
::read_pvefw_status
();
116 my $res = { status
=> $status };
# Only an active firewall is diffed; compiling for a stopped one would be
# wasted work and the result would be meaningless.
117 if ($status eq 'active') {
118 my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE
::Firewall
::compile
();
120 my (undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset);
121 my (undef, $ruleset_changes) = PVE
::Firewall
::get_rulset_cmdlist
($ruleset);
# NOTE(review): the fixme below looks stale -- ipset changes are already ORed
# into 'changes' on the next statement. Confirm before removing it.
122 # fixme: ipset changes
123 $res->{changes
} = ($ipset_changes || $ruleset_changes) ?
1 : 0;
# Unlike 'compile', the value returned by run_locked is the method result
# (presumably $res from inside $code; the return inside $code is not visible here).
129 return PVE
::Firewall
::run_locked
($code);
# CLI method 'start': bring the firewall up, or just refresh the rules if it
# is already active. Delegates entirely to PVE::Firewall::update. Only part of
# the register_method() call is visible in this listing.
132 __PACKAGE__-
>register_method ({
136 description
=> "Start (or simply update if already active) firewall.",
138 additionalProperties
=> 0,
141 description
=> "Verbose output.",
148 returns
=> { type
=> 'null' },
# First argument is 1 here and 0 in 'update'; given the two descriptions it
# presumably means "activate even if currently stopped" -- confirm against
# PVE::Firewall::update before relying on that.
153 PVE
::Firewall
::update
(1, $param->{verbose
});
# CLI method 'update': validate the rules and, only if the firewall is already
# active, install them. Delegates entirely to PVE::Firewall::update. Only part
# of the register_method() call is visible in this listing.
158 __PACKAGE__-
>register_method ({
162 description
=> "Check firewall rules. Then update the rules if the firewall is active.",
164 additionalProperties
=> 0,
167 description
=> "Verbose output.",
174 returns
=> { type
=> 'null' },
# First argument is 0 here versus 1 in 'start'; per the descriptions this
# presumably means "do not activate a stopped firewall" -- confirm against
# PVE::Firewall::update.
179 PVE
::Firewall
::update
(0, $param->{verbose
});
# CLI method 'stop': tear down everything pvefw installed in the filter table.
# Afterwards the host has no PVE firewall rules at all (the description says
# so explicitly) -- this is a deliberately destructive, root-only action.
# Only part of the register_method() call is visible in this listing.
184 __PACKAGE__-
>register_method ({
188 description
=> "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
190 additionalProperties
=> 0,
193 returns
=> { type
=> 'null' },
# Snapshot the chains to flush/delete.
# NOTE(review): every chain in $chash is -F'd and -X'd below, so this relies
# on iptables_get_chains() returning only PVE-managed (PVEFW-*) chains.
# Confirm that; otherwise unrelated user-defined chains would be destroyed too.
200 my $chash = PVE
::Firewall
::iptables_get_chains
();
# Build one iptables-restore transaction for the filter table. Step 1: detach
# the PVEFW entry chains from the builtin INPUT/OUTPUT/FORWARD chains, but
# only emit each -D if that jump is actually present (iptables-restore would
# otherwise fail on a missing rule).
201 my $cmdlist = "*filter\n";
202 my $rule = "INPUT -j PVEFW-INPUT";
203 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
204 $cmdlist .= "-D $rule\n";
206 $rule = "OUTPUT -j PVEFW-OUTPUT";
207 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
208 $cmdlist .= "-D $rule\n";
211 $rule = "FORWARD -j PVEFW-FORWARD";
212 if (PVE
::Firewall
::iptables_rule_exist
($rule)) {
213 $cmdlist .= "-D $rule\n";
# Step 2: flush every chain first, step 3: delete them. Two separate passes,
# presumably because a chain can only be removed once it is empty and no
# longer referenced.
216 foreach my $chain (keys %$chash) {
217 $cmdlist .= "-F $chain\n";
219 foreach my $chain (keys %$chash) {
220 $cmdlist .= "-X $chain\n";
222 $cmdlist .= "COMMIT\n";
# Apply the whole batch in one go. Note that nothing in this block touches
# ipsets; only iptables chains in the filter table are removed.
224 PVE
::Firewall
::iptables_restore_cmdlist
($cmdlist);
# Persist the marker only after the restore returned, so 'status' (which
# reads it back) does not report 'stopped' if the restore died.
226 PVE
::Firewall
::save_pvefw_status
('stopped');
# Run under the firewall lock like the other methods.
229 PVE
::Firewall
::run_locked
($code);
# Local node name, needed for the API2 calls in the debugging commands below.
234 my $nodename = PVE
::INotify
::nodename
();
# Command table consumed by PVE::CLIHandler::handle_cmd. From the entries
# visible here each value looks like
#   [ class, method, positional-arg names, fixed params (hashref|undef), printer sub ]
# -- the opening 'my $cmddef = {' and several closing lines are missing from
# this listing.
237 compile
=> [ __PACKAGE__
, 'compile', []],
238 start
=> [ __PACKAGE__
, 'start', []],
239 update
=> [ __PACKAGE__
, 'update', []],
# 'status' gets a printer that appends "(pending changes)" when the method
# result flagged changes. ($res is bound on a line not shown here.)
240 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
242 if ($res->{changes
}) {
243 print "Status: $res->{status} (pending changes)\n";
245 print "Status: $res->{status}\n";
248 stop
=> [ __PACKAGE__
, 'stop', []],
# The two commands below call the API2 security-group handlers directly for
# the local node; their printer subs are not visible in this listing.
250 # This is for debugging
251 listgroups
=> [ 'PVE::API2::Firewall::Groups', 'list', [],
252 { node
=> $nodename }, sub {
256 grouprules
=> [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
257 { node
=> $nodename }, sub {
# Dispatch: $cmd (taken from @ARGV on a line not shown in this listing)
# selects an entry of $cmddef; the remaining @ARGV are passed on as that
# command's arguments. "pvefw" is the program name used in usage output and
# $0 is presumably used for the same purpose -- confirm in PVE::CLIHandler.
265 PVE
::CLIHandler
::handle_cmd
($cmddef, "pvefw", $cmd, \
@ARGV, undef, $0);