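#!/usr/bin/perl -w
#
# pvefw - command line front-end for the Proxmox VE firewall.
#
# Each sub-command is registered as a PVE::CLIHandler method and dispatched
# through the $cmddef table at the bottom of this script.  The script must
# run as root because it rewrites firewall (shorewall/iptables) state on
# the host.

use strict;
use lib qw(.);

use PVE::Firewall;
use PVE::SafeSyslog;
use PVE::Cluster;
use PVE::INotify;
use PVE::RPCEnvironment;
use PVE::JSONSchema qw(get_standard_option);
use PVE::CLIHandler;

use base qw(PVE::CLIHandler);

# Pin PATH to trusted system directories so the external 'shorewall' calls
# below cannot be redirected through a caller-controlled search path.
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

initlog('pvefw');

die "please run as root\n" if $> != 0;

PVE::INotify::inotify_init();

my $rpcenv = PVE::RPCEnvironment->init('cli');
$rpcenv->init_request();
$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');

# NOTE(review): PVE::QemuServer and PVE::Tools are called below but are not
# 'use'd in this file; presumably they are loaded by PVE::Firewall - confirm.

# Parameter schema shared by enablevmfw/disablevmfw.  The optional 'netid'
# must be a real interface key ("net0", "net1", ...); anything else is
# rejected by the schema check before it reaches the config lookup.
my $vm_net_properties = {
    vmid => get_standard_option('pve-vmid'),
    netid => {
        type => 'string',
        pattern => '^net\d+$',
        optional => 1,
    },
};

# Call $code->($net, $opt, $vmid) for every configured network interface of
# VM $vmid, or only for interface $netid when one is given.
#
# $vmid  - VM id; load_config dies if no such VM exists
# $netid - optional interface key ('net0', ...) to restrict the loop to
# $code  - callback receiving (parsed net config, interface key, vmid)
#
# Returns nothing.
sub foreach_vm_net {
    my ($vmid, $netid, $code) = @_;

    my $conf = PVE::QemuServer::load_config($vmid);

    # sorted so rules are always emitted in the same interface order
    foreach my $opt (sort keys %$conf) {
        next if $opt !~ m/^net\d+$/;

        # Must be a string comparison: 'net0' != 'net1' evaluates both
        # sides to 0 numerically, so the old numeric test never filtered
        # anything and the netid argument was silently ignored.
        next if defined($netid) && $opt ne $netid;

        my $net = PVE::QemuServer::parse_net($conf->{$opt});
        next if !$net;

        $code->($net, $opt, $vmid);
    }

    return;
}

# enablevmfw: install tap rules for all (or one) interfaces of a VM.
__PACKAGE__->register_method({
    name => 'enablevmfw',
    path => 'enablevmfw',
    method => 'POST',
    description => "Enable firewall rules for a VM (optionally one interface).",
    parameters => {
        additionalProperties => 0,
        properties => $vm_net_properties,
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        foreach_vm_net($param->{vmid}, $param->{netid}, sub {
            my ($net, $opt, $vmid) = @_;
            PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
        });

        return undef;
    }});

# disablevmfw: flush tap rules for all (or one) interfaces of a VM.
__PACKAGE__->register_method({
    name => 'disablevmfw',
    path => 'disablevmfw',
    method => 'POST',
    description => "Disable firewall rules for a VM (optionally one interface).",
    parameters => {
        additionalProperties => 0,
        properties => $vm_net_properties,
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        foreach_vm_net($param->{vmid}, $param->{netid}, sub {
            my ($net, $opt, $vmid) = @_;
            PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
        });

        return undef;
    }});

# enablegroup: activate the rules of a named security group.
__PACKAGE__->register_method({
    name => 'enablegroup',
    path => 'enablegroup',
    method => 'POST',
    description => "Enable the rules of a security group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => { type => 'string' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        PVE::Firewall::enable_group_rules($param->{securitygroup});

        return undef;
    }});

# disablegroup: deactivate the rules of a named security group.
__PACKAGE__->register_method({
    name => 'disablegroup',
    path => 'disablegroup',
    method => 'POST',
    description => "Disable the rules of a security group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            securitygroup => { type => 'string' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        PVE::Firewall::disable_group_rules($param->{securitygroup});

        return undef;
    }});

# enablehostfw / disablehostfw: toggle the host-level rule set.
__PACKAGE__->register_method({
    name => 'enablehostfw',
    path => 'enablehostfw',
    method => 'POST',
    description => "Enable the host firewall rules.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Firewall::enablehostfw();
        return undef;
    }});

__PACKAGE__->register_method({
    name => 'disablehostfw',
    path => 'disablehostfw',
    method => 'POST',
    description => "Disable the host firewall rules.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Firewall::disablehostfw();
        return undef;
    }});

# compile: regenerate the rule files without (re)loading them.
__PACKAGE__->register_method({
    name => 'compile',
    path => 'compile',
    method => 'POST',
    description => "Compile firewall rules.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Firewall::compile();
        return undef;
    }});

# start: compile and load the rule set.
__PACKAGE__->register_method({
    name => 'start',
    path => 'start',
    method => 'POST',
    description => "Start firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Firewall::compile_and_start();
        return undef;
    }});

# restart: same as start but passes the restart flag to compile_and_start.
__PACKAGE__->register_method({
    name => 'restart',
    path => 'restart',
    method => 'POST',
    description => "Restart firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Firewall::compile_and_start(1);
        return undef;
    }});

# stop / clear invoke shorewall directly.  The list form of run_command is
# deliberate: no shell is involved, so nothing from the environment or
# arguments can be injected into the command line.
__PACKAGE__->register_method({
    name => 'stop',
    path => 'stop',
    method => 'POST',
    description => "Stop firewall.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        PVE::Tools::run_command(['shorewall', 'stop']);
        return undef;
    }});

__PACKAGE__->register_method({
    name => 'clear',
    path => 'clear',
    method => 'POST',
    description => "Clear will remove all rules installed by this script. The host is then unprotected.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        # Leaves the host with no filtering at all - this is intentional
        # and is documented in the command description above.
        PVE::Tools::run_command(['shorewall', 'clear']);
        return undef;
    }});

# currently unused, kept for parity with the other PVE CLI tools
my $nodename = PVE::INotify::nodename();

# CLI sub-command -> registered method.  All commands take no positional
# arguments; options are validated against each method's parameter schema.
my $cmddef = {};
foreach my $cmd_name (qw(
    compile start restart stop clear
    enablevmfw disablevmfw
    enablehostfw disablehostfw
    enablegroup disablegroup
)) {
    $cmddef->{$cmd_name} = [ __PACKAGE__, $cmd_name, [] ];
}

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, "pvefw", $cmd, \@ARGV, undef, $0);

exit(0);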