$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
-__PACKAGE__->register_method({
- name => 'enablevmfw',
- path => 'enablevmfw',
+__PACKAGE__->register_method ({
+ name => 'compile',
+ path => 'compile',
method => 'POST',
+ description => "Compile amd print firewall rules. This is only for testing.",
parameters => {
- additionalProperties => 0,
- properties => {
- vmid => get_standard_option('pve-vmid'),
- netid => {
- type => 'string',
- optional => 1
- },
- },
+ additionalProperties => 0,
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ },
+ },
},
returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
-
- # test if VM exists
- my $vmid = $param->{vmid};
- my $netid = $param->{netid};
- my $code = sub {
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
- }
- };
-
- PVE::Firewall::run_locked($code);
-
- return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'disablevmfw',
- path => 'disablevmfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {
- vmid => get_standard_option('pve-vmid'),
- netid => {
- type => 'string',
- optional => 1
- },
-
- },
- },
- returns => { type => 'null' },
code => sub {
- my ($param) = @_;
-
- # test if VM exists
- my $vmid = $param->{vmid};
- my $netid = $param->{netid};
-
-
- my $code = sub {
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
- }
- };
-
- PVE::Firewall::run_locked($code);
-
- return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'enablegroup',
- path => 'enablegroup',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {
- securitygroup => {
- type => 'string',
- },
- },
- },
- returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
-
- my $code = sub {
- my $group = $param->{securitygroup};
- PVE::Firewall::enable_group_rules($group);
- };
-
- PVE::Firewall::run_locked($code);
-
- return undef;
- }});
+ my ($param) = @_;
-__PACKAGE__->register_method({
- name => 'disablegroup',
- path => 'disablegroup',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {
- securitygroup => {
- type => 'string',
- },
+ my $rpcenv = PVE::RPCEnvironment::get();
- },
- },
- returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
+ $param->{verbose} = 1
+ if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
my $code = sub {
- my $group = $param->{securitygroup};
- PVE::Firewall::disable_group_rules($group);
+ my $ruleset = PVE::Firewall::compile();
+ PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
};
PVE::Firewall::run_locked($code);
- return undef;
+ return undef;
}});
-__PACKAGE__->register_method({
- name => 'enablehostfw',
- path => 'enablehostfw',
- method => 'POST',
+__PACKAGE__->register_method ({
+ name => 'status',
+ path => 'status',
+ method => 'GET',
+ description => "Get firewall status.",
parameters => {
additionalProperties => 0,
properties => {},
},
- returns => { type => 'null' },
-
+ returns => {
+ type => 'object',
+ additionalProperties => 0,
+ properties => {
+ status => {
+ type => 'string',
+ enum => ['unknown', 'stopped', 'active'],
+ },
+ changes => {
+ description => "Set when there are pending changes.",
+ type => 'boolean',
+ optional => 1,
+ }
+ },
+ },
code => sub {
my ($param) = @_;
- my $code = sub {
- PVE::Firewall::enablehostfw();
- };
+ my $rpcenv = PVE::RPCEnvironment::get();
- PVE::Firewall::run_locked($code);
+ $param->{verbose} = 1
+ if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
- return undef;
- }});
+ my $code = sub {
+ my $status = PVE::Firewall::read_pvefw_status();
-__PACKAGE__->register_method({
- name => 'disablehostfw',
- path => 'disablehostfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
+ my $res = { status => $status };
+ if ($status eq 'active') {
+ my $ruleset = PVE::Firewall::compile();
+ my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);
- code => sub {
- my ($param) = @_;
+ if ($cmdlist ne "*filter\nCOMMIT\n") {
+ $res->{changes} = 1;
+ }
+ }
- my $code = sub {
- PVE::Firewall::disablehostfw();
+ return $res;
};
- PVE::Firewall::run_locked($code);
-
- return undef;
+ return PVE::Firewall::run_locked($code);
}});
__PACKAGE__->register_method ({
- name => 'compile',
- path => 'compile',
+ name => 'start',
+ path => 'start',
method => 'POST',
- description => "Compile firewall rules.",
+ description => "Start (or simply update if already active) firewall.",
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
- my $code = sub {
- PVE::Firewall::compile();
- };
-
- PVE::Firewall::run_locked($code);
+ PVE::Firewall::update(1, $param->{verbose});
return undef;
}});
__PACKAGE__->register_method ({
- name => 'start',
- path => 'start',
+ name => 'update',
+ path => 'update',
method => 'POST',
- description => "Start (or restart if already active) firewall.",
+ description => "Check firewall rules. Then update the rules if the firewall is active.",
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
- my $code = sub {
- PVE::Firewall::compile_and_start();
- };
-
- PVE::Firewall::run_locked($code);
+ PVE::Firewall::update(0, $param->{verbose});
return undef;
}});
my ($param) = @_;
my $code = sub {
- die "implement me";
+
+ my $chash = PVE::Firewall::iptables_get_chains();
+ my $cmdlist = "*filter\n";
+ my $rule = "INPUT -j PVEFW-INPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+ $rule = "OUTPUT -j PVEFW-OUTPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ $rule = "FORWARD -j PVEFW-FORWARD";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ PVE::Firewall::iptables_restore_cmdlist($cmdlist);
+
+ PVE::Firewall::save_pvefw_status('stopped');
};
PVE::Firewall::run_locked($code);
my $cmddef = {
compile => [ __PACKAGE__, 'compile', []],
start => [ __PACKAGE__, 'start', []],
- restart => [ __PACKAGE__, 'restart', []],
+ update => [ __PACKAGE__, 'update', []],
+ status => [ __PACKAGE__, 'status', [], undef, sub {
+ my $res = shift;
+ if ($res->{changes}) {
+ print "Status: $res->{status} (pending changes)\n";
+ } else {
+ print "Status: $res->{status}\n";
+ }
+ }],
stop => [ __PACKAGE__, 'stop', []],
- enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
- disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
- enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
- disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
- enablegroup => [ __PACKAGE__, 'enablegroup', []],
- disablegroup => [ __PACKAGE__, 'disablegroup', []],
};
my $cmd = shift;