$rpcenv->set_language($ENV{LANG});
$rpcenv->set_user('root@pam');
-
__PACKAGE__->register_method ({
name => 'compile',
path => 'compile',
method => 'POST',
- description => "Compile firewall rules.",
+ description => "Compile amd print firewall rules. This is only for testing.",
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
- PVE::Firewall::compile();
+ my $code = sub {
+ my $ruleset = PVE::Firewall::compile();
+ PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
name => 'start',
path => 'start',
method => 'POST',
- description => "Start firewall.",
+ description => "Start (or restart if already active) firewall.",
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
- PVE::Firewall::compile_and_start();
+ my $code = sub {
+ PVE::Firewall::enable_bridge_firewall();
+ PVE::Firewall::compile_and_start($param->{verbose});
+ };
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'restart',
- path => 'restart',
- method => 'POST',
- description => "Restart firewall.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Firewall::compile_and_start(1);
+ PVE::Firewall::run_locked($code);
return undef;
}});
name => 'stop',
path => 'stop',
method => 'POST',
- description => "Stop firewall.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Tools::run_command(['shorewall', 'stop']);
-
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'clear',
- path => 'clear',
- method => 'POST',
- description => "Clear will remove all rules installed by this script. The host is then unprotected.",
+ description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'clear']);
+ my $code = sub {
+ my $chash = PVE::Firewall::iptables_get_chains();
+ my $cmdlist = "*filter\n";
+ my $rule = "INPUT -j PVEFW-INPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+ $rule = "OUTPUT -j PVEFW-OUTPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ $rule = "FORWARD -j PVEFW-FORWARD";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ PVE::Firewall::iptables_restore_cmdlist($cmdlist);
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
my $cmddef = {
compile => [ __PACKAGE__, 'compile', []],
start => [ __PACKAGE__, 'start', []],
- restart => [ __PACKAGE__, 'restart', []],
stop => [ __PACKAGE__, 'stop', []],
- clear => [ __PACKAGE__, 'clear', []],
};
my $cmd = shift;