my $vmid = $param->{vmid};
my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
- }
-
- return undef;
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
+
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
+ }
+ };
+
+ PVE::Firewall::run_locked($code);
+
+ return undef;
}});
__PACKAGE__->register_method({
my $vmid = $param->{vmid};
my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
- }
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
+
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
+ }
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
code => sub {
my ($param) = @_;
- my $group = $param->{securitygroup};
- PVE::Firewall::enable_group_rules($group);
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::enable_group_rules($group);
+ };
+ PVE::Firewall::run_locked($code);
+
return undef;
}});
code => sub {
my ($param) = @_;
- my $group = $param->{securitygroup};
- PVE::Firewall::disable_group_rules($group);
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::disable_group_rules($group);
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
code => sub {
my ($param) = @_;
- PVE::Firewall::enablehostfw();
+ my $code = sub {
+ PVE::Firewall::enablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
code => sub {
my ($param) = @_;
- PVE::Firewall::disablehostfw();
+ my $code = sub {
+ PVE::Firewall::disablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
code => sub {
my ($param) = @_;
- PVE::Firewall::compile();
+ my $code = sub {
+ PVE::Firewall::compile();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
name => 'start',
path => 'start',
method => 'POST',
- description => "Start firewall.",
+ description => "Start (or restart if already active) firewall.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Firewall::compile_and_start();
+ my $code = sub {
+ PVE::Firewall::compile_and_start();
+ };
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'restart',
- path => 'restart',
- method => 'POST',
- description => "Restart firewall.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Firewall::compile_and_start(1);
+ PVE::Firewall::run_locked($code);
return undef;
}});
name => 'stop',
path => 'stop',
method => 'POST',
- description => "Stop firewall.",
+ description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'stop']);
-
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'clear',
- path => 'clear',
- method => 'POST',
- description => "Clear will remove all rules installed by this script. The host is then unprotected.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
+ my $code = sub {
+ my $chash = PVE::Firewall::iptables_get_chains();
+ my $cmdlist = "*filter\n";
+ $cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n";
+ $cmdlist .= "-D FORWARD -j proxmoxfw-FORWARD\n";
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
- code => sub {
- my ($param) = @_;
+ PVE::Firewall::iptables_restore_cmdlist($cmdlist);
+ };
- PVE::Tools::run_command(['shorewall', 'clear']);
+ PVE::Firewall::run_locked($code);
return undef;
}});
start => [ __PACKAGE__, 'start', []],
restart => [ __PACKAGE__, 'restart', []],
stop => [ __PACKAGE__, 'stop', []],
- clear => [ __PACKAGE__, 'clear', []],
enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
enablehostfw => [ __PACKAGE__, 'enablehostfw', []],