$rpcenv->set_user('root@pam');
__PACKAGE__->register_method({
- name => 'enabletaprules',
- path => 'enabletaprules',
+ name => 'enablevmfw',
+ path => 'enablevmfw',
method => 'POST',
parameters => {
additionalProperties => 0,
vmid => get_standard_option('pve-vmid'),
netid => {
type => 'string',
+ optional => 1
},
-
},
},
returns => { type => 'null' },
my $vmid = $param->{vmid};
my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
- my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
- PVE::Firewall::generate_tap_rules($net, $netid, $vmid);
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
+ }
+ };
- return undef;
+ PVE::Firewall::run_locked($code);
+
+ return undef;
}});
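Review bot: `next if $netid && $opt != $netid;` compares two strings of the form `net0` with the numeric `!=`, so both sides evaluate to 0, the condition is never true, and a request naming one interface still runs `generate_tap_rules` for every `netN` entry of the VM (with `use warnings` this also emits non-numeric-comparison warnings). String comparison is needed: `next if $netid && $opt ne $netid;`. The same line appears in `disablevmfw` further down, where the effect is worse — asking to flush rules for a single interface flushes them for all interfaces of the VM. The capture in `m/^net(\d+)$/` is unused; `m/^net\d+$/` states the intent without it.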
__PACKAGE__->register_method({
- name => 'disabletaprules',
- path => 'disabletaprules',
+ name => 'disablevmfw',
+ path => 'disablevmfw',
method => 'POST',
parameters => {
additionalProperties => 0,
vmid => get_standard_option('pve-vmid'),
netid => {
type => 'string',
+ optional => 1
},
},
my $vmid = $param->{vmid};
my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
- my $net = PVE::QemuServer::parse_net($conf->{$netid});
- PVE::Firewall::flush_tap_rules($net, $netid, $vmid);
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
+
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
+ }
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
-__PACKAGE__->register_method ({
- name => 'compile',
- path => 'compile',
+__PACKAGE__->register_method({
+ name => 'enablegroup',
+ path => 'enablegroup',
+ method => 'POST',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ securitygroup => {
+ type => 'string',
+ },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::enable_group_rules($group);
+ };
+
+ PVE::Firewall::run_locked($code);
+
+ return undef;
+ }});
+
+__PACKAGE__->register_method({
+ name => 'disablegroup',
+ path => 'disablegroup',
+ method => 'POST',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ securitygroup => {
+ type => 'string',
+ },
+
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::disable_group_rules($group);
+ };
+
+ PVE::Firewall::run_locked($code);
+
+ return undef;
+ }});
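Review bot: `securitygroup` is accepted as a bare `type => 'string'` in both `enablegroup` and `disablegroup` with no `pattern` or length limit, and the value goes straight into `PVE::Firewall::enable_group_rules` / `disable_group_rules`. If those helpers build an iptables chain name or rule text from the group name (not visible in this diff), a restrictive schema at the API boundary, e.g. `pattern => '^[A-Za-z0-9_-]+$'` (a constructed example), keeps validation in one place rather than relying on the helper. None of the new registrations in this hunk carries a `description` — the rename of the old `compile` block into `enablehostfw` even drops "Compile firewall rules." without a replacement — so the generated API/CLI help will be empty for `enablegroup`, `disablegroup`, `enablehostfw` and `disablehostfw`; a one-line description such as `description => "Enable firewall rules for a security group.",` for each would fix that.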
+
+__PACKAGE__->register_method({
+ name => 'enablehostfw',
+ path => 'enablehostfw',
method => 'POST',
- description => "Compile firewall rules.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Firewall::compile();
+ my $code = sub {
+ PVE::Firewall::enablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
-__PACKAGE__->register_method ({
- name => 'start',
- path => 'start',
+__PACKAGE__->register_method({
+ name => 'disablehostfw',
+ path => 'disablehostfw',
method => 'POST',
- description => "Start firewall.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Firewall::compile_and_start();
+ my $code = sub {
+ PVE::Firewall::disablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
__PACKAGE__->register_method ({
- name => 'restart',
- path => 'restart',
+ name => 'compile',
+ path => 'compile',
method => 'POST',
- description => "Restart firewall.",
+ description => "Compile firewall rules.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Firewall::compile_and_start(1);
+ my $code = sub {
+ PVE::Firewall::compile();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
__PACKAGE__->register_method ({
- name => 'stop',
- path => 'stop',
+ name => 'start',
+ path => 'start',
method => 'POST',
- description => "Stop firewall.",
+ description => "Start (or restart if already active) firewall.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'stop']);
+ my $code = sub {
+ PVE::Firewall::compile_and_start();
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
__PACKAGE__->register_method ({
- name => 'clear',
- path => 'clear',
+ name => 'stop',
+ path => 'stop',
method => 'POST',
- description => "Clear will remove all rules installed by this script. The host is then unprotected.",
+ description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
parameters => {
additionalProperties => 0,
properties => {},
code => sub {
my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'clear']);
+ my $code = sub {
+ my $chash = PVE::Firewall::iptables_get_chains();
+ my $cmdlist = "*filter\n";
+ $cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n";
+ $cmdlist .= "-D FORWARD -j proxmoxfw-FORWARD\n";
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ PVE::Firewall::iptables_restore_cmdlist($cmdlist);
+ };
+
+ PVE::Firewall::run_locked($code);
return undef;
}});
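Review bot: The `-D INPUT -j proxmoxfw-INPUT` and `-D FORWARD -j proxmoxfw-FORWARD` lines are emitted unconditionally; if either jump rule is not present (firewall already stopped, or only partially installed) iptables-restore rejects the batch before `COMMIT`, so none of the flush/delete lines take effect — assuming `iptables_restore_cmdlist` surfaces that failure, which the diff does not show. Guarding each on the chain map the block already fetched, `$cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n" if $chash->{'proxmoxfw-INPUT'};` (and likewise for FORWARD), would make `stop` idempotent. Separately, the two loops flush and delete every chain returned by `iptables_get_chains`; if that helper does not restrict itself to chains this code created, the description "remove all rules installed by this script" overstates how targeted the operation is, so it is worth confirming the helper's filter.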
start => [ __PACKAGE__, 'start', []],
restart => [ __PACKAGE__, 'restart', []],
stop => [ __PACKAGE__, 'stop', []],
- clear => [ __PACKAGE__, 'clear', []],
- enabletaprules => [ __PACKAGE__, 'enabletaprules', []],
- disabletaprules => [ __PACKAGE__, 'disabletaprules', []],
+ enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
+ disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
+ enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
+ disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
+ enablegroup => [ __PACKAGE__, 'enablegroup', []],
+ disablegroup => [ __PACKAGE__, 'disablegroup', []],
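Review bot: `restart => [ __PACKAGE__, 'restart', []],` on the unchanged line above still names a `restart` method, but this diff turns the registration that carried `name => 'restart'` into `compile` and drops the `compile_and_start(1)` body, with `start`'s description now reading "Start (or restart if already active)". Unless `restart` is registered somewhere outside the diff, that CLI entry now points at a method that no longer exists. Either remove the entry or alias it to the new behaviour: `restart => [ __PACKAGE__, 'start', []],`.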
};
my $cmd = shift;