use PVE::ProcFSTools;
use PVE::INotify;
use PVE::Cluster qw(cfs_read_file);
+use PVE::Corosync;
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::Firewall;
sub init {
PVE::Cluster::cfs_update();
-
+
PVE::Firewall::init();
}
my $restart_request = 0;
my $next_update = 0;
-my $cycle = 0;
+my $cycle = 0;
my $updatetime = 10;
my $initial_memory_usage;
# wait for children
1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
-
+
syslog('info' , "clear firewall rules");
eval { PVE::Firewall::remove_pvefw_chains(); };
PVE::Firewall::update();
};
my $err = $@;
-
+
if ($err) {
syslog('err', "status update error: $err");
}
$cycle++;
my $mem = PVE::ProcFSTools::read_memory_usage();
-
+
if (!defined($initial_memory_usage) || ($cycle < 10)) {
$initial_memory_usage = $mem->{resident};
} else {
}
my $wcount = 0;
- while ((time() < $next_update) &&
+ while ((time() < $next_update) &&
($wcount < $updatetime) && # protect against time wrap
!$restart_request) { $wcount++; sleep (1); };
-
+
$self->restart_daemon() if $restart_request;
}
}
method => 'GET',
description => "Get firewall status.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {},
},
- returns => {
+ returns => {
type => 'object',
additionalProperties => 0,
properties => {
my $res = { status => $status };
- my $verbose = 1; # show syntax errors
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ PVE::Firewall::set_verbose(1); # show syntax errors
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
$res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
if ($status eq 'running') {
-
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
- $verbose = 0; # do not show iptables details
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
- my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
- my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
- my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
+
+ PVE::Firewall::set_verbose(0); # do not show iptables details
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
+ my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
+ my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
$res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) ? 1 : 0;
}
method => 'GET',
description => "Compile and print firewall rules. This is useful for testing.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {},
},
returns => { type => 'null' },
my $code = sub {
- my $verbose = 1;
+ PVE::Firewall::set_verbose(1);
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef);
print "ipset cmdlist:\n";
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
print "\niptables cmdlist:\n";
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
print "\nip6tables cmdlist:\n";
- my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
print "\nebtables cmdlist:\n";
- my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset, $verbose);
+ my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);
if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) {
print "detected changes\n";
method => 'GET',
description => "Print information about local network.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {},
},
returns => { type => 'null' },
print "local IP address: $ip\n";
my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
-
+
my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
print "network auto detect: $localnet\n";
if ($cluster_conf->{aliases}->{local_network}) {
print "using detected local_network: $localnet\n";
}
+ if (PVE::Corosync::check_conf_exists(1)) {
+ my $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf");
+ my $corosync_node_found = 0;
+
+ print "\naccepting corosync traffic from/to:\n";
+
+ PVE::Corosync::for_all_corosync_addresses($corosync_conf, undef, sub {
+ my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+
+ if (!$corosync_node_found) {
+ $corosync_node_found = 1;
+ }
+
+ $key =~ m/(?:ring|link)(\d+)_addr/;
+ print " - $node_name: $node_ip (link: $1)\n";
+ });
+
+ if (!$corosync_node_found) {
+ print " - no nodes found\n";
+ }
+ }
+
return undef;
}});
method => 'GET',
description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
verbose => {
description => "Verbose output.",
local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
+ PVE::Firewall::set_verbose($param->{verbose});
+
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile();
+
+ PVE::FirewallSimulator::debug();
- PVE::FirewallSimulator::debug($param->{verbose} || 0);
-
my $host_ip = PVE::Cluster::remote_node_ip($nodename);
PVE::FirewallSimulator::reset_trace();
if (!defined($test->{to})) {
$test->{to} = 'host';
- PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
- }
+ PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
+ }
if (!defined($test->{from})) {
$test->{from} = 'outside',
- PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
+ PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
}
my $vmdata = PVE::Firewall::read_local_vm_config();
$test->{action} = 'QUERY';
- my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
+ my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
$host_ip, $vmdata, $test);
-
+
print "ACTION: $res\n";
return undef;
status => [ __PACKAGE__, 'status', [], undef, sub {
my $res = shift;
my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};
-
+
if ($res->{changes}) {
print "Status: $status (pending changes)\n";
} else {
projects / pve-firewall.git / blobdiff