sleep($waittime) if $waittime; # avoid high server load due to restarts
+ PVE::INotify::inotify_close();
+
exec (@$commandline);
exit (-1); # never reached?
}
my $res = { status => $status };
if ($status eq 'active') {
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
+
+ my $verbose = 1; # show syntax errors
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+ $verbose = 0; # do not show iptables details
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
$res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
}
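Review bot: Reusing one `$verbose` variable for two unrelated switches (show compiler syntax errors, then hide iptables details) makes the reader track a reassignment to understand each call; two named flags would state the intent without the comments, e.g. `my $show_syntax_errors = 1;` for the `compile()` call and `my $show_iptables_details = 0;` for the two cmdlist calls. Note also that with the first flag set, compile-time syntax errors are emitted from within the `status` path, so any caller parsing `status` output should expect that extra text; whether a `local $SIG{'__WARN__'}` override is in effect here is not visible, since the enclosing function begins outside this hunk.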
__PACKAGE__->register_method ({
name => 'compile',
path => 'compile',
- method => 'POST',
+ method => 'GET',
description => "Compile and print firewall rules. This is useful for testing.",
parameters => {
additionalProperties => 0,
local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
my $code = sub {
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
- my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
+ my $verbose = 1;
+
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
if ($ipset_changes || $ruleset_changes) {
print "detected changes\n";
} else {
return undef;
}});
+__PACKAGE__->register_method ({
+ name => 'localnet',
+ path => 'localnet',
+ method => 'GET',
+ description => "Print information about local network.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {},
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
+
+ my $nodename = PVE::INotify::nodename();
+ print "local hostname: $nodename\n";
+
+ my $ip = PVE::Cluster::remote_node_ip($nodename);
+ print "local IP address: $ip\n";
+
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+
+ my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
+ print "network auto detect: $localnet\n";
+ if ($cluster_conf->{aliases}->{local_network}) {
+ print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
+ } else {
+ print "using detected local_network: $localnet\n";
+ }
+
+ return undef;
+ }});
+
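Review bot: The loopback fallback in `my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';` is then printed as "network auto detect: 127.0.0.0/8", so a failed detection is indistinguishable from a genuine result, and for a firewall whose rules hinge on what local_network resolves to, that distinction is exactly what this diagnostic should expose. I would keep the raw result separate, `my $detected = PVE::Firewall::local_network();` followed by `print "network auto detect: " . ($detected // '(none)') . "\n";`, and apply the fallback only when computing the "using" line. Whether '127.0.0.0/8' matches the default the rule compiler itself substitutes is not visible in this hunk; if it differs, the command misreports the effective value, so a comment naming where that default comes from would help. Separately, `PVE::Cluster::remote_node_ip($nodename)` near the top may die for a node name it cannot resolve, in which case none of the later lines print; wrapping it in `eval` and printing the error keeps the rest of the output useful.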
__PACKAGE__->register_method ({
name => 'simulate',
path => 'simulate',
- method => 'POST',
+ method => 'GET',
description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
parameters => {
additionalProperties => 0,
local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
PVE::FirewallSimulator::debug($param->{verbose} || 0);
stop => [ __PACKAGE__, 'stop', []],
compile => [ __PACKAGE__, 'compile', []],
simulate => [ __PACKAGE__, 'simulate', []],
+ localnet => [ __PACKAGE__, 'localnet', []],
status => [ __PACKAGE__, 'status', [], undef, sub {
my $res = shift;
if ($res->{changes}) {