start cluster wide firewall API

[pve-firewall.git] / src / pvefw

diff --git a/src/pvefw b/src/pvefw
index d0f1e6023fd8042e75daf2e3456d5c63f9df4b54..f02b12acb33b5150f78746773be48b518a76063d 100755 (executable)
--- a/src/pvefw
+++ b/src/pvefw
@@ -14,9 +14,12 @@ use PVE::RPCEnvironment;
 use PVE::JSONSchema qw(get_standard_option);
 
 use PVE::CLIHandler;
+use PVE::API2::Firewall::Groups;
 
 use base qw(PVE::CLIHandler);
 
+use Data::Dumper;
+
 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
 
 initlog ('pvefw');
@@ -57,8 +60,17 @@ __PACKAGE__->register_method ({
            if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
 
        my $code = sub {
-           my $ruleset = PVE::Firewall::compile();
-           PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
+           my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
+
+           if ($param->{verbose}) {
+               my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
+               my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
+               if ($ipset_changes || $ruleset_changes) {
+                   print "detected changes\n";
+               } else {
+                   print "no changes\n";
+               }
+           }
        };
 
        PVE::Firewall::run_locked($code);
@@ -103,12 +115,12 @@ __PACKAGE__->register_method ({
 
            my $res = { status => $status };
            if ($status eq 'active') {
-               my $ruleset = PVE::Firewall::compile();
-               my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);
+               my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
 
-               if ($cmdlist ne "*filter\nCOMMIT\n") {
-                   $res->{changes} = 1;
-               }
+               my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
+               my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+               # fixme: ipset changes
+               $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
            } 
 
            return $res;
@@ -184,33 +196,7 @@ __PACKAGE__->register_method ({
        my ($param) = @_;
 
        my $code = sub {
-
-           my $chash = PVE::Firewall::iptables_get_chains();
-           my $cmdlist = "*filter\n";
-           my $rule = "INPUT -j PVEFW-INPUT";
-           if (PVE::Firewall::iptables_rule_exist($rule)) {
-               $cmdlist .= "-D $rule\n";
-           }
-           $rule = "OUTPUT -j PVEFW-OUTPUT";
-           if (PVE::Firewall::iptables_rule_exist($rule)) {
-               $cmdlist .= "-D $rule\n";
-           }
-
-           $rule = "FORWARD -j PVEFW-FORWARD";
-           if (PVE::Firewall::iptables_rule_exist($rule)) {
-               $cmdlist .= "-D $rule\n";
-           }
-
-           foreach my $chain (keys %$chash) {
-               $cmdlist .= "-F $chain\n";
-           }
-           foreach my $chain (keys %$chash) {
-               $cmdlist .= "-X $chain\n";
-           }
-           $cmdlist .= "COMMIT\n";
-
-           PVE::Firewall::iptables_restore_cmdlist($cmdlist);
-
+           PVE::Firewall::remove_pvefw_chains();
            PVE::Firewall::save_pvefw_status('stopped');
        };
 
@@ -234,6 +220,18 @@ my $cmddef = {
        }
     }],
     stop => [ __PACKAGE__, 'stop', []],
+
+    # This is for debugging 
+    listgroups => [ 'PVE::API2::Firewall::Groups', 'list', [], 
+                   { node => $nodename }, sub {
+                       my $res = shift;
+                       print Dumper($res);
+                   }],
+    grouprules => [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'], 
+                   { node => $nodename }, sub {
+                       my $res = shift;
+                       print Dumper($res);
+                   }],
 };
 
 my $cmd = shift;