X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=pvefw;h=1c346b555e7e4e6019452593844508b0145cfefd;hp=2d4d4503481824e6c1103d9c560771f04705386e;hb=d050c7240e2a3d4c1de906fea7e48f926d876098;hpb=462a6553535a43ee48ce5f1b487a5eee0d2cdc3f
diff --git a/pvefw b/pvefw
index 2d4d450..1c346b5 100755
--- a/pvefw
+++ b/pvefw
@@ -29,128 +29,33 @@ $rpcenv->init_request();
 $rpcenv->set_language($ENV{LANG});
 $rpcenv->set_user('root@pam');
 
-__PACKAGE__->register_method({
- name => 'enablevmfw',
- path => 'enablevmfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {
- vmid => get_standard_option('pve-vmid'),
- netid => {
- type => 'string',
- optional => 1
- },
- },
- },
- returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
-
- # test if VM exists
- my $vmid = $param->{vmid};
- my $netid = $param->{netid};
-
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
- }
-
- return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'disablevmfw',
- path => 'disablevmfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {
- vmid => get_standard_option('pve-vmid'),
- netid => {
- type => 'string',
- optional => 1
- },
-
- },
- },
- returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
-
- # test if VM exists
- my $vmid = $param->{vmid};
- my $netid = $param->{netid};
-
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
- }
-
- return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'enablehostfw',
- path => 'enablehostfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Firewall::enablehostfw();
-
- return undef;
- }});
-
-__PACKAGE__->register_method({
- name => 'disablehostfw',
- path => 'disablehostfw',
- method => 'POST',
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Firewall::disablehostfw();
-
- return undef;
- }});
-
 __PACKAGE__->register_method ({
 name => 'compile',
 path => 'compile',
 method => 'POST',
- description => "Compile firewall rules.",
+ description => "Compile amd print firewall rules. This is only for testing.",
 parameters => {
 additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
 },
 returns => { type => 'null' },
 
 code => sub {
 my ($param) = @_;
 
- PVE::Firewall::compile();
+ my $code = sub {
+ my $ruleset = PVE::Firewall::compile();
+ PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
+ };
+
+ PVE::Firewall::run_locked($code);
 
 return undef;
 }});
@@ -159,36 +64,29 @@ __PACKAGE__->register_method ({
 name => 'start',
 path => 'start',
 method => 'POST',
- description => "Start firewall.",
+ description => "Start (or restart if already active) firewall.",
 parameters => {
 additionalProperties => 0,
- properties => {},
+ properties => {
+ verbose => {
+ description => "Verbose output.",
+ type => "boolean",
+ optional => 1,
+ default => 0,
+ },
+ },
 },
 returns => { type => 'null' },
 
 code => sub {
 my ($param) = @_;
 
- PVE::Firewall::compile_and_start();
+ my $code = sub {
+ my $ruleset = PVE::Firewall::compile();
+ PVE::Firewall::apply_ruleset($ruleset, $param->{verbose});
+ };
 
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'restart',
- path => 'restart',
- method => 'POST',
- description => "Restart firewall.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Firewall::compile_and_start(1);
+ PVE::Firewall::run_locked($code);
 
 return undef;
 }});
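Review bot: The new description string of the `compile` method has a typo, `amd` for `and`: `description => "Compile and print firewall rules. This is only for testing.",`. As written the command prints nothing unless `--verbose` is given, because the only output path is `PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};` (assuming that helper is what prints); either the description should mention the flag or the printing should not depend on it.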
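Review bot: In the `start` method `$param->{verbose}` is passed straight into `PVE::Firewall::apply_ruleset`, so when the option is omitted the argument is undef unless the CLI layer fills in the schema `default => 0` (I cannot tell from this hunk whether it does). `PVE::Firewall::apply_ruleset($ruleset, $param->{verbose} // 0);` makes the call independent of that. The `compile` hunk above only tests the flag for truth, so it is unaffected.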
@@ -197,26 +95,7 @@ __PACKAGE__->register_method ({
 name => 'stop',
 path => 'stop',
 method => 'POST',
- description => "Stop firewall.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- PVE::Tools::run_command(['shorewall', 'stop']);
-
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'clear',
- path => 'clear',
- method => 'POST',
- description => "Clear will remove all rules installed by this script. The host is then unprotected.",
+ description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -226,7 +105,35 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
 
- PVE::Tools::run_command(['shorewall', 'clear']);
+ my $code = sub {
+ my $chash = PVE::Firewall::iptables_get_chains();
+ my $cmdlist = "*filter\n";
+ my $rule = "INPUT -j PVEFW-INPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+ $rule = "OUTPUT -j PVEFW-OUTPUT";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ $rule = "FORWARD -j PVEFW-FORWARD";
+ if (PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-D $rule\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ PVE::Firewall::iptables_restore_cmdlist($cmdlist);
+ };
+
+ PVE::Firewall::run_locked($code);
 
 return undef;
 }});
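Review bot: The three INPUT/OUTPUT/FORWARD blocks in the new `stop` body are copy-paste variants and read better as one loop: `for my $chain (qw(INPUT OUTPUT FORWARD)) { my $rule = "$chain -j PVEFW-$chain"; $cmdlist .= "-D $rule\n" if PVE::Firewall::iptables_rule_exist($rule); }`. A `-D` is emitted at most once per jump rule, so if the same jump had been inserted twice the PVEFW chain would still be referenced when the `-X` line runs; presumably iptables-restore then rejects the whole batch, which keeps the rules in place rather than leaving the host half-stripped, but that failure mode deserves a comment. The `-F`/`-X` loops also flush and delete every chain in `$chash`, which is only safe if `iptables_get_chains()` returns just the PVEFW-managed chains and never the builtin ones; I cannot verify that from this hunk, so a comment such as `# $chash holds only the PVEFW-* chains, builtins are never deleted` (or an explicit name filter) would pin that assumption down.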
@@ -236,13 +143,7 @@ my $nodename = PVE::INotify::nodename();
 my $cmddef = {
 compile => [ __PACKAGE__, 'compile', []],
 start => [ __PACKAGE__, 'start', []],
- restart => [ __PACKAGE__, 'restart', []],
 stop => [ __PACKAGE__, 'stop', []],
- clear => [ __PACKAGE__, 'clear', []],
- enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
- disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
- enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
- disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
 };
 
 my $cmd = shift;