X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=pvefw;h=1c346b555e7e4e6019452593844508b0145cfefd;hp=90c24f6ebe77d18d3e3494896b3f1db6f399366d;hb=9fcad984e7f907a7d9b756613cbe59c707a247dc;hpb=b16e818ea730142f89b8d7b170a444edb385e531
diff --git a/pvefw b/pvefw
index 90c24f6..1c346b5 100755
--- a/pvefw
+++ b/pvefw
@@ -29,191 +29,21 @@ $rpcenv->init_request(); $rpcenv->set_language($ENV{LANG}); $rpcenv->set_user('root@pam'); -__PACKAGE__->register_method({ - name => 'enablevmfw', - path => 'enablevmfw', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => { - vmid => get_standard_option('pve-vmid'), - netid => { - type => 'string', - optional => 1 - }, - }, - }, - returns => { type => 'null' }, - code => sub { - my ($param) = @_; - - # test if VM exists - my $vmid = $param->{vmid}; - my $netid = $param->{netid}; - - my $code = sub { - my $conf = PVE::QemuServer::load_config($vmid); - - foreach my $opt (keys %$conf) { - next if $opt !~ m/^net(\d+)$/; - my $net = PVE::QemuServer::parse_net($conf->{$opt}); - next if !$net; - next if $netid && $opt != $netid; - PVE::Firewall::generate_tap_rules($net, $opt, $vmid); - } - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - -__PACKAGE__->register_method({ - name => 'disablevmfw', - path => 'disablevmfw', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => { - vmid => get_standard_option('pve-vmid'), - netid => { - type => 'string', - optional => 1 - }, - - }, - }, - returns => { type => 'null' }, - code => sub { - my ($param) = @_; - - # test if VM exists - my $vmid = $param->{vmid}; - my $netid = $param->{netid}; - - - my $code = sub { - my $conf = PVE::QemuServer::load_config($vmid); - - foreach my $opt (keys %$conf) { - next if $opt !~ m/^net(\d+)$/; - my $net = PVE::QemuServer::parse_net($conf->{$opt}); - next if !$net; - next if $netid && $opt != $netid; - PVE::Firewall::flush_tap_rules($net, $opt, $vmid); - } - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - -__PACKAGE__->register_method({ - name => 'enablegroup', - path => 'enablegroup', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => { - securitygroup => { - type => 'string', - }, - }, - }, - returns => { type => 'null' }, - code => sub { - my 
($param) = @_; - - my $code = sub { - my $group = $param->{securitygroup}; - PVE::Firewall::enable_group_rules($group); - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - -__PACKAGE__->register_method({ - name => 'disablegroup', - path => 'disablegroup', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => { - securitygroup => { - type => 'string', - }, - - }, - }, - returns => { type => 'null' }, - code => sub { - my ($param) = @_; - - my $code = sub { - my $group = $param->{securitygroup}; - PVE::Firewall::disable_group_rules($group); - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - -__PACKAGE__->register_method({ - name => 'enablehostfw', - path => 'enablehostfw', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => {}, - }, - returns => { type => 'null' }, - - code => sub { - my ($param) = @_; - - my $code = sub { - PVE::Firewall::enablehostfw(); - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - -__PACKAGE__->register_method({ - name => 'disablehostfw', - path => 'disablehostfw', - method => 'POST', - parameters => { - additionalProperties => 0, - properties => {}, - }, - returns => { type => 'null' }, - - code => sub { - my ($param) = @_; - - my $code = sub { - PVE::Firewall::disablehostfw(); - }; - - PVE::Firewall::run_locked($code); - - return undef; - }}); - __PACKAGE__->register_method ({ name => 'compile', path => 'compile', method => 'POST', - description => "Compile firewall rules.", + description => "Compile amd print firewall rules. This is only for testing.", parameters => { additionalProperties => 0, - properties => {}, + properties => { + verbose => { + description => "Verbose output.", + type => "boolean", + optional => 1, + default => 0, + }, + }, }, returns => { type => 'null' }, 
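Review bot: The new description string for `compile` has a typo: `description => "Compile amd print firewall rules. This is only for testing.",` should read `description => "Compile and print firewall rules. This is only for testing.",`, and since this text ends up in user-facing help output it is worth fixing before it ships. The `verbose` property added here is repeated verbatim in the `start` hunk (`@@ -236,7 +67,14 @@`); a single `my $verbose_prop = { description => "Verbose output.", type => "boolean", optional => 1, default => 0 };` referenced from both schemas would keep the two definitions from drifting. The `compile` register_method call continues past the end of this hunk.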
@@ -221,7 +51,8 @@ __PACKAGE__->register_method ({ my ($param) = @_; my $code = sub { - PVE::Firewall::compile(); + my $ruleset = PVE::Firewall::compile(); + PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose}; }; PVE::Firewall::run_locked($code); @@ -236,7 +67,14 @@ __PACKAGE__->register_method ({ description => "Start (or restart if already active) firewall.", parameters => { additionalProperties => 0, - properties => {}, + properties => { + verbose => { + description => "Verbose output.", + type => "boolean", + optional => 1, + default => 0, + }, + }, }, returns => { type => 'null' }, @@ -244,7 +82,8 @@ __PACKAGE__->register_method ({ my ($param) = @_; my $code = sub { - PVE::Firewall::compile_and_start(); + my $ruleset = PVE::Firewall::compile(); + PVE::Firewall::apply_ruleset($ruleset, $param->{verbose}); }; PVE::Firewall::run_locked($code); @@ -269,8 +108,20 @@ __PACKAGE__->register_method ({ my $code = sub { my $chash = PVE::Firewall::iptables_get_chains(); my $cmdlist = "*filter\n"; - $cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n"; - $cmdlist .= "-D FORWARD -j proxmoxfw-FORWARD\n"; + my $rule = "INPUT -j PVEFW-INPUT"; + if (PVE::Firewall::iptables_rule_exist($rule)) { + $cmdlist .= "-D $rule\n"; + } + $rule = "OUTPUT -j PVEFW-OUTPUT"; + if (PVE::Firewall::iptables_rule_exist($rule)) { + $cmdlist .= "-D $rule\n"; + } + + $rule = "FORWARD -j PVEFW-FORWARD"; + if (PVE::Firewall::iptables_rule_exist($rule)) { + $cmdlist .= "-D $rule\n"; + } + foreach my $chain (keys %$chash) { $cmdlist .= "-F $chain\n"; } 
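Review bot: The second argument in `PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};` is a bare `1` whose meaning is not visible in this file; a short comment such as `# second arg: presumably a "print status" flag — confirm against get_ruleset_status` (or a named variable) would spare the next reader a lookup. Note also that when `verbose` is not set the command now compiles without printing anything, which sits oddly with the new description promising to compile and print; if printing is the point of this command, the description should say that output requires `--verbose`. The enclosing `code` sub starts before this hunk.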
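Review bot: The three check-and-append blocks for `INPUT`, `OUTPUT` and `FORWARD` in the `stop` code are identical apart from the rule text and read better as one loop: `for my $rule ("INPUT -j PVEFW-INPUT", "OUTPUT -j PVEFW-OUTPUT", "FORWARD -j PVEFW-FORWARD") {` / `    $cmdlist .= "-D $rule\n" if PVE::Firewall::iptables_rule_exist($rule);` / `}`. Separately, as far as I recall iptables `-D` removes only the first matching rule, so if a jump rule was ever inserted twice the second copy survives and keeps the PVEFW-* chains referenced when the following `-F $chain` lines (and any later chain removal) run; if duplicates are possible, either the existence check needs to repeat until the rule is gone or the cleanup must tolerate that case. I cannot see `iptables_rule_exist`, and the `stop` code sub continues past the hunk.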
@@ -292,14 +143,7 @@ my $nodename = PVE::INotify::nodename(); my $cmddef = { compile => [ __PACKAGE__, 'compile', []], start => [ __PACKAGE__, 'start', []], - restart => [ __PACKAGE__, 'restart', []], stop => [ __PACKAGE__, 'stop', []], - enablevmfw => [ __PACKAGE__, 'enablevmfw', []], - disablevmfw => [ __PACKAGE__, 'disablevmfw', []], - enablehostfw => [ __PACKAGE__, 'enablehostfw', []], - disablehostfw => [ __PACKAGE__, 'disablehostfw', []], - enablegroup => [ __PACKAGE__, 'enablegroup', []], - disablegroup => [ __PACKAGE__, 'disablegroup', []], }; my $cmd = shift;