X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=pvefw;h=25c4f8a8b0b8e80a65d759673343414877296de0;hp=fdf72468e109e072d1837fa84907bcba4ec48ba8;hb=0bd5f13736bfe072a529ce08f43e27c31df03c50;hpb=35544360473cba31bbe3569438dbed67e6d61e93 diff --git a/pvefw b/pvefw index fdf7246..25c4f8a 100755 --- a/pvefw +++ b/pvefw @@ -3,15 +3,11 @@ use strict; use lib qw(.); use PVE::Firewall; -use File::Path; -use IO::File; -use Data::Dumper; use PVE::SafeSyslog; use PVE::Cluster; use PVE::INotify; use PVE::RPCEnvironment; -use PVE::QemuServer; use PVE::JSONSchema qw(get_standard_option); @@ -33,106 +29,101 @@ $rpcenv->init_request(); $rpcenv->set_language($ENV{LANG}); $rpcenv->set_user('root@pam'); -sub parse_fw_rules { - my ($filename, $fh) = @_; - - my $section; - - my $res = { in => [], out => [] }; - - while (defined(my $line = <$fh>)) { - next if $line =~ m/^#/; - next if $line =~ m/^\s*$/; - - if ($line =~ m/^\[(in|out)\]\s*$/i) { - $section = lc($1); - next; - } - next if !$section; - - my ($action, $iface, $source, $dest, $proto, $dport, $sport) = - split(/\s+/, $line); - - if (!($action && $iface && $source && $dest)) { - warn "skip incomplete line\n"; - next; - } - - if ($action !~ m/^(ACCEPT|DROP)$/) { - warn "unknown action '$action'\n"; -# next; - } - - if ($iface !~ m/^(all|net0|net1|net2|net3|net4|net5)$/) { - warn "unknown interface '$iface'\n"; - next; - } +__PACKAGE__->register_method({ + name => 'enabletaprules', + path => 'enabletaprules', + method => 'POST', + parameters => { + additionalProperties => 0, + properties => { + vmid => get_standard_option('pve-vmid'), + netid => { + type => 'string', + }, + + }, + }, + returns => { type => 'null' }, + code => sub { + my ($param) = @_; - if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) { - warn "unknown protokol '$proto'\n"; - next; - } + # test if VM exists + my $vmid = $param->{vmid}; + my $netid = $param->{netid}; - if ($source !~ m/^(any)$/) { - warn "unknown source '$source'\n"; - next; - } + my $conf = PVE::QemuServer::load_config($vmid); + my $net = PVE::QemuServer::parse_net($conf->{$netid}); - if ($dest !~ m/^(any)$/) { - warn "unknown destination '$dest'\n"; - next; - } + PVE::Firewall::generate_tap_rules($net, $netid, $vmid); - my $rule = { - action => $action, - iface => $iface, - source => $source, - dest => $dest, - proto => $proto, - dport => $dport, - sport => $sport, - }; + return undef; + }}); - push @{$res->{$section}}, $rule; - } +__PACKAGE__->register_method({ + name => 'disabletaprules', + path => 'disabletaprules', + method => 'POST', + parameters => { + additionalProperties => 0, + properties => { + vmid => get_standard_option('pve-vmid'), + netid => { + type => 'string', + }, + + }, + }, + returns => { type => 'null' }, + code => sub { + my ($param) = @_; - return $res; -} + # test if VM exists + my $vmid = $param->{vmid}; + my $netid = $param->{netid}; -sub read_local_vm_config { + my $conf = PVE::QemuServer::load_config($vmid); + my $net = PVE::QemuServer::parse_net($conf->{$netid}); - my $openvz = {}; + PVE::Firewall::flush_tap_rules($net, $netid, $vmid); - my $qemu = {}; + return undef; + }}); - my $list = PVE::QemuServer::config_list(); +__PACKAGE__->register_method({ + name => 'enablehostfw', + path => 'enablehostfw', + method => 'POST', + parameters => { + additionalProperties => 0, + properties => {}, + }, + returns => { type => 'null' }, - foreach my $vmid (keys %$list) { - my $cfspath = PVE::QemuServer::cfs_config_path($vmid); - if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) { - $qemu->{$vmid} = $conf; - } - } + code => sub { + my ($param) = @_; - my $vmdata = { openvz => $openvz, qemu => $qemu }; + PVE::Firewall::enablehostfw(); - return $vmdata; -}; + return undef; + }}); -sub read_vm_firewall_rules { - my ($vmdata) = @_; +__PACKAGE__->register_method({ + name => 'disablehostfw', + path => 'disablehostfw', + method => 'POST', + parameters => { + additionalProperties => 0, + properties => {}, + }, + returns => { type => 'null' }, - my $rules = {}; - foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $filename = "/etc/pve/$vmid.fw"; - my $fh = IO::File->new($filename, O_RDONLY); - next if !$fh; + code => sub { + my ($param) = @_; - $rules->{$vmid} = parse_fw_rules($filename, $fh); - } + PVE::Firewall::disablehostfw(); - return $rules; -} + return undef; + }}); __PACKAGE__->register_method ({ name => 'compile', @@ -148,27 +139,35 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - my $vmdata = read_local_vm_config(); - my $rules = read_vm_firewall_rules(); + PVE::Firewall::compile(); - # print Dumper($vmdata); + return undef; + }}); - my $swdir = '/etc/shorewall'; - mkdir $swdir; +__PACKAGE__->register_method ({ + name => 'start', + path => 'start', + method => 'POST', + description => "Start firewall.", + parameters => { + additionalProperties => 0, + properties => {}, + }, + returns => { type => 'null' }, - PVE::Firewall::compile($swdir, $vmdata, $rules); + code => sub { + my ($param) = @_; - PVE::Tools::run_command(['shorewall', 'compile']); + PVE::Firewall::compile_and_start(); return undef; - }}); __PACKAGE__->register_method ({ - name => 'start', - path => 'start', + name => 'restart', + path => 'restart', method => 'POST', - description => "Start firewall.", + description => "Restart firewall.", parameters => { additionalProperties => 0, properties => {}, @@ -178,7 +177,7 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - PVE::Tools::run_command(['shorewall', 'start']); + PVE::Firewall::compile_and_start(1); return undef; }}); @@ -226,8 +225,13 @@ my $nodename = PVE::INotify::nodename(); my $cmddef = { compile => [ __PACKAGE__, 'compile', []], start => [ __PACKAGE__, 'start', []], + restart => [ __PACKAGE__, 'restart', []], stop => [ __PACKAGE__, 'stop', []], clear => [ __PACKAGE__, 'clear', []], + enabletaprules => [ __PACKAGE__, 'enabletaprules', []], + disabletaprules => [ __PACKAGE__, 'disabletaprules', []], + enablehostfw => [ __PACKAGE__, 'enablehostfw', []], + disablehostfw => [ __PACKAGE__, 'disablehostfw', []], }; my $cmd = shift;