X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=pvefw;h=e33518de64c13db1e7463a8382505bd47a8afab6;hp=2d4d4503481824e6c1103d9c560771f04705386e;hb=64568ce0ba3e01ccea2c7c4d8135c7ee1a7fcfcd;hpb=462a6553535a43ee48ce5f1b487a5eee0d2cdc3f
diff --git a/pvefw b/pvefw
index 2d4d450..e33518d 100755
--- a/pvefw
+++ b/pvefw
@@ -51,17 +51,21 @@ __PACKAGE__->register_method({
 my $vmid = $param->{vmid};
 my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
-
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
- }
-
- return undef;
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
+
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::generate_tap_rules($net, $opt, $vmid);
+ }
+ };
+
+ PVE::Firewall::run_locked($code);
+
+ return undef;
 }});
 __PACKAGE__->register_method({
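Review bot: `next if $netid && $opt != $netid;` inside the new closure compares the option key (`net0`, `net1`, …) numerically, so `$opt` numifies to 0 with an "isn't numeric" warning and the filter cannot select the intended interface — whether an interface is skipped depends only on `$netid`'s own numeric value. The index is already captured by `m/^net(\d+)$/`; save it before `parse_net` can clobber `$1` and compare that: `next if $opt !~ m/^net(\d+)$/; my $index = $1;` followed by `next if $netid && $index != $netid;`. This assumes `netid` is declared as the numeric index; if its schema (outside this hunk) declares the full `netN` name, use `$opt ne $netid` instead. The same comparison is carried into the `flush_tap_rules` closure in the hunk at -87. The enclosing `code => sub` begins outside the hunk.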
@@ -87,60 +91,81 @@ __PACKAGE__->register_method({
 my $vmid = $param->{vmid};
 my $netid = $param->{netid};
- my $conf = PVE::QemuServer::load_config($vmid);
- foreach my $opt (keys %$conf) {
- next if $opt !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$opt});
- next if !$net;
- next if $netid && $opt != $netid;
- PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
- }
+ my $code = sub {
+ my $conf = PVE::QemuServer::load_config($vmid);
+
+ foreach my $opt (keys %$conf) {
+ next if $opt !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$opt});
+ next if !$net;
+ next if $netid && $opt != $netid;
+ PVE::Firewall::flush_tap_rules($net, $opt, $vmid);
+ }
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
 __PACKAGE__->register_method({
- name => 'enablehostfw',
- path => 'enablehostfw',
+ name => 'enablegroup',
+ path => 'enablegroup',
 method => 'POST',
 parameters => {
- additionalProperties => 0,
- properties => {},
+ additionalProperties => 0,
+ properties => {
+ securitygroup => {
+ type => 'string',
+ },
+ },
 },
 returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
+ my ($param) = @_;
- PVE::Firewall::enablehostfw();
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::enable_group_rules($group);
+ };
- return undef;
+ PVE::Firewall::run_locked($code);
+
+ return undef;
 }});
 __PACKAGE__->register_method({
- name => 'disablehostfw',
- path => 'disablehostfw',
+ name => 'disablegroup',
+ path => 'disablegroup',
 method => 'POST',
 parameters => {
- additionalProperties => 0,
- properties => {},
+ additionalProperties => 0,
+ properties => {
+ securitygroup => {
+ type => 'string',
+ },
+
+ },
 },
 returns => { type => 'null' },
- code => sub {
- my ($param) = @_;
+ my ($param) = @_;
- PVE::Firewall::disablehostfw();
+ my $code = sub {
+ my $group = $param->{securitygroup};
+ PVE::Firewall::disable_group_rules($group);
+ };
- return undef;
+ PVE::Firewall::run_locked($code);
+
+ return undef;
 }});
-__PACKAGE__->register_method ({
- name => 'compile',
- path => 'compile',
+__PACKAGE__->register_method({
+ name => 'enablehostfw',
+ path => 'enablehostfw',
 method => 'POST',
- description => "Compile firewall rules.",
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -150,16 +175,19 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
- PVE::Firewall::compile();
+ my $code = sub {
+ PVE::Firewall::enablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
-__PACKAGE__->register_method ({
- name => 'start',
- path => 'start',
+__PACKAGE__->register_method({
+ name => 'disablehostfw',
+ path => 'disablehostfw',
 method => 'POST',
- description => "Start firewall.",
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -169,16 +197,20 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
- PVE::Firewall::compile_and_start();
+ my $code = sub {
+ PVE::Firewall::disablehostfw();
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
 __PACKAGE__->register_method ({
- name => 'restart',
- path => 'restart',
+ name => 'compile',
+ path => 'compile',
 method => 'POST',
- description => "Restart firewall.",
+ description => "Compile firewall rules.",
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -188,16 +220,20 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
- PVE::Firewall::compile_and_start(1);
+ my $code = sub {
+ PVE::Firewall::compile();
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
 __PACKAGE__->register_method ({
- name => 'stop',
- path => 'stop',
+ name => 'start',
+ path => 'start',
 method => 'POST',
- description => "Stop firewall.",
+ description => "Start (or restart if already active) firewall.",
 parameters => {
 additionalProperties => 0,
 properties => {},
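Review bot: The new `securitygroup` parameter of `enablegroup` and `disablegroup` is declared as a bare `type => 'string'` and handed unchecked to `enable_group_rules`/`disable_group_rules`; a group name presumably ends up in a rule file path or chain name, so constrain it in the schema, e.g. `securitygroup => { type => 'string', pattern => '^[A-Za-z0-9_-]+$' },` (example pattern — confirm against what the helpers accept). Both methods also lack a `description` entry, unlike `compile`/`start`/`stop`; e.g. `description => "Enable the rules of a security group.",`. As rendered, `code => sub {` is removed ahead of `my ($param) = @_;` in both methods with no replacement line; if that is not an artifact of this page, the method hashes would not parse. The `disablegroup` properties hash additionally carries a stray empty added line.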
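Review bot: The relocated `enablehostfw` registration (and `disablehostfw` in the hunk at -169) still has no `description` entry, while the neighbouring `compile`/`start`/`stop` methods carry one, so any help text derived from the schema is presumably blank for these two commands. Add e.g. `description => "Enable host firewall rules.",` after `method => 'POST',` in each, wording to be confirmed against what `PVE::Firewall::enablehostfw` and `disablehostfw` actually do. The `my ($param) = @_;` in both code blocks remains unused.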
@@ -207,16 +243,20 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'stop']);
+ my $code = sub {
+ PVE::Firewall::compile_and_start();
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
 __PACKAGE__->register_method ({
- name => 'clear',
- path => 'clear',
+ name => 'stop',
+ path => 'stop',
 method => 'POST',
- description => "Clear will remove all rules installed by this script. The host is then unprotected.",
+ description => "Stop firewall. This will remove all rules installed by this script. The host is then unprotected.",
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -226,7 +266,11 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
- PVE::Tools::run_command(['shorewall', 'clear']);
+ my $code = sub {
+ die "implement me";
+ };
+
+ PVE::Firewall::run_locked($code);
 return undef;
 }});
@@ -238,11 +282,12 @@ my $cmddef = {
 start => [ __PACKAGE__, 'start', []],
 restart => [ __PACKAGE__, 'restart', []],
 stop => [ __PACKAGE__, 'stop', []],
- clear => [ __PACKAGE__, 'clear', []],
 enablevmfw => [ __PACKAGE__, 'enablevmfw', []],
 disablevmfw => [ __PACKAGE__, 'disablevmfw', []],
 enablehostfw => [ __PACKAGE__, 'enablehostfw', []],
 disablehostfw => [ __PACKAGE__, 'disablehostfw', []],
+ enablegroup => [ __PACKAGE__, 'enablegroup', []],
+ disablegroup => [ __PACKAGE__, 'disablegroup', []],
 };
 my $cmd = shift;
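Review bot: The new description `"Start (or restart if already active) firewall."` promises restart semantics, but the handler that becomes `start` in the hunk at -207 calls `PVE::Firewall::compile_and_start();` without the argument the removed `restart` handler passed (`compile_and_start(1)`, deleted in this hunk). The meaning of that flag is not visible on this page; unless its default already covers the already-active case, `pvefw start` on a running firewall will not behave as documented, so either pass the flag through or reword the description to match what `compile_and_start()` does.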
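Review bot: `stop` is registered and exposed through `$cmddef`, but its closure is `die "implement me";`, so `pvefw stop` aborts with an internal message and leaves the rules in place, whereas the removed handler actually ran `shorewall stop`; the new description promising that all rules are removed is therefore false until the implementation lands. If the commit must go in as-is, make the failure explicit to operators, e.g. `die "stop is not implemented yet - firewall rules are left in place\n";`, or drop the `stop` entry from `$cmddef` until it works. The `die` also fires inside `run_locked`, which is fine only if that helper releases the lock on exceptions — confirm.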
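Review bot: `restart => [ __PACKAGE__, 'restart', []],` is kept as context in `$cmddef`, but this diff removes the `restart` method registration (the `- name => 'restart'` lines in the hunk at -169) and adds no replacement, so `pvefw restart` would dispatch to a method that no longer exists in the file as shown. If the registration was not re-added elsewhere, either drop the entry alongside `clear` or point it at `start`, whose new description already claims restart behaviour: `restart => [ __PACKAGE__, 'start', []],`. The two new `enablegroup`/`disablegroup` entries list no positional arguments (`[]`), so `securitygroup` presumably has to be passed as an option; if a positional form is intended, name it: `enablegroup => [ __PACKAGE__, 'enablegroup', ['securitygroup']],`.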