X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2Fpve-firewall;h=6e5eb1633cb2ff033fa8b93c0671d09b4c58d6ec;hp=d401b993ea5dd2d6b0d637cc339efa2f6650e8a2;hb=a2dbb47b4ca3a584a353ceacc3e4a1a40e1a1446;hpb=d4cda423ca8122954bd7921a07c8e2fffa01e1fb
diff --git a/src/pve-firewall b/src/pve-firewall
index d401b99..6e5eb16 100755
--- a/src/pve-firewall
+++ b/src/pve-firewall
@@ -311,7 +311,11 @@ __PACKAGE__->register_method ({
 properties => {
 status => {
 type => 'string',
- enum => ['unknown', 'stopped', 'active'],
+ enum => ['unknown', 'stopped', 'running'],
+ },
+ enable => {
+ description => "Firewall is enabled (in 'cluster.fw')",
+ type => 'boolean',
 },
 changes => {
 description => "Set when there are pending changes.",
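Review bot: The enum value `'active'` becomes `'running'` without the schema saying so, and the schema is what API clients read; any consumer comparing `status` against the old value now lands in its unexpected-value path silently. Record the rename where it is visible, e.g. add `description => "Daemon state; 'running' replaces the former 'active' value.",` beside `type => 'string'`. The new `enable` property is always populated by the handler below, so leaving out `optional => 1` is consistent.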
@@ -330,19 +334,24 @@ __PACKAGE__->register_method ({
 my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
 my $running = PVE::ProcFSTools::check_process_running($pid);
- my $status = $running ? 'active' : 'stopped';
+ my $status = $running ? 'running' : 'stopped';
 my $res = { status => $status };
- if ($status eq 'active') {
+
+ my $verbose = 1; # show syntax errors
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
+
+ if ($status eq 'running') {
- my $verbose = 1; # show syntax errors
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
 $verbose = 0; # do not show iptables details
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
-
- $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
+ my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
+
+ $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6) ? 1 : 0;
 }
 return $res;
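Review bot: `my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);` captures a `$test` that is never read, while the ip6tables call on the next line discards the same slot with `undef`; this line should read `my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);` for consistency. The cluster config is now loaded with `$verbose = 1` before the `running` check, so a status query against a stopped daemon will presumably also surface `cluster.fw` syntax problems, which is a behaviour change worth a one-line comment on the `load_clusterfw_conf` call. The ipset/iptables/ip6tables change test is repeated verbatim in the `compile` hunk below; a small private helper would keep the two sites in step the next time a table is added. The handler's body starts outside the hunk.
```perl
# True when applying the ipset, iptables or ip6tables command lists would
# change the live state; shared by the 'status' and 'compile' handlers.
sub _rulesets_changed {
    my ($ipset_ruleset, $ruleset, $rulesetv6, $verbose) = @_;
    my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
    my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
    my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
    return ($ipset_changes || $ruleset_changes || $ruleset_changesv6) ? 1 : 0;
}

# … unchanged: status handler up to the compile() call …
    $verbose = 0; # do not show iptables details
    $res->{changes} = _rulesets_changed($ipset_ruleset, $ruleset, $rulesetv6, $verbose);
```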
@@ -371,15 +380,22 @@ __PACKAGE__->register_method ({
 my $verbose = 1;
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
 my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
- if ($ipset_changes || $ruleset_changes) {
+ my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
+
+ if ($ipset_changes || $ruleset_changes || $ruleset_changesv6) {
 print "detected changes\n";
 } else {
 print "no changes\n";
 }
+ if (!$cluster_conf->{options}->{enable}) {
+ print "firewall disabled\n";
+ }
+
 };
 PVE::Firewall::run_locked($code);
@@ -488,7 +504,7 @@ __PACKAGE__->register_method ({
 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
+ my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
 PVE::FirewallSimulator::debug($param->{verbose} || 0);
@@ -542,10 +558,12 @@ my $cmddef = {
 localnet => [ __PACKAGE__, 'localnet', []],
 status => [ __PACKAGE__, 'status', [], undef, sub {
 my $res = shift;
+ my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};
+
 if ($res->{changes}) {
- print "Status: $res->{status} (pending changes)\n";
+ print "Status: $status (pending changes)\n";
 } else {
- print "Status: $res->{status}\n";
+ print "Status: $status\n";
 }
 }],
 };
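Review bot: `print "firewall disabled\n";` is emitted after the change summary, so on a disabled firewall the command prints `detected changes` and then `firewall disabled`, which reads as contradictory at the prompt even if the compiled ruleset for that state is the cleanup set. Moving the `if (!$cluster_conf->{options}->{enable})` block above the change check, or folding the word into the summary line, makes the output self-explanatory without changing what is computed. The `$code` closure begins outside the hunk.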
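Review bot: `$rulesetv6` is now captured from `compile()` but nothing in the hunk consumes it, and the simulator call that follows is outside the hunk; if the simulator is only handed `$ruleset`, IPv6 traffic would presumably be simulated without the ip6tables rules the daemon applies. Either pass it through to the simulator, or keep the two-element `my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});` form so the omission is explicit rather than an unused lexical. The enclosing handler starts and ends outside the hunk.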
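Review bot: The local `$status` in the `status` printer now holds the combined `enabled/running` text while the API field of the same name carries only the daemon state, so the two meanings are easy to confuse when reading this next to the handler above. A distinct name keeps them apart, e.g. `my $summary = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};` with the two `print` lines using `$summary`.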