X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2Fpvefw;h=754a4eafd791a669df60859ce4e983e2a9160a87;hp=d0f1e6023fd8042e75daf2e3456d5c63f9df4b54;hb=3dfa8a7f6d1c3eae51fa410eb818fcc1bd0b7ed2;hpb=11388be71bcefa1d0e690ab3be3722705e6207b3
diff --git a/src/pvefw b/src/pvefw
index d0f1e60..754a4ea 100755
--- a/src/pvefw
+++ b/src/pvefw
@@ -14,9 +14,12 @@ use PVE::RPCEnvironment;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::CLIHandler;
+use PVE::API2::Firewall::Groups;
 use base qw(PVE::CLIHandler);
+use Data::Dumper;
+
 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
 initlog ('pvefw');
@@ -57,8 +60,17 @@ __PACKAGE__->register_method ({
 if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
 my $code = sub {
- my $ruleset = PVE::Firewall::compile();
- PVE::Firewall::get_ruleset_status($ruleset, 1) if $param->{verbose};
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
+
+ if ($param->{verbose}) {
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, 1);
+ if ($ipset_changes || $ruleset_changes) {
+ print "detected changes\n";
+ } else {
+ print "no changes\n";
+ }
+ }
 };
 PVE::Firewall::run_locked($code);
@@ -103,12 +115,12 @@ __PACKAGE__->register_method ({
 my $res = { status => $status };
 if ($status eq 'active') {
- my $ruleset = PVE::Firewall::compile();
- my $cmdlist = PVE::Firewall::get_rulset_cmdlist($ruleset);
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
- if ($cmdlist ne "*filter\nCOMMIT\n") {
- $res->{changes} = 1;
- }
+ my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
+ my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
+ # fixme: ipset changes
+ $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
 }
 return $res;
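Review bot: The change-detection sequence in the verbose branch of the compile handler — compile(), `get_ipset_cmdlist($ipset_ruleset, 1)`, `get_ruleset_cmdlist($ruleset, 1)`, then OR-ing the two flags — reappears in the status hunk below without the trailing `1`, so the two copies will drift apart; a file-local helper such as `my $detect_changes = sub { my ($verbose) = @_; ...; return $ipset_changes || $ruleset_changes; }` used by both handlers would keep them in step. The positional unpacking `my (undef, undef, $ipset_changes)` and `my (undef, $ruleset_changes)` gives no hint what the skipped slots hold, and the meaning of the `1` argument is not visible here (presumably a verbose flag); a one-line comment naming the return shape, confirmed against PVE::Firewall, would help the next reader. The enclosing register_method block starts and ends outside the hunk.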
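Review bot: In the status handler, `# fixme: ipset changes` sits directly above the line that already folds `$ipset_changes` into `$res->{changes}`, so it is unclear what is still outstanding; either drop it or say what is missing, e.g. `# fixme: report ipset and ruleset changes as separate fields`. The rewrite also removes the old `get_rulset_cmdlist` call, presumably a typo that would have failed at runtime unless a function of that name exists, which is worth a mention in the commit message. Unlike the compile handler above, this compile/cmdlist pair does not visibly run under `PVE::Firewall::run_locked`; if the caller does not hold the lock, status can observe a ruleset mid-update — worth confirming. The enclosing register_method block starts and ends outside the hunk.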
@@ -184,33 +196,7 @@ __PACKAGE__->register_method ({
 my ($param) = @_;
 my $code = sub {
-
- my $chash = PVE::Firewall::iptables_get_chains();
- my $cmdlist = "*filter\n";
- my $rule = "INPUT -j PVEFW-INPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-F $chain\n";
- }
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-X $chain\n";
- }
- $cmdlist .= "COMMIT\n";
-
- PVE::Firewall::iptables_restore_cmdlist($cmdlist);
-
+ PVE::Firewall::remove_pvefw_chains();
 PVE::Firewall::save_pvefw_status('stopped');
 };
@@ -234,6 +220,18 @@ my $cmddef = {
 }
 }],
 stop => [ __PACKAGE__, 'stop', []],
+
+ # This is for debugging
+ listgroups => [ 'PVE::API2::Firewall::Groups', 'list', [],
+ { node => $nodename }, sub {
+ my $res = shift;
+ print Dumper($res);
+ }],
+ grouprules => [ 'PVE::API2::Firewall::Groups', 'get_rules', ['group'],
+ { node => $nodename }, sub {
+ my $res = shift;
+ print Dumper($res);
+ }],
 };
 my $cmd = shift;
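Review bot: The stop handler now delegates chain teardown to `PVE::Firewall::remove_pvefw_chains()` and then writes `save_pvefw_status('stopped')` unconditionally; that is only sound if remove_pvefw_chains dies when the iptables-restore step fails, otherwise the persisted status says stopped while PVEFW chains remain loaded. The removed inline code had the same dependency on `iptables_restore_cmdlist`, so nothing visible here makes it worse, but the new helper's error behaviour is not in view and should be confirmed. Since compile() now also returns an `$ipset_ruleset` (hunks above), it is also worth checking whether remove_pvefw_chains() destroys the corresponding ipsets or whether stop leaves them on the host; if the latter is intended, a comment such as `# only the PVEFW chains are removed here; ipsets are left in place` would make it explicit. The enclosing register_method block starts outside the hunk.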
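Review bot: `listgroups` and `grouprules` are registered as ordinary subcommands in `$cmddef` while the only marker that they are debugging aids is the `# This is for debugging` comment; they will presumably appear in the generated usage next to `start`/`stop`, so either name them for what they are (e.g. a `debug-` prefix) or remove them before release. Both output callbacks are the same two lines; a shared `my $dump_result = sub { print Dumper(shift) };` passed to both entries removes the duplication, and the `use Data::Dumper;` added in the first hunk exists only to serve them, so it should go when they do. `$nodename` is referenced here but defined outside the hunk.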