And improve status output
}
foreach my $h (qw(INPUT OUTPUT FORWARD)) {
}
foreach my $h (qw(INPUT OUTPUT FORWARD)) {
- if (!$hooks->{$h}) {
- $cmdlist .= "-A $h -j PVEFW-$h\n";
+ my $chain = "PVEFW-$h";
+ if ($ruleset->{$chain} && !$hooks->{$h}) {
+ $cmdlist .= "-A $h -j $chain\n";
$cmdlist .= "COMMIT\n";
iptables_restore_cmdlist($cmdlist);
$cmdlist .= "COMMIT\n";
iptables_restore_cmdlist($cmdlist);
+
+ my $ipset_chains = ipset_get_chains();
+
+ $cmdlist = "";
+
+ foreach my $chain (keys %$ipset_chains) {
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
-
- die "Firewall is disabled - cannot start\n" if !$enable;
-
- if (!$enable) {
+ if (!$cluster_options->{enable}) {
PVE::Firewall::remove_pvefw_chains();
return;
}
PVE::Firewall::remove_pvefw_chains();
return;
}
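Review bot: The new early return at `if (!$cluster_options->{enable})` silently replaces what used to be a fatal "Firewall is disabled - cannot start" message, so the tear-down of existing chains on a disabled firewall is now an unannounced side effect of an update; a short why-comment would make that intent explicit, e.g. `# disabled in cluster.fw: remove any PVEFW chains left from an earlier run and stop here`. Whether the daemon also logs this state elsewhere is not visible from this hunk. The enclosing subroutine starts before the hunk.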
properties => {
status => {
type => 'string',
properties => {
status => {
type => 'string',
- enum => ['unknown', 'stopped', 'active'],
+ enum => ['unknown', 'stopped', 'running'],
+ },
+ enable => {
+ description => "Firewall is enabled (in 'cluster.fw')",
+ type => 'boolean',
},
changes => {
description => "Set when there are pending changes.",
},
changes => {
description => "Set when there are pending changes.",
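Review bot: The `status` enum now returns `'running'` where it used to return `'active'`, which is a visible API change for any client that matches on the old value, and the hunk adds no description noting it. Consider a description on the `status` property alongside the new `enable` one, e.g. `description => "Firewall daemon status ('running' replaces the former 'active' value).",` so the rename is documented where consumers read the schema. The `enable` property's description could also state that it reflects the `enable` option of `cluster.fw` rather than the daemon's state, which is what the status code below reads.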
my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
my $running = PVE::ProcFSTools::check_process_running($pid);
my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
my $running = PVE::ProcFSTools::check_process_running($pid);
- my $status = $running ? 'active' : 'stopped';
+ my $status = $running ? 'running' : 'stopped';
my $res = { status => $status };
my $res = { status => $status };
- if ($status eq 'active') {
+
+ my $verbose = 1; # show syntax errors
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
+
+ if ($status eq 'running') {
- my $verbose = 1; # show syntax errors
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
$verbose = 0; # do not show iptables details
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
$verbose = 0; # do not show iptables details
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+ my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
$res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
}
$res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
}
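Review bot: `my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);` introduces `$test` but nothing in the hunk reads it, so it is an unused lexical that replaces the clearer `undef` placeholder the old line had; keep `my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);` unless a later use was meant to be added. Note also that `load_clusterfw_conf(undef, $verbose)` now runs with `$verbose = 1` on every status call, not only when the daemon is running, so syntax errors in `cluster.fw` will be reported from a status query as well; if that is intended, a comment saying so would help. The enclosing subroutine starts before the hunk.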
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
if ($ipset_changes || $ruleset_changes) {
print "detected changes\n";
} else {
print "no changes\n";
}
if ($ipset_changes || $ruleset_changes) {
print "detected changes\n";
} else {
print "no changes\n";
}
+ if (!$cluster_conf->{options}->{enable}) {
+ print "firewall disabled\n";
+ }
+
};
PVE::Firewall::run_locked($code);
};
PVE::Firewall::run_locked($code);
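Review bot: The added `print "firewall disabled\n";` comes after the "detected changes"/"no changes" summary, so a disabled firewall first reports pending changes that will never be applied and only then says it is disabled; printing the disabled notice before the changes summary (or qualifying the summary) reads more clearly. The `$verbose` passed to the new `load_clusterfw_conf(undef, $verbose)` call is declared outside the hunk, as is the start of the `$code` closure.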
localnet => [ __PACKAGE__, 'localnet', []],
status => [ __PACKAGE__, 'status', [], undef, sub {
my $res = shift;
localnet => [ __PACKAGE__, 'localnet', []],
status => [ __PACKAGE__, 'status', [], undef, sub {
my $res = shift;
+ my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};
+
- print "Status: $res->{status} (pending changes)\n";
+ print "Status: $status (pending changes)\n";
- print "Status: $res->{status}\n";
+ print "Status: $status\n";