firewall autodisable

firewall enable parameter type changed from boolean to integer so it can store
the timestamp of the firewall enable call to avoid an admin remote lockout

Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>

diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 0f6b98cea2fffcef505707e0c20bf9eca354213c..b924f4edc22de2250b3db3c7a4e3aa215ce83f04 100644 (file)
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -73,7 +73,8 @@ __PACKAGE__->register_method({
 
 my $option_properties = {
     enable => {
-       type => 'boolean',
+       type => 'integer',
+       minimum => 0,
        optional => 1,
     },
     policy_in => {
@@ -163,8 +164,8 @@ __PACKAGE__->register_method({
            }
        }
 
-       if (defined($param->{enable})) {
-           $param->{enable} = $param->{enable} ? 1 : 0;
+       if (defined($param->{enable}) && ($param->{enable} > 1)) {
+           $param->{enable} = time();
        }
 
        foreach my $k (keys %$option_properties) {

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f0c105e0b1fb8346aee87a93f10df9e2c4eca5ac..93c22867c6db2259f210da48859962716fd192da 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1106,7 +1106,8 @@ my $rule_properties = {
        optional => 1,
     },
     enable => {
-       type => 'boolean',
+        type => 'integer',
+       minimum => 0,
        optional => 1,
     },
     sport => {
@@ -2360,9 +2361,12 @@ sub parse_clusterfw_option {
 
     my ($opt, $value);
 
-    if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable):\s*(\d+)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
+       if (($value > 1) && ((time() - $value) > 60)) {
+           $value = 0
+       }
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);