From: Dietmar Maurer
Date: Fri, 14 Feb 2014 14:02:41 +0000 (+0100)
Subject: implement stop command using new iptables_get_chains
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=b16e818ea730142f89b8d7b170a444edb385e531

implement stop command using new iptables_get_chains
---
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 16ded99..8a83dcb 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -146,12 +146,8 @@ sub iptables {
     run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
 }
 
-sub iptables_restore {
-
-    unshift (@ruleset, '*filter');
-    push (@ruleset, 'COMMIT');
-
-    my $cmdlist = join("\n", @ruleset) . "\n";
+sub iptables_restore_cmdlist {
+    my ($cmdlist) = @_;
 
     my $verbose = 1; # fixme: how/when do we set this
 
@@ -163,6 +159,16 @@ sub iptables_restore {
     }
 }
 
+sub iptables_restore {
+
+    unshift (@ruleset, '*filter');
+    push (@ruleset, 'COMMIT');
+
+    my $cmdlist = join("\n", @ruleset) . "\n";
+
+    iptables_restore_cmdlist($cmdlist);
+}
+
 # experimental code to read existing chains and compute SHA1 checksum
 # for each chain.
 sub iptables_get_chains {
@@ -176,6 +182,7 @@ sub iptables_get_chains {
         return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
         return 1 if $name =~ m/^proxmoxfw-\S+$/;
         return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
+        return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
         return undef;
     };
 
diff --git a/pvefw b/pvefw
index e33518d..90c24f6 100755
--- a/pvefw
+++ b/pvefw
@@ -267,7 +267,19 @@ __PACKAGE__->register_method ({
         my ($param) = @_;
 
         my $code = sub {
-            die "implement me";
+            my $chash = PVE::Firewall::iptables_get_chains();
+            my $cmdlist = "*filter\n";
+            $cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n";
+            $cmdlist .= "-D FORWARD -j proxmoxfw-FORWARD\n";
+            foreach my $chain (keys %$chash) {
+                $cmdlist .= "-F $chain\n";
+            }
+            foreach my $chain (keys %$chash) {
+                $cmdlist .= "-X $chain\n";
+            }
+            $cmdlist .= "COMMIT\n";
+
+            PVE::Firewall::iptables_restore_cmdlist($cmdlist);
         };
 
         PVE::Firewall::run_locked($code);
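Review bot: The new `iptables_restore_cmdlist` signature says nothing about what `$cmdlist` must contain, and from this hunk alone a caller could pass a bare rule list; the body that consumes it continues past the end of the hunk. I would put the contract above the sub, e.g. `# $cmdlist is a complete iptables-restore script: the caller supplies the table header ("*filter") and the trailing "COMMIT".` Spelling that out also makes it explicit that iptables-restore presumably applies the script as one batch, so a single rejected line discards everything in it, which is the property the stop command below relies on.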
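Review bot: `iptables_restore` still mutates the package-wide `@ruleset` in place with `unshift`/`push` before joining it, so a second call in the same process would wrap the list in a second `*filter`/`COMMIT` pair that iptables-restore would reject. This was the pre-existing shape of the code, but now that the sub is a thin wrapper it is cheap to make it side-effect free: `my $cmdlist = join("\n", '*filter', @ruleset, 'COMMIT') . "\n";`. If `@ruleset` is deliberately consumed exactly once per process, a one-line comment saying so would save the next reader the same question.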
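Review bot: The added pattern `m/^vmbr\d+-(:?IN|OUT)$/` carries the `(:?` typo from the neighbouring lines: as written the group is a capturing one whose first element is an optional literal colon, not the non-capturing `(?:` that was evidently intended, so a chain named `vmbr0-:IN` would also be classified as one of ours and then flushed and deleted by stop. The fix is `return 1 if $name =~ m/^vmbr\d+-(?:IN|OUT)$/;`, and the two existing `(:?IN|OUT)` lines above it deserve the same correction in a follow-up. The classifier closure and `iptables_get_chains` itself begin before this hunk.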
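Review bot: The stop script unconditionally emits `-D INPUT -j proxmoxfw-INPUT` and `-D FORWARD -j proxmoxfw-FORWARD`, and because the whole script goes through one `iptables_restore_cmdlist` call, a missing jump rule (stop run twice, or after a partially failed start) makes iptables-restore reject the batch and none of the `-F`/`-X` lines are applied either, leaving the host with whatever rules were there. Keying the two deletes on the chains actually found is the minimal improvement, since the `^proxmoxfw-\S+$` classifier puts those chains into `$chash`: `$cmdlist .= "-D INPUT -j proxmoxfw-INPUT\n" if $chash->{'proxmoxfw-INPUT'};` and the same for FORWARD. That still assumes exactly one jump rule per chain; if start can be run repeatedly the stop path should derive the jump rules from the same rule listing `iptables_get_chains` parses and emit one `-D` per occurrence, otherwise the later `-X` fails on a still-referenced chain. It is also worth confirming that a failed restore is reported to the caller rather than swallowed (the body of `iptables_restore_cmdlist` is not in this diff), because an operator who ran `stop` must not be told it succeeded while the ruleset is still active. The `code` sub that owns `$param` starts before this hunk.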