From 55fad3b7889f943599038c3a13e070cd1fcab051 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 4 Jun 2014 08:40:15 +0200
Subject: [PATCH] remove ipsets when firewall disabled

And improve status output
---
 src/PVE/Firewall.pm | 22 +++++++++++++++-------
 src/pve-firewall | 34 +++++++++++++++++++++++++---------
 2 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f4f4377..22cae5a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2971,8 +2971,9 @@ sub get_ruleset_cmdlist {
 }
 foreach my $h (qw(INPUT OUTPUT FORWARD)) {
- if (!$hooks->{$h}) {
- $cmdlist .= "-A $h -j PVEFW-$h\n";
+ my $chain = "PVEFW-$h";
+ if ($ruleset->{$chain} && !$hooks->{$h}) {
+ $cmdlist .= "-A $h -j $chain\n";
 }
 }
@@ -3172,6 +3173,17 @@ sub remove_pvefw_chains {
 $cmdlist .= "COMMIT\n";
 iptables_restore_cmdlist($cmdlist);
+
+ my $ipset_chains = ipset_get_chains();
+
+ $cmdlist = "";
+
+ foreach my $chain (keys %$ipset_chains) {
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
 sub init {
@@ -3190,11 +3202,7 @@ sub update {
 my $cluster_conf = load_clusterfw_conf();
 my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
-
- die "Firewall is disabled - cannot start\n" if !$enable;
-
- if (!$enable) {
+ if (!$cluster_options->{enable}) {
 PVE::Firewall::remove_pvefw_chains();
 return;
 }
diff --git a/src/pve-firewall b/src/pve-firewall
index d401b99..befee44 100755
--- a/src/pve-firewall
+++ b/src/pve-firewall
@@ -311,7 +311,11 @@ __PACKAGE__->register_method ({
 properties => {
 status => {
 type => 'string',
- enum => ['unknown', 'stopped', 'active'],
+ enum => ['unknown', 'stopped', 'running'],
+ },
+ enable => {
+ description => "Firewall is enabled (in 'cluster.fw')",
+ type => 'boolean',
 },
 changes => {
 description => "Set when there are pending changes.",
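Review bot: The new `$ruleset->{$chain}` guard in get_ruleset_cmdlist only decides whether the `-A $h -j PVEFW-$h` jump gets added; when `$hooks->{$h}` is already set but the ruleset no longer defines `PVEFW-$h`, this branch emits nothing, and whether that stale jump is removed elsewhere is not visible in the hunk, so it is worth confirming. The reason for the extra check is also not stated; a why-comment such as `# only add the jump when the ruleset actually defines PVEFW-$h` (presumably so the restore never references a chain it does not create — please verify) would help the next reader. get_ruleset_cmdlist starts and ends outside the hunk.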
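Review bot: The added teardown in remove_pvefw_chains flushes and destroys every set returned by `ipset_get_chains()`; if that helper returns all sets present on the host rather than only PVE-managed ones (its filter is not visible here), disabling the firewall would also destroy sets created by other tooling, so the ownership assumption deserves a comment at the call, e.g. `# ipset_get_chains() is expected to return only PVE-managed sets; anything else would be destroyed here`. The ordering also matters: an ipset `destroy` is refused while a set is still referenced by an iptables rule, which is why `iptables_restore_cmdlist` has to run first, and a one-line comment on the `ipset_restore_cmdlist` call would make that dependency explicit. Randomised `keys` order could likewise matter if any set references another (list:set), which again cannot be judged from this hunk.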
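Review bot: With the `die` removed, a disabled `enable` option now makes update silently tear down the whole PVE rule set (chains and, with this commit, ipsets) and return, which is a deliberate fail-open choice that should be stated at the branch, e.g. `# firewall disabled in cluster.fw: remove all PVEFW chains and ipsets instead of refusing to start`. A log line at that point would also help an operator understand why all rules vanished after a config edit. update continues outside the hunk.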
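Review bot: Renaming the `status` enum value from `'active'` to `'running'` is a breaking change for any API consumer that matches on the old string, and the commit message only promises improved output, so the rename should be called out there or in the property description. The new `enable` property is filled from `$cluster_conf->{options}->{enable}` in the following hunk, i.e. it reflects the configured value rather than whether any rules are currently loaded; its description should say so, e.g. `description => "Firewall is enabled in 'cluster.fw' (configured value, independent of the daemon state)",`.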
@@ -330,17 +334,21 @@ __PACKAGE__->register_method ({
 my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
 my $running = PVE::ProcFSTools::check_process_running($pid);
- my $status = $running ? 'active' : 'stopped';
+ my $status = $running ? 'running' : 'stopped';
 my $res = { status => $status };
- if ($status eq 'active') {
+
+ my $verbose = 1; # show syntax errors
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;
+
+ if ($status eq 'running') {
- my $verbose = 1; # show syntax errors
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
 $verbose = 0; # do not show iptables details
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
- my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+ my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
 $res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
 }
@@ -371,15 +379,21 @@ __PACKAGE__->register_method ({
 my $verbose = 1;
- my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile(undef, undef, undef, $verbose);
+ my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
 my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+
 if ($ipset_changes || $ruleset_changes) {
 print "detected changes\n";
 } else {
 print "no changes\n";
 }
+ if (!$cluster_conf->{options}->{enable}) {
+ print "firewall disabled\n";
+ }
+
 };
 PVE::Firewall::run_locked($code);
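Review bot: `my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);` introduces a lexical `$test` that is never read anywhere in the hunk; it looks like a debugging leftover that replaced the original `undef` placeholder, so keep `my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);`, which is also what the compile command in the next hunk still uses. Secondly, `load_clusterfw_conf` now runs before the running check, so a cluster.fw syntax error is reported (and would abort the status call) even when the daemon is stopped; that seems intended, since `enable` must be reported in both states, but a comment on the `my $cluster_conf` line saying so would prevent someone from moving it back inside the `if`. The enclosing code block extends beyond the hunk on both sides.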
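Review bot: `print "firewall disabled\n";` is emitted after the change report, so with a disabled cluster.fw the user first reads `detected changes` for a ruleset that update (per the Firewall.pm hunk in this patch) will not install — it removes the PVEFW chains instead. Unless compile() already honours the enable flag (not visible here), consider moving the enable check ahead of the change report, or wording it e.g. `print "firewall disabled - pending changes would remove the PVEFW chains\n";` so the two lines do not contradict each other. The load/compile/get_*_cmdlist sequence is now duplicated between this command and the status handler in the previous hunk; a small shared helper would keep the two call paths from drifting. The enclosing sub starts outside the hunk.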
@@ -542,10 +556,12 @@ my $cmddef = {
 localnet => [ __PACKAGE__, 'localnet', []],
 status => [ __PACKAGE__, 'status', [], undef, sub {
 my $res = shift;
+ my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status};
+
 if ($res->{changes}) {
- print "Status: $res->{status} (pending changes)\n";
+ print "Status: $status (pending changes)\n";
 } else {
- print "Status: $res->{status}\n";
+ print "Status: $status\n";
 }
 }],
 };
-- 
2.39.2
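Review bot: The new `$status` line mixes double-quoted `"enabled"`/`"disabled"` with the single-quoted `'/'` in one expression although none of them interpolate; pick one style, e.g. `my $status = ($res->{enable} ? 'enabled' : 'disabled') . '/' . $res->{status};`. A short comment that the first half reflects the cluster.fw setting and the second the daemon state would also help, since `disabled/running` is a legitimate combination (daemon up, PVE rules removed by update). The surrounding `$cmddef` hash starts outside the hunk.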