[pve-devel] [PATCH] add -full option to pve-firewall compile
Alexandre Derumier
aderumier at odiso.com
Wed Jun 18 05:15:59 CEST 2014
This applies the ipset and iptables rules, displays the ipset and iptables commands verbosely, and displays their errors.
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 24 ++++++++++++++++++------
src/pve-firewall | 14 ++++++++++++--
2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index dc8664d..7f709bb 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1230,15 +1230,27 @@ sub enable_bridge_firewall {
my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
sub iptables_restore_cmdlist {
- my ($cmdlist) = @_;
+ my ($cmdlist, $verbose) = @_;
- run_command("/sbin/iptables-restore -n", input => $cmdlist);
+ my $errfunc = sub {
+ return if !$verbose;
+ my $line = shift;
+ print $line."\n";
+ };
+
+ run_command("/sbin/iptables-restore -n", errfunc => $errfunc, input => $cmdlist);
}
sub ipset_restore_cmdlist {
- my ($cmdlist) = @_;
+ my ($cmdlist, $verbose) = @_;
- run_command("/usr/sbin/ipset restore", input => $cmdlist);
+ my $errfunc = sub {
+ return if !$verbose;
+ my $line = shift;
+ print $line."\n";
+ };
+
+ run_command("/usr/sbin/ipset restore", errfunc => $errfunc, input => $cmdlist);
}
sub iptables_get_chains {
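Review bot: The new `$errfunc` in `iptables_restore_cmdlist` (and the identical copy in `ipset_restore_cmdlist`) prints each captured stderr line to STDOUT, which for the `compile` command is the same stream the rule dump goes to, so restore diagnostics get interleaved with the rules; `print STDERR $line."\n";` keeps them apart. When `$verbose` is false the closure returns without printing, so stderr is now captured and discarded rather than left as it was before the patch, which looks like a regression in error reporting for the non-verbose callers (assuming run_command only captures stderr when an errfunc is supplied; confirm in PVE::Tools). Passing the handler only when wanted avoids that, e.g. `run_command("/sbin/iptables-restore -n", ($verbose ? (errfunc => $errfunc) : ()), input => $cmdlist);`, and the same applies to the ipset call. Since the two closures are byte-identical, a single file-level `my $print_stderr_line = sub { ... };` used by both subs would remove the duplication.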
@@ -3114,9 +3126,9 @@ sub apply_ruleset {
}
}
- ipset_restore_cmdlist($ipset_create_cmdlist);
+ ipset_restore_cmdlist($ipset_create_cmdlist, $verbose);
- iptables_restore_cmdlist($cmdlist);
+ iptables_restore_cmdlist($cmdlist, $verbose);
ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
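Review bot: `ipset_restore_cmdlist($ipset_delete_cmdlist)` on the last line of the hunk still omits `$verbose`, so in verbose mode the removal of stale ipsets is the one step whose errors are not shown; change it to `ipset_restore_cmdlist($ipset_delete_cmdlist, $verbose) if $ipset_delete_cmdlist;`. `$verbose` is used here without its declaration being visible; apply_ruleset's signature is outside the hunk, so presumably it is the fourth parameter that the pve-firewall change passes `1` to — confirm the name matches.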
diff --git a/src/pve-firewall b/src/pve-firewall
index befee44..62d5768 100755
--- a/src/pve-firewall
+++ b/src/pve-firewall
@@ -366,7 +366,14 @@ __PACKAGE__->register_method ({
description => "Compile and print firewall rules. This is useful for testing.",
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ full => {
+ optional => 1,
+ type => 'boolean',
+ description => "Full compilation test with iptables and ipset restore",
+ default => 0,
+ },
+ }
},
returns => { type => 'null' },
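Review bot: The description of the new `full` property calls it a "compilation test", but the handler change below runs apply_ruleset, which drives `iptables-restore -n` and `ipset restore` on the host, so the option changes the running firewall rather than only testing compilation (the commit message itself says it applies the rules). Make that explicit to API and CLI users, e.g. `description => "Apply the compiled rules with iptables-restore and ipset restore (modifies the running firewall) and print their error output",`. The method's own description on the first context line, "This is useful for testing.", then no longer fully covers the `full` case and could mention it.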
@@ -393,7 +400,10 @@ __PACKAGE__->register_method ({
if (!$cluster_conf->{options}->{enable}) {
print "firewall disabled\n";
}
-
+ if ( $param->{full}){
+ my $hostfw_conf = PVE::Firewall::load_hostfw_conf();
+ PVE::Firewall::apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, 1);
+ }
};
PVE::Firewall::run_locked($code);
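Review bot: The new block applies the ruleset whenever `full` is set, including straight after the branch above has printed "firewall disabled", so `compile -full` on a host with the firewall disabled still runs iptables-restore and ipset restore; whether that is intended depends on what compile() produces in that case, which is not visible here (if the disabled ruleset is meant to be applied as an update, say so in the option description; otherwise guard with `if ($param->{full} && $cluster_conf->{options}->{enable}) {`). The literal `1` passed as the fourth argument to apply_ruleset is the verbose flag only by position; a trailing `# verbose` comment or a named variable makes the call readable. `if ( $param->{full}){` also departs from the `if (...) {` spacing used on the context line above. The enclosing `$code` closure starts outside the hunk.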
--
1.7.10.4