return wantarray ? ($res, $hooks) : $res;
}
+sub iptables_chain_digest {
+ my ($rules) = @_;
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $rule (@$rules) { # order is important
+ $digest->add($rule);
+ }
+ return $digest->b64digest;
+}
+
sub ipset_chain_digest {
my ($rules) = @_;
my $digest = Digest::SHA->new('sha1');
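Review bot: In the added `iptables_chain_digest`, each rule goes into `$digest->add($rule)` with no separator, so the digest covers the plain concatenation and two different rule lists that join to the same bytes get the same signature. The signature looks like the value compared against the stored `PVESIG` to decide whether a chain is re-applied, so a changed chain could be treated as unchanged. Assuming a rule never contains a newline, `$digest->add($rule, "\n");` makes the rule boundaries part of the hash. A comment such as `# SHA-1 is used for change detection only, not as a tamper check` would also set the right expectation for the algorithm choice. The trailing context of this hunk cuts into `ipset_chain_digest`, whose body is not visible here.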
my $statushash = {};
foreach my $chain (sort keys %$ruleset) {
- my $sig = ipset_chain_digest($ruleset->{$chain});
+ my $sig;
+ if ($ipset) {
+ $sig = ipset_chain_digest($ruleset->{$chain});
+ } else {
+ $sig = iptables_chain_digest($ruleset->{$chain});
+ }
+
$statushash->{$chain}->{sig} = $sig;
my $oldsig = $active_chains->{$chain};
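Review bot: The `if ($ipset)` branch does not say why the two rule types need different digest functions; the only hint is the `# order is important` remark inside `iptables_chain_digest`. If ordering is indeed the difference, a comment above the branch such as `# iptables chains are order-sensitive; ipset chains use their own digest` would stop a later cleanup from merging the two. Where `$ipset` is set is not visible, as the enclosing sub starts and ends outside this hunk; if it is a new parameter, the sub's header comment should mention it.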
return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
}
-sub get_rulset_cmdlist {
+sub get_ruleset_cmdlist {
my ($ruleset, $verbose) = @_;
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
my $ipsetcmdlist = get_ipset_cmdlist($ipset_ruleset, $verbose);
- my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+ my $cmdlist = get_ruleset_cmdlist($ruleset, $verbose);
print $ipsetcmdlist if $verbose;