X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=97b15b064db06fc2d52bb55ef5f74bfdfe9d5bb2;hb=9bf7d929d03458b8c91d4581683d7b01c4016a5c;hp=126717d8585fcb8dc0e3a599cb4fc59781358bd1;hpb=c4a2e5aeb5f0e6eab8e02796d3e703a5481d8618;p=pve-firewall.git
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 126717d..97b15b0 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -869,6 +869,15 @@ sub iptables_get_chains {
 return wantarray ? ($res, $hooks) : $res;
 }
+sub iptables_chain_digest {
+ my ($rules) = @_;
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $rule (@$rules) { # order is important
+ $digest->add($rule);
+ }
+ return $digest->b64digest;
+}
+
 sub ipset_chain_digest {
 my ($rules) = @_;
 my $digest = Digest::SHA->new('sha1');
@@ -2261,7 +2270,13 @@ sub get_ruleset_status {
 my $statushash = {};
 foreach my $chain (sort keys %$ruleset) {
- my $sig = ipset_chain_digest($ruleset->{$chain});
+ my $sig;
+ if ($ipset) {
+ $sig = ipset_chain_digest($ruleset->{$chain});
+ } else {
+ $sig = iptables_chain_digest($ruleset->{$chain});
+ }
+ $statushash->{$chain}->{sig} = $sig;
 my $oldsig = $active_chains->{$chain};
@@ -2299,7 +2314,7 @@ sub print_sig_rule {
 return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
 }
-sub get_rulset_cmdlist {
+sub get_ruleset_cmdlist {
 my ($ruleset, $verbose) = @_;
 my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
@@ -2420,7 +2435,7 @@ sub apply_ruleset {
 my $ipsetcmdlist = get_ipset_cmdlist($ipset_ruleset, $verbose);
- my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
+ my $cmdlist = get_ruleset_cmdlist($ruleset, $verbose);
 print $ipsetcmdlist if $verbose;
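Review bot: The new `iptables_chain_digest` passes each rule to `$digest->add($rule)` with no separator, so the signature covers only the concatenation of the rule strings; two different rule lists that join to the same bytes get the same value. If the rule strings are not guaranteed to end in a newline (not visible in this hunk), a changed chain could hash to the signature already stored in its `PVESIG:` comment and presumably be treated as unchanged, leaving stale firewall rules loaded. Adding an explicit delimiter per element removes the ambiguity: `$digest->add($rule, "\n");`. Existing signatures would differ once after that change, so every chain would be rewritten on the next apply. A comment above the sub, e.g. `# change-detection signature for one chain; rule order is part of the digest`, would also make clear that the SHA-1 value is not meant as an integrity guarantee.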
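Review bot: The `if ($ipset) { ... } else { ... }` block in get_ruleset_status picks the digest that becomes the chain signature, but `$ipset` is defined outside this hunk, so it cannot be confirmed from here that every caller sets it. A ruleset hashed with the wrong helper would get a signature that disagrees with the stored one. The selection reads more directly as a single expression, `my $sig = $ipset ? ipset_chain_digest($ruleset->{$chain}) : iptables_chain_digest($ruleset->{$chain});`, preceded by a comment such as `# iptables chains use the order-sensitive digest`. get_ruleset_status starts and ends outside the hunk.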