+ return $ruleset;
+}
+
+sub compile_ipsets {
+ my ($cluster_conf, $vmfw_configs, $vmdata) = @_;
+
+ my $localnet;
+ if ($cluster_conf->{aliases}->{local_network}) {
+ $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+ } else {
+ my $localnet_ver;
+ ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
+
+ $cluster_conf->{aliases}->{local_network} = {
+ name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
+ }
+
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
+
+ my $ipset_ruleset = {};
+
+ # generate ipsets for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ eval {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+
+ generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+ };
+ warn $@ if $@; # just to be sure - should not happen
+ }
+
+ # generate firewall rules for LXC containers
+ foreach my $vmid (keys %{$vmdata->{lxc}}) {
+ eval {
+ my $conf = $vmdata->{lxc}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+
+ generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+ };
+ warn $@ if $@; # just to be sure - should not happen
+ }
+