+ my $active_chains = iptables_get_chains();
+
+ my $statushash = {};
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $digest->add("$cmd\n");
+ }
+ my $sig = $digest->b64digest;
+ $statushash->{$chain}->{sig} = $sig;
+
+ my $oldsig = $active_chains->{$chain};
+ if (!defined($oldsig)) {
+ $statushash->{$chain}->{action} = 'create';
+ } else {
+ if ($oldsig eq $sig) {
+ $statushash->{$chain}->{action} = 'exists';
+ } else {
+ $statushash->{$chain}->{action} = 'update';
+ }
+ }
+ print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ print "\t$cmd\n" if $verbose;
+ }
+ }
+
+ foreach my $chain (sort keys %$active_chains) {
+ if (!defined($ruleset->{$chain})) {
+ my $sig = $active_chains->{$chain};
+ $statushash->{$chain}->{action} = 'delete';
+ $statushash->{$chain}->{sig} = $sig;
+ print "delete $chain ($sig)\n" if $verbose;
+ }
+ }
+
+ return $statushash;
+}
+
+sub print_ruleset {
+ my ($ruleset) = @_;
+
+ get_ruleset_status($ruleset, 1);
+}
+
+sub print_sig_rule {
+ my ($chain, $sig) = @_;
+
+ # We just use this to store a SHA1 checksum used to detect changes
+ return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
+}
+
+sub apply_ruleset {
+ my ($ruleset, $verbose) = @_;
+
+ enable_bridge_firewall();
+
+ my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
+
+ my $statushash = get_ruleset_status($ruleset, $verbose);
+
+ # create missing chains first
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
+ next if $stat->{action} ne 'create';
+
+ $cmdlist .= ":$chain - [0:0]\n";
+ }
+
+ my $rule = "INPUT -j PVEFW-INPUT";
+ if (!PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-A $rule\n";
+ }
+ $rule = "OUTPUT -j PVEFW-OUTPUT";
+ if (!PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-A $rule\n";
+ }
+
+ $rule = "FORWARD -j PVEFW-FORWARD";
+ if (!PVE::Firewall::iptables_rule_exist($rule)) {
+ $cmdlist .= "-A $rule\n";
+ }
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ die "internal error" if !$stat;
+
+ if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
+ $cmdlist .= "-F $chain\n";
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $cmdlist .= "$cmd\n";
+ }
+ $cmdlist .= print_sig_rule($chain, $stat->{sig});
+ } elsif ($stat->{action} eq 'delete') {
+ die "internal error"; # this should not happen
+ } elsif ($stat->{action} eq 'exists') {
+ # do nothing
+ } else {
+ die "internal error - unknown status '$stat->{action}'";
+ }
+ }
+
+ foreach my $chain (keys %$statushash) {
+ next if $statushash->{$chain}->{action} ne 'delete';
+ $cmdlist .= "-F $chain\n";
+ }
+ foreach my $chain (keys %$statushash) {
+ next if $statushash->{$chain}->{action} ne 'delete';
+ $cmdlist .= "-X $chain\n";
+ }
+
+ $cmdlist .= "COMMIT\n";
+
+ print $cmdlist if $verbose;
+
+ iptables_restore_cmdlist($cmdlist);
+
+ # test: re-read status and check if everything is up to date
+ $statushash = get_ruleset_status($ruleset);
+
+ my $errors;
+ foreach my $chain (sort keys %$ruleset) {
+ my $stat = $statushash->{$chain};
+ if ($stat->{action} ne 'exists') {
+ warn "unable to update chain '$chain'\n";
+ $errors = 1;
+ }
+ }