+ $filename = "/etc/pve/local/host.fw";
+ if (my $fh = IO::File->new($filename, O_RDONLY)) {
+ my $host_rules = parse_host_fw_rules($filename, $fh);
+ enablehostfw($ruleset, $host_rules, $group_rules);
+ }
+
+ # generate firewall rules for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ next if !$rules->{$vmid};
+
+ foreach my $netid (keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net;
+ my $iface = "tap${vmid}i$1";
+
+ my $bridge = $net->{bridge};
+ next if !$bridge; # fixme: ?
+
+ $bridge .= "v$net->{tag}" if $net->{tag};
+
+ generate_bridge_chains($ruleset, $bridge);
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ }
+ }
+ return $ruleset;
+}
+
+sub get_ruleset_status {
+ my ($ruleset, $verbose) = @_;
+
+ my $active_chains = iptables_get_chains();
+
+ my $statushash = {};
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $digest->add("$cmd\n");
+ }
+ my $sig = $digest->b64digest;
+ $statushash->{$chain}->{sig} = $sig;
+
+ my $oldsig = $active_chains->{$chain};
+ if (!defined($oldsig)) {
+ $statushash->{$chain}->{action} = 'create';
+ } else {
+ if ($oldsig eq $sig) {
+ $statushash->{$chain}->{action} = 'exists';
+ } else {
+ $statushash->{$chain}->{action} = 'update';
+ }
+ }
+ print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ print "\t$cmd\n" if $verbose;
+ }
+ }
+
+ foreach my $chain (sort keys %$active_chains) {
+ if (!defined($ruleset->{$chain})) {
+ my $sig = $active_chains->{$chain};
+ $statushash->{$chain}->{action} = 'delete';
+ $statushash->{$chain}->{sig} = $sig;
+ print "delete $chain ($sig)\n" if $verbose;
+ }
+ }
+
+ return $statushash;
+}
+
+sub print_ruleset {
+ my ($ruleset) = @_;
+
+ get_ruleset_status($ruleset, 1);
+}