+ #print Dumper($rules);
+
+ my $ruleset = {};
+
+ # setup host firewall rules
+ ruleset_create_chain($ruleset, "PVEFW-INPUT");
+ ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+
+ enablehostfw($ruleset);
+
+ # generate firewall rules for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ next if !$rules->{$vmid};
+
+ foreach my $netid (keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net;
+ my $iface = "tap${vmid}i$1";
+
+ my $bridge = $net->{bridge};
+ next if !$bridge; # fixme: ?
+
+ $bridge .= "v$net->{tag}" if $net->{tag};
+
+ generate_bridge_chains($ruleset, $bridge);
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ }
+ }
+ return $ruleset;
+}
+
+sub get_ruleset_status {
+ my ($ruleset, $verbose) = @_;
+
+ my $active_chains = iptables_get_chains();
+
+ my $statushash = {};
+
+ foreach my $chain (sort keys %$ruleset) {
+ my $digest = Digest::SHA->new('sha1');
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ $digest->add("$cmd\n");
+ }
+ my $sig = $digest->b64digest;
+ $statushash->{$chain}->{sig} = $sig;
+
+ my $oldsig = $active_chains->{$chain};
+ if (!defined($oldsig)) {
+ $statushash->{$chain}->{action} = 'create';
+ } else {
+ if ($oldsig eq $sig) {
+ $statushash->{$chain}->{action} = 'exists';
+ } else {
+ $statushash->{$chain}->{action} = 'update';
+ }
+ }
+ print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
+ foreach my $cmd (@{$ruleset->{$chain}}) {
+ print "\t$cmd\n" if $verbose;
+ }
+ }
+
+ foreach my $chain (sort keys %$active_chains) {
+ if (!defined($ruleset->{$chain})) {
+ my $sig = $active_chains->{$chain};
+ $statushash->{$chain}->{action} = 'delete';
+ $statushash->{$chain}->{sig} = $sig;
+ print "delete $chain ($sig)\n" if $verbose;
+ }
+ }
+
+ return $statushash;
+}
+
+sub print_ruleset {
+ my ($ruleset) = @_;