correctly remove stale chains

[pve-firewall.git] / PVE / Firewall.pm

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index d266bd66fc325088dbe453c6d588be05d1125407..d24ca6322615fdde4084a8ec08f20d41bc2bdc0d 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -746,8 +746,7 @@ sub apply_ruleset {
            }
            $cmdlist .= print_sig_rule($chain, $stat->{sig});
        } elsif ($stat->{action} eq 'delete') {
-           $cmdlist .= "-F $chain\n";
-           $cmdlist .= "-X $chain\n";
+           die "internal error"; # this should not happen
        } elsif ($stat->{action} eq 'exists') {
            # do nothing
        } else {
@@ -755,6 +754,15 @@ sub apply_ruleset {
        }
     }
 
+    foreach my $chain (keys %$statushash) {
+       next if $statushash->{$chain}->{action} ne 'delete';
+       $cmdlist .= "-F $chain\n";
+    }
+    foreach my $chain (keys %$statushash) {
+       next if $statushash->{$chain}->{action} ne 'delete';
+       $cmdlist .= "-X $chain\n";
+    }
+
     $cmdlist .= "COMMIT\n";
 
     print $cmdlist if $verbose;