avoid calls to iptables_rule_exist

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 02c602fe17c037ebc6840612066ce6268e07b3f2..126717d8585fcb8dc0e3a599cb4fc59781358bd1 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -833,6 +833,8 @@ sub iptables_get_chains {
 
     my $table = '';
 
+    my $hooks = {};
+
     my $parser = sub {
        my $line = shift;
 
@@ -854,6 +856,8 @@ sub iptables_get_chains {
            my ($chain, $sig) = ($1, $2);
            return if !&$is_pvefw_chain($chain);
            $res->{$chain} = $sig;
+       } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) {
+           $hooks->{$1} = 1;
        } else {
            # simply ignore the rest
            return;
@@ -862,7 +866,7 @@ sub iptables_get_chains {
 
     run_command("/sbin/iptables-save", outfunc => $parser);
 
-    return $res;
+    return wantarray ? ($res, $hooks) : $res;
 }
 
 sub ipset_chain_digest {
@@ -1770,7 +1774,7 @@ sub parse_cluster_fw_rules {
     my $section;
     my $group;
 
-    my $res = { rules => {}, options => {}, groups => {}, ipset => {} };
+    my $res = { rules => [], options => {}, groups => {}, ipset => {} };
 
     my $digest = Digest::SHA->new('sha1');
 
@@ -2465,6 +2469,29 @@ sub update_nf_conntrack_max {
     }
 }
 
+sub remove_pvefw_chains {
+
+    my ($chash, $hooks) = iptables_get_chains();
+    my $cmdlist = "*filter\n";
+
+    foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+       if ($hooks->{$h}) {
+           $cmdlist .= "-D $h -j PVEFW-$h\n";
+       }
+    }
+ 
+    foreach my $chain (keys %$chash) {
+       $cmdlist .= "-F $chain\n";
+    }
+
+    foreach my $chain (keys %$chash) {
+       $cmdlist .= "-X $chain\n";
+    }
+    $cmdlist .= "COMMIT\n";
+
+    iptables_restore_cmdlist($cmdlist);
+}
+
 sub update {
     my ($start, $verbose) = @_;