+my $ipv4_mask_hash_localnet = {
+ '255.255.0.0' => 16,
+ '255.255.128.0' => 17,
+ '255.255.192.0' => 18,
+ '255.255.224.0' => 19,
+ '255.255.240.0' => 20,
+ '255.255.248.0' => 21,
+ '255.255.252.0' => 22,
+ '255.255.254.0' => 23,
+ '255.255.255.0' => 24,
+ '255.255.255.128' => 25,
+ '255.255.255.192' => 26,
+ '255.255.255.224' => 27,
+ '255.255.255.240' => 28,
+ '255.255.255.248' => 29,
+ '255.255.255.252' => 30,
+};
+
+my $__local_network;
+
+sub local_network {
+ my ($new_value) = @_;
+
+ $__local_network = $new_value if defined($new_value);
+
+ return $__local_network if defined($__local_network);
+
+ eval {
+ my $nodename = PVE::INotify::nodename();
+
+ my $ip = PVE::Cluster::remote_node_ip($nodename);
+
+ my $testip = Net::IP->new($ip);
+
+ my $routes = PVE::ProcFSTools::read_proc_net_route();
+ foreach my $entry (@$routes) {
+ my $mask = $ipv4_mask_hash_localnet->{$entry->{mask}};
+ next if !defined($mask);
+ return if $mask eq '0.0.0.0';
+ my $cidr = "$entry->{dest}/$mask";
+ my $testnet = Net::IP->new($cidr);
+ if ($testnet->overlaps($testip)) {
+ $__local_network = $cidr;
+ return;
+ }
+ }
+ };
+ warn $@ if $@;
+
+ return $__local_network;
+}
+
+# ipset names are limited to 31 characters, and we use '_swap'
+# suffix for atomic update, for example PVEFW-${VMID}-${ipset_name}_swap
+
+my $max_iptables_ipset_name_length = 31 - length("_swap");
+
+sub compute_ipset_chain_name {
+ my ($vmid, $ipset_name) = @_;
+
+ $vmid = 0 if !defined($vmid);
+
+ my $id = "$vmid-${ipset_name}";
+
+
+ if ((length($id) + 6) > $max_iptables_ipset_name_length) {
+ $id = PVE::Tools::fnv31a_hex($id);
+ }
+
+ return "PVEFW-$id";
+}
+
+sub compute_ipfilter_ipset_name {
+ my ($iface) = @_;
+
+ return "ipfilter-$iface";
+}
+