sub ipset_chain_digest {
my ($rules) = @_;
+
my $digest = Digest::SHA->new('sha1');
foreach my $rule (sort @$rules) { # note: sorted
$digest->add($rule);
}
sub get_ruleset_status {
- my ($ruleset, $verbose, $ipset) = @_;
-
- my $active_chains = undef;
- if($ipset){
- $active_chains = ipset_get_chains();
- }else{
- $active_chains = iptables_get_chains();
- }
+ my ($ruleset, $active_chains, $digest_fn, $verbose) = @_;
my $statushash = {};
foreach my $chain (sort keys %$ruleset) {
- my $sig;
- if ($ipset) {
- $sig = ipset_chain_digest($ruleset->{$chain});
- } else {
- $sig = iptables_chain_digest($ruleset->{$chain});
- }
+ my $sig = &$digest_fn($ruleset->{$chain});
$statushash->{$chain}->{sig} = $sig;
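Review bot: The dispatch at `my $sig = &$digest_fn($ruleset->{$chain});` uses the `&` sigil call form; the arrow form `my $sig = $digest_fn->($ruleset->{$chain});` is the conventional way to invoke a code reference and does not carry the prototype-bypassing semantics of `&`. The new parameter list also moves `$verbose` from second to fourth position, so a caller that still passes `($ruleset, $verbose)` would silently have its flag taken as `$active_chains` and no digest function at all; a guard such as `die "digest_fn must be a CODE ref" if ref($digest_fn) ne 'CODE';` right after the unpacking would turn that into a loud failure. `$active_chains` is unpacked here but not referenced within the hunk; its use is presumably further down, as the body of get_ruleset_status continues outside the hunk.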
my ($ruleset, $verbose) = @_;
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
-
- my $statushash = get_ruleset_status($ruleset, $verbose);
+
+ my ($active_chains, $hooks) = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
# create missing chains first
foreach my $chain (sort keys %$ruleset) {
$cmdlist .= ":$chain - [0:0]\n";
}
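Review bot: `my ($active_chains, $hooks) = iptables_get_chains();` consumes the function's return value as a two-element list, but the post-restore verification hunk further down in this diff calls `my $active_chains = iptables_get_chains();` in scalar context. Unless iptables_get_chains checks `wantarray`, a plain `return ($chains, $hooks)` evaluated in scalar context yields the last element, so the re-check would compute chain status against the hooks hash rather than the active chain table and could report spurious errors or miss chains that failed to apply; iptables_get_chains itself is not part of this diff, so this needs confirming against its definition. The consistent form at that later site is `my ($active_chains) = iptables_get_chains();`. The enclosing apply_ruleset function starts outside the hunk.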
- my $rule = "INPUT -j PVEFW-INPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if (!$hooks->{$h}) {
+ $cmdlist .= "-A $h -j PVEFW-$h\n";
+ }
}
foreach my $chain (sort keys %$ruleset) {
}
my $changes = $cmdlist ne "*filter\n" ? 1 : 0;
-
+
$cmdlist .= "COMMIT\n";
return wantarray ? ($cmdlist, $changes) : $cmdlist;
my $cmdlist = "";
- my $statushash = get_ruleset_status($ruleset, $verbose, 1);
+ my $active_chains = ipset_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose);
foreach my $chain (sort keys %$ruleset) {
my $stat = $statushash->{$chain};
iptables_restore_cmdlist($cmdlist);
# test: re-read status and check if everything is up to date
- my $statushash = get_ruleset_status($ruleset);
+ my $active_chains = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
my $errors;
foreach my $chain (sort keys %$ruleset) {