+ if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
+ return 0;
+ }
+
+ $cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
+ $host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
+
+ return $host_conf->{options}->{nftables};
+}
+
+my sub update_force_nftables_disable_flag {
+ my ($cluster_firewall_enabled, $is_nftables) = @_;
+
+ # This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
+ my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
+
+ if (!($cluster_firewall_enabled && $is_nftables)) {
+ if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
+ open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
+ or warn "failed to create flag file '$FORCE_NFT_DISABLE_FLAG_FILE' – $!\n";
+ }
+ } else {
+ unlink($FORCE_NFT_DISABLE_FLAG_FILE)
+ or $!{ENOENT} or warn "failed to unlink flag file '$FORCE_NFT_DISABLE_FLAG_FILE' - $!\n";
+ }
+}
+
+sub is_enabled_and_not_nftables {
+ my ($cluster_conf, $host_conf) = @_;
+
+ $cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
+ $host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
+
+ my $is_nftables = is_nftables($cluster_conf, $host_conf);
+
+ update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);
+
+ return $cluster_conf->{options}->{enable} && !$is_nftables;
+}
+
+sub init {
+ return if !is_enabled_and_not_nftables();