use Data::Dumper;
-# fixme: remove loglevel settings? NFLOG does not have --loglevel
-
my $nodename = PVE::INotify::nodename();
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
die "no such security group '$group'\n" if !$groups_conf->{$group};
- my $rules = $groups_conf->{$group}->{rules};
+ my $rules = $groups_conf->{rules}->{$group};
my $chain = "GROUP-${group}-IN";
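Review bot: The existence check on the line above `my $rules` still indexes the old layout, `if !$groups_conf->{$group}`, while the new line reads the rules from `$groups_conf->{rules}->{$group}`; with the parser now building `$res->{$section}->{$group}` under `{ rules => {} }`, a defined group is no longer found at the top level, so the guard appears to reject every group (or, if the top-level key ever exists for another reason, to let an undefined group through to the chain build). The guard should follow the new shape: `die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group};`. This is inferred from the visible lines; if the check was already updated in a part of the hunk not shown here, disregard. The enclosing function starts and ends outside this hunk.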
my $section;
my $group;
- my $res = { rules => [] };
+ my $res = { rules => {} };
while (defined(my $line = <$fh>)) {
next if $line =~ m/^#/;
next;
}
- push @{$res->{$group}->{$section}}, @$rules;
+ push @{$res->{$section}->{$group}}, @$rules;
}
return $res;
return $res;
}
-sub compile {
- my $vmdata = read_local_vm_config();
- my $vmfw_configs = read_vm_firewall_configs($vmdata);
-
- my $routing_table = read_proc_net_route();
+sub load_security_groups {
my $groups_conf = {};
my $filename = "/etc/pve/firewall/groups.fw";
$groups_conf = parse_group_fw_rules($filename, $fh);
}
+ return $groups_conf;
+}
+
+sub compile {
+ my $vmdata = read_local_vm_config();
+ my $vmfw_configs = read_vm_firewall_configs($vmdata);
+
+ my $routing_table = read_proc_net_route();
+
+ my $groups_conf = load_security_groups();
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");
my $hostfw_options = {};
my $hostfw_conf = {};
- $filename = "/etc/pve/local/host.fw";
+ my $filename = "/etc/pve/local/host.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
$hostfw_conf = parse_host_fw_rules($filename, $fh);
$hostfw_options = $hostfw_conf->{options};