my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
-sub iptables {
- my ($cmd) = @_;
-
- run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
-}
-
sub iptables_restore_cmdlist {
my ($cmdlist) = @_;
sub ipset_chain_digest {
my ($rules) = @_;
+
my $digest = Digest::SHA->new('sha1');
foreach my $rule (sort @$rules) { # note: sorted
$digest->add($rule);
return $res;
}
-sub iptables_chain_exist {
- my ($chain) = @_;
-
- eval{
- iptables("-n --list $chain");
- };
- return undef if $@;
-
- return 1;
-}
-
-sub iptables_rule_exist {
- my ($rule) = @_;
-
- eval{
- iptables("-C $rule");
- };
- return undef if $@;
-
- return 1;
-}
-
sub ruleset_generate_cmdstr {
my ($ruleset, $chain, $rule, $actions, $goto) = @_;
}
sub get_ruleset_status {
- my ($ruleset, $verbose, $ipset) = @_;
-
- my $active_chains = undef;
- if($ipset){
- $active_chains = ipset_get_chains();
- }else{
- $active_chains = iptables_get_chains();
- }
+ my ($ruleset, $active_chains, $digest_fn, $verbose) = @_;
my $statushash = {};
foreach my $chain (sort keys %$ruleset) {
- my $sig;
- if ($ipset) {
- $sig = ipset_chain_digest($ruleset->{$chain});
- } else {
- $sig = iptables_chain_digest($ruleset->{$chain});
- }
+ my $sig = &$digest_fn($ruleset->{$chain});
$statushash->{$chain}->{sig} = $sig;
my ($ruleset, $verbose) = @_;
my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
-
- my $statushash = get_ruleset_status($ruleset, $verbose);
+
+ my ($active_chains, $hooks) = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
# create missing chains first
foreach my $chain (sort keys %$ruleset) {
$cmdlist .= ":$chain - [0:0]\n";
}
- my $rule = "INPUT -j PVEFW-INPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (!PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-A $rule\n";
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if (!$hooks->{$h}) {
+ $cmdlist .= "-A $h -j PVEFW-$h\n";
+ }
}
foreach my $chain (sort keys %$ruleset) {
}
my $changes = $cmdlist ne "*filter\n" ? 1 : 0;
-
+
$cmdlist .= "COMMIT\n";
return wantarray ? ($cmdlist, $changes) : $cmdlist;
my $cmdlist = "";
- my $statushash = get_ruleset_status($ruleset, $verbose, 1);
+ my $active_chains = ipset_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose);
foreach my $chain (sort keys %$ruleset) {
my $stat = $statushash->{$chain};
iptables_restore_cmdlist($cmdlist);
# test: re-read status and check if everything is up to date
- my $statushash = get_ruleset_status($ruleset);
+ my $active_chains = iptables_get_chains();
+ my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
my $errors;
foreach my $chain (sort keys %$ruleset) {
projects / pve-firewall.git / blobdiff