X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=22cae5a8c7ee50eafe1073f063339837353d1199;hp=f4f4377b64e3a9f67ca9b24bf2386bfeb510abdb;hb=55fad3b7889f943599038c3a13e070cd1fcab051;hpb=085fd492bf2bb317d50c7de1041958a7d4e78669
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f4f4377..22cae5a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2971,8 +2971,9 @@ sub get_ruleset_cmdlist {
 }
 foreach my $h (qw(INPUT OUTPUT FORWARD)) {
- if (!$hooks->{$h}) {
- $cmdlist .= "-A $h -j PVEFW-$h\n";
+ my $chain = "PVEFW-$h";
+ if ($ruleset->{$chain} && !$hooks->{$h}) {
+ $cmdlist .= "-A $h -j $chain\n";
 }
 }
@@ -3172,6 +3173,17 @@ sub remove_pvefw_chains {
 $cmdlist .= "COMMIT\n";
 iptables_restore_cmdlist($cmdlist);
+
+ my $ipset_chains = ipset_get_chains();
+
+ $cmdlist = "";
+
+ foreach my $chain (keys %$ipset_chains) {
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
 sub init {
@@ -3190,11 +3202,7 @@ sub update {
 my $cluster_conf = load_clusterfw_conf();
 my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
-
- die "Firewall is disabled - cannot start\n" if !$enable;
-
- if (!$enable) {
+ if (!$cluster_options->{enable}) {
 PVE::Firewall::remove_pvefw_chains();
 return;
 }
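Review bot: The new `$ruleset->{$chain}` guard in the `foreach my $h (qw(INPUT OUTPUT FORWARD))` loop of `get_ruleset_cmdlist` has no comment saying why the jump is skipped, and the reason cannot be read off these lines. Presumably a ruleset without the `PVEFW-*` chains would otherwise produce a jump to a chain that does not exist; a comment such as `# only hook built-in chains into PVEFW chains that this ruleset defines` would record that. When the chain is absent the built-in chain gets no jump and packets fall through to its policy, so it is worth confirming that every caller intends that outcome. The function body starts and ends outside the hunk.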
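Review bot: The loop added to `remove_pvefw_chains` flushes and destroys every set that `ipset_get_chains()` returns, and nothing in this hunk limits that to sets the firewall itself created. If the helper does not already filter by name, disabling the firewall would also delete sets an administrator maintains for unrelated rules; a guard such as `next if $chain !~ m/^PVEFW-/;` (assuming the sets share the prefix used for the chains) or a comment stating that the helper returns only firewall-owned sets would settle it. Emitting `flush` and `destroy` pairwise also means that a set still referenced elsewhere makes its `destroy` fail, and a restore that aborts on the first error would leave the remaining sets behind. Emitting all `flush` lines before the `destroy` lines and reporting a failed restore would make the teardown predictable.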
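Review bot: With the `die` removed, any false value of `$cluster_options->{enable}` in `update` now tears down all firewall chains and returns without a message, so a missing `enable` key is handled exactly like an explicit disable. Whether `load_clusterfw_conf()` can hand back empty options after a read or parse error is not visible in this hunk; if it can, the host ends up unfiltered with nothing in the logs. Consider separating "option absent" from "explicitly 0", and logging the teardown just before `PVE::Firewall::remove_pvefw_chains();`, along with a comment such as `# firewall disabled cluster-wide: remove our chains and sets`. The body of `update` begins before and continues past this hunk.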