fix #972: make PVEFW-FWBR-* rule order stable

by sorting the VM/CT IDs and the VM/CT config keys before
iterating over them.

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4c1586afec58bb8f91639af7a942b93914c31e06..d8e820de8f3543566b443704c57b090e8ef1a9e9 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3368,13 +3368,13 @@ sub compile_iptables_filter {
     }
 
     # generate firewall rules for QEMU VMs
-    foreach my $vmid (keys %{$vmdata->{qemu}}) {
+    foreach my $vmid (sort keys %{$vmdata->{qemu}}) {
        eval {
            my $conf = $vmdata->{qemu}->{$vmid};
            my $vmfw_conf = $vmfw_configs->{$vmid};
            return if !$vmfw_conf;
 
-           foreach my $netid (keys %$conf) {
+           foreach my $netid (sort keys %$conf) {
                next if $netid !~ m/^net(\d+)$/;
                my $net = PVE::QemuServer::parse_net($conf->{$netid});
                next if !$net->{firewall};
@@ -3391,14 +3391,14 @@ sub compile_iptables_filter {
     }
 
     # generate firewall rules for LXC containers
-    foreach my $vmid (keys %{$vmdata->{lxc}}) {
+    foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
         eval {
             my $conf = $vmdata->{lxc}->{$vmid};
             my $vmfw_conf = $vmfw_configs->{$vmid};
             return if !$vmfw_conf;
 
             if ($vmfw_conf->{options}->{enable}) {
-               foreach my $netid (keys %$conf) {
+               foreach my $netid (sort keys %$conf) {
                     next if $netid !~ m/^net(\d+)$/;
                     my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
                     next if !$net->{firewall};