my $table = '';
+ my $hooks = {};
+
my $parser = sub {
my $line = shift;
my ($chain, $sig) = ($1, $2);
return if !&$is_pvefw_chain($chain);
$res->{$chain} = $sig;
+ } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) {
+ $hooks->{$1} = 1;
} else {
# simply ignore the rest
return;
run_command("/sbin/iptables-save", outfunc => $parser);
- return $res;
+ return wantarray ? ($res, $hooks) : $res;
}
sub ipset_chain_digest {
my $section;
my $group;
- my $res = { rules => {}, options => {}, groups => {}, ipset => {} };
+ my $res = { rules => [], options => {}, groups => {}, ipset => {} };
my $digest = Digest::SHA->new('sha1');
}
}
+sub remove_pvefw_chains {
+
+ my ($chash, $hooks) = iptables_get_chains();
+ my $cmdlist = "*filter\n";
+
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if ($hooks->{$h}) {
+ $cmdlist .= "-D $h -j PVEFW-$h\n";
+ }
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ iptables_restore_cmdlist($cmdlist);
+}
+
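Review bot: remove_pvefw_chains carries no comment explaining why its three passes must run in this order, and the order is load-bearing: the `-D` of the hook jumps has to come first and every `-F` has to precede every `-X`, because iptables-restore rejects `-X` on a chain that is still referenced and then discards the whole `*filter` batch. Suggest a header comment above the sub: `# Order matters: drop the jumps from the builtin chains, flush every PVEFW chain (they reference each other), then delete them; iptables-restore applies the batch atomically, so a leftover reference aborts the entire removal rather than leaving a half-removed ruleset.` This depends on the hook regex added to iptables_get_chains in the earlier hunk, which only recognises the exact form `-A INPUT -j PVEFW-INPUT`; if a hook rule ever carries extra match options, or if the `$table` bookkeeping does not restrict the match to the filter table (that check is not visible here), the jump is not deleted and the removal fails as a whole, which is worth a comment at the regex as well. Style: `qw(INPUT OUTPUT FORWARD)` duplicates the alternation in that regex, so a shared list constant would keep the two in step.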
sub update {
my ($start, $verbose) = @_;
my ($param) = @_;
my $code = sub {
-
- my $chash = PVE::Firewall::iptables_get_chains();
- my $cmdlist = "*filter\n";
- my $rule = "INPUT -j PVEFW-INPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-F $chain\n";
- }
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-X $chain\n";
- }
- $cmdlist .= "COMMIT\n";
-
- PVE::Firewall::iptables_restore_cmdlist($cmdlist);
-
+ PVE::Firewall::remove_pvefw_chains();
PVE::Firewall::save_pvefw_status('stopped');
};