From: Dietmar Maurer
Date: Fri, 14 Feb 2014 13:22:50 +0000 (+0100)
Subject: experimental code to read existing chains and compute SHA1 checksum
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=de2a57cdcf099c30feecb5c095328a82d1d154e1

experimental code to read existing chains and compute SHA1 checksum
---

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index c6d4537..16ded99 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -3,6 +3,7 @@ package PVE::Firewall;
 use warnings;
 use strict;
 use Data::Dumper;
+use Digest::SHA;
 use PVE::Tools;
 use PVE::QemuServer;
 use File::Path;
@@ -162,6 +163,65 @@ sub iptables_restore {
     }
 }
 
+# experimental code to read existing chains and compute SHA1 checksum
+# for each chain.
+sub iptables_get_chains {
+
+    my $res = {};
+
+    # check what chains we want to track
+    my $is_pvefw_chain = sub {
+        my $name = shift;
+
+        return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
+        return 1 if $name =~ m/^proxmoxfw-\S+$/;
+        return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
+
+        return undef;
+    };
+
+    my $table = '';
+
+    my $dhash = {};
+
+    my $parser = sub {
+        my $line = shift;
+
+        return if $line =~ m/^#/;
+        return if $line =~ m/^\s*$/;
+
+        if ($line =~ m/^\*(\S+)$/) {
+            $table = $1;
+            return;
+        }
+
+        return if $table ne 'filter';
+
+        if ($line =~ m/^:(\S+)\s/) {
+            my $chain = $1;
+            return if !&$is_pvefw_chain($chain);
+            $dhash->{$chain} = Digest::SHA->new('sha1');
+        } elsif ($line =~ m/^-([A-Z]) (\S+)\s/) {
+            my $chain = $2;
+            return if !&$is_pvefw_chain($chain);
+            my $sha = $dhash->{$chain} || die "undefined chain '$chain'";
+            $sha->add_bits("$line\n");
+        } else {
+            # simply ignore the rest
+            return;
+        }
+    };
+
+    run_command("/sbin/iptables-save", outfunc => $parser);
+
+    foreach my $chain (keys %$dhash) {
+        my $sha = $dhash->{$chain};
+        $res->{$chain} = $sha->b64digest;
+    }
+
+    return $res;
+}
+
 sub iptables_addrule {
     my ($rule) = @_;
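Review bot: `$sha->add_bits("$line\n")` in the parser's elsif branch feeds the rule text into SHA1 as a bit string rather than as bytes: Digest::SHA's one-argument add_bits() treats its argument as a string of '0'/'1' characters (effectively `pack("B*", ...)`), so each character of the rule contributes at most one bit and differently written rules can produce the same per-chain checksum, which defeats the change detection this function exists for. Use the byte form, `$sha->add("$line\n");`. The chain-name patterns in `$is_pvefw_chain` also contain `(:?IN|OUT)` where the non-capturing group `(?:IN|OUT)` is meant; as written they additionally accept names such as `BRIDGEFW-:IN`. In the same helper, `return undef;` is better written `return;` so the result stays false in list context.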