From c4a2e5aeb5f0e6eab8e02796d3e703a5481d8618 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 31 Mar 2014 11:35:12 +0200
Subject: [PATCH] avoid calls to iptables_rule_exist

We can return that info with iptables_get_chains().
---
 example/cluster.fw | 8 ++++++++
 src/PVE/Firewall.pm | 31 +++++++++++++++++++++++++++++--
 src/pvefw | 28 +---------------------------
 3 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/example/cluster.fw b/example/cluster.fw
index b9c088f..fe283fc 100644
--- a/example/cluster.fw
+++ b/example/cluster.fw
@@ -1,3 +1,11 @@
+[OPTIONS]
+
+enable: 1
+
+[RULES]
+
+IN SSH(ACCEPT) vmbr0
+
 [group group1]
 IN ACCEPT - - tcp 22 -
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 02c602f..126717d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -833,6 +833,8 @@ sub iptables_get_chains {
 my $table = '';
+ my $hooks = {};
+
 my $parser = sub {
 my $line = shift;
@@ -854,6 +856,8 @@ sub iptables_get_chains {
 my ($chain, $sig) = ($1, $2);
 return if !&$is_pvefw_chain($chain);
 $res->{$chain} = $sig;
+ } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) {
+ $hooks->{$1} = 1;
 } else {
 # simply ignore the rest
 return;
@@ -862,7 +866,7 @@ sub iptables_get_chains {
 run_command("/sbin/iptables-save", outfunc => $parser);
- return $res;
+ return wantarray ? ($res, $hooks) : $res;
 }
 sub ipset_chain_digest {
@@ -1770,7 +1774,7 @@ sub parse_cluster_fw_rules {
 my $section;
 my $group;
- my $res = { rules => {}, options => {}, groups => {}, ipset => {} };
+ my $res = { rules => [], options => {}, groups => {}, ipset => {} };
 my $digest = Digest::SHA->new('sha1');
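Review bot: `$hooks->{$1} = 1;` in the new elsif branch records only whether a `-A INPUT -j PVEFW-INPUT` style hook rule is present, not how many copies exist; iptables happily appends the same jump twice, and in that case remove_pvefw_chains (added in the @@ -2465 hunk of this file) emits a single `-D $h -j PVEFW-$h`, so the later `-X PVEFW-$h` is rejected because the chain is still referenced and the whole iptables-restore batch fails. Counting instead, `$hooks->{$1}++;` here and `$cmdlist .= "-D $h -j PVEFW-$h\n" for 1 .. ($hooks->{$h} // 0);` in remove_pvefw_chains, removes every copy. The branch also does not consult `$table` (declared at @@ -833); if the chain branch above restricts itself to the filter table, which is not visible in this hunk, this branch presumably needs the same guard, since INPUT/OUTPUT/FORWARD also exist in other tables. The enclosing $parser closure continues outside the hunk.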
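Review bot: `return wantarray ? ($res, $hooks) : $res;` gives iptables_get_chains a context-dependent return shape, which is easy to misuse: a call placed inside an argument list, hash constructor or `push` silently yields two elements, while `my ($chash) = iptables_get_chains();` drops the hooks without any warning. Keeping the wantarray form is understandable because existing scalar-context callers, such as the one removed from src/pvefw in this commit, expect the single hashref, but the contract is not documented anywhere in the hunk. A comment above the return such as `# list context: ($chains, $hooks); scalar context: $chains only` and one on `$hooks` at @@ -833, `# INPUT/OUTPUT/FORWARD => 1 when the -j PVEFW-<chain> hook rule is installed`, would make the two call styles deliberate rather than accidental.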
@@ -2465,6 +2469,29 @@ sub update_nf_conntrack_max {
 }
 }
+sub remove_pvefw_chains {
+
+ my ($chash, $hooks) = iptables_get_chains();
+ my $cmdlist = "*filter\n";
+
+ foreach my $h (qw(INPUT OUTPUT FORWARD)) {
+ if ($hooks->{$h}) {
+ $cmdlist .= "-D $h -j PVEFW-$h\n";
+ }
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-F $chain\n";
+ }
+
+ foreach my $chain (keys %$chash) {
+ $cmdlist .= "-X $chain\n";
+ }
+ $cmdlist .= "COMMIT\n";
+
+ iptables_restore_cmdlist($cmdlist);
+}
+
 sub update {
 my ($start, $verbose) = @_;
diff --git a/src/pvefw b/src/pvefw
index f700e95..a87bafb 100755
--- a/src/pvefw
+++ b/src/pvefw
@@ -196,33 +196,7 @@ __PACKAGE__->register_method ({
 my ($param) = @_;
 my $code = sub {
-
- my $chash = PVE::Firewall::iptables_get_chains();
- my $cmdlist = "*filter\n";
- my $rule = "INPUT -j PVEFW-INPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
- $rule = "OUTPUT -j PVEFW-OUTPUT";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- $rule = "FORWARD -j PVEFW-FORWARD";
- if (PVE::Firewall::iptables_rule_exist($rule)) {
- $cmdlist .= "-D $rule\n";
- }
-
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-F $chain\n";
- }
- foreach my $chain (keys %$chash) {
- $cmdlist .= "-X $chain\n";
- }
- $cmdlist .= "COMMIT\n";
-
- PVE::Firewall::iptables_restore_cmdlist($cmdlist);
-
+ PVE::Firewall::remove_pvefw_chains();
 PVE::Firewall::save_pvefw_status('stopped');
 };
-- 
2.39.2
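Review bot: remove_pvefw_chains has no header comment, and the order of its three passes is exactly what makes the generated restore script valid: the `-D` of the hook jumps first, then `-F` of every PVEFW chain, then `-X`, because iptables refuses to delete a chain that is non-empty or still referenced, and iptables-restore applies the batch atomically so a single refused `-X` leaves every chain in place. A comment above the sub, e.g. `# Tear down all PVEFW-* chains: unhook them from the builtin chains, flush them all, then delete them (the order matters, -X fails on a referenced or non-empty chain)`, would stop a future reordering from quietly breaking `pvefw stop`. The same comment is the natural place to state that the chain set comes from a live iptables-save run via iptables_get_chains, so the function is not idempotent against concurrent firewall updates.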