From f5d28682f6a611bc3aaa94e778991f3838cbd21a Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Wed, 19 Feb 2014 08:26:22 +0100
Subject: [PATCH] correctly remove stale chains

---
 PVE/Firewall.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index d266bd6..d24ca63 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -746,8 +746,7 @@ sub apply_ruleset {
 	    }
 	    $cmdlist .= print_sig_rule($chain, $stat->{sig});
 	} elsif ($stat->{action} eq 'delete') {
-	    $cmdlist .= "-F $chain\n";
-	    $cmdlist .= "-X $chain\n";
+	    die "internal error"; # this should not happen
 	} elsif ($stat->{action} eq 'exists') {
 	    # do nothing
 	} else {
@@ -755,6 +754,15 @@ sub apply_ruleset {
 	}
     }
 
+    foreach my $chain (keys %$statushash) {
+	next if $statushash->{$chain}->{action} ne 'delete';
+	$cmdlist .= "-F $chain\n";
+    }
+    foreach my $chain (keys %$statushash) {
+	next if $statushash->{$chain}->{action} ne 'delete';
+	$cmdlist .= "-X $chain\n";
+    }
+
     $cmdlist .= "COMMIT\n";
 
     print $cmdlist if $verbose;
-- 
2.39.2