When disabling the nftables firewall again, there is a race condition where the nftables ruleset never gets flushed and persists after disabling. In practice this almost never happens due to pve-firewall running every 10 seconds, and proxmox-firewall running every 5 seconds, so the proxmox-firewall main loop almost always runs at least once before the force disable file gets created and flushes the ruleset.
Reported-by: Hannes Laimer <h.lai...@proxmox.com> Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com> --- proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs index f7e816e..5133cbf 100644 --- a/proxmox-firewall/src/bin/proxmox-firewall.rs +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> { while !term.load(Ordering::Relaxed) { if force_disable_flag.exists() { + if let Err(error) = remove_firewall() { + log::error!("unable to disable firewall: {error:#}"); + } + std::thread::sleep(Duration::from_secs(5)); continue; } -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
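Review bot: remove_firewall() now runs on every 5-second iteration for as long as the force-disable flag exists, not just once when the flag appears, so a node that stays force-disabled re-flushes the ruleset (and, if the flush keeps failing, repeats the same log::error! line) every 5 seconds. Consider latching on the transition, e.g. a `let mut disabled = false;` before the loop, calling remove_firewall() only when `!disabled` and setting it on success, and clearing it again in the branch where the flag is absent; otherwise state in the commit message that remove_firewall() is idempotent and cheap enough to repeat unconditionally. Logging and continuing on error is the right choice here, since the next iteration retries the flush.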
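To make the race in the commit message reproducible offline, here is an added example that is not code from proxmox-firewall: a deterministic model of the daemon's main loop driven by a scripted sequence of ticks instead of the filesystem and a 5-second sleep. `Tick`, `Env`, `simulate`, `common_schedule` and `race_schedule` are hypothetical names; `remove_firewall()` here only flips a flag and counts calls. That the loop applies or removes the ruleset from the config when the flag is absent is an assumption made for the model, since the hunk does not show that branch.

```rust
// Added example, not code from the proxmox-firewall repository: a model of the
// daemon loop so the race from the commit message can be reproduced offline.
// Tick, Env and simulate are hypothetical names chosen for this example.

/// What one loop iteration observes (stands in for the config file and the
/// force-disable flag file on disk; hypothetical).
#[derive(Clone, Copy, Debug)]
pub struct Tick {
    pub firewall_enabled: bool,
    pub force_disable_flag: bool,
}

/// Stand-in for the nftables ruleset plus a counter of nft operations.
#[derive(Debug, Default)]
pub struct Env {
    pub ruleset_installed: bool,
    pub remove_calls: usize,
}

impl Env {
    fn apply_firewall(&mut self) {
        self.ruleset_installed = true;
    }

    /// Mirrors remove_firewall() from the patch: flushing is idempotent, but
    /// every call still counts as an nft operation.
    fn remove_firewall(&mut self) -> Result<(), String> {
        self.ruleset_installed = false;
        self.remove_calls += 1;
        Ok(())
    }
}

/// Runs the loop body once per tick. `patched` selects the behaviour after the
/// patch (remove_firewall() inside the force-disable branch).
pub fn simulate(schedule: &[Tick], patched: bool) -> Env {
    // The firewall was running before the schedule starts.
    let mut env = Env { ruleset_installed: true, remove_calls: 0 };
    for tick in schedule {
        if tick.force_disable_flag {
            if patched {
                if let Err(error) = env.remove_firewall() {
                    eprintln!("unable to disable firewall: {error:#}");
                }
            }
            // std::thread::sleep(Duration::from_secs(5)) in the real loop.
            continue;
        }
        // Assumed normal path: follow the config when the flag is absent.
        if tick.firewall_enabled {
            env.apply_firewall();
        } else if let Err(error) = env.remove_firewall() {
            eprintln!("unable to remove firewall: {error:#}");
        }
    }
    env
}

/// Common case from the commit message: the loop sees the disabled config
/// before pve-firewall creates the flag file.
pub fn common_schedule() -> Vec<Tick> {
    vec![
        Tick { firewall_enabled: false, force_disable_flag: false },
        Tick { firewall_enabled: false, force_disable_flag: true },
        Tick { firewall_enabled: false, force_disable_flag: true },
    ]
}

/// The race: the flag file already exists when the loop next runs.
pub fn race_schedule() -> Vec<Tick> {
    vec![
        Tick { firewall_enabled: false, force_disable_flag: true },
        Tick { firewall_enabled: false, force_disable_flag: true },
        Tick { firewall_enabled: false, force_disable_flag: true },
    ]
}

fn main() {
    for (name, schedule) in [("common", common_schedule()), ("race", race_schedule())] {
        for patched in [false, true] {
            let env = simulate(&schedule, patched);
            println!(
                "{name} patched={patched}: installed={} remove_calls={}",
                env.ruleset_installed, env.remove_calls
            );
        }
    }
}
```

Running it shows the two sides of the fix: with the race schedule the unpatched loop leaves the ruleset installed forever, the patched loop removes it on the first tick, and `remove_calls` also shows that the patched loop keeps calling remove_firewall() on every later tick while the flag stays in place.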