On 17/07/2024 at 15:16, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling.
>
> The nftables firewall update loop does a noop when the force disable
> file exists. It only flushes the ruleset when nftables is disabled in
> the configuration file but the force disable file does not yet exist.
>
> This can lead to the following situation:
>
> * nftables is activated and created its ruleset
> * user switches from nftables firewall back to iptables firewall
> * pve-firewall runs and creates the force disable file
> * proxmox-firewall sees that the file exists and does nothing
>
> Reported-by: Hannes Laimer <h.lai...@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
> ---
> Changes from v2 to v3:
> * Use proper debug output formatter
>
> Changes from v1 to v2:
> * Removed misleading/wrong section about the probability of this
> happening
> * Added a detailed description of the scenario this commit prevents
>
> proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
> 1 file changed, 4 insertions(+)
>
>
applied, thanks!

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
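A toy model of the ordering problem described in the quoted commit message, added here as an illustration; it is not code from proxmox-firewall or its author. The host state (selected backend, force-disable file, loaded ruleset), the `update_loop_original` decision rule and the `update_loop_fixed` variant are all assumptions: the "fixed" rule encodes only the stated intent (treat the force-disable file as nftables being disabled and flush any ruleset that is still loaded), not the content of the actual four-line patch. The scenario is replayed once with the race lost (the update loop runs only after pve-firewall has created the file) and once with it won, to show that the leak depends purely on timing.

```rust
// Added illustration, not proxmox-firewall's own code. Models the race from
// the commit message: a ruleset survives if the update loop first observes
// the config switch only after the force-disable file already exists.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Backend {
    Iptables,
    Nftables,
}

/// Observable state the update loop inspects on each iteration (assumed model).
#[derive(Debug, Clone)]
struct Host {
    /// Which firewall backend the configuration currently selects.
    backend: Backend,
    /// Whether pve-firewall has created the force-disable file.
    force_disable_file: bool,
    /// Whether an nftables ruleset created by proxmox-firewall is loaded.
    ruleset_loaded: bool,
}

/// Update loop as described for the buggy version: a no-op whenever the
/// force-disable file exists; flushes only when the configuration selects
/// iptables and the file does not exist yet.
fn update_loop_original(h: &mut Host) {
    if h.force_disable_file {
        return; // no-op, even if a ruleset is still loaded
    }
    match h.backend {
        Backend::Nftables => h.ruleset_loaded = true,
        Backend::Iptables => h.ruleset_loaded = false, // flush
    }
}

/// Assumed fixed behaviour: the force-disable file counts as "nftables
/// disabled", so a lingering ruleset is flushed before the loop goes idle.
fn update_loop_fixed(h: &mut Host) {
    let nftables_disabled = h.force_disable_file || h.backend == Backend::Iptables;
    if nftables_disabled {
        h.ruleset_loaded = false; // flush (no-op if nothing is loaded)
        return;
    }
    h.ruleset_loaded = true;
}

/// Replays the scenario from the commit message with the given update-loop
/// implementation. `loop_runs_before_file` selects the interleaving: true
/// means proxmox-firewall wakes up between the config switch and pve-firewall
/// creating the file; false means it wakes up only afterwards (the race is
/// lost). Returns whether a ruleset is still loaded at the end.
fn run_scenario(update: fn(&mut Host), loop_runs_before_file: bool) -> bool {
    let mut h = Host {
        backend: Backend::Nftables,
        force_disable_file: false,
        ruleset_loaded: false,
    };
    update(&mut h); // nftables is activated and creates its ruleset
    h.backend = Backend::Iptables; // user switches back to iptables
    if loop_runs_before_file {
        update(&mut h); // loop sees "iptables, no file" and flushes
    }
    h.force_disable_file = true; // pve-firewall runs and creates the file
    update(&mut h); // proxmox-firewall sees the file
    h.ruleset_loaded
}

fn main() {
    for (name, f) in [
        ("original", update_loop_original as fn(&mut Host)),
        ("fixed", update_loop_fixed as fn(&mut Host)),
    ] {
        println!(
            "{name}: race lost -> ruleset persists = {}, race won -> ruleset persists = {}",
            run_scenario(f, false),
            run_scenario(f, true)
        );
    }
}
```

The point to take from the model is that the original rule has a state (`force_disable_file && ruleset_loaded`) in which it never acts, so a single unlucky scheduling order leaves the ruleset in place indefinitely; the fixed rule has no such absorbing state, which is what a reviewer would check for in any "disable" path that is gated on an externally created marker file.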