If the cluster configuration does not exist but other firewall configuration files contain rules referencing SDN IPsets, validation of those rules fails, because the cluster configuration does not contain the SDN IPsets. This is because generic_fw_config_parser returns an empty hash when there is no cluster configuration file.
Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
---
 src/PVE/Firewall.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6437db0..7636798 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3658,6 +3658,9 @@ sub load_clusterfw_conf {
 my ($filename) = @_;
 $filename = $clusterfw_conf_filename if !defined($filename);
+
+ my $sdn_conf = load_sdn_conf();
+
 my $empty_conf = {
 rules => [],
 options => {},
@@ -3666,12 +3669,16 @@ sub load_clusterfw_conf {
 group_comments => {},
 ipset => {} ,
 ipset_comments => {},
- sdn => load_sdn_conf(),
+ sdn => $sdn_conf,
 };
 my $cluster_conf = generic_fw_config_parser($filename, $empty_conf, $empty_conf, 'cluster');
 $set_global_log_ratelimit->($cluster_conf->{options});
+ if (!$cluster_conf->{sdn}) {
+ $cluster_conf->{sdn} = $sdn_conf;
+ }
+
 return $cluster_conf;
 }
-- 
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
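Review bot: The fallback added after `generic_fw_config_parser` in the second hunk restores only the `sdn` key, and nothing in the code records why it is needed. Going by the commit message, the parser returns an empty hash when the cluster configuration file is missing, so `rules`, `options`, `ipset` and the other `$empty_conf` defaults are presumably absent in that case too. It is worth confirming that no caller relies on them, or having the parser hand back `$empty_conf` for a missing file so every default is covered in one place. If the fallback stays here, `$cluster_conf->{sdn} //= $sdn_conf;` preceded by a comment such as `# parser returns {} when the cluster config file is missing; rules in other configs may still reference SDN ipsets` is shorter and keeps the reason next to the code. The second hunk starts inside the `$empty_conf` initialiser; the start of `load_clusterfw_conf` is in the first hunk.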