Minimally fix #1764 by introducing an ebtables_enable option in cluster.fw
Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com>
---
Note: A better option would be to just not overwrite any output of ebtables-save, not containing pve-specific interface names or PVE, however this patch should at least fix the problem describend in #1764.
 src/PVE/Firewall.pm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 96cf9bd..4bd1f89 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2667,6 +2667,9 @@ sub parse_clusterfw_option {
 if (($value > 1) && ((time() - $value) > 60)) {
 $value = 0
 }
+ } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
 } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 $opt = lc($1);
 $value = uc($3);
@@ -3422,7 +3425,7 @@ sub compile {
 $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
 }
 
- return ({},{},{}) if !$cluster_conf->{options}->{enable};
+ return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
 
 my $localnet;
 if ($cluster_conf->{aliases}->{local_network}) {
@@ -3441,7 +3444,6 @@ sub compile {
 my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
 my $ebtables_ruleset = compile_ebtables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose);
 my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
-
 return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
 }
 
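Review bot: The new branch matches only the literal values 0 and 1, so a line such as `ebtables_enable: yes` or `ebtables_enable: 2` falls through to the remaining branches of parse_clusterfw_option, which lie outside this hunk, and is presumably handled there like any other unrecognised line rather than being reported as a bad value for a known option. The option also carries no note of its default, although the rest of this patch treats an absent option as enabled. I would add above the branch `# ebtables_enable: 0 disables generation of the ebtables ruleset; unset or 1 keeps it (the default)`. For a single-digit flag the character class `([01])` reads a little clearer than `(0|1)` and is otherwise equivalent.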
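Review bot: The disabled-firewall early return now yields four empty hashrefs, matching the four-element `return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset)` at the end of compile, but the bare positional placeholders say nothing about which slot is which, which is how the old three-element version drifted out of sync in the first place. I would annotate the line: `return ({},{},{},{}) if !$cluster_conf->{options}->{enable}; # (iptables v4, ipsets, iptables v6, ebtables) - keep in step with the final return`. Note that the empty ebtables hash now reaches get_ebtables_cmdlist, which in this patch turns it into an empty cmdlist, so a disabled firewall leaves the loaded ebtables state untouched instead of overwriting it; that is presumably the intended fix for #1764 and is worth spelling out in the commit message. compile continues outside the hunk.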
@@ -3657,13 +3659,14 @@ sub compile_ipsets {
 
 sub compile_ebtables_filter {
 my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_;
 
- return ({}, {}) if !$cluster_conf->{options}->{enable};
+ if (!($cluster_conf->{options}->{ebtables_enable} // 1)) {
+ return {};
+ }
 
 my $ruleset = {};
 
 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
 
 #for ipv4 and ipv6, check macaddress in iptables, so we use conntrack 'ESTABLISHED', to speedup rules
 ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-p IPv4', '-j ACCEPT');
@@ -3852,6 +3855,7 @@ sub get_ruleset_cmdlist {
 sub get_ebtables_cmdlist {
 my ($ruleset, $verbose) = @_;
 
+ return (wantarray ? ('', 0) : '') if ! keys (%$ruleset);
 my $changes = 0;
 my $cmdlist = "*filter\n";
 
@@ -3995,7 +3999,7 @@ sub apply_ruleset {
 
 ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
 
- ebtables_restore_cmdlist($ebtables_cmdlist);
+ ebtables_restore_cmdlist($ebtables_cmdlist) if $ebtables_cmdlist;
 
 $tmpfile = "$pve_fw_status_dir/ebtablescmdlist";
 PVE::Tools::file_set_contents($tmpfile, $ebtables_cmdlist || '');
-- 
2.11.0
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
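Review bot: The deleted `ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT")` is safe only if no later rule in this function still jumps to PVEFW-FWBR-OUT; the diffstat (9 insertions, 5 deletions) is fully accounted for by the visible hunks, so no such reference was removed elsewhere, and a dangling `-j PVEFW-FWBR-OUT` would make ebtables-restore reject the whole table. The rest of the function is outside the hunk, so that deserves a grep before merging. The new early return also changes shape from the old two-element `({}, {})` to a single hashref, which is fine only if the function's normal return at its end (not visible here) is a single `$ruleset` as well. I would document the guard: `# ebtables_enable defaults to on; when explicitly 0 we compile no chains, so apply_ruleset skips ebtables-restore and whatever is currently loaded stays in place`.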
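Review bot: The empty-ruleset shortcut returns `''` (or `('', 0)`), which apply_ruleset in this patch reads as "do not touch ebtables", but neither here nor at the call site is that contract written down, and a reader seeing an empty `*filter` table skipped rather than applied could easily "fix" it back. Since compile_ebtables_filter always creates PVEFW-FORWARD when enabled, an empty hash only arises on the disabled path, so I would state that: `# no chains compiled (firewall or ebtables_enable off): return an empty cmdlist so apply_ruleset leaves the loaded ebtables rules alone instead of flushing them`. The spacing in `keys (%$ruleset)` differs from the `func(arg)` form used on the other added lines; `return wantarray ? ('', 0) : '' if !keys %$ruleset;` is equivalent and consistent.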
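Review bot: Skipping ebtables_restore_cmdlist on an empty cmdlist means an operator who switches ebtables_enable from 1 to 0 keeps the previously installed PVEFW-FORWARD chain and its rules live in the kernel until a reboot or a manual flush, while the status file written on the next line is reset to empty, so the recorded and the live state diverge and the MAC-level filtering the operator meant to turn off stays active. That is the trade-off the commit note chooses (not overwriting foreign ebtables output), but it is a security-relevant surprise that deserves a comment and a log line here: `# empty cmdlist: ebtables generation is disabled; deliberately leave the loaded table as is, which also keeps any earlier PVEFW-* chains`. A follow-up could flush only the PVEFW-* chains on that 1->0 transition. apply_ruleset starts and ends outside this hunk.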