We also need an ebtables equivalent of 'remove_pvefw_chains'; otherwise the previous rules aren't removed when ebtables is disabled after having been enabled for a while.
On Thu, May 17, 2018 at 05:03:56PM +0200, Stoiko Ivanov wrote: > minimally fixes #1764, by introducing ebtables_enable as an option in cluster.fw > > > Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com> > --- > Note: A better option would be to just not overwrite any output of > ebtables-save, not containing pve-specific interface names or PVE, however > this patch should at least fix the problem described in #1764. > > src/PVE/Firewall.pm | 14 +++++++++----- > 1 file changed, 9 insertions(+), 5 deletions(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index 96cf9bd..4bd1f89 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -2667,6 +2667,9 @@ sub parse_clusterfw_option { > if (($value > 1) && ((time() - $value) > 60)) { > $value = 0 > } > + } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) { > + $opt = lc($1); > + $value = int($2); > } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { > $opt = lc($1); > $value = uc($3); > @@ -3422,7 +3425,7 @@ sub compile { > $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, > $verbose); > } > > - return ({},{},{}) if !$cluster_conf->{options}->{enable}; > + return ({},{},{},{}) if !$cluster_conf->{options}->{enable}; > > my $localnet; > if ($cluster_conf->{aliases}->{local_network}) { > @@ -3441,7 +3444,6 @@ sub compile { > my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, > $vmfw_configs, $vmdata, 6, $verbose); > my $ebtables_ruleset = compile_ebtables_filter($cluster_conf, > $hostfw_conf, $vmfw_configs, $vmdata, $verbose); > my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, > $vmdata); > - > return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset); > } 
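Review bot: The new `ebtables_enable` branch in parse_clusterfw_option accepts only a literal 0 or 1, whereas the `enable` branch directly above it appears to also treat values greater than 1 as a timestamp that expires after 60 seconds; the asymmetry looks deliberate but is not stated anywhere. A one-line comment on the new `elsif` would make that explicit, e.g. `# boolean only; unlike 'enable', this option carries no timeout timestamp`. The `/i` match combined with `lc($1)` normalizes the key the same way the neighbouring `policy_(in|out)` branch does, so the style is consistent. parse_clusterfw_option starts and ends outside the hunk.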
> > @@ -3657,13 +3659,14 @@ sub compile_ipsets { > sub compile_ebtables_filter { > my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_; > > - return ({}, {}) if !$cluster_conf->{options}->{enable}; > + if (!($cluster_conf->{options}->{ebtables_enable} // 1)) { > + return {}; > + } > > my $ruleset = {}; > > ruleset_create_chain($ruleset, "PVEFW-FORWARD"); > > - > ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT"); > #for ipv4 and ipv6, check macaddress in iptables, so we use conntrack > 'ESTABLISHED', to speedup rules > ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-p IPv4', '-j ACCEPT'); > @@ -3852,6 +3855,7 @@ sub get_ruleset_cmdlist { > sub get_ebtables_cmdlist { > my ($ruleset, $verbose) = @_; > > + return (wantarray ? ('', 0) : '') if ! keys (%$ruleset); > my $changes = 0; > my $cmdlist = "*filter\n"; > > @@ -3995,7 +3999,7 @@ sub apply_ruleset { > > ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist; > > - ebtables_restore_cmdlist($ebtables_cmdlist); > + ebtables_restore_cmdlist($ebtables_cmdlist) if $ebtables_cmdlist; > > $tmpfile = "$pve_fw_status_dir/ebtablescmdlist"; > PVE::Tools::file_set_contents($tmpfile, $ebtables_cmdlist || ''); > -- > 2.11.0 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
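Review bot: The rewritten early return in compile_ebtables_filter drops the old `options->{enable}` check, so the sub now builds a full ebtables ruleset even when the cluster firewall as a whole is disabled; compile() covers that case with its own `return ({},{},{},{})`, but any other caller of compile_ebtables_filter (none is visible here) would no longer be protected. The `// 1` default also deserves a comment, since it turns ebtables filtering on unless the option is set to 0 explicitly: `# ebtables filtering is on unless cluster.fw sets 'ebtables_enable: 0'`. Stylistically the four-line `if` block could follow the postfix form used by the surrounding early returns, `return {} if !($cluster_conf->{options}->{ebtables_enable} // 1);`. The body of compile_ebtables_filter continues past the end of the hunk.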
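Review bot: The guard `return (wantarray ? ('', 0) : '') if ! keys (%$ruleset);` in get_ebtables_cmdlist makes the return shape depend on calling context, which is only safe if it mirrors the sub's normal return at its end (not visible in the hunk); a comment such as `# empty ruleset: nothing to restore, report no changes (same shape as the final return)` would tie the two together. `keys %$ruleset` on an undef `$ruleset` appears to autovivify it rather than die, so a missing ruleset is silently treated like an empty one; if callers can pass undef, `!$ruleset || !keys %$ruleset` states that intent. The space in `keys (%$ruleset)` is unusual for this file; `keys %$ruleset` reads more naturally. get_ebtables_cmdlist continues past the end of the hunk.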