Currently all ebtables chains are created with a hardcoded policy of ACCEPT. This patch changes that so the configured policy of a chain is stored while reading the 'ebtables-save' output, and that policy is then used when creating the command list.
This is only relevant for ebtablers chains not generated by pve-firewall (the ones having an action of 'ignore' in the status-hash). Reported on the pve-user list: https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html Minimally tested with the example from the thread.
Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com>
---
src/PVE/Firewall.pm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a2105e5..97670fd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1944,9 +1944,10 @@ sub ebtables_get_chains {
 my $line = shift;
 return if $line =~ m/^#/;
 return if $line =~ m/^\s*$/;
-if ($line =~ m/^:(\S+)\s\S+$/) {
+if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 # Make sure we know chains exist even if they're empty.
 $chains->{$1} //= [];
+$res->{$1}->{policy} = $2;
 } elsif ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) {
 my $chain = $1;
 $line =~ s/\s+$//;
@@ -4063,6 +4064,7 @@ sub get_ruleset_status {
 if (defined($change_only_regex)) {
 $action = 'ignore' if ($chain !~ m/$change_only_regex/);
 $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
+$statushash->{$chain}->{policy} = $active_chains->{$chain}->{policy};
 $sig = $sig->{sig};
 }
 $statushash->{$chain}->{action} = $action;
@@ -4163,7 +4165,8 @@ sub get_ebtables_cmdlist {
 my $pve_include = 0;
 foreach my $chain (sort keys %$statushash) {
 next if ($statushash->{$chain}->{action} eq 'delete');
-$cmdlist .= ":$chain ACCEPT\n";
+my $policy = $statushash->{$chain}->{policy} // 'ACCEPT';
+$cmdlist .= ":$chain $policy\n";
 $pve_include = 1 if ($chain eq 'PVEFW-FORWARD');
 }
-- 
2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
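Review bot: The new chain regex `m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/` in ebtables_get_chains accepts only the three policy keywords, so a `:<chain> <token>` line with any other token no longer reaches `$chains->{$1} //= []`; the `elsif` pattern needs three whitespace-separated fields and will not match such a two-field line either, and what the remaining branch does is outside the hunk. ACCEPT, DROP and RETURN are the only chain policies ebtables accepts, so this is a reasonable allow-list, but the narrowing is silent in the code; a comment would make it deliberate: `# ebtables only allows ACCEPT, DROP and RETURN as chain policy; any other token is treated as an unparseable line`. Because `$1` and `$2` are now reused across two statements, naming them first keeps the intent clearer: `my ($chain, $policy) = ($1, $2);`. The enclosing parser sub starts before the hunk and continues after it.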
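Review bot: In get_ebtables_cmdlist, `$policy` is interpolated directly into the ebtables-restore script on the new `$cmdlist .= ":$chain $policy\n";` line, and nothing at this point constrains its value; it is safe only because the value either comes from the `(ACCEPT|DROP|RETURN)` capture in ebtables_get_chains earlier in this patch or is the literal default `'ACCEPT'`. That invariant is worth recording next to the `// 'ACCEPT'` line, e.g. `# policy was parsed from ebtables-save output (restricted to ACCEPT/DROP/RETURN there); chains we create ourselves get ACCEPT`, so that a later relaxation of that regex is recognised as widening what ends up in the restore script. The hunk header's 7/8 line count suggests one context line, presumably blank, was lost in the collapsed listing, and the function continues past the hunk.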