with bug # added to commit subject. sorry for the delay, and thanks for the fix!
On June 2, 2020 10:06 am, Stoiko Ivanov wrote: > currently all ebtables chains are created with a hardcoded policy of ACCEPT. > This patch changes the functionality to store the configured policy of a > chain while reading the 'ebtables-save' output and uses this policy when > creating the command list. > > This is only relevant for ebtables chains not generated by pve-firewall (the > ones having an action of 'ignore' in the status-hash). > > Reported on the pve-user list: > https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html > > Minimally tested with the example from the thread. > > Signed-off-by: Stoiko Ivanov <s.iva...@proxmox.com> > --- > src/PVE/Firewall.pm | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index a2105e5..97670fd 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -1944,9 +1944,10 @@ sub ebtables_get_chains { > my $line = shift; > return if $line =~ m/^#/; > return if $line =~ m/^\s*$/; > - if ($line =~ m/^:(\S+)\s\S+$/) { > + if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) { > # Make sure we know chains exist even if they're empty. > $chains->{$1} //= []; > + $res->{$1}->{policy} = $2; > } elsif ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) { > my $chain = $1; > $line =~ s/\s+$//; > @@ -4063,6 +4064,7 @@ sub get_ruleset_status { > if (defined($change_only_regex)) { > $action = 'ignore' if ($chain !~ m/$change_only_regex/); > $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules}; > + $statushash->{$chain}->{policy} = > $active_chains->{$chain}->{policy}; > $sig = $sig->{sig}; > } > $statushash->{$chain}->{action} = $action; 
> @@ -4163,7 +4165,8 @@ sub get_ebtables_cmdlist { > my $pve_include = 0; > foreach my $chain (sort keys %$statushash) { > next if ($statushash->{$chain}->{action} eq 'delete'); > - $cmdlist .= ":$chain ACCEPT\n"; > + my $policy = $statushash->{$chain}->{policy} // 'ACCEPT'; > + $cmdlist .= ":$chain $policy\n"; > $pve_include = 1 if ($chain eq 'PVEFW-FORWARD'); > } > > -- > 2.20.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
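
Review bot: in the ebtables_get_chains hunk, narrowing the chain-header match from `\S+` to `(ACCEPT|DROP|RETURN)` means a `:chain <policy>` line carrying any other token no longer reaches `$chains->{$1} //= [];`, and with only two fields it cannot match the following `elsif` either, so the chain is dropped from the parsed state without any message. Consider keeping `\S+` as the capture and checking `$2` against the allowed policies separately, with a warning for an unexpected value, so that the "make sure we know chains exist" guarantee in the comment still holds.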
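
Review bot: in the get_ruleset_status hunk, the added `$statushash->{$chain}->{policy} = ...` assignment runs for every chain whenever `$change_only_regex` is defined, not only for chains whose `$action` was just set to 'ignore' on the line above, which is wider than the scope the commit message describes. Either guard it with a check on `$action eq 'ignore'`, or add a comment stating that chains matching the regex are meant to carry over the currently active policy as well, since get_ebtables_cmdlist now emits whatever is stored here.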
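
Review bot: in the get_ebtables_cmdlist hunk, `my $policy = $statushash->{$chain}->{policy} // 'ACCEPT';` falls back silently, so a chain whose policy was never recorded is indistinguishable in the output from one that really has an ACCEPT policy. A one-line comment naming which chains are expected to hit the fallback would document the intent, and since the change is described as minimally tested, a test case with a non-ACCEPT chain outside the pve-firewall set would cover the path this line exists for.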