[pve-devel] [PATCH 15/19] ip6tables : remove_pvefw_chains
Alexandre Derumier
aderumier at odiso.com
Wed Jul 16 01:14:31 CEST 2014
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e3632a..9248ced 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3417,7 +3417,16 @@ sub update_nf_conntrack_tcp_timeout_established {
sub remove_pvefw_chains {
- my ($chash, $hooks) = iptables_get_chains();
+ PVE::Firewall::remove_pvefw_chains_iptables("iptables");
+ PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
+ PVE::Firewall::remove_pvefw_chains_ipset();
+
+}
+
+sub remove_pvefw_chains_iptables {
+ my ($iptablescmd) = @_;
+
+ my ($chash, $hooks) = iptables_get_chains($iptablescmd);
my $cmdlist = "*filter\n";
foreach my $h (qw(INPUT OUTPUT FORWARD)) {
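Review bot: `$iptablescmd`, unpacked from `@_` at the top of remove_pvefw_chains_iptables, is never validated even though it is passed straight to iptables_get_chains (presumably the name of the binary that gets run) and the ip6tables/iptables dispatch later in the function silently falls back to iptables for any other value. A guard right after the unpacking makes the contract explicit: `die "unknown iptables command '$iptablescmd'" unless $iptablescmd eq 'iptables' || $iptablescmd eq 'ip6tables';`. On style, the three calls in remove_pvefw_chains are fully qualified as PVE::Firewall::… although they live in the same package as the unqualified iptables_get_chains call, so the prefix can be dropped, and the blank line before the closing brace removed. The body of remove_pvefw_chains_iptables continues past the end of this hunk.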
@@ -3435,18 +3444,33 @@ sub remove_pvefw_chains {
}
$cmdlist .= "COMMIT\n";
- iptables_restore_cmdlist($cmdlist);
+ if($iptablescmd eq "ip6tables") {
+ ip6tables_restore_cmdlist($cmdlist);
+ } else {
+ iptables_restore_cmdlist($cmdlist);
+ }
+}
+
+sub remove_pvefw_chains_ipset {
my $ipset_chains = ipset_get_chains();
- $cmdlist = "";
+ my $sub_cmdlist = "";
+ my $cmdlist = "";
foreach my $chain (keys %$ipset_chains) {
- $cmdlist .= "flush $chain\n";
- $cmdlist .= "destroy $chain\n";
+ if ($chain =~ m/^PVEFW-\S+\-(v4|v6)$/) {
+ $sub_cmdlist .= "flush $chain\n";
+ $sub_cmdlist .= "destroy $chain\n";
+ }else{
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
}
- ipset_restore_cmdlist($cmdlist) if $cmdlist;
+ $cmdlist .= $sub_cmdlist;
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
}
sub init {
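Review bot: The ipset teardown in remove_pvefw_chains_ipset now depends on ordering — sets matching `PVEFW-\S+-(v4|v6)` are appended to the command list after all other sets — but nothing in the code records why, so the next reader will be tempted to merge the two lists again. A comment above the loop should state the constraint, e.g. `# Destroy the PVEFW-*-v4/-v6 sets last: they appear to be referenced by the other PVEFW sets, and ipset refuses to destroy a set that is still referenced (confirm against ipset_get_chains)`. The pattern itself can be tightened to `m/\APVEFW-\S+-(?:v4|v6)\z/` since the capture is unused and the `\-` escape is redundant, and `}else{` and `if(` should get the spacing the rest of the file uses. The dispatch at the top of this hunk belongs to remove_pvefw_chains_iptables, whose body starts in the previous hunk.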
--
1.7.10.4