[pve-devel] [PATCH v3 firewall 05/13] make $pve_std_chains a copy of $pve_std_chains_conf
Tom Weber
pve at junkyard.4t2.com
Mon Oct 9 12:16:23 CEST 2017
Create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persistent changes to
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (to be implemented later).
---
src/PVE/Firewall.pm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 634ff90..c7ddd10 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -20,6 +20,7 @@ use IO::File;
use Net::IP;
use PVE::Tools qw(run_command lock_file dir_glob_foreach);
use Encode;
+use Storable qw(dclone);
my $hostfw_conf_filename = "/etc/pve/local/host.fw";
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -548,7 +549,8 @@ my $FWACCEPTMARK_ON = "0x80000000/0x80000000";
my $FWACCEPTMARK_OFF = "0x00000000/0x80000000";
my $pve_std_chains = {};
-$pve_std_chains->{4} = {
+my $pve_std_chains_conf = {};
+$pve_std_chains_conf->{4} = {
'PVEFW-SET-ACCEPT-MARK' => [
{ target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
],
@@ -641,7 +643,7 @@ $pve_std_chains->{4} = {
],
};
-$pve_std_chains->{6} = {
+$pve_std_chains_conf->{6} = {
'PVEFW-SET-ACCEPT-MARK' => [
{ target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
],
@@ -3354,6 +3356,9 @@ sub compile {
my $vmfw_configs;
+ # fixme: once we read standard chains from config this needs to be put in test/standard cases below
+ $pve_std_chains = dclone($pve_std_chains_conf);
+
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";
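Review bot: After this change `$pve_std_chains` stays an empty hash from module load until the first `compile()` call, because the populated tables now live only in `$pve_std_chains_conf` and are copied in at the top of `compile`. Any code that reads `$pve_std_chains` outside a compile run (none is visible in this hunk, so this needs checking) would silently see no standard chains, which in a firewall rule generator means missing rules rather than an error. Consider seeding it once after the `{6}` table is defined with `$pve_std_chains = dclone($pve_std_chains_conf);`, or making the copy a lexical inside `compile` and passing it to the helpers so no module-level state carries over between runs. The body of `compile` continues outside the hunk.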
--
2.7.4