[pve-devel] [RFC firewall 0/8] rebased ebtables patches

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Mar 29 09:53:29 CEST 2018


On Thu, Mar 29, 2018 at 08:02:47AM +0200, Thomas Lamprecht wrote:
> On 3/28/18 10:53 AM, Wolfgang Bumiller wrote:
> I get the following error periodically:
> 
>  > ebtables : unable to update chain 'PVEFW-FWBR-OUT'

Ah, apparently I never tested without having any VM with a firewalled
interface. One more thing caused by the inability to add signature
comments in ebtables. Fixed by this followup patch:

--->8---
From: Wolfgang Bumiller <w.bumiller at proxmox.com>
Date: Thu, 29 Mar 2018 09:48:28 +0200
Subject: [PATCH firewall 9/9] ebtables_get_chains: deal with empty chains

Since we don't have signatures in ebtables we need to also
see empty chains to not think we have to create them.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/Firewall.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b8ade7c..8f545e7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1836,7 +1836,10 @@ sub ebtables_get_chains {
 	my $line = shift;
 	return if $line =~ m/^#/;
 	return if $line =~ m/^\s*$/;
-	if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
+	if ($line =~ m/^:(\S+)\s\S+$/) {
+	    # Make sure we know chains exist even if they're empty.
+	    $chains->{$1} //= [];
+	} elsif ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
 	    my $chain = $1;
 	    $line =~ s/\s+$//;
 	    push @{$chains->{$chain}}, $line;
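
Review bot: The new chain-declaration branch matches `m/^:(\S+)\s\S+$/` without the `PVEFW-` prefix that the rule branch right after it requires, so every chain declared in the parsed output gets an empty entry in `$chains`, not only the firewall's own chains. If callers assume every key is a chain the firewall manages, consider `m/^:(PVEFW-\S+)\s\S+$/`, or extend the comment to say the wider match is intended. The `$` anchor also rejects a declaration line that carries trailing whitespace, while the rule branch strips it with `s/\s+$//`; if the input can contain it, allow `\s*$` here as well.
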
-- 
2.11.0




