[pve-devel] [RFC firewall 0/8] rebased ebtables patches

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Mar 29 11:13:34 CEST 2018


On 3/29/18 9:53 AM, Wolfgang Bumiller wrote:
> On Thu, Mar 29, 2018 at 08:02:47AM +0200, Thomas Lamprecht wrote:
>> On 3/28/18 10:53 AM, Wolfgang Bumiller wrote:
>> I get the following error periodically:
>>
>>  > ebtables : unable to update chain 'PVEFW-FWBR-OUT'
> 
> Ah, apparently I never tested without having any VM with a firewalled
> interface. One more thing caused by the inability to add signature
> comments in ebtables. Fixed by this followup patch:
> 
> --->8---
> From: Wolfgang Bumiller <w.bumiller at proxmox.com>
> Date: Thu, 29 Mar 2018 09:48:28 +0200
> Subject: [PATCH firewall 9/9] ebtables_get_chains: deal with empty chains
> 
> Since we don't have signatures in ebtables we need to also
> see empty chains to not think we have to create them.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index b8ade7c..8f545e7 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1836,7 +1836,10 @@ sub ebtables_get_chains {
>  	my $line = shift;
>  	return if $line =~ m/^#/;
>  	return if $line =~ m/^\s*$/;
> -	if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
> +	if ($line =~ m/^:(\S+)\s\S+$/) {
> +	    # Make sure we know chains exist even if they're empty.
> +	    $chains->{$1} //= [];
> +	} elsif ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
>  	    my $chain = $1;
>  	    $line =~ s/\s+$//;
>  	    push @{$chains->{$chain}}, $line;
> 
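Review bot: the new declaration match `m/^:(\S+)\s\S+$/` accepts any chain name, while the rule branch directly below it only collects `PVEFW-\S+` chains, so `$chains` can now gain empty entries for chains the firewall code does not own. If only the firewall's own chains are meant to be tracked, narrow the capture to `m/^:(PVEFW-\S+)\s\S+$/`. Otherwise extend the comment to say that foreign chains are included on purpose. A smaller point on the same line: the pattern is anchored with `$`, but trailing whitespace is stripped only inside the `elsif` branch, so a declaration line that ends in whitespace would not be recorded as a declaration. Moving `$line =~ s/\s+$//;` above the `if` would cover both branches.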

OK, this fixes my issues, all works now as expected...

Series:
Reviewed-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht at proxmox.com>

@Dietmar
If there aren't any objections I'd apply this.



