[pve-devel] [PATCH firewall] introduce ebtables_enable option to cluster config
Stoiko Ivanov
s.ivanov at proxmox.com
Thu May 17 17:03:56 CEST 2018
minimally fixes #1764, by introducing ebtables_enable as option in cluster.fw
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
Note: A better option would be to not overwrite any output of
ebtables-save that does not contain pve-specific interface names or PVE; however,
this patch should at least fix the problem described in #1764.
src/PVE/Firewall.pm | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 96cf9bd..4bd1f89 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2667,6 +2667,9 @@ sub parse_clusterfw_option {
if (($value > 1) && ((time() - $value) > 60)) {
$value = 0
}
+ } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
} elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
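Review bot: The new `ebtables_enable` branch records nothing about its default, which is only visible as the `// 1` in compile_ebtables_filter further down the patch; if the cluster options are also declared in a property schema or documented elsewhere in Firewall.pm, that declaration is missing from this patch and should be added alongside the parser branch. A short comment at the branch, `# ebtables_enable: 0|1; absent means enabled (see compile_ebtables_filter)`, would tie the two places together. The regex follows the sibling `policy_(in|out)` branch (case-insensitive name, `lc($1)`), so parsing itself looks consistent. parse_clusterfw_option starts before this hunk.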
@@ -3422,7 +3425,7 @@ sub compile {
$vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
- return ({},{},{}) if !$cluster_conf->{options}->{enable};
+ return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
my $localnet;
if ($cluster_conf->{aliases}->{local_network}) {
@@ -3441,7 +3444,6 @@ sub compile {
my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
my $ebtables_ruleset = compile_ebtables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose);
my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
-
return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
}
@@ -3657,13 +3659,14 @@ sub compile_ipsets {
sub compile_ebtables_filter {
my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_;
- return ({}, {}) if !$cluster_conf->{options}->{enable};
+ if (!($cluster_conf->{options}->{ebtables_enable} // 1)) {
+ return {};
+ }
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-
ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
#for ipv4 and ipv6, check macaddress in iptables, so we use conntrack 'ESTABLISHED', to speedup rules
ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-p IPv4', '-j ACCEPT');
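Review bot: Returning `{}` when `ebtables_enable` is 0 makes get_ebtables_cmdlist return `('', 0)` (hunk at L57) and apply_ruleset then skips `ebtables_restore_cmdlist` altogether (hunk at L63), so PVEFW chains installed while the option was 1 stay in the kernel when an administrator later sets it to 0, and the zero change count reports that nothing happened. If that is the intended meaning — disabling means "leave ebtables untouched", not "clean up" — it should be stated at the guard, e.g. `# ebtables_enable=0: leave ebtables alone; previously installed PVEFW chains are not removed`. The old `enable` guard is dropped here; compile returns early before calling this function, but if compile_ebtables_filter has any other caller it now builds a full ruleset with the firewall disabled. compile_ebtables_filter continues past the end of this hunk.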
@@ -3852,6 +3855,7 @@ sub get_ruleset_cmdlist {
sub get_ebtables_cmdlist {
my ($ruleset, $verbose) = @_;
+ return (wantarray ? ('', 0) : '') if ! keys (%$ruleset);
my $changes = 0;
my $cmdlist = "*filter\n";
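Review bot: The early return hard-codes the list shape `('', 0)`, while the function's normal return lies outside the hunk, so I cannot confirm from here that it yields `($cmdlist, $changes)` in that order; worth checking the two agree, and a comment such as `# empty ruleset: nothing to emit, no changes` would make the intent explicit. Style-wise, `if ! keys (%$ruleset)` can be written `if !%$ruleset;` (a hash in boolean context is true iff non-empty), which also drops the space before the paren that the surrounding calls do not use. get_ebtables_cmdlist continues past the end of this hunk.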
@@ -3995,7 +3999,7 @@ sub apply_ruleset {
ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
- ebtables_restore_cmdlist($ebtables_cmdlist);
+ ebtables_restore_cmdlist($ebtables_cmdlist) if $ebtables_cmdlist;
$tmpfile = "$pve_fw_status_dir/ebtablescmdlist";
PVE::Tools::file_set_contents($tmpfile, $ebtables_cmdlist || '');
--
2.11.0