[pve-devel] [PATCH firewall] introduce ebtables_enable option to cluster config
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue May 22 14:21:07 CEST 2018
We also need an ebtables-equivalent for 'remove_pvefw_chains', otherwise
the previous rules aren't removed when disabling ebtables after having
had them enabled for a while.
On Thu, May 17, 2018 at 05:03:56PM +0200, Stoiko Ivanov wrote:
> minimally fixes #1764, by introducing ebtables_enable as option in cluster.fw
>
>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> Note: A better option would be to leave untouched any output of
> ebtables-save that does not contain pve-specific interface names or PVE; however,
> this patch should at least fix the problem described in #1764.
>
> src/PVE/Firewall.pm | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 96cf9bd..4bd1f89 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2667,6 +2667,9 @@ sub parse_clusterfw_option {
> if (($value > 1) && ((time() - $value) > 60)) {
> $value = 0
> }
> + } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) {
> + $opt = lc($1);
> + $value = int($2);
> } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
> $opt = lc($1);
> $value = uc($3);
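Review bot: The new `ebtables_enable` branch only teaches the line parser about the option; if the file also keeps a schema of cluster options (the property hash used for API validation and for documenting cluster.fw, not visible here), it needs a matching boolean entry, otherwise the option parses from the file but cannot be set or described through the API. Since the compile side treats a missing key as enabled (`// 1`), that entry should carry `default => 1` and a description such as `enable ebtables rules for the guest bridges (default: enabled)` so the two defaults stay in agreement. The regex and `int($2)` follow the pattern of the neighbouring option branches, so nothing else is needed in this hunk.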
> @@ -3422,7 +3425,7 @@ sub compile {
> $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
> }
>
> - return ({},{},{}) if !$cluster_conf->{options}->{enable};
> + return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
>
> my $localnet;
> if ($cluster_conf->{aliases}->{local_network}) {
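Review bot: The early return now hands back four empty hashes, matching the `return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);` at the end of compile, but which slot is which is only discoverable by reading that far; a trailing comment on the new line, `# (ruleset, ipset_ruleset, rulesetv6, ebtables_ruleset)`, would document the contract where callers are most likely to look. Callers that destructure the result should be checked for the fourth slot, although the previous three-element list already left the ebtables entry undef, so this is a fix rather than a new hazard.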
> @@ -3441,7 +3444,6 @@ sub compile {
> my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
> my $ebtables_ruleset = compile_ebtables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose);
> my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
> -
> return ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
> }
>
> @@ -3657,13 +3659,14 @@ sub compile_ipsets {
> sub compile_ebtables_filter {
> my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_;
>
> - return ({}, {}) if !$cluster_conf->{options}->{enable};
> + if (!($cluster_conf->{options}->{ebtables_enable} // 1)) {
> + return {};
> + }
>
> my $ruleset = {};
>
> ruleset_create_chain($ruleset, "PVEFW-FORWARD");
>
> -
> ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
> #for ipv4 and ipv6, check macaddress in iptables, so we use conntrack 'ESTABLISHED', to speedup rules
> ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-p IPv4', '-j ACCEPT');
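Review bot: The new guard in compile_ebtables_filter is written as a three-line if block where the line it replaces, and the guards around it in this file, use the postfix form; `return {} if !($cluster_conf->{options}->{ebtables_enable} // 1);` reads the same and keeps the style. The return value must stay an empty hash rather than undef, because get_ebtables_cmdlist decides whether to emit anything at all by testing `keys %$ruleset`, so a comment such as `# ebtables disabled: an empty ruleset makes get_ebtables_cmdlist produce no cmdlist` would protect that coupling. The check on the cluster-wide `enable` option was dropped here; that is safe as long as compile() is the only caller, since it now returns before reaching this sub when the firewall is disabled, which is worth confirming. The rest of compile_ebtables_filter continues past the hunk.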
> @@ -3852,6 +3855,7 @@ sub get_ruleset_cmdlist {
> sub get_ebtables_cmdlist {
> my ($ruleset, $verbose) = @_;
>
> + return (wantarray ? ('', 0) : '') if ! keys (%$ruleset);
> my $changes = 0;
> my $cmdlist = "*filter\n";
>
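Review bot: The early return in get_ebtables_cmdlist silently turns an empty ruleset into "nothing to apply", and apply_ruleset then skips ebtables-restore on that basis, but neither place says so; a comment on the new line, `# empty ruleset (ebtables disabled): no cmdlist, so apply_ruleset leaves ebtables untouched`, would make the contract explicit. Stylistically `if ! keys (%$ruleset)` can be written `if !keys %$ruleset`, matching the postfix guards elsewhere in the file, and the `wantarray` branch should mirror whichever form the sub's final return uses, which lies outside the hunk. When `$verbose` is set the early return also prints nothing, so a verbose run gives no hint that ebtables handling was skipped; presumably the later code reports its changes, so a short verbose message here would keep that output consistent.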
> @@ -3995,7 +3999,7 @@ sub apply_ruleset {
>
> ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
>
> - ebtables_restore_cmdlist($ebtables_cmdlist);
> + ebtables_restore_cmdlist($ebtables_cmdlist) if $ebtables_cmdlist;
>
> $tmpfile = "$pve_fw_status_dir/ebtablescmdlist";
> PVE::Tools::file_set_contents($tmpfile, $ebtables_cmdlist || '');
> --
> 2.11.0