[pve-devel] [PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Aug 7 10:58:18 CEST 2019
On April 11, 2019 12:03 pm, Christian Ebner wrote:
> The tap rules for each of the NICs should only be generated if the VM firewall
> is enabled, analogous to the current behaviour for CTs.
applied this in spirit, but merged the check into the return for
non-existing guest firewall configs (+ a whitespace cleanup followup +
cherry-pick to stable-5):
>From bd60a824555eec55e08909ca189d49962761c93b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
Date: Wed, 7 Aug 2019 09:25:36 +0200
Subject: [PATCH firewall] skip tap rule generation if vmfw is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
like for containers, and adapt code style to be identical.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/PVE/Firewall.pm | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0e15090..ff494d6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3592,7 +3592,7 @@ sub compile_iptables_filter {
eval {
my $conf = $vmdata->{qemu}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
- return if !$vmfw_conf;
+ return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
foreach my $netid (sort keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
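Review bot: The new `return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};` skips every tap rule for a QEMU guest whose firewall config exists but is not enabled, so if generate_tap_rules_direction (called further down, outside this hunk) also consults `options->{enable}` internally, that check becomes dead for this caller and it should be confirmed that it emitted nothing for disabled guests before — otherwise guests with a present-but-disabled config lose rules they previously received. Reading `$vmfw_conf->{options}->{enable}` as an rvalue also autovivifies an empty `options` hash inside the shared `$vmfw_configs->{$vmid}` entry when that key is absent; this is harmless unless later code tests `exists`, and `!($vmfw_conf->{options} && $vmfw_conf->{options}->{enable})` avoids it. A short comment would help readers who stumble over `return` inside `eval`: `# leaves only the eval block; guests without an enabled firewall get no tap rules at all`. The eval block and the body of compile_iptables_filter both continue past the end of this hunk, and the identical condition is repeated in the lxc hunk below.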
@@ -3615,9 +3615,7 @@ sub compile_iptables_filter {
eval {
my $conf = $vmdata->{lxc}->{$vmid};
my $vmfw_conf = $vmfw_configs->{$vmid};
- return if !$vmfw_conf;
-
- if ($vmfw_conf->{options}->{enable}) {
+ return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
foreach my $netid (sort keys %$conf) {
next if $netid !~ m/^net(\d+)$/;
my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
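Review bot: The enable check on the added `return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};` line is now written out twice, once here and once in the qemu branch above, so a later change to what "enabled" means (for example honouring a cluster-wide override) has to be made in two places. A small lexical helper declared once before both eval blocks, `my $guest_fw_enabled = sub { my ($fw) = @_; return $fw && $fw->{options} && $fw->{options}->{enable}; };`, used as `return if !$guest_fw_enabled->($vmfw_conf);` in both branches, keeps the two guest types in lockstep. The eval block and the enclosing sub continue outside this hunk.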
@@ -3628,7 +3626,6 @@ sub compile_iptables_filter {
$vmfw_conf, $vmid, 'IN', $ipversion);
generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'OUT', $ipversion);
- }
}
};
warn $@ if $@; # just to be sure - should not happen
--
2.20.1
>
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
> src/PVE/Firewall.pm | 24 +++++++++++++-----------
> 1 file changed, 13 insertions(+), 11 deletions(-)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 48e6300..91e21ed 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -3572,17 +3572,19 @@ sub compile_iptables_filter {
> my $vmfw_conf = $vmfw_configs->{$vmid};
> return if !$vmfw_conf;
>
> - foreach my $netid (sort keys %$conf) {
> - next if $netid !~ m/^net(\d+)$/;
> - my $net = PVE::QemuServer::parse_net($conf->{$netid});
> - next if !$net->{firewall};
> - my $iface = "tap${vmid}i$1";
> -
> - my $macaddr = $net->{macaddr};
> - generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> - $vmfw_conf, $vmid, 'IN', $ipversion);
> - generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> - $vmfw_conf, $vmid, 'OUT', $ipversion);
> + if ($vmfw_conf->{options}->{enable}) {
> + foreach my $netid (sort keys %$conf) {
> + next if $netid !~ m/^net(\d+)$/;
> + my $net = PVE::QemuServer::parse_net($conf->{$netid});
> + next if !$net->{firewall};
> + my $iface = "tap${vmid}i$1";
> +
> + my $macaddr = $net->{macaddr};
> + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> + $vmfw_conf, $vmid, 'IN', $ipversion);
> + generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> + $vmfw_conf, $vmid, 'OUT', $ipversion);
> + }
> }
> };
> warn $@ if $@; # just to be sure - should not happen
> --
> 2.11.0
>