[pve-devel] [PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Aug 7 10:58:18 CEST 2019


On April 11, 2019 12:03 pm, Christian Ebner wrote:
> Only if the VM firewall is enabled, the tap rules for each of the NICs should be
> generated, analogous to the current behaviour for CTs.

applied this in spirit, but merged the check into the return for 
non-existing guest firewall configs (+ a whitespace cleanup followup + 
cherry-pick to stable-5):

>From bd60a824555eec55e08909ca189d49962761c93b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler at proxmox.com>
Date: Wed, 7 Aug 2019 09:25:36 +0200
Subject: [PATCH firewall] skip tap rule generation if vmfw is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

like for containers, and adapt code style to be identical.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/PVE/Firewall.pm | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0e15090..ff494d6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3592,7 +3592,7 @@ sub compile_iptables_filter {
 	eval {
 	    my $conf = $vmdata->{qemu}->{$vmid};
 	    my $vmfw_conf = $vmfw_configs->{$vmid};
-	    return if !$vmfw_conf;
+	    return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 
 	    foreach my $netid (sort keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
@@ -3615,9 +3615,7 @@ sub compile_iptables_filter {
         eval {
             my $conf = $vmdata->{lxc}->{$vmid};
             my $vmfw_conf = $vmfw_configs->{$vmid};
-            return if !$vmfw_conf;
-
-            if ($vmfw_conf->{options}->{enable}) {
+	     return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 		foreach my $netid (sort keys %$conf) {
                     next if $netid !~ m/^net(\d+)$/;
                     my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
@@ -3628,7 +3626,6 @@ sub compile_iptables_filter {
                                                  $vmfw_conf, $vmid, 'IN', $ipversion);
                     generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
                                                  $vmfw_conf, $vmid, 'OUT', $ipversion);
-		}
             }
         };
         warn $@ if $@; # just to be sure - should not happen

-- 
2.20.1

> 
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 24 +++++++++++++-----------
>  1 file changed, 13 insertions(+), 11 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 48e6300..91e21ed 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -3572,17 +3572,19 @@ sub compile_iptables_filter {
>  	    my $vmfw_conf = $vmfw_configs->{$vmid};
>  	    return if !$vmfw_conf;
>  
> -	    foreach my $netid (sort keys %$conf) {
> -		next if $netid !~ m/^net(\d+)$/;
> -		my $net = PVE::QemuServer::parse_net($conf->{$netid});
> -		next if !$net->{firewall};
> -		my $iface = "tap${vmid}i$1";
> -
> -		my $macaddr = $net->{macaddr};
> -		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> -					     $vmfw_conf, $vmid, 'IN', $ipversion);
> -		generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> -					     $vmfw_conf, $vmid, 'OUT', $ipversion);
> +            if ($vmfw_conf->{options}->{enable}) {
> +		foreach my $netid (sort keys %$conf) {
> +		    next if $netid !~ m/^net(\d+)$/;
> +		    my $net = PVE::QemuServer::parse_net($conf->{$netid});
> +		    next if !$net->{firewall};
> +		    my $iface = "tap${vmid}i$1";
> +
> +		    my $macaddr = $net->{macaddr};
> +		    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> +						 $vmfw_conf, $vmid, 'IN', $ipversion);
> +		    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
> +						 $vmfw_conf, $vmid, 'OUT', $ipversion);
> +		}
>  	    }
>  	};
>  	warn $@ if $@; # just to be sure - should not happen
> -- 
> 2.11.0
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 



More information about the pve-devel mailing list