[pve-devel] [PATCH pve-firewall] remove_pvefw_chains : flush conntrack

Alexandre Derumier aderumier at odiso.com
Fri Feb 15 11:56:39 CET 2019


avoid invalid state if we reenable firewall later
---
 debian/control      | 3 ++-
 src/PVE/Firewall.pm | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index a38250d..33fc666 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,8 @@ Standards-Version: 3.8.4
 Package: pve-firewall
 Architecture: any
 Conflicts: ulogd,
-Depends: ebtables,
+Depends: conntrack,
+         ebtables,
          ipset,
          iptables,
          libpve-access-control,
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8e057be..4bcde6d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4128,7 +4128,11 @@ sub remove_pvefw_chains {
     PVE::Firewall::remove_pvefw_chains_iptables("iptables");
     PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
     PVE::Firewall::remove_pvefw_chains_ipset();
+    PVE::Firewall::flush_conntrack();
+}
 
+sub flush_conntrack {
+    run_command(['/usr/sbin/conntrack', '-F']) if -e '/usr/sbin/conntrack';
 }
 
 sub remove_pvefw_chains_iptables {
-- 
2.11.0



More information about the pve-devel mailing list