[pve-devel] [PATCH pve-firewall] remove_pvefw_chains : flush conntrack
Alexandre Derumier
aderumier at odiso.com
Fri Feb 15 11:56:39 CET 2019
avoid invalid state if we reenable firewall later
---
debian/control | 3 ++-
src/PVE/Firewall.pm | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index a38250d..33fc666 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,8 @@ Standards-Version: 3.8.4
Package: pve-firewall
Architecture: any
Conflicts: ulogd,
-Depends: ebtables,
+Depends: conntrack,
+ ebtables,
ipset,
iptables,
libpve-access-control,
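Review bot: The new `Depends: conntrack,` line makes the tool a hard dependency, while the code that uses it in src/PVE/Firewall.pm still tests `-e '/usr/sbin/conntrack'` before calling it, so the two halves of the patch disagree about whether the binary can be missing. Pick one: keep the hard Depends and call the tool unconditionally, or keep the runtime check and downgrade this to Recommends. The commit message should also say why the package is now required, since it only mentions the invalid state.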
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8e057be..4bcde6d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4128,7 +4128,11 @@ sub remove_pvefw_chains {
PVE::Firewall::remove_pvefw_chains_iptables("iptables");
PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
PVE::Firewall::remove_pvefw_chains_ipset();
+ PVE::Firewall::flush_conntrack();
+}
+sub flush_conntrack {
+ run_command(['/usr/sbin/conntrack', '-F']) if -e '/usr/sbin/conntrack';
}
sub remove_pvefw_chains_iptables {
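Review bot: In flush_conntrack, `conntrack -F` clears the host's entire connection tracking table, not only entries created under the pve-firewall chains, and nothing in the sub or the commit message documents that this is intended. Add a comment above `sub flush_conntrack` stating the scope and why a full flush is acceptable when remove_pvefw_chains runs, or narrow the flush if only some entries need to go. Separately, the trailing `if -e '/usr/sbin/conntrack'` skips the flush silently when the binary is absent, which leaves the stale state the commit message wants to avoid with no trace in the log; warn in that case or drop the guard. A blank line between the closing brace of remove_pvefw_chains and the new sub would match the file's spacing between subs.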
--
2.11.0