[pve-devel] [PATCH pve-firewall 2/3] remove_pvefw_chains_iptables : don't commit if rules are already removed.
Alexandre Derumier
aderumier at odiso.com
Wed Jan 9 14:56:52 CET 2019
Currently, on every update we commit an empty ruleset even when the rules have already been removed.
---
src/PVE/Firewall.pm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 71327b0..1a9be89 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4135,7 +4135,8 @@ sub remove_pvefw_chains_iptables {
my ($iptablescmd) = @_;
my ($chash, $hooks) = iptables_get_chains($iptablescmd);
- my $cmdlist = "*filter\n";
+ my $cmdlist_prefix = "*filter\n";
+ my $cmdlist = "";
foreach my $h (qw(INPUT OUTPUT FORWARD)) {
if ($hooks->{$h}) {
@@ -4150,6 +4151,9 @@ sub remove_pvefw_chains_iptables {
foreach my $chain (keys %$chash) {
$cmdlist .= "-X $chain\n";
}
+
+ return if !$cmdlist;
+ $cmdlist = $cmdlist_prefix.$cmdlist;
$cmdlist .= "COMMIT\n";
if($iptablescmd eq "ip6tables") {
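Review bot: The new early exit `return if !$cmdlist;` in the second hunk has no comment saying that an empty list means no PVEFW hooks or chains were found, so the restore is skipped on purpose; I would add `# nothing left to remove, skip the empty COMMIT` above it. The test is also clearer as `return if $cmdlist eq '';`, and the next line reads better as `$cmdlist = $cmdlist_prefix . $cmdlist;`. iptables_get_chains is not visible here: if it can return empty results when reading the ruleset fails, this path would silently skip cleanup, so it is worth confirming that it dies on error rather than returning nothing. The body of remove_pvefw_chains_iptables continues past the end of the hunk.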
--
2.11.0