[pve-devel] [PATCH pve-firewall 2/3] remove_pvefw_chains_iptables : don't commit if rules are already removed.

Alexandre Derumier aderumier at odiso.com
Wed Jan 9 14:56:52 CET 2019


Currently, on each update we commit an empty rule set even when the rules have already been removed.
---
 src/PVE/Firewall.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 71327b0..1a9be89 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4135,7 +4135,8 @@ sub remove_pvefw_chains_iptables {
     my ($iptablescmd) = @_;
 
     my ($chash, $hooks) = iptables_get_chains($iptablescmd);
-    my $cmdlist = "*filter\n";
+    my $cmdlist_prefix = "*filter\n";
+    my $cmdlist = "";
 
     foreach my $h (qw(INPUT OUTPUT FORWARD)) {
 	if ($hooks->{$h}) {
@@ -4150,6 +4151,9 @@ sub remove_pvefw_chains_iptables {
     foreach my $chain (keys %$chash) {
 	$cmdlist .= "-X $chain\n";
     }
+
+    return if !$cmdlist;
+    $cmdlist = $cmdlist_prefix.$cmdlist;
     $cmdlist .= "COMMIT\n";
 
     if($iptablescmd eq "ip6tables") {
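Review bot: The early `return if !$cmdlist;` changes what this sub hands back to callers — previously it always ran through to the restore step, now it silently returns an empty list when nothing is queued — and the hunk gives no hint whether any caller inspects that value; a one-line comment would make the intent explicit, e.g. `# nothing to delete: skip the iptables-restore round-trip and leave the running ruleset untouched`. The `$cmdlist_prefix` variable introduced in the previous hunk exists only to be re-joined here, so the same logic reads more directly as `return if !$cmdlist;` followed by `$cmdlist = "*filter\n" . $cmdlist . "COMMIT\n";`, which drops the extra variable and keeps the batch header and footer together. The sub's tail (the ip6tables branch and the restore call) continues outside the hunk, so I could not confirm there whether the skipped restore has other side effects callers rely on.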
-- 
2.11.0



