[pve-devel] [RFC firewall] ebtables: remove PVE chains properly
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Jul 8 12:03:12 CEST 2019
On Mon, Jul 08, 2019 at 10:38:26AM +0200, Thomas Lamprecht wrote:
> On 7/8/19 at 9:33 AM, Fabian Grünbichler wrote:
> > when globally disabling the FW, or on shutdown of firewall service.
> > otherwise, ebtables rules are leftover (and perpetually displayed as
> > pending changes as well).
> >
> > the actual removal is done by taking the same code path as when
> > disabling just ebtables on the cluster level, i.e. applying an empty
> > ruleset.
> >
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> > ---
> >
> > Notes:
> > another approach would be to make ebtables_get_chains more like
> > iptables_get_chains, and then re-use remove_pvefw_chains_iptables..
> >
> > should backport cleanly to stable-5
> >
> > src/PVE/Firewall.pm | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> > index 96c45e9..4147f87 100644
> > --- a/src/PVE/Firewall.pm
> > +++ b/src/PVE/Firewall.pm
> > @@ -4269,6 +4269,7 @@ sub remove_pvefw_chains {
> > PVE::Firewall::remove_pvefw_chains_iptables("iptables");
> > PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
> > PVE::Firewall::remove_pvefw_chains_ipset();
> > + PVE::Firewall::remove_pvefw_chains_ebtables();
> >
> > }
> >
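Review bot: the added `PVE::Firewall::remove_pvefw_chains_ebtables();` call deserves a short comment here explaining that, unlike the iptables, ip6tables and ipset removals above it, it works by applying an empty ebtables ruleset through get_ebtables_cmdlist rather than by enumerating PVE-owned chains; the alternative mentioned in the notes (making ebtables_get_chains mirror iptables_get_chains so remove_pvefw_chains_iptables can be reused) would remove that asymmetry altogether.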
> > @@ -4314,6 +4315,12 @@ sub remove_pvefw_chains_ipset {
> > ipset_restore_cmdlist($cmdlist) if $cmdlist;
> > }
> >
> > +sub remove_pvefw_chains_ebtables {
> > + # empty ruleset == ebtables disabled
> > + my ($cmdlist, $changes) = get_ebtables_cmdlist({});
> > + ebtables_restore_cmdlist($cmdlist) if $changes && $cmdlist;
>
> $cmdlist is always true here..
true, and $changes is only 1 for anything besides exists/ignore/delete
(the latter seems incorrect IMHO, since both ipset and iptables treat
deletions as changes).
will send a v2..
> Also while it is not too useful to flush the rules if no changes
> (i.e., an already emptied ebtables ruleset) are detected we could do
> it anyway, e.g. a simple (untested):
>
> ebtables_restore_cmdlist("*filter\n");
that would also remove rules set by the admin, AFAICT?
>
> > +}
> > +
> > sub init {
> > my $cluster_conf = load_clusterfw_conf();
> > my $cluster_options = $cluster_conf->{options};
> >
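Review bot: the `$changes && $cmdlist` guard on `ebtables_restore_cmdlist($cmdlist)` in the new remove_pvefw_chains_ebtables is the logic problem in this hunk: as the thread notes, `$cmdlist` is always set, and `$changes` is not raised for deletions, so with the empty config passed to get_ebtables_cmdlist({}) the very deletions this function exists to apply can be skipped and the PVE chains stay behind. Make get_ebtables_cmdlist count deletions as changes (consistent with the ipset and iptables code paths) and drop the now redundant `$cmdlist` check; the unconditional `ebtables_restore_cmdlist("*filter\n")` suggested above is simpler but, as pointed out, would also flush rules the admin added outside PVE, so fixing the change detection is the safer route.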
>