[pve-devel] [PATCH firewall] ebtables: keep policy of custom chains

Stoiko Ivanov s.ivanov at proxmox.com
Tue Jun 2 10:06:17 CEST 2020


currently all ebtables chains are created with a hardcoded policy of ACCEPT.
This patch changes the functionality to store the configured policy of a
chain while reading the 'ebtables-save' output and uses this policy when
creating the command list.

This is only relevant for ebtables chains not generated by pve-firewall (the
ones having an action of 'ignore' in the status-hash).

Reported on the pve-user list:
https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html

Minimally tested with the example from the thread.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PVE/Firewall.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a2105e5..97670fd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1944,9 +1944,10 @@ sub ebtables_get_chains {
 	my $line = shift;
 	return if $line =~ m/^#/;
 	return if $line =~ m/^\s*$/;
-	if ($line =~ m/^:(\S+)\s\S+$/) {
+	if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 	    # Make sure we know chains exist even if they're empty.
 	    $chains->{$1} //= [];
+	    $res->{$1}->{policy} = $2;
 	} elsif ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) {
 	    my $chain = $1;
 	    $line =~ s/\s+$//;
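Review bot: The narrowed pattern on the new `if` line turns a `:chain POLICY` line with any token other than ACCEPT/DROP/RETURN into a silent no-op, because the `elsif` needs three whitespace-separated fields and so does not match a two-field chain declaration either; before this change any single-token policy still registered the chain in `$chains`. Since the value is re-emitted into the ebtables command list later, an allowlist is the right idea, but it is better applied explicitly after a `\S+` capture so that an unexpected policy is reported instead of dropping the chain declaration. I would capture both fields into named lexicals, register the chain unconditionally, and only record the policy when it passes the allowlist, warning otherwise so the default ACCEPT applies visibly rather than silently. The enclosing `ebtables_get_chains` and the parser closure it defines start above this hunk and the closure body continues past it.
```perl
	return if $line =~ m/^\s*$/;
	if ($line =~ m/^:(\S+)\s(\S+)$/) {
	    my ($chain, $policy) = ($1, $2);
	    # Make sure we know chains exist even if they're empty.
	    $chains->{$chain} //= [];
	    # Only a known policy is recorded; it is interpolated into the
	    # ebtables command list later, so anything else is reported here.
	    if ($policy =~ m/^(?:ACCEPT|DROP|RETURN)$/) {
		$res->{$chain}->{policy} = $policy;
	    } else {
		warn "ebtables chain '$chain': unexpected policy '$policy' ignored\n";
	    }
	# … unchanged: elsif branch parsing rule lines …
```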
@@ -4063,6 +4064,7 @@ sub get_ruleset_status {
 	if (defined($change_only_regex)) {
 	    $action = 'ignore' if ($chain !~ m/$change_only_regex/);
 	    $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
+	    $statushash->{$chain}->{policy} = $active_chains->{$chain}->{policy};
 	    $sig = $sig->{sig};
 	}
 	$statushash->{$chain}->{action} = $action;
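Review bot: The added line copies the active policy for every chain inside the `change_only_regex` branch, not only for the ones whose action was just set to 'ignore' on the line above, so a pve-firewall-managed chain whose policy was changed by hand would, as far as I can tell from this hunk, keep that policy on the next ruleset compile instead of being reset to ACCEPT; the signature comparison (`$sig->{sig}`) does not appear to cover the policy, so the drift would also go unreported. The commit message states the change is only relevant for chains with action 'ignore', and restricting the copy to that case matches it: `$statushash->{$chain}->{policy} = $active_chains->{$chain}->{policy} if $action eq 'ignore';`. `get_ruleset_status` starts and ends outside this hunk, so I may be missing a later assignment that narrows this.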
@@ -4163,7 +4165,8 @@ sub get_ebtables_cmdlist {
     my $pve_include = 0;
     foreach my $chain (sort keys %$statushash) {
 	next if ($statushash->{$chain}->{action} eq 'delete');
-	$cmdlist .= ":$chain ACCEPT\n";
+	my $policy = $statushash->{$chain}->{policy} // 'ACCEPT';
+	$cmdlist .= ":$chain $policy\n";
 	$pve_include = 1 if ($chain eq 'PVEFW-FORWARD');
     }
 
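Review bot: The new `$policy` line would benefit from a short why-comment, since the reader cannot see from this function that the policy is only populated for chains read back from ebtables-save and that the `// 'ACCEPT'` fallback is what every chain pve-firewall creates itself receives; something like `# policy is recorded only for pre-existing chains (see ebtables_get_chains); chains created here get ACCEPT`. As written, whatever string ends up in `{policy}` is interpolated straight into the ebtables command list, so the value's origin and the allowlist that constrains it are worth naming at this point. The enclosing `get_ebtables_cmdlist` continues past this hunk.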
-- 
2.20.1




