[pve-devel] [PATCH firewall] ebtables: keep policy of custom chains

Stoiko Ivanov s.ivanov at proxmox.com
Tue Jun 2 10:12:19 CEST 2020 

missed that there was a bugzilla issue for this:

this fixes #2773

On Tue,  2 Jun 2020 10:06:17 +0200
Stoiko Ivanov <s.ivanov at proxmox.com> wrote:

> currently all ebtalbes chains are created with a hardcoded policy of ACCEPT.
> This patch changes the functionality to store the configured policy of a
> chain while reading the 'ebtables-save' output and uses this policy when
> creating the command list.
> 
> This is only relevant for ebtablers chains not generated by pve-firewall (the
> ones having an action of 'ignore' in the status-hash).
> 
> Reported on the pve-user list:
> https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html
> 
> Minimally tested with the example from the thread.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index a2105e5..97670fd 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1944,9 +1944,10 @@ sub ebtables_get_chains {
>  	my $line = shift;
>  	return if $line =~ m/^#/;
>  	return if $line =~ m/^\s*$/;
> -	if ($line =~ m/^:(\S+)\s\S+$/) {
> +	if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
>  	    # Make sure we know chains exist even if they're empty.
>  	    $chains->{$1} //= [];
> +	    $res->{$1}->{policy} = $2;
>  	} elsif ($line =~ m/^(?:\S+)\s(\S+)\s(?:\S+).*/) {
>  	    my $chain = $1;
>  	    $line =~ s/\s+$//;
> @@ -4063,6 +4064,7 @@ sub get_ruleset_status {
>  	if (defined($change_only_regex)) {
>  	    $action = 'ignore' if ($chain !~ m/$change_only_regex/);
>  	    $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
> +	    $statushash->{$chain}->{policy} = $active_chains->{$chain}->{policy};
>  	    $sig = $sig->{sig};
>  	}
>  	$statushash->{$chain}->{action} = $action;
> @@ -4163,7 +4165,8 @@ sub get_ebtables_cmdlist {
>      my $pve_include = 0;
>      foreach my $chain (sort keys %$statushash) {
>  	next if ($statushash->{$chain}->{action} eq 'delete');
> -	$cmdlist .= ":$chain ACCEPT\n";
> +	my $policy = $statushash->{$chain}->{policy} // 'ACCEPT';
> +	$cmdlist .= ":$chain $policy\n";
>  	$pve_include = 1 if ($chain eq 'PVEFW-FORWARD');
>      }
>

More information about the pve-devel mailing list