[pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jul 27 15:07:52 CEST 2022


we only ever add rules to the filter table; without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
still waiting on OP to report whether there is yet another issue
observed which is unrelated to ebtables - but this (wrong) behaviour I
can reproduce, and it is fixed with this patch ;)

 src/PVE/Firewall.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 71746d2..5edb72d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
 	my $line = shift;
 	return if $line =~ m/^#/;
 	return if $line =~ m/^\s*$/;
+	if ($line =~ m/^\*(\S+)$/) {
+	    $table = $1;
+	    return;
+	}
+
+	return if $table ne "filter";
+
 	if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 	    # Make sure we know chains exist even if they're empty.
 	    $chains->{$1} //= [];
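Review bot: `$table` is declared but never initialised, so the guard `return if $table ne "filter";` compares undef against a string (an "uninitialized value" warning under `use warnings`) for any line that precedes the first `*<table>` header in the ebtables-save output. Initialising it as `my $table = '';` or writing the guard as `return if !defined($table) || $table ne 'filter';` avoids that and makes the intent explicit: lines outside a recognised table header are ignored. A short comment above the new `*<table>` match stating that only the filter table is parsed would also document the behavioural change the commit message describes.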
-- 
2.30.2