[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[Fabian Grünbichler]

Quoting Stefan Hanreich (2024-05-29 15:25:26)
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.

so if I understand this correctly, it should handle the following case:

proxmox-firewall runs and sets up NFT rules
user disables NFT
pve-firewall runs and sets up legacy rules and force disable file
proxmox-firewall runs and disables NFT rules

as opposed to the following sequence

proxmox-firewall runs and sets up NFT rules
user disables NFT
proxmox-firewall runs and disables NFT rules
pve-firewall runs and sets up legacy rules and force disable file

which is already handled..

I don't see why the first cast should "almost never happen", just because the
loops have a different period - it all comes down to alignment of the periods
and timing of the user action?

in other words, you have a sequence

0:    N
5:    N
5+X:  L
10:   N
15:   N
15+X: L
20:   N
25:   N
25+X: L

where the gap between N and N is 5 seconds, and the gap between N and L and L
and N together is also 5 seconds. on average (assuming random alignment of the
periods), there's an X=2.5s window (out of 10) that the user action must hit to
trigger the issue (in the gap between L and N, since X can be between 0 and
5s)?

FWIW, the change itself looks good to me, but the commit message might need
some adaptation ;)

> 
> Reported-by: Hannes Laimer <h.laimer at proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>  
>      while !term.load(Ordering::Relaxed) {
>          if force_disable_flag.exists() {
> +            if let Err(error) = remove_firewall() {
> +                log::error!("unable to disable firewall: {error:#}");
> +            }
> +
>              std::thread::sleep(Duration::from_secs(5));
>              continue;
>          }
> -- 
> 2.39.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
>