[pve-devel] [PATCH proxmox-firewall v2 1/1] service: flush firewall rules on force disable

Stefan Hanreich s.hanreich at proxmox.com
Thu Jul 4 14:36:48 CEST 2024


When disabling the nftables firewall again, there is a race condition
where the nftables ruleset never gets flushed and persists after
disabling.

The nftables firewall update loop does a noop when the force disable
file exists. It only flushes the ruleset when nftables is disabled in
the configuration file but the force disable file does not yet exist.

This can lead to the following situation:

* nftables is activated and created its ruleset
* user switches from nftables firewall back to iptables firewall
* pve-firewall runs and creates the force disable file
* proxmox-firewall sees that the file exists and does nothing

Reported-by: Hannes Laimer <h.laimer at proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
Changes from v1 to v2:
* Removed misleading/wrong section about the probability of this
  happening
* Added a detailed description of the scenario this commit prevents

 proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
index f7e816e..5133cbf 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
 
     while !term.load(Ordering::Relaxed) {
         if force_disable_flag.exists() {
+            if let Err(error) = remove_firewall() {
+                log::error!("unable to disable firewall: {error:#}");
+            }
+
             std::thread::sleep(Duration::from_secs(5));
             continue;
         }
-- 
2.39.2




More information about the pve-devel mailing list