[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
Stefan Hanreich
s.hanreich at proxmox.com
Thu Jul 4 14:37:26 CEST 2024
superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064439.html
On 5/29/24 15:25, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.
>
> Reported-by: Hannes Laimer <h.laimer at proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>
> while !term.load(Ordering::Relaxed) {
> if force_disable_flag.exists() {
> + if let Err(error) = remove_firewall() {
> + log::error!("unable to disable firewall: {error:#}");
> + }
> +
> std::thread::sleep(Duration::from_secs(5));
> continue;
> }
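Review bot: with this change `remove_firewall()` runs on every 5-second iteration for as long as `force_disable_flag` exists, so an already-flushed ruleset is flushed again each pass and a persistent failure is logged every five seconds. Consider remembering that the flush succeeded, for example a local `disabled: bool` that is set after `remove_firewall()` returns `Ok(())` and cleared once the flag file is gone, and only call `remove_firewall()` again while it is unset. The `continue` after the sleep is otherwise right, since the firewall must not be re-applied while the flag exists.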
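The race described in the commit message can be replayed with a small model of the daemon's main loop. This is an added example, not code from proxmox-firewall; it replaces the real `Path::exists` check, the config read and the nftables calls with an in-memory `Ruleset` and a scripted sequence of `Tick`s (which flag file state and which config state the loop observes on each pass), and the unpatched branch is modelled as "flag exists: only sleep", as in the hunk's context lines.

```rust
// Added example (not part of proxmox-firewall): a model of the daemon's
// main loop that shows why the ruleset could persist after a force disable.

/// Stand-in for the kernel's nftables ruleset. `loaded` is whether a
/// proxmox-firewall ruleset is currently installed; `flush_calls` counts how
/// often the loop asked for it to be removed.
#[derive(Debug, Default, Clone)]
pub struct Ruleset {
    pub loaded: bool,
    pub flush_calls: usize,
}

impl Ruleset {
    fn apply(&mut self) {
        self.loaded = true;
    }
    fn flush(&mut self) {
        self.loaded = false;
        self.flush_calls += 1;
    }
}

/// What one iteration of the loop observes (constructed; the real daemon
/// checks a flag file on disk and reads the cluster firewall config).
#[derive(Debug, Clone, Copy)]
pub struct Tick {
    /// Does the force-disable flag file exist at this pass?
    pub flag_exists: bool,
    /// Does the config still ask for the nftables firewall?
    pub nftables_enabled: bool,
}

/// Unpatched behaviour: while the flag exists the loop only sleeps, so the
/// ruleset is flushed only via the "disabled in config" path.
fn step_original(tick: Tick, rs: &mut Ruleset) {
    if tick.flag_exists {
        return; // sleep 5s; continue
    }
    if tick.nftables_enabled {
        rs.apply();
    } else {
        rs.flush();
    }
}

/// Patched behaviour: the flag branch flushes before sleeping.
fn step_patched(tick: Tick, rs: &mut Ruleset) {
    if tick.flag_exists {
        rs.flush(); // remove_firewall()
        return; // sleep 5s; continue
    }
    if tick.nftables_enabled {
        rs.apply();
    } else {
        rs.flush();
    }
}

pub fn run_original(ticks: &[Tick]) -> Ruleset {
    let mut rs = Ruleset::default();
    ticks.iter().for_each(|&t| step_original(t, &mut rs));
    rs
}

pub fn run_patched(ticks: &[Tick]) -> Ruleset {
    let mut rs = Ruleset::default();
    ticks.iter().for_each(|&t| step_patched(t, &mut rs));
    rs
}

/// The losing interleaving: the config is switched off and the flag is
/// created between two passes, so the loop never sees "disabled, no flag".
pub fn race_schedule() -> Vec<Tick> {
    vec![
        Tick { flag_exists: false, nftables_enabled: true },
        Tick { flag_exists: true, nftables_enabled: false },
        Tick { flag_exists: true, nftables_enabled: false },
    ]
}

/// The common interleaving: one pass observes the config change before the
/// flag appears, which is why the bug was rarely seen in practice.
pub fn benign_schedule() -> Vec<Tick> {
    vec![
        Tick { flag_exists: false, nftables_enabled: true },
        Tick { flag_exists: false, nftables_enabled: false },
        Tick { flag_exists: true, nftables_enabled: false },
    ]
}

fn main() {
    let race = race_schedule();
    println!("race, original: {:?}", run_original(&race));
    println!("race, patched:  {:?}", run_patched(&race));
    println!("benign, original: {:?}", run_original(&benign_schedule()));
}
```

With the racing schedule the unpatched loop leaves `loaded: true` forever; the patched loop flushes on the first pass that sees the flag, and the `flush_calls` count also shows that it keeps flushing on every later pass while the flag is present.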