[pve-devel] [PATCH pve-firewall v4 5/9] nftables: make is_nftables check flag file instead of config
Stefan Hanreich
s.hanreich at proxmox.com
Fri Nov 15 13:09:33 CET 2024
is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.
It also avoids parsing the entire cluster and host firewall
configuration on VM / CT startup, which improves performance.
While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/PVE/Firewall.pm | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7642bf6..bfaa33a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4727,7 +4727,14 @@ sub remove_pvefw_chains_ebtables {
ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
}
+# This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
+my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
+
sub is_nftables {
+ return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
+}
+
+my sub get_nftables_option {
my ($cluster_conf, $host_conf) = @_;
if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
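Review bot: `return !-e $FORCE_NFT_DISABLE_FLAG_FILE;` treats a missing flag file as "nftables enabled", but the file lives under /run and is only written by update_force_nftables_disable_flag(), so after a reboot, before that sub has run, is_nftables() reports true regardless of the configured option and regardless of the `-x /usr/libexec/proxmox/proxmox-firewall` check that get_nftables_option still performs. Whether guest startup can precede the writer is not visible in this hunk, but the ordering dependency should be stated at the constant, whose existing comment only mentions proxmox-firewall's log-spam use even though it now also backs is_nftables(). Suggested comment on the constant: `# Absence of this file means "nftables enabled": is_nftables() only reflects the config once update_force_nftables_disable_flag() has run since boot (/run is normally cleared on reboot).` get_nftables_option's body continues past the end of the hunk.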
@@ -4743,9 +4750,6 @@ sub is_nftables {
my sub update_force_nftables_disable_flag {
my ($cluster_firewall_enabled, $is_nftables) = @_;
- # This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
- my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
-
if (!($cluster_firewall_enabled && $is_nftables)) {
if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
@@ -4757,13 +4761,13 @@ my sub update_force_nftables_disable_flag {
}
}
-sub is_enabled_and_not_nftables {
+my sub is_enabled_and_not_nftables {
my ($cluster_conf, $host_conf) = @_;
$cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
$host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
- my $is_nftables = is_nftables($cluster_conf, $host_conf);
+ my $is_nftables = get_nftables_option($cluster_conf, $host_conf);
update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);
--
2.39.5