[pve-devel] [PATCH firewall v5 03/11] firewall: helpers: add sub for flushing conntrack entries by mark
Christoph Heiss
c.heiss at proxmox.com
Wed Jul 30 11:45:37 CEST 2025
A small helper routine for flushing all conntrack table entries which
are marked with a specific value.
Reviewed-by: Stefan Hanreich <s.hanreich at proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich at proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
Changes v1 -> v2:
* no changes
Changes v2 -> v3:
* rebased on trixie
Changes v3 -> v4:
* rebased on latest master
* added proper pod header
Changes v4 -> v5:
* no changes
debian/control | 3 ++-
src/PVE/Firewall/Helpers.pm | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index d8ca975..a420016 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,8 @@ Standards-Version: 4.6.2
Package: pve-firewall
Architecture: any
Conflicts: ulogd,
-Depends: ebtables,
+Depends: conntrack,
+ ebtables,
ipset,
iptables,
libpve-access-control,
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index 49e2a3d..fa3646c 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -17,6 +17,7 @@ our @EXPORT_OK = qw(
remove_vmfw_conf
clone_vmfw_conf
collect_refs
+ flush_fw_ct_entries_by_mark
);
my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -198,6 +199,7 @@ Checks whether nftables is active via checking for the existence of the file
C<$FORCE_NFT_DISABLE_FLAG_FILE>
=cut
+
sub is_nftables {
return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
}
@@ -209,9 +211,27 @@ firewall bridge in order for the current firewall configuration to work. This is
the case when using pve-firewall (iptables) or bridges that use OVS.
=cut
+
sub needs_fwbr {
my ($bridge_name) = @_;
return !is_nftables() || PVE::Network::is_ovs_bridge($bridge_name);
}
+=head3 flush_fw_ct_entries_by_mark($mark)
+
+Flushes all conntrack table entries which are CONNMARK'd with the given
+value in C<$mark>.
+
+=cut
+
+sub flush_fw_ct_entries_by_mark {
+ my ($mark) = @_;
+
+ PVE::Tools::run_command(
+ ['conntrack', '--delete', '--mark', $mark],
+ noerr => 1,
+ quiet => 1,
+ );
+}
+
1;
--
2.49.0
More information about the pve-devel
mailing list