[pve-devel] [PATCH firewall v5 03/11] firewall: helpers: add sub for flushing conntrack entries by mark

Christoph Heiss c.heiss at proxmox.com
Wed Jul 30 11:45:37 CEST 2025 

A small helper routine for flushing all conntrack table entries which
are marked with a specific value.

Reviewed-by: Stefan Hanreich <s.hanreich at proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich at proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
Changes v1 -> v2:
  * no changes

Changes v2 -> v3:
  * rebased on trixie

Changes v3 -> v4:
  * rebased on latest master
  * added proper pod header

Changes v4 -> v5:
  * no changes

 debian/control              |  3 ++-
 src/PVE/Firewall/Helpers.pm | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index d8ca975..a420016 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,8 @@ Standards-Version: 4.6.2
 Package: pve-firewall
 Architecture: any
 Conflicts: ulogd,
-Depends: ebtables,
+Depends: conntrack,
+         ebtables,
          ipset,
          iptables,
          libpve-access-control,
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index 49e2a3d..fa3646c 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -17,6 +17,7 @@ our @EXPORT_OK = qw(
     remove_vmfw_conf
     clone_vmfw_conf
     collect_refs
+    flush_fw_ct_entries_by_mark
 );
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -198,6 +199,7 @@ Checks whether nftables is active via checking for the existence of the file
 C<$FORCE_NFT_DISABLE_FLAG_FILE>
 
 =cut
+
 sub is_nftables {
     return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
 }
@@ -209,9 +211,27 @@ firewall bridge in order for the current firewall configuration to work. This is
 the case when using pve-firewall (iptables) or bridges that use OVS.
 
 =cut
+
 sub needs_fwbr {
     my ($bridge_name) = @_;
     return !is_nftables() || PVE::Network::is_ovs_bridge($bridge_name);
 }
 
+=head3 flush_fw_ct_entries_by_mark($mark)
+
+Flushes all conntrack table entries which are CONNMARK'd with the given
+value in C<$mark>.
+
+=cut
+
+sub flush_fw_ct_entries_by_mark {
+    my ($mark) = @_;
+
+    PVE::Tools::run_command(
+        ['conntrack', '--delete', '--mark', $mark],
+        noerr => 1,
+        quiet => 1,
+    );
+}
+
 1;
-- 
2.49.0

More information about the pve-devel mailing list