* [pve-devel] [PATCH proxmox-firewall 1/1] guest: do not try to create map entries if there are no devices
@ 2025-04-08 13:41 Stefan Hanreich
  2025-04-08 13:54 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Stefan Hanreich @ 2025-04-08 13:41 UTC (permalink / raw)
  To: pve-devel

When the firewall was enabled for a guest, but disabled for all
interfaces of a guest, the firewall tried to add an empty list to the
guest map, which is an invalid nftables statement.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/src/firewall.rs | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index e1c9351..086b96c 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -955,7 +955,7 @@ impl Firewall {
         let network_devices = config.network_config().network_devices();
 
         if !network_devices.is_empty() {
-            let map_elements = network_devices
+            let map_elements: Vec<(Expression, MapValue)> = network_devices
                 .iter()
                 .filter(|(_, device)| device.has_firewall())
                 .map(|(index, _)| {
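Review bot: The outer 'if !network_devices.is_empty()' guard in the context
just above the changed line becomes redundant once the filtered elements are
collected into a Vec and checked for emptiness further down: an empty device
list also produces an empty map_elements. Consider dropping the outer check so
there is a single condition and one less nesting level.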
@@ -965,12 +965,15 @@ impl Firewall {
                             target: chain.name().to_string(),
                         }),
                     )
-                });
+                })
+                .collect();
 
-            commands.push(Add::element(AddElement::map_from_expressions(
-                Self::guest_vmap(direction),
-                map_elements,
-            )));
+            if !map_elements.is_empty() {
+                commands.push(Add::element(AddElement::map_from_expressions(
+                    Self::guest_vmap(direction),
+                    map_elements,
+                )));
+            }
         }
 
         self.create_log_rule(
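Review bot: The new 'if !map_elements.is_empty()' guard carries no comment
saying why the push is skipped. A short comment stating that adding an empty
element list to the guest vmap is an invalid nftables statement (as the commit
message explains) would keep the check from being removed as dead code later.
A regression test for a guest with the firewall enabled but no
firewall-enabled interface would pin the behaviour down.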
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] applied: [PATCH proxmox-firewall 1/1] guest: do not try to create map entries if there are no devices
  2025-04-08 13:41 [pve-devel] [PATCH proxmox-firewall 1/1] guest: do not try to create map entries if there are no devices Stefan Hanreich
@ 2025-04-08 13:54 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-04-08 13:54 UTC (permalink / raw)
  To: pve-devel, Stefan Hanreich

On Tue, 08 Apr 2025 15:41:35 +0200, Stefan Hanreich wrote:
> When the firewall was enabled for a guest, but disabled for all
> interfaces of a guest, the firewall tried to add an empty list to the
> guest map, which is an invalid nftables statement.
> 
> 

Applied, thanks!

[1/1] guest: do not try to create map entries if there are no devices
      commit: f16e60bc091892ad1c8576f034642d3f980c1357

