* [pve-devel] [PATCH proxmox-firewall 1/1] guest: do not try to create map entries if there are no devices
@ 2025-04-08 13:41 Stefan Hanreich
2025-04-08 13:54 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Stefan Hanreich @ 2025-04-08 13:41 UTC (permalink / raw)
To: pve-devel
When the firewall was enabled for a guest, but disabled for all
interfaces of a guest, the firewall tried to add an empty list to the
guest map, which is an invalid nftables statement.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/firewall.rs | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index e1c9351..086b96c 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -955,7 +955,7 @@ impl Firewall {
let network_devices = config.network_config().network_devices();
if !network_devices.is_empty() {
- let map_elements = network_devices
+ let map_elements: Vec<(Expression, MapValue)> = network_devices
.iter()
.filter(|(_, device)| device.has_firewall())
.map(|(index, _)| {
@@ -965,12 +965,15 @@ impl Firewall {
target: chain.name().to_string(),
}),
)
- });
+ })
+ .collect();
- commands.push(Add::element(AddElement::map_from_expressions(
- Self::guest_vmap(direction),
- map_elements,
- )));
+ if !map_elements.is_empty() {
+ commands.push(Add::element(AddElement::map_from_expressions(
+ Self::guest_vmap(direction),
+ map_elements,
+ )));
+ }
}
self.create_log_rule(
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-04-08 13:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-04-08 13:41 [pve-devel] [PATCH proxmox-firewall 1/1] guest: do not try to create map entries if there are no devices Stefan Hanreich
2025-04-08 13:54 ` [pve-devel] applied: " Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal