From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall v4 04/14] firewall: helpers: add sub for flushing conntrack entries by mark
Date: Thu, 17 Jul 2025 16:15:20 +0200
Message-ID: <20250717141530.1471199-5-c.heiss@proxmox.com>
In-Reply-To: <20250717141530.1471199-1-c.heiss@proxmox.com>

A small helper routine for flushing all conntrack table entries which
are marked with a specific value.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v1 -> v2:
  * no changes

Changes v2 -> v3:
  * rebased on trixie

Changes v3 -> v4:
  * rebased on latest master
  * added proper pod header

 debian/control              |  3 ++-
 src/PVE/Firewall/Helpers.pm | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index d8ca975..a420016 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,8 @@ Standards-Version: 4.6.2
 Package: pve-firewall
 Architecture: any
 Conflicts: ulogd,
-Depends: ebtables,
+Depends: conntrack,
+         ebtables,
          ipset,
          iptables,
          libpve-access-control,
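Review bot: the new hard `Depends: conntrack,` is the right strength here rather than `Recommends`, because the helper added in `Helpers.pm` invokes the `conntrack` binary with `noerr => 1, quiet => 1` and would otherwise fail silently on a host where the package is missing; the list also stays alphabetical (conntrack before ebtables). It would be worth one sentence in the commit message noting that this adds a new runtime dependency that existing installs will pull in on upgrade.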
diff --git a/src/PVE/Firewall/Helpers.pm b/src/PVE/Firewall/Helpers.pm
index 49e2a3d..fa3646c 100644
--- a/src/PVE/Firewall/Helpers.pm
+++ b/src/PVE/Firewall/Helpers.pm
@@ -17,6 +17,7 @@ our @EXPORT_OK = qw(
     remove_vmfw_conf
     clone_vmfw_conf
     collect_refs
+    flush_fw_ct_entries_by_mark
 );
 
 my $pvefw_conf_dir = "/etc/pve/firewall";
@@ -198,6 +199,7 @@ Checks whether nftables is active via checking for the existence of the file
 C<$FORCE_NFT_DISABLE_FLAG_FILE>
 
 =cut
+
 sub is_nftables {
     return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
 }
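Review bot: the blank line inserted between `=cut` and `sub is_nftables` is an unrelated whitespace cleanup in a patch whose purpose is to add a new helper; harmless, but either mention it in the commit message or move it into its own cleanup commit so the functional change stays easy to bisect.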
@@ -209,9 +211,27 @@ firewall bridge in order for the current firewall configuration to work. This is
 the case when using pve-firewall (iptables) or bridges that use OVS.
 
 =cut
+
 sub needs_fwbr {
     my ($bridge_name) = @_;
     return !is_nftables() || PVE::Network::is_ovs_bridge($bridge_name);
 }
 
+=head3 flush_fw_ct_entries_by_mark($mark)
+
+Flushes all conntrack table entries which are CONNMARK'd with the given
+value in C<$mark>.
+
+=cut
+
+sub flush_fw_ct_entries_by_mark {
+    my ($mark) = @_;
+
+    PVE::Tools::run_command(
+        ['conntrack', '--delete', '--mark', $mark],
+        noerr => 1,
+        quiet => 1,
+    );
+}
+
 1;
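Review bot: `flush_fw_ct_entries_by_mark` passes `$mark` straight through to `conntrack --delete --mark` and, with `noerr => 1, quiet => 1`, throws away both the exit status and any error output, so an undefined or malformed mark (or a failing `conntrack` invocation) fails silently and leaves the entries in the table; in this series that means the old VM's conntrack state quietly survives on the source node. Suggest validating the argument up front, e.g. `die "invalid conntrack mark '$mark'\n" if !defined($mark) || $mark !~ /^\d+$/;`, and at least emitting a warning on non-zero exit instead of dropping it. Two related points: a mark of 0 matches every entry that carries no CONNMARK at all, so `conntrack --delete --mark 0` would flush all unmarked connections on the host, and a `$mark == 0` guard is cheap insurance even if a VMID is never going to be 0; and the POD says entries are "CONNMARK'd with the given value", but the call compares the full 32-bit mark with no mask, so if any other rule sets additional bits in the same mark these entries will be missed. Either document the exact-match semantics in the `=head3` text or accept a `value/mask` form. Finally, the hunk does not show a `use PVE::Tools` line; please confirm it is already imported in this module.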
-- 
2.49.0
Thread overview:
2025-07-17 14:15 [pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v4 00/14] fix #5180: migrate conntrack state on live migration Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH proxmox-ve-rs v4 01/14] config: guest: allow access to raw Vmid value Christoph Heiss
2025-07-17 19:00   ` [pve-devel] applied: " Thomas Lamprecht
2025-07-17 14:15 ` [pve-devel] [PATCH proxmox-firewall v4 02/14] firewall: add connmark rule with VMID to all guest chains Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH firewall v4 03/14] " Christoph Heiss
2025-07-17 14:15 ` Christoph Heiss [this message]
2025-07-17 14:15 ` [pve-devel] [PATCH qemu-server v4 05/14] qmp helpers: allow passing structured args via qemu_objectadd() Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH qemu-server v4 06/14] api2: qemu: add module exposing node migration capabilities Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH qemu-server v4 07/14] fix #5180: dbus-vmstate: add daemon for QEMUs dbus-vmstate interface Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH qemu-server v4 08/14] fix #5180: migrate: integrate helper for live-migrating conntrack info Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH qemu-server v4 09/14] migrate: flush old VM conntrack entries after successful migration Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH manager v4 10/14] api2: capabilities: explicitly import CPU capabilities module Christoph Heiss
2025-07-17 21:28   ` [pve-devel] applied: " Thomas Lamprecht
2025-07-17 14:15 ` [pve-devel] [PATCH manager v4 11/14] api2: capabilities: proxy index endpoints to respective nodes Christoph Heiss
2025-07-17 21:28   ` [pve-devel] applied: " Thomas Lamprecht
2025-07-17 14:15 ` [pve-devel] [PATCH manager v4 12/14] api2: capabilities: expose new qemu/migration endpoint Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH manager v4 13/14] ui: window: Migrate: add checkbox for migrating VM conntrack state Christoph Heiss
2025-07-17 14:15 ` [pve-devel] [PATCH docs v4 14/14] qm: document conntrack state migration for live migrations Christoph Heiss
2025-07-21 14:49 ` [pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v4 00/14] fix #5180: migrate conntrack state on live migration Gabriel Goller
2025-07-30  9:33   ` Christoph Heiss
