public inbox for pve-devel@lists.proxmox.com
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables
Date: Wed, 27 Jul 2022 15:07:52 +0200
Message-ID: <20220727130752.1175497-1-f.gruenbichler@proxmox.com>

we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
still waiting on OP to report whether there is yet another issue
observed which is unrelated to ebtables - but this (wrong) behaviour I
can reproduce, and it is fixed with this patch ;)

 src/PVE/Firewall.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 71746d2..5edb72d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
 	my $line = shift;
 	return if $line =~ m/^#/;
 	return if $line =~ m/^\s*$/;
+	if ($line =~ m/^\*(\S+)$/) {
+	    $table = $1;
+	    return;
+	}
+
+	return if $table ne "filter";
+
 	if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 	    # Make sure we know chains exist even if they're empty.
 	    $chains->{$1} //= [];
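Review bot: the new `return if $table ne "filter";` is reached with `$table` still undefined for any non-comment, non-blank line that comes before the first `*<table>` header, so the skip only works there because undef happens to compare unequal to "filter", and it will emit an uninitialized-value warning if warnings are enabled. Make the intent explicit with `return if !defined($table) || $table ne 'filter';`. A one-line comment above the `m/^\*(\S+)$/` match saying that only the filter table is managed here, and that rules from other tables must not be collected into it, would also keep the reasoning from the commit message next to the code.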
-- 
2.30.2






Thread overview: 2+ messages
2022-07-27 13:07 Fabian Grünbichler [this message]
2022-08-29 12:32 ` [pve-devel] applied: " Thomas Lamprecht
