public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables
@ 2022-07-27 13:07 Fabian Grünbichler
  2022-08-29 12:32 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2022-07-27 13:07 UTC (permalink / raw)
  To: pve-devel

we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
still waiting on OP to report whether there is yet another issue
observed which is unrelated to ebtables - but this (wrong) behaviour I
can reproduce, and it is fixed with this patch ;)

 src/PVE/Firewall.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 71746d2..5edb72d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
 	my $line = shift;
 	return if $line =~ m/^#/;
 	return if $line =~ m/^\s*$/;
+	if ($line =~ m/^\*(\S+)$/) {
+	    $table = $1;
+	    return;
+	}
+
+	return if $table ne "filter";
+
 	if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 	    # Make sure we know chains exist even if they're empty.
 	    $chains->{$1} //= [];
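
Review bot: `$table` is declared without a value, so at `return if $table ne "filter";` any chain or rule line that arrives before the first `*table` header is compared against undef. Such a line is dropped silently and, where warnings are enabled, triggers an "uninitialized value" warning. Writing `return if !defined($table) || $table ne 'filter';` would make that case explicit. The header match `m/^\*(\S+)$/` also does not tolerate trailing whitespace: a header line that fails it falls through with the previous `$table` still in effect. A short comment stating the expected input format, and that only the filter table is managed here, would help future readers.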
-- 
2.30.2






* [pve-devel] applied: [PATCH firewall] fix #4175: ignore non-filter ebtables tables
  2022-07-27 13:07 [pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables Fabian Grünbichler
@ 2022-08-29 12:32 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2022-08-29 12:32 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 27/07/2022 at 15:07, Fabian Grünbichler wrote:
> we only ever add rules to the filter table, without this we'd add all
> rules from other tables (which might have been manually filled by the
> admin) to the filter table as well - adding another copy on every
> iteration of the firewall update cycle!
> 
> note that ebtables-restore seems to flush tables contained in its input,
> but leave those alone which are not referenced at all.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> still waiting on OP to report whether there is yet another issue
> observed which is unrelated to ebtables - but this (wrong) behaviour I
> can reproduce, and it is fixed with this patch ;)
> 
>  src/PVE/Firewall.pm | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
>

applied, thanks!



