From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Wed, 27 Jul 2022 15:07:52 +0200
Message-Id: <20220727130752.1175497-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [PATCH firewall] fix #4175: ignore non-filter ebtables tables

we only ever add rules to the filter table, without this we'd add all rules from other tables (which might have been manually filled by the admin) to the filter table as well - adding another copy on every iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input, but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler
---
still waiting on OP to report whether there is yet another issue observed which is unrelated to ebtables - but this (wrong) behaviour I can reproduce, and it is fixed with this patch ;)

 src/PVE/Firewall.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 71746d2..5edb72d 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1971,10 +1971,18 @@ sub ebtables_get_chains { my $res = {}; my $chains = {}; + my $table; my $parser = sub { my $line = shift; return if $line =~ m/^#/; return if $line =~ m/^\s*$/; + if ($line =~ m/^\*(\S+)$/) { + $table = $1; + return; + } + + return if $table ne "filter"; + if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) { # Make sure we know chains exist even if they're empty. $chains->{$1} //= []; -- 2.30.2
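
Review bot: `return if $table ne "filter";` in the parser closure compares `$table` while it can still be undef, because `my $table;` is declared without a value and is only assigned once a `*<table>` line has been matched. Any chain or rule line that reaches the parser before the first table header is then dropped silently, and if warnings are enabled each such line also produces an uninitialized-value warning. Consider `return if !defined($table) || $table ne "filter";` so the skip is explicit, and add a short comment above the check saying that only the filter table is managed and that other tables are skipped on purpose, so the reason is recorded in the code and not only in the commit message.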