From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Tue, 23 Apr 2024 11:21:39 +0200
Message-Id: <20240423092139.94402-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall] firewall: properly cleanup tables when firewall is inactive

When executing multiple nft commands, they are transactional: either all get applied or none. When only the host or guest firewall is active, only one table exists and this causes the delete commands to fail. To fix this we need to send the delete commands separately.

It might make sense to support running multiple separate batches in the NftClient in the future in order to avoid having to call nft twice.

Signed-off-by: Stefan Hanreich
---
 proxmox-firewall/src/bin/proxmox-firewall.rs | 9 +++++----
 proxmox-firewall/src/firewall.rs             | 10 +++++-----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
index 2f4875f..4e07993 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -12,11 +12,12 @@ const RULE_BASE: &str = include_str!("../../resources/proxmox-firewall.nft"); fn remove_firewall() -> Result<(), std::io::Error> { log::info!("removing existing firewall rules"); - let commands = Firewall::remove_commands(); - // can ignore other errors, since it fails when tables do not exist - if let Err(NftError::Io(err)) = NftClient::run_json_commands(&commands) { - return Err(err); + for command in Firewall::remove_commands() { + // can ignore other errors, since it fails when tables do not exist + if let Err(NftError::Io(err)) = NftClient::run_json_commands(&command) { + return Err(err); + } } Ok(()) diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 2195a07..b137f58 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs @@ -157,11 +157,11 @@ impl Firewall { } } - pub fn remove_commands() -> Commands { - Commands::new(vec![ - Delete::table(Self::cluster_table()), - Delete::table(Self::guest_table()), - ]) + pub fn remove_commands() -> Vec { + vec![ + Commands::new(vec![Delete::table(Self::cluster_table())]), + Commands::new(vec![Delete::table(Self::guest_table())]), + ] } fn create_management_ipset(&self, commands: &mut Commands) -> Result<(), Error> { -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
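Review bot: in the `remove_firewall` hunk, the `if let Err(NftError::Io(err))` inside the new loop still discards every non-Io error, but the carried-over comment "can ignore other errors, since it fails when tables do not exist" is now too broad a justification: with one table per batch, the only expected failure is that one table being absent, so any other error nft reports for either delete is swallowed silently. Suggest handling the remaining arm explicitly rather than dropping it, e.g. `Err(err) => log::warn!("ignoring nft error while removing table: {err}")`, so a real failure during cleanup is at least visible in the log, and state in the comment that the early `return Err(err)` on an Io error deliberately skips the second table because nft itself could not be run. Minor: the loop variable `command` holds a `Commands` batch, so `batch` would read less misleadingly than `command`.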
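Review bot: in the `remove_commands` hunk, the new signature is shown as `pub fn remove_commands() -> Vec {`, a bare `Vec` without its type parameter, which does not type-check against the `vec![Commands::new(...), ...]` body; if the list rendering ate the angle brackets this is fine, otherwise it needs to read `Vec<Commands>`. Also missing documentation: the reason the two deletes are now two separate `Commands` batches (each one is its own nft transaction, because deleting a table that does not exist aborts the whole batch) lives only in the commit message. Add a `///` doc comment on `remove_commands` saying that each element must be run as a separate nft invocation, so a later cleanup does not merge them back into one batch.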
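The batch-atomicity behaviour the commit message describes, shown with the JSON that an nft "delete table" batch actually carries. This is an added example, not proxmox-firewall project code: it assumes the cluster and guest tables are named `inet proxmox-firewall` and `bridge proxmox-firewall-guests` (the patch only shows `cluster_table()` and `guest_table()`), and that nft reports a missing table with ENOENT ("No such file or directory"). The JSON builders run anywhere; actually deleting tables needs root and the `nft` binary, so the deleting function is only called when `RUN_NFT` is set.

```shell
# Added example (not proxmox-firewall project code).
# Assumed table names: "inet proxmox-firewall" (cluster/host) and
# "bridge proxmox-firewall-guests" (guest); assumed nft error text for a
# missing table: "No such file or directory".

# One libnftables JSON command object deleting a table: delete_table_cmd FAMILY NAME
delete_table_cmd() {
    printf '{"delete":{"table":{"family":"%s","name":"%s"}}}' "$1" "$2"
}

# Wrap one or more command objects in a single batch. nft applies a batch
# atomically: if any command in it fails, none of them is committed.
batch_json() {
    body=""
    sep=""
    for obj in "$@"; do
        body="$body$sep$obj"
        sep=","
    done
    printf '{"nftables":[%s]}' "$body"
}

# Feed one batch to nft as JSON on stdin; exit status is nft's.
run_batch() {
    printf '%s' "$1" | nft -j -f -
}

# Mirrors the patched remove_firewall(): one batch per table, so an absent
# table only fails its own batch. A missing table is ignored; any other nft
# error is reported and treated as fatal, as is a missing nft binary.
remove_firewall() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 127; }
    for spec in "inet proxmox-firewall" "bridge proxmox-firewall-guests"; do
        set -- $spec            # $1 = family, $2 = table name
        if err=$(run_batch "$(batch_json "$(delete_table_cmd "$1" "$2")")" 2>&1 >/dev/null); then
            echo "deleted table $1 $2"
        else
            case $err in
                *"No such file or directory"*) echo "table $1 $2 absent, ignoring" ;;
                *) echo "nft failed on $1 $2: $err" >&2; return 1 ;;
            esac
        fi
    done
}

# The pre-patch behaviour for comparison: both deletes in one batch, which
# fails as a whole (deleting nothing) as soon as either table does not exist.
remove_firewall_single_batch() {
    run_batch "$(batch_json \
        "$(delete_table_cmd inet proxmox-firewall)" \
        "$(delete_table_cmd bridge proxmox-firewall-guests)")"
}

if [ -n "${RUN_NFT:-}" ]; then
    remove_firewall
fi
```

Run `RUN_NFT=1 sh remove-firewall.sh` as root with only one of the two tables present to see the per-table batches succeed where `remove_firewall_single_batch` fails; the distinction between "table absent" and "nft failed for another reason" is the part that the `NftError::Io` check alone does not give you.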