From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
by lore.proxmox.com (Postfix) with ESMTPS id 1AFB41FF2AB
for <inbox@lore.proxmox.com>; Wed, 17 Jul 2024 15:16:53 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id B91E03C184;
Wed, 17 Jul 2024 15:17:21 +0200 (CEST)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Wed, 17 Jul 2024 15:16:46 +0200
Message-Id: <20240717131646.135236-1-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.265 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
methods
RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_NONE 0.001 SPF: sender does not publish an SPF Record
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
information. [proxmox-firewall.rs]
Subject: [pve-devel] [PATCH proxmox-firewall v3 1/1] service: flush firewall
rules on force disable
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>
When disabling the nftables firewall again, there is a race condition
where the nftables ruleset never gets flushed and persists after
disabling.
The nftables firewall update loop does a noop when the force disable
file exists. It only flushes the ruleset when nftables is disabled in
the configuration file but the force disable file does not yet exist.
This can lead to the following situation:
* nftables is activated and created its ruleset
* user switches from nftables firewall back to iptables firewall
* pve-firewall runs and creates the force disable file
* proxmox-firewall sees that the file exists and does nothing
Reported-by: Hannes Laimer <h.laimer@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
Changes from v2 to v3:
* Use proper debug output formatter
Changes from v1 to v2:
* Removed misleading/wrong section about the probability of this
happening
* Added a detailed description of the scenario this commit prevents
proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
index f7e816e..4732e51 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
while !term.load(Ordering::Relaxed) {
if force_disable_flag.exists() {
+ if let Err(error) = remove_firewall() {
+ log::error!("unable to disable firewall: {error:?}");
+ }
+
std::thread::sleep(Duration::from_secs(5));
continue;
}
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel