From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 17 Jul 2024 15:16:46 +0200
Message-Id: <20240717131646.135236-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall v3 1/1] service: flush firewall rules on force disable

When disabling the nftables firewall again, there is a race condition where the nftables ruleset never gets flushed and persists after disabling.

The nftables firewall update loop does a noop when the force disable file exists. It only flushes the ruleset when nftables is disabled in the configuration file but the force disable file does not yet exist.

This can lead to the following situation:

* nftables is activated and created its ruleset
* user switches from nftables firewall back to iptables firewall
* pve-firewall runs and creates the force disable file
* proxmox-firewall sees that the file exists and does nothing

Reported-by: Hannes Laimer
Signed-off-by: Stefan Hanreich
---
Changes from v2 to v3:
* Use proper debug output formatter

Changes from v1 to v2:
* Removed misleading/wrong section about the probability of this happening
* Added a detailed description of the scenario this commit prevents

 proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs index f7e816e..4732e51 100644 --- a/proxmox-firewall/src/bin/proxmox-firewall.rs +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> { while !term.load(Ordering::Relaxed) { if force_disable_flag.exists() { + if let Err(error) = remove_firewall() { + log::error!("unable to disable firewall: {error:?}"); + } + std::thread::sleep(Duration::from_secs(5)); continue; } -- 2.39.2
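Review bot: the new remove_firewall() call in the force-disable branch runs on every iteration for as long as the flag file exists, not once when the flag appears, because the branch still ends in std::thread::sleep(Duration::from_secs(5)) and continue; if remove_firewall() is not cheap and idempotent, or if it fails persistently, the ruleset is re-flushed and "unable to disable firewall" is logged every 5 seconds. Consider remembering that the flush already succeeded (for example a local bool that is reset when the flag disappears) so the ruleset is removed once per disable and a persistent error is not repeated indefinitely.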
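To make the race in the commit message concrete, here is an added example (not code from proxmox-firewall) that models the update loop as a small state machine, with the branch order before and after this patch, and replays the four-step scenario above; the Host struct, tick_before, tick_after and replay are assumed names for this model only.

```rust
// Added example, not the project's code: a minimal model of the
// proxmox-firewall update loop. It shows why the pre-patch logic leaves
// the nftables ruleset installed when the force-disable file is created
// before the loop's next iteration.

struct Host {
    nftables_enabled: bool,   // nftables selected in the firewall configuration
    force_disable_flag: bool, // pve-firewall has created the force-disable file
    ruleset_loaded: bool,     // an nftables ruleset is currently installed
}

/// One loop iteration as it behaved before the patch: the flag branch is a noop,
/// so the ruleset is only flushed on the "disabled in config, no flag" path.
fn tick_before(h: &mut Host) {
    if h.force_disable_flag {
        return;
    }
    if !h.nftables_enabled {
        h.ruleset_loaded = false;
        return;
    }
    h.ruleset_loaded = true;
}

/// One loop iteration as patched: the flag branch flushes the ruleset too.
fn tick_after(h: &mut Host) {
    if h.force_disable_flag || !h.nftables_enabled {
        h.ruleset_loaded = false;
        return;
    }
    h.ruleset_loaded = true;
}

/// Replays the scenario from the commit message and returns whether the
/// ruleset is still loaded afterwards (true means the bug is present).
fn replay(tick: fn(&mut Host)) -> bool {
    let mut h = Host { nftables_enabled: true, force_disable_flag: false, ruleset_loaded: false };
    tick(&mut h);                // nftables is activated and creates its ruleset
    h.nftables_enabled = false;  // user switches back to the iptables firewall
    h.force_disable_flag = true; // pve-firewall runs first and creates the flag file
    tick(&mut h);                // proxmox-firewall's next iteration sees the flag
    h.ruleset_loaded
}

fn main() {
    println!("ruleset persists before patch: {}", replay(tick_before));
    println!("ruleset persists after patch:  {}", replay(tick_after));
}
```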