From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH pve-firewall v4 5/9] nftables: make is_nftables check flag file instead of config
Date: Fri, 15 Nov 2024 13:09:33 +0100 [thread overview]
Message-ID: <20241115120937.169342-6-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20241115120937.169342-1-s.hanreich@proxmox.com>
is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.
It also avoids parsing the entire cluster and host firewall
configuration on VM / CT startup, which means increased performance.
While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/PVE/Firewall.pm | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7642bf6..bfaa33a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4727,7 +4727,14 @@ sub remove_pvefw_chains_ebtables {
ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
}
+# This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
+my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
+
sub is_nftables {
+ return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
+}
+
+my sub get_nftables_option {
my ($cluster_conf, $host_conf) = @_;
if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
@@ -4743,9 +4750,6 @@ sub is_nftables {
my sub update_force_nftables_disable_flag {
my ($cluster_firewall_enabled, $is_nftables) = @_;
- # This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
- my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
-
if (!($cluster_firewall_enabled && $is_nftables)) {
if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
@@ -4757,13 +4761,13 @@ my sub update_force_nftables_disable_flag {
}
}
-sub is_enabled_and_not_nftables {
+my sub is_enabled_and_not_nftables {
my ($cluster_conf, $host_conf) = @_;
$cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
$host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
- my $is_nftables = is_nftables($cluster_conf, $host_conf);
+ my $is_nftables = get_nftables_option($cluster_conf, $host_conf);
update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-11-15 12:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 12:09 [pve-devel] [PATCH docs/firewall/manager/proxmox{-firewall, -perl-rs} v4 0/9] autogenerate ipsets for sdn objects Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-firewall v4 2/9] config: tests: add support for loading sdn and ipam config Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-firewall v4 3/9] ipsets: autogenerate ipsets for vnets and ipam Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH pve-firewall v4 4/9] add support for loading sdn firewall configuration Stefan Hanreich
2024-11-15 12:09 ` Stefan Hanreich [this message]
2024-11-15 12:09 ` [pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH proxmox-perl-rs v4 7/9] add PVE::RS::Firewall::SDN module Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH pve-manager v4 8/9] firewall: add sdn scope to IPRefSelector Stefan Hanreich
2024-11-15 12:09 ` [pve-devel] [PATCH pve-docs v4 9/9] sdn: add documentation for firewall integration Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241115120937.169342-6-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox