From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 442EF1FF16F
	for <inbox@lore.proxmox.com>; Fri, 15 Nov 2024 13:10:21 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id A5879122C5;
	Fri, 15 Nov 2024 13:10:18 +0100 (CET)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Fri, 15 Nov 2024 13:09:33 +0100
Message-Id: <20241115120937.169342-6-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241115120937.169342-1-s.hanreich@proxmox.com>
References: <20241115120937.169342-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
Subject: [pve-devel] [PATCH pve-firewall v4 5/9] nftables: make is_nftables
 check flag file instead of config
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.

It also avoids parsing the entire cluster and host firewall
configuration on VM / CT startup, which means increased performance.

While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/Firewall.pm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7642bf6..bfaa33a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4727,7 +4727,14 @@ sub remove_pvefw_chains_ebtables {
     ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
 }
 
+# This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
+my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
+
 sub is_nftables {
+    return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
+}
+
+my sub get_nftables_option {
     my ($cluster_conf, $host_conf) = @_;
 
     if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
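Review bot: the new is_nftables treats a missing flag file as "nftables is enabled", which is not what the absence of a file under /run means in general: /run is cleared on every boot, so the file does not exist until update_force_nftables_disable_flag has run once, and it also does not exist on a host where /usr/libexec/proxmox/proxmox-firewall is not installed but the firewall service has not yet evaluated the config. A guest network startup script calling is_nftables in that window takes the nftables path on an iptables host. Consider keeping the executable check that get_nftables_option still performs, e.g. `return -x "/usr/libexec/proxmox/proxmox-firewall" && !-e $FORCE_NFT_DISABLE_FLAG_FILE;`, and making sure the firewall service is ordered before guest startup. The hoisted comment also only says that proxmox-firewall checks the file; is_nftables now depends on it too, so extend the comment to state the invariant (file present means the cluster firewall is disabled or the iptables backend is selected). That invariant also means is_nftables returns false when the firewall is disabled altogether, which the name no longer conveys.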
@@ -4743,9 +4750,6 @@ sub is_nftables {
 my sub update_force_nftables_disable_flag {
     my ($cluster_firewall_enabled, $is_nftables) = @_;
 
-    # This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
-    my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
-
     if (!($cluster_firewall_enabled && $is_nftables)) {
 	if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
 	    open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
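Review bot: with the constant and its comment moved out, nothing at the write site explains when the flag is expected to exist, and since is_nftables now reads it from the guest startup paths, a one-line comment here stating the invariant this writer maintains (file present iff the cluster firewall is disabled or $is_nftables is false) would help keep the reader and writer consistent. Only the file's existence carries information, so creating it with open(..., '>') is fine; what should be double-checked in the part of this function outside the hunk is that the file is unlinked when the condition flips back, because a stale file now makes is_nftables return false for every guest start until the next reboot.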
@@ -4757,13 +4761,13 @@ my sub update_force_nftables_disable_flag {
     }
 }
 
-sub is_enabled_and_not_nftables {
+my sub is_enabled_and_not_nftables {
     my ($cluster_conf, $host_conf) = @_;
 
     $cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
     $host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
 
-    my $is_nftables = is_nftables($cluster_conf, $host_conf);
+    my $is_nftables = get_nftables_option($cluster_conf, $host_conf);
 
     update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);
 
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel