fix #4175: ignore non-filter ebtables tables

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e2331d865808154f9685e0cb2d678b53768215ff..56868d4326228f5dc6b8350bcb41e98f783db7dc 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
        my $line = shift;
        return if $line =~ m/^#/;
        return if $line =~ m/^\s*$/;
+       if ($line =~ m/^\*(\S+)$/) {
+           $table = $1;
+           return;
+       }
+
+       return if $table ne "filter";
+
        if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
            # Make sure we know chains exist even if they're empty.
            $chains->{$1} //= [];
@@ -3964,7 +3972,7 @@ sub compile_ebtables_filter {
        eval {
            my $conf = $vmdata->{qemu}->{$vmid};
            my $vmfw_conf = $vmfw_configs->{$vmid};
-           return if !$vmfw_conf;
+           return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
            my $ipsets = $vmfw_conf->{ipset};
 
            foreach my $netid (sort keys %$conf) {