X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=56868d4326228f5dc6b8350bcb41e98f783db7dc;hb=a1f5aa007a46b1e25106e5e47421fa889e41ac1c;hp=6b9b787ec5b9da50da9d2d29aac15c6f6052974f;hpb=8f62e951aa972f36198ffa69aafaae4abca8ed65;p=pve-firewall.git
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6b9b787..56868d4 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1357,7 +1357,7 @@ our $vm_option_properties = {
     macfilter => {
         description => "Enable/disable MAC address filter.",
         type => 'boolean',
-        default => 0,
+        default => 1,
         optional => 1,
     },
     dhcp => {
@@ -1947,11 +1947,9 @@ sub ipset_get_chains {
         return if $line =~ m/^\s*$/;
         if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
             my $chain = $1;
+            # ignore initval from ipset v7.7+, won't set that yet so it'd mess up change detection
+            $line =~ s/\binitval 0x[0-9a-f]+//;
             $line =~ s/\s+$//; # delete trailing white space
-            # ignore bucketsize onwards from output of ipset v7+
-            if ($line =~ m/^(.*?)(?:\sbucketsize.*)/) {
-                $line = $1;
-            }
             push @{$chains->{$chain}}, $line;
         } else {
             # simply ignore the rest
@@ -1973,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
         my $line = shift;
         return if $line =~ m/^#/;
         return if $line =~ m/^\s*$/;
+        if ($line =~ m/^\*(\S+)$/) {
+            $table = $1;
+            return;
+        }
+
+        return if $table ne "filter";
+
         if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
             # Make sure we know chains exist even if they're empty.
             $chains->{$1} //= [];
@@ -3158,13 +3164,13 @@ sub read_local_vm_config {
                 }
             }
         } elsif ($d->{type} eq 'lxc') {
-            if ($have_lxc) {
-                my $cfspath = PVE::LXC::Config->cfs_config_path($vmid);
-                if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
-                    $lxc->{$vmid} = $conf;
-                }
-            }
-        }
+            if ($have_lxc) {
+                my $cfspath = PVE::LXC::Config->cfs_config_path($vmid);
+                if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
+                    $lxc->{$vmid} = $conf;
+                }
+            }
+        }
     }
 
     return $vmdata;
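Review bot: Flipping the schema default of `macfilter` to 1 does not change enforcement, because generate_tap_layer2filter (later in this diff) only disables the filter when the option is explicitly set to 0, so an absent option was already treated as enabled; the property now documents the real behaviour, which is the right direction. Since this is the API-visible default, a short comment next to the property would keep the two in sync, e.g. `# absent option means enabled, see generate_tap_layer2filter`. The `$vm_option_properties` definition starts and ends outside this hunk.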
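Review bot: The new substitution in ipset_get_chains, `$line =~ s/\binitval 0x[0-9a-f]+//;`, removes the token but not the whitespace in front of it, so if the saved line ever carries `initval` before another option (rather than last, where the trailing-whitespace cleanup on the next line catches it) a doubled space survives and the comparison with the generated `create` line fails, forcing a needless ipset rebuild; `$line =~ s/\s*\binitval 0x[0-9a-f]+//;` is robust either way, and `[0-9a-fA-F]` (or `/i`) would tolerate upper-case hex. With the old bucketsize-stripping branch gone, the parsed line now keeps `bucketsize N`, so it only matches when generate_ipset_chains emits exactly that option — worth a one-line comment here pointing at that coupling. The surrounding parser closure and the sub body continue outside the hunk.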
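Review bot: `return if $table ne "filter";` in ebtables_get_chains compares an undefined `$table` if any non-comment line precedes the first `*table` header, which under `use warnings` logs "Use of uninitialized value" on every such line; `return if !defined($table) || $table ne 'filter';` makes the intent explicit and silent. A comment on the table check would also help the next reader, since the hunk silently starts ignoring chains from every other ebtables table, e.g. `# only the filter table is managed here; chains of other tables are left untouched`. The parser closure and the enclosing sub continue past the end of the hunk.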
@@ -3487,9 +3493,13 @@ sub generate_ipset_chains {
             $hashsize = round_powerof2($hashsize);
         }
 
+        my $bucketsize = 12; # lower than the default of 14, faster but slightly more memory use
+
         my $family = $ipversion == "6" ? "inet6" : "inet";
 
-        $ipset_ruleset->{$name} = ["create $name hash:net family $family hashsize $hashsize maxelem $hashsize"];
+        $ipset_ruleset->{$name} = [
+            "create $name hash:net family $family hashsize $hashsize maxelem $hashsize bucketsize $bucketsize"
+        ];
 
         foreach my $cidr (sort keys %$data) {
             my $entry = $data->{$cidr};
@@ -3962,7 +3972,7 @@ sub compile_ebtables_filter {
         eval {
             my $conf = $vmdata->{qemu}->{$vmid};
             my $vmfw_conf = $vmfw_configs->{$vmid};
-            return if !$vmfw_conf;
+            return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
             my $ipsets = $vmfw_conf->{ipset};
 
             foreach my $netid (sort keys %$conf) {
@@ -4038,7 +4048,7 @@ sub generate_tap_layer2filter {
     ruleset_create_chain($ruleset, $tapchain);
 
     if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
-        ruleset_addrule($ruleset, $tapchain, "-s ! $macaddr", '-j DROP');
+        ruleset_addrule($ruleset, $tapchain, "-s ! $macaddr", '-j DROP');
     }
 
     if (@$arpfilter){
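Review bot: The `create` line in generate_ipset_chains now unconditionally appends `bucketsize $bucketsize`, which an ipset that does not understand that option will reject, and since all sets are restored together one rejected line presumably fails the whole ipset restore; this is fine only if the package's ipset dependency is bumped accordingly, which the hunk does not show. The trade-off comment on `my $bucketsize = 12;` is good, but the value is a per-set magic number — a file-level `my $IPSET_BUCKETSIZE = 12;` (or a constant) would keep it in one place and make the coupling with ipset_get_chains visible, since that parser now compares the saved `bucketsize` token verbatim and any drift between the two means change detection always reports a difference. The sub's body starts and ends outside the hunk.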
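Review bot: `return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};` in compile_ebtables_filter dereferences `{options}` as a hash, which in Perl autovivifies `$vmfw_conf->{options} = {}` on a config that has no options key — harmless for the check itself but a silent mutation of the shared `$vmfw_configs` entry. If `options` can be absent, `return if !$vmfw_conf || !$vmfw_conf->{options} || !$vmfw_conf->{options}->{enable};` avoids that; if the config loader guarantees the key, a comment saying so would settle it. Note that this `return` only leaves the `eval { ... }` block, as in the existing pattern; the eval and the enclosing sub continue past the hunk.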