ebtables: remove PVE chains properly

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 16d73011e299489ad63ab7e05cbcafb40e6aad9d..3b67186ed35c18ca7ed62c0f2001c5dbb0e649bb 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3519,7 +3519,8 @@ sub compile {
        $hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
 
        # cfs_update is handled by daemon or API
-       $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
+       $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf")
+           if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1);
 
        $vmdata = read_local_vm_config();
        $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);
@@ -4268,6 +4269,7 @@ sub remove_pvefw_chains {
     PVE::Firewall::remove_pvefw_chains_iptables("iptables");
     PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
     PVE::Firewall::remove_pvefw_chains_ipset();
+    PVE::Firewall::remove_pvefw_chains_ebtables();
 
 }
 
@@ -4313,6 +4315,11 @@ sub remove_pvefw_chains_ipset {
     ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
 
+sub remove_pvefw_chains_ebtables {
+    # apply empty ruleset = remove all our chains
+    ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
+}
+
 sub init {
     my $cluster_conf = load_clusterfw_conf();
     my $cluster_options = $cluster_conf->{options};