ruleset_generate_rule: update all or nothing

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0c83e2fccf1848889ea844c9cf95327b7b1a9ccc..8c8db821e0ec3dbd88aa398bb455a00cbab71948 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1309,11 +1309,18 @@ sub ruleset_generate_rule {
        $rules = [ $rule ];
     }
 
+    # update all or nothing
+
+    my @cmds = ();
     foreach my $tmp (@$rules) {
        if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf)) {
-           ruleset_addrule($ruleset, $chain, $cmdstr);
+           push @cmds, $cmdstr;
        }
     }
+
+    foreach my $cmdstr (@cmds) {
+       ruleset_addrule($ruleset, $chain, $cmdstr);
+    }
 }
 
 sub ruleset_generate_rule_insert {
@@ -2415,9 +2422,12 @@ sub generate_ipset {
     my $nethash = {};
     foreach my $entry (@$options) {
        my $cidr = $entry->{cidr};
-       if ($cidr =~ m/^${ip_alias_pattern}$/){
-           die "no such alias $cidr" if !$aliases->{$cidr};
-           $entry->{cidr} = $aliases->{$cidr};
+       if ($cidr =~ m/^${ip_alias_pattern}$/) {
+           if ($aliases->{$cidr}) {
+               $entry->{cidr} = $aliases->{$cidr};
+           } else {
+               warn "no such alias '$cidr'\n" if !$aliases->{$cidr};
+           }
        }
        $nethash->{$entry->{cidr}} = $entry;
     }
@@ -2863,10 +2873,6 @@ sub apply_ruleset {
 
     enable_bridge_firewall();
 
-    update_nf_conntrack_max($hostfw_conf);
-
-    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
-
     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
        get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
@@ -2905,6 +2911,11 @@ sub apply_ruleset {
     }
 
     die "unable to apply firewall changes\n" if $errors;
+
+    update_nf_conntrack_max($hostfw_conf);
+
+    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
 }
 
 sub update_nf_conntrack_max {