ebtables_get_chains: deal with empty chains

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 545216724614f3e21e73ef27c3d8eaa7474583f0..8f545e7b439768f11d524e4d1031b9675066fc58 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1836,7 +1836,10 @@ sub ebtables_get_chains {
        my $line = shift;
        return if $line =~ m/^#/;
        return if $line =~ m/^\s*$/;
-       if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
+       if ($line =~ m/^:(\S+)\s\S+$/) {
+           # Make sure we know chains exist even if they're empty.
+           $chains->{$1} //= [];
+       } elsif ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
            my $chain = $1;
            $line =~ s/\s+$//;
            push @{$chains->{$chain}}, $line;
@@ -2065,7 +2068,9 @@ sub ruleset_addrule {
        my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log);
        push @{$ruleset->{$chain}}, "-A $chain $match $logaction";
    }
-   push @{$ruleset->{$chain}}, "-A $chain $match $action";
+   # for stable ebtables digests avoid double-spaces to match ebtables-save output
+   $match .= ' ' if length($match);
+   push @{$ruleset->{$chain}}, "-A $chain ${match}$action";
 }
 
 sub ruleset_insertrule {