ebtables: sort guest chains during rulecreation

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e2287e5908732c2b7844f9857c3b9fde4a64460..fefe42ad6fd046255543c067736ae269f6568a2d 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1180,6 +1180,12 @@ our $cluster_option_properties = {
        minimum => 0,
        optional => 1,
     },
+    ebtables => {
+       description => "Enable ebtables rules cluster wide.",
+       type => 'boolean',
+       default => 1,
+       optional => 1,
+    },
     policy_in => {
        description => "Input policy.",
        type => 'string',
@@ -2312,7 +2318,7 @@ sub generate_tap_rules_direction {
        if ($direction eq 'OUT') {
            $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
        } else {
-       $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+           $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
        }
 
        my $accept = generate_nfqueue($options);
@@ -2658,7 +2664,7 @@ sub parse_clusterfw_option {
        if (($value > 1) && ((time() - $value) > 60)) {
            $value = 0
        }
-    } elsif ($line =~ m/^(ebtables_enable):\s*(0|1)\s*$/i) {
+    } elsif ($line =~ m/^(ebtables):\s*(0|1)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
@@ -3651,7 +3657,7 @@ sub compile_ipsets {
 sub compile_ebtables_filter {
     my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $verbose) = @_;
 
-    if (!($cluster_conf->{options}->{ebtables_enable} // 1)) {
+    if (!($cluster_conf->{options}->{ebtables} // 1)) {
        return {};
     }
 
@@ -3666,7 +3672,7 @@ sub compile_ebtables_filter {
     ruleset_addrule($ruleset, 'PVEFW-FORWARD', '-o fwln+', '-j PVEFW-FWBR-OUT');
 
     # generate firewall rules for QEMU VMs
-    foreach my $vmid (keys %{$vmdata->{qemu}}) {
+    foreach my $vmid (sort keys %{$vmdata->{qemu}}) {
        eval {
            my $conf = $vmdata->{qemu}->{$vmid};
            my $vmfw_conf = $vmfw_configs->{$vmid};
@@ -3687,7 +3693,7 @@ sub compile_ebtables_filter {
     }
 
     # generate firewall rules for LXC containers
-    foreach my $vmid (keys %{$vmdata->{lxc}}) {
+    foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
        eval {
            my $conf = $vmdata->{lxc}->{$vmid};
 
@@ -3778,11 +3784,12 @@ sub get_ruleset_status {
     foreach my $chain (sort keys %$active_chains) {
        next if defined($ruleset->{$chain});
        my $action = 'delete';
+       my $sig = $active_chains->{$chain};
        if (defined($change_only_regex)) {
            $action = 'ignore' if ($chain !~ m/$change_only_regex/);
            $statushash->{$chain}->{rules} = $active_chains->{$chain}->{rules};
+           $sig = $sig->{sig};
        }
-       my $sig = $active_chains->{$chain}->{sig};
        $statushash->{$chain}->{action} = $action;
        $statushash->{$chain}->{sig} = $sig;
        print "$action $chain ($sig)\n" if $verbose;
@@ -3860,7 +3867,7 @@ sub get_ruleset_cmdlist {
     return wantarray ? ($cmdlist, $changes) : $cmdlist;
 }
 
-my $pve_ebtables_chainname_regex = qr/PVEFW-\S+|(?:tab|veth)\d+i\d+-(?:IN|OUT)/;
+my $pve_ebtables_chainname_regex = qr/PVEFW-\S+|(?:tap|veth)\d+i\d+-(?:IN|OUT)/;
 
 sub get_ebtables_cmdlist {
     my ($ruleset, $verbose) = @_;