X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=01de542d3305e8dc397ad15110eab2d5775bd0b3;hp=0c83e2fccf1848889ea844c9cf95327b7b1a9ccc;hb=6b8ca015bec1fec9476c3b5236379d8507a7d5fd;hpb=44be8ceb181b163eb4d418b27b5ae92d8ca35293
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0c83e2f..01de542 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1309,11 +1309,18 @@ sub ruleset_generate_rule {
 $rules = [ $rule ];
 }
 
+ # update all or nothing
+
+ my @cmds = ();
 foreach my $tmp (@$rules) {
 if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $tmp, $actions, $goto, $cluster_conf)) {
- ruleset_addrule($ruleset, $chain, $cmdstr);
+ push @cmds, $cmdstr;
 }
 }
+
+ foreach my $cmdstr (@cmds) {
+ ruleset_addrule($ruleset, $chain, $cmdstr);
+ }
 }
 
 sub ruleset_generate_rule_insert {
@@ -1498,6 +1505,8 @@ sub ruleset_generate_vm_rules {
 
 my $lc_direction = lc($direction);
 
+ my $in_accept = generate_nfqueue($options);
+
 foreach my $rule (@$rules) {
 next if $rule->{iface} && $rule->{iface} ne $netid;
 next if !$rule->{enable};
@@ -1520,8 +1529,7 @@ sub ruleset_generate_vm_rules {
 
 ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 } else {
- my $accept = generate_nfqueue($options);
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 }
 }
 }
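Review bot: The comment `# update all or nothing` added in ruleset_generate_rule is separated from `my @cmds = ();` by a blank line and does not say what failure the two-pass structure guards against, so the next reader has to reverse-engineer why the commands are collected before any ruleset_addrule call. Suggest replacing it, directly above the declaration, with `# build every command first so that a die() from ruleset_generate_cmdstr() on one expanded rule leaves the chain untouched (all or nothing)`. `my @cmds;` is the idiomatic form; the explicit `= ()` is redundant. ruleset_generate_rule begins outside the hunk.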
@@ -1530,22 +1538,20 @@ sub ruleset_generate_vm_rules {
 sub generate_nfqueue {
 my ($options) = @_;
 
- my $action = "";
- if($options->{ips}){
- $action = "NFQUEUE";
- if($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) {
- if(defined($3) && defined($1)) {
+ if ($options->{ips}) {
+ my $action = "NFQUEUE";
+ if ($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) {
+ if (defined($3) && defined($1)) {
 $action .= " --queue-balance $1:$3";
- }elsif (defined($1)) {
+ } elsif (defined($1)) {
 $action .= " --queue-num $1";
 }
 }
 $action .= " --queue-bypass" if $feature_ipset_nomatch; #need kernel 3.10
- }else{
- $action = "ACCEPT";
+ return $action;
+ } else {
+ return "ACCEPT";
 }
-
- return $action;
 }
 
 sub ruleset_generate_vm_ipsrules {
@@ -2415,9 +2421,12 @@ sub generate_ipset {
 my $nethash = {};
 foreach my $entry (@$options) {
 my $cidr = $entry->{cidr};
- if ($cidr =~ m/^${ip_alias_pattern}$/){
- die "no such alias $cidr" if !$aliases->{$cidr};
- $entry->{cidr} = $aliases->{$cidr};
+ if ($cidr =~ m/^${ip_alias_pattern}$/) {
+ if ($aliases->{$cidr}) {
+ $entry->{cidr} = $aliases->{$cidr};
+ } else {
+ warn "no such alias '$cidr'\n" if !$aliases->{$cidr};
+ }
 }
 $nethash->{$entry->{cidr}} = $entry;
 }
@@ -2863,10 +2872,6 @@ sub apply_ruleset {
 
 enable_bridge_firewall();
 
- update_nf_conntrack_max($hostfw_conf);
-
- update_nf_conntrack_tcp_timeout_established($hostfw_conf);
-
 my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
 get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
@@ -2905,6 +2910,11 @@ sub apply_ruleset {
 }
 
 die "unable to apply firewall changes\n" if $errors;
+
+ update_nf_conntrack_max($hostfw_conf);
+
+ update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
 }
 
 sub update_nf_conntrack_max {
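Review bot: In the rewritten generate_nfqueue the `defined($1)` tests are always true once `m/^(\d+)(:(\d+))?$/` has matched, because the first group is mandatory, so `if (defined($3) && defined($1))` / `elsif (defined($1))` reduce to `if (defined $3) { ... } else { ... }`. Named captures (`(?<num>\d+)(?::(?<balance>\d+))?` read back as `$+{num}` / `$+{balance}`) would state the queue-number versus queue-balance intent better than numbered groups, and `\z` instead of `$` rejects a trailing newline in the ips_queues value. The digit-only captures already keep anything else out of the generated NFQUEUE target string, so this is a readability point rather than a correctness one. The whole function lies inside the hunk.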
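Review bot: The new `else` branch in generate_ipset only warns for an unknown alias and then falls through, so `$entry->{cidr}` still holds the bare alias name and the next line stores the entry in `$nethash` under that name; unless a later step filters non-CIDR entries (not visible here), the unresolved alias now propagates into the ipset instead of aborting as the removed `die` did. The `if !$aliases->{$cidr}` modifier on the `warn` is also redundant inside that branch. Suggest `warn "no such alias '$cidr'\n"; next;` in the else branch so the entry is skipped, plus a one-line comment recording why the lookup failure is no longer fatal. Downgrading from die to warn changes what reaches the firewall — a set missing a member matches less traffic than the configuration intended — so the warning needs to be visible in the caller's log rather than silently continuing. generate_ipset begins outside the hunk.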
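Review bot: Moving update_nf_conntrack_max and update_nf_conntrack_tcp_timeout_established after `die "unable to apply firewall changes\n" if $errors;` means the conntrack sysctls are no longer touched when the apply fails, and nothing at the new call site records that this ordering is intended; suggest `# tune conntrack only once the new ruleset is live, so a failed apply leaves the previous limits in place` above the two calls. If either helper dies (both are defined outside this hunk), the ruleset has already been committed, so a caller that treats the exception as "apply failed" would be misled — worth a clause in the same comment if that is acceptable. The trailing added blank line before the closing `}` can be dropped. apply_ruleset starts outside the hunk.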