X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=22cae5a8c7ee50eafe1073f063339837353d1199;hp=b2bcc32e5ca685cfafd84cc05019094c3ee6a925;hb=55fad3b7889f943599038c3a13e070cd1fcab051;hpb=d46b1ef6fb3ba5628a27ea26e7cda011ed588b91
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b2bcc32..22cae5a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,8 +1971,6 @@ for (my $i = 0; $i < $MAX_NETS; $i++) {
 sub parse_fw_rule {
 my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
- chomp $line;
- my $orig_line = $line;
 my $rule = {};
@@ -2066,7 +2064,6 @@ sub parse_vmfw_option {
 $opt = lc($1);
 $value = $2;
 } else {
- chomp $line;
 die "can't parse option '$line'\n"
 }
@@ -2090,7 +2087,6 @@ sub parse_hostfw_option {
 $opt = lc($1);
 $value = int($2);
 } else {
- chomp $line;
 die "can't parse option '$line'\n"
 }
@@ -2109,7 +2105,6 @@ sub parse_clusterfw_option {
 $opt = lc($1);
 $value = uc($3);
 } else {
- chomp $line;
 die "can't parse option '$line'\n"
 }
@@ -2164,6 +2159,8 @@ sub generic_fw_config_parser {
 next if $line =~ m/^#/;
 next if $line =~ m/^\s*$/;
+ chomp $line;
+
 my $linenr = $fh->input_line_number();
 my $prefix = "$filename (line $linenr)";
@@ -2284,6 +2281,7 @@ sub generic_fw_config_parser {
 }
 };
 if (my $err = $@) {
+ chomp $err;
 $errors->{cidr} = $err;
 }
@@ -2292,6 +2290,13 @@ sub generic_fw_config_parser {
 $entry->{comment} = $comment if $comment;
 $entry->{errors} = $errors if $errors;
+ if ($verbose && $errors) {
+ warn "$prefix - errors in ipset '$group': $line\n";
+ foreach my $p (keys %{$errors}) {
+ warn " $p: $errors->{$p}\n";
+ }
+ }
+
 push @{$res->{$section}->{$group}}, $entry;
 } else {
 warn "$prefix: skip line - unknown section\n";
@@ -2629,6 +2634,7 @@ sub generate_ipset {
 # remove duplicates
 my $nethash = {};
 foreach my $entry (@$options) {
+ next if $entry->{errors}; # skip entries with errors
 eval {
 my $cidr = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
 $nethash->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
@@ -2775,6 +2781,8 @@ sub compile {
 push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+ return ({}, {}) if !$cluster_conf->{options}->{enable};
+
 my $ruleset = {};
 ruleset_create_chain($ruleset, "PVEFW-INPUT");
@@ -2963,8 +2971,9 @@ sub get_ruleset_cmdlist {
 }
 foreach my $h (qw(INPUT OUTPUT FORWARD)) {
- if (!$hooks->{$h}) {
- $cmdlist .= "-A $h -j PVEFW-$h\n";
+ my $chain = "PVEFW-$h";
+ if ($ruleset->{$chain} && !$hooks->{$h}) {
+ $cmdlist .= "-A $h -j $chain\n";
 }
 }
@@ -3164,6 +3173,17 @@ sub remove_pvefw_chains {
 $cmdlist .= "COMMIT\n";
 iptables_restore_cmdlist($cmdlist);
+
+ my $ipset_chains = ipset_get_chains();
+
+ $cmdlist = "";
+
+ foreach my $chain (keys %$ipset_chains) {
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
 sub init {
@@ -3182,11 +3202,7 @@ sub update {
 my $cluster_conf = load_clusterfw_conf();
 my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
-
- die "Firewall is disabled - cannot start\n" if !$enable;
-
- if (!$enable) {
+ if (!$cluster_options->{enable}) {
 PVE::Firewall::remove_pvefw_chains();
 return;
 }
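Review bot: parse_fw_rule now depends on its caller having chomped `$line`, but nothing after the argument unpacking records that contract; the parse_vmfw_option, parse_hostfw_option and parse_clusterfw_option hunks introduce the same silent dependency, and their `die "can't parse option '$line'\n"` will carry an embedded newline in the message if any caller other than generic_fw_config_parser still passes an unchomped line. A one-line comment after `my ($prefix, $line, ...) = @_;`, `# $line must already be chomped (generic_fw_config_parser does this)`, would document this in all four subs. The removal of `$orig_line` is only safe if nothing further down in parse_fw_rule still reads it; that part of the body is outside the hunk and should be checked.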
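Review bot: The new verbose block in generic_fw_config_parser iterates `keys %{$errors}` in hash order, so the per-field warning lines come out in a nondeterministic sequence between runs, which makes log comparison noisy; `foreach my $p (sort keys %{$errors}) {` fixes that. Note also that the warning is emitted only under `$verbose`, so in a normal run an ipset entry whose cidr failed to parse is recorded in `$entry->{errors}` without any visible diagnostic. The enclosing loop body continues outside the hunk on both sides.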
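Review bot: `next if $entry->{errors};` drops a flagged ipset entry with no diagnostic at generation time, and the parser hunk only warns about such entries when `$verbose` is set, so in a normal run the generated set silently lacks the entry; if the dropped entry is a `nomatch` exclusion, the resulting set is broader than the administrator configured. Whether this is a regression depends on what the eval's error path did before (the rest of the loop is outside the hunk), but either a `warn` before the `next`, or a comment that states the expectation, `# parse errors were already reported by generic_fw_config_parser; never emit a broken entry`, would make the intent explicit.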
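Review bot: The rewritten condition in get_ruleset_cmdlist skips adding the jump when `$ruleset->{$chain}` is absent, but when `$hooks->{$h}` is already set for such a chain the existing `-A $h -j PVEFW-$h` rule is left in place; unless stale hooks are removed elsewhere in get_ruleset_cmdlist (the rest of the sub is outside the hunk), deleting the now-unused PVEFW chain would leave a jump to a nonexistent target and the restore would fail. If that case is handled, a comment such as `# chain may be missing when compile() returned an empty ruleset` would make the coupling to the compile hunk visible to the next reader.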
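Review bot: The new flush/destroy loop in remove_pvefw_chains acts on every key returned by `ipset_get_chains()` without any name check, so its safety rests entirely on that helper (outside the hunk) listing only firewall-managed sets; if it ever returns every set on the host, this path destroys unrelated ipsets. Filtering the loop on the name prefix the firewall uses for its own sets, or at least documenting the assumption with `# ipset_get_chains() is expected to list only firewall-managed sets`, would make the intent checkable. Iterating `sort keys %$ipset_chains` would additionally make the generated command list deterministic.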