X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=c946040404a2636812407013a684d6bea12fe2d7;hp=16d73011e299489ad63ab7e05cbcafb40e6aad9d;hb=c1031ab16cda7208eb161c891eceac31976a74b9;hpb=a9c463ce6917bcccd012bcfc37b1c756a16958cc diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 16d7301..c946040 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1748,25 +1748,25 @@ sub enable_bridge_firewall { sub iptables_restore_cmdlist { my ($cmdlist) = @_; - run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist"); + run_command(['iptables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist"); } sub ip6tables_restore_cmdlist { my ($cmdlist) = @_; - run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist"); + run_command(['ip6tables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist"); } sub ipset_restore_cmdlist { my ($cmdlist) = @_; - run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist"); + run_command(['ipset restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist"); } sub ebtables_restore_cmdlist { my ($cmdlist) = @_; - run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist"); + run_command(['ebtables-restore'], input => $cmdlist, errmsg => "ebtables_restore_cmdlist"); } sub iptables_get_chains { @@ -1825,7 +1825,7 @@ sub iptables_get_chains { } }; - run_command("/sbin/$iptablescmd-save", outfunc => $parser); + run_command(["$iptablescmd-save"], outfunc => $parser); return wantarray ? ($res, $hooks) : $res; } @@ -1869,7 +1869,7 @@ sub ipset_get_chains { } }; - run_command("/sbin/ipset save", outfunc => $parser); + run_command(['ipset', 'save'], outfunc => $parser); # compute digest for each chain foreach my $chain (keys %$chains) { @@ -1900,7 +1900,7 @@ sub ebtables_get_chains { } }; - run_command("/sbin/ebtables-save", outfunc => $parser); + run_command(['ebtables-save'], outfunc => $parser); # compute digest for each chain and store rules as well foreach my $chain (keys %$chains) { $res->{$chain}->{rules} = $chains->{$chain}; @@ -3519,7 +3519,8 @@ sub compile { $hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf; # cfs_update is handled by daemon or API - $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf; + $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") + if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1); $vmdata = read_local_vm_config(); $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef); @@ -4032,8 +4033,8 @@ sub get_ebtables_cmdlist { foreach my $chain (sort keys %$statushash) { my $stat = $statushash->{$chain}; - next if ($stat->{action} eq 'delete'); $changes = 1 if ($stat->{action} !~ 'ignore|exists'); + next if ($stat->{action} eq 'delete'); foreach my $cmd (@{$statushash->{$chain}->{'rules'}}) { if ($chain eq 'FORWARD' && $cmd eq $append_pve_to_forward) { @@ -4258,7 +4259,7 @@ sub update_nf_conntrack_logging { my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack"; PVE::Tools::file_set_contents($tmpfile, $value); - PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]); + run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]); $log_nf_conntrack_enabled = $value; } } @@ -4268,6 +4269,7 @@ sub remove_pvefw_chains { PVE::Firewall::remove_pvefw_chains_iptables("iptables"); PVE::Firewall::remove_pvefw_chains_iptables("ip6tables"); PVE::Firewall::remove_pvefw_chains_ipset(); + PVE::Firewall::remove_pvefw_chains_ebtables(); } @@ -4313,6 +4315,11 @@ sub remove_pvefw_chains_ipset { ipset_restore_cmdlist($cmdlist) if $cmdlist; } +sub remove_pvefw_chains_ebtables { + # apply empty ruleset = remove all our chains + ebtables_restore_cmdlist(get_ebtables_cmdlist({})); +} + sub init { my $cluster_conf = load_clusterfw_conf(); my $cluster_options = $cluster_conf->{options};