X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=c946040404a2636812407013a684d6bea12fe2d7;hp=d300dc99b9e9fe98fe9ad2c7724372a46fe76cca;hb=c1031ab16cda7208eb161c891eceac31976a74b9;hpb=eacd4748486c3938890e0c2a623ef46950077437
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d300dc9..c946040 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1748,25 +1748,25 @@ sub enable_bridge_firewall {
 sub iptables_restore_cmdlist {
 my ($cmdlist) = @_;
- run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['iptables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 sub ip6tables_restore_cmdlist {
 my ($cmdlist) = @_;
- run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
+ run_command(['ip6tables-restore', '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
 }
 sub ipset_restore_cmdlist {
 my ($cmdlist) = @_;
- run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
+ run_command(['ipset restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist");
 }
 sub ebtables_restore_cmdlist {
 my ($cmdlist) = @_;
- run_command("/sbin/ebtables-restore", input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
+ run_command(['ebtables-restore'], input => $cmdlist, errmsg => "ebtables_restore_cmdlist");
 }
 sub iptables_get_chains {
@@ -1825,7 +1825,7 @@ sub iptables_get_chains {
 }
 };
- run_command("/sbin/$iptablescmd-save", outfunc => $parser);
+ run_command(["$iptablescmd-save"], outfunc => $parser);
 return wantarray ? ($res, $hooks) : $res;
 }
@@ -1869,7 +1869,7 @@ sub ipset_get_chains {
 }
 };
- run_command("/sbin/ipset save", outfunc => $parser);
+ run_command(['ipset', 'save'], outfunc => $parser);
 # compute digest for each chain
 foreach my $chain (keys %$chains) {
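Review bot: `run_command(['ipset restore'], …)` in ipset_restore_cmdlist puts "ipset restore" into a single argv element; with an array ref run_command presumably execs the list directly rather than through a shell (which is what the move from string to list form buys here), so this would look for an executable literally named `ipset restore` and the restore would fail. It should be split the same way the ipset_get_chains hunk in this commit does: `run_command(['ipset', 'restore'], input => $cmdlist, errmsg => "ipset_restore_cmdlist");`. Dropping the `/sbin/` prefix also means every one of these binaries is now resolved via PATH, so the code relies on the daemon running with a fixed, trusted PATH; a short comment stating that assumption next to the first call would help the next reader. The ip6tables variant still reports `errmsg => "iptables_restore_cmdlist"`, which is pre-existing but makes failures of the two commands indistinguishable in logs.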
@@ -1900,7 +1900,7 @@ sub ebtables_get_chains {
 }
 };
- run_command("/sbin/ebtables-save", outfunc => $parser);
+ run_command(['ebtables-save'], outfunc => $parser);
 # compute digest for each chain and store rules as well
 foreach my $chain (keys %$chains) {
 $res->{$chain}->{rules} = $chains->{$chain};
@@ -2418,7 +2418,8 @@ sub enable_host_firewall {
 });
 # allow multicast only if enabled in config
- $multicast_enabled = $corosync_conf->{main}->{totem}->{transport} // 0;
+ my $corosync_transport = $corosync_conf->{main}->{totem}->{transport};
+ $multicast_enabled = defined($corosync_transport) && $corosync_transport eq 'udp';
 }
 # host inbound firewall
@@ -2472,14 +2473,11 @@ sub enable_host_firewall {
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $destination = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $destination = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($destination)) {
 # accept only traffic on same ring
- if (defined($destination)) {
- ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-d $destination -s $node_ip $corosync_rule", "-j $accept_action");
 }
 });
 }
@@ -2541,14 +2539,11 @@ sub enable_host_firewall {
 PVE::Corosync::for_all_corosync_addresses($corosync_conf, $ipversion, sub {
 my ($node_name, $node_ip, $node_ipversion, $key) = @_;
+ my $source = $corosync_local_addresses->{$key};
- if ($node_name ne $local_hostname) {
- my $source = $corosync_local_addresses->{$key};
-
+ if ($node_name ne $local_hostname && defined($source)) {
 # accept only traffic on same ring
- if (defined($source)) {
- ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
- }
+ ruleset_addrule($ruleset, $chain, "-s $source -d $node_ip $corosync_rule", "-j $accept_action");
 }
 });
 }
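Review bot: The new multicast check in enable_host_firewall treats a missing `transport` key as "no multicast", whereas the removed line treated any defined transport as enabled; if corosync falls back to multicast udp when transport is unset for the supported corosync version, this hunk would now block cluster multicast on such nodes. The intent should be recorded next to the assignment, e.g. `# corosync only multicasts with transport 'udp'; unset or udpu/knet are unicast`, with the default confirmed against the corosync version the package targets. Note also that `$multicast_enabled` now receives `''` rather than `0` in the false case, which is fine for boolean tests but differs from the old `// 0` default if the value is ever logged or compared numerically. The enclosing function starts and ends outside this hunk.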
@@ -3524,7 +3519,8 @@ sub compile {
 $hostfw_conf = load_hostfw_conf($cluster_conf, undef) if !$hostfw_conf;
 # cfs_update is handled by daemon or API
- $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf") if !$corosync_conf;
+ $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf")
+ if !defined($corosync_conf) && PVE::Corosync::check_conf_exists(1);
 $vmdata = read_local_vm_config();
 $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef);
@@ -4037,8 +4033,8 @@ sub get_ebtables_cmdlist {
 foreach my $chain (sort keys %$statushash) {
 my $stat = $statushash->{$chain};
- next if ($stat->{action} eq 'delete');
 $changes = 1 if ($stat->{action} !~ 'ignore|exists');
+ next if ($stat->{action} eq 'delete');
 foreach my $cmd (@{$statushash->{$chain}->{'rules'}}) {
 if ($chain eq 'FORWARD' && $cmd eq $append_pve_to_forward) {
@@ -4263,7 +4259,7 @@ sub update_nf_conntrack_logging {
 my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack";
 PVE::Tools::file_set_contents($tmpfile, $value);
- PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
+ run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);
 $log_nf_conntrack_enabled = $value;
 }
 }
@@ -4273,6 +4269,7 @@ sub remove_pvefw_chains {
 PVE::Firewall::remove_pvefw_chains_iptables("iptables");
 PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
 PVE::Firewall::remove_pvefw_chains_ipset();
+ PVE::Firewall::remove_pvefw_chains_ebtables();
 }
@@ -4318,6 +4315,11 @@ sub remove_pvefw_chains_ipset {
 ipset_restore_cmdlist($cmdlist) if $cmdlist;
 }
+sub remove_pvefw_chains_ebtables {
+ # apply empty ruleset = remove all our chains
+ ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
+}
+
 sub init {
 my $cluster_conf = load_clusterfw_conf();
 my $cluster_options = $cluster_conf->{options};
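Review bot: The literal `1` passed to `PVE::Corosync::check_conf_exists(1)` in compile is opaque at the call site; presumably it is a noerr flag that turns a missing corosync.conf into a false return instead of a die, which is exactly what the new guard depends on. A named variable or comment would make that readable, e.g. `my $noerr = 1;` above the statement and `&& PVE::Corosync::check_conf_exists($noerr)` in the condition. When the file is absent `$corosync_conf` now stays undef for the rest of compile, so every later consumer must tolerate undef — the multicast and corosync-ring code in enable_host_firewall dereferences it — which should hold only if those sections sit under an `if ($corosync_conf)` guard that is outside this hunk. compile's body continues outside the hunk.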
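Review bot: remove_pvefw_chains_ebtables calls ebtables_restore_cmdlist unconditionally, while its sibling remove_pvefw_chains_ipset directly above guards with `if $cmdlist`; if get_ebtables_cmdlist can return an empty or undef command list in scalar context, this runs ebtables-restore with empty input. Mirroring the sibling keeps the two consistent: `my $cmdlist = get_ebtables_cmdlist({}); ebtables_restore_cmdlist($cmdlist) if $cmdlist;`. Since remove_pvefw_chains (the -4273 hunk) now always calls this, a host without ebtables installed would die inside run_command where it previously completed; worth confirming ebtables is a hard package dependency or guarding the call.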