fix #4175: ignore non-filter ebtables tables

we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!

note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3c6f0df11cdea1abb0abaafafd6102ab8167074d..56868d4326228f5dc6b8350bcb41e98f783db7dc 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 
     my $res = {};
     my $chains = {};
+    my $table;
     my $parser = sub {
        my $line = shift;
        return if $line =~ m/^#/;
        return if $line =~ m/^\s*$/;
+       if ($line =~ m/^\*(\S+)$/) {
+           $table = $1;
+           return;
+       }
+
+       return if $table ne "filter";
+
        if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
            # Make sure we know chains exist even if they're empty.
            $chains->{$1} //= [];