From: Dietmar Maurer Date: Tue, 15 Apr 2014 05:29:50 +0000 (+0200) Subject: stop firewall inside update if firewall is disabled in cluster.fw X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=3dfa8a7f6d1c3eae51fa410eb818fcc1bd0b7ed2 stop firewall inside update if firewall is disabled in cluster.fw And some code cleanups.
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8c8e50a..60ba41d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2483,12 +2483,16 @@ sub save_hostfw_conf {
 }
 sub compile {
+ my ($cluster_conf, $hostfw_conf) = @_;
+
+ $cluster_conf = load_clusterfw_conf() if !$cluster_conf;
+ $hostfw_conf = load_hostfw_conf() if !$hostfw_conf;
+
 my $vmdata = read_local_vm_config();
 my $vmfw_configs = read_vm_firewall_configs($vmdata);
 my $routing_table = read_proc_net_route();
- my $cluster_conf = load_clusterfw_conf();
 my $ipset_ruleset = {};
 generate_ipset_chains($ipset_ruleset, $cluster_conf);
@@ -2500,7 +2504,6 @@ sub compile {
 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- my $hostfw_conf = load_hostfw_conf();
 my $hostfw_options = $hostfw_conf->{options} || {};
 generate_std_chains($ruleset, $hostfw_options);
@@ -2596,7 +2599,7 @@ sub compile {
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
- return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset;
+ return ($ruleset, $ipset_ruleset);
 }
 sub get_ruleset_status {
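Review bot: The rewritten return at the end of compile (hunk `@@ -2596`) drops the wantarray branch, so any caller that still invokes `compile()` in scalar context now silently receives `$ipset_ruleset` (the last element of the list) where it previously got `$ruleset`. The two pvefw call sites and update() are converted in this commit, but a scalar-context caller elsewhere in the tree would not fail loudly, so a grep for scalar assignments from `compile(` before merging is worthwhile. In the first hunk the new optional parameters are undocumented; a line above the signature such as `# $cluster_conf / $hostfw_conf: pass already-loaded configs (update() does) to avoid re-reading them; both are loaded here when omitted` would make the contract explicit. compile's body extends beyond the visible hunks.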
@@ -2868,9 +2871,29 @@ sub update {
 my ($start, $verbose) = @_;
 my $code = sub {
+
+ my $cluster_conf = load_clusterfw_conf();
+ my $cluster_options = $cluster_conf->{options};
+
+ my $enable = !(defined($cluster_options->{enable}) && ($cluster_options->{enable} == 0));
+
 my $status = read_pvefw_status();
- my ($ruleset, $hostfw_conf, $ipset_ruleset) = compile();
+ die "Firewall is disabled - cannot start\n" if !$enable && $start;
+
+ if (!$enable) {
+ if ($status ne 'stopped') {
+ print "trying to stop firewall (firewall is disabled)\n" if $verbose;
+ PVE::Firewall::remove_pvefw_chains();
+ PVE::Firewall::save_pvefw_status('stopped');
+ }
+ print "Firewall disabled\n" if $verbose;
+ return;
+ }
+
+ my $hostfw_conf = load_hostfw_conf();
+
+ my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf);
 if ($start || $status eq 'active') {
diff --git a/src/pvefw b/src/pvefw
index f02b12a..754a4ea 100755
--- a/src/pvefw
+++ b/src/pvefw
@@ -60,7 +60,7 @@ __PACKAGE__->register_method ({
 if !defined($param->{verbose}) && ($rpcenv->{type} eq 'cli');
 my $code = sub {
- my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
 if ($param->{verbose}) {
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, 1);
@@ -115,7 +115,7 @@ __PACKAGE__->register_method ({
 my $res = { status => $status };
 if ($status eq 'active') {
- my ($ruleset, $hostfw_conf, $ipset_ruleset) = PVE::Firewall::compile();
+ my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile();
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
 my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
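Review bot: In the update hunk (`@@ -2868`), `my $cluster_options = $cluster_conf->{options};` is undef when the cluster config carries no options, and the following `defined($cluster_options->{enable})` then works only through autovivification of `$cluster_options`, whereas compile() guards the equivalent host lookup with `|| {}`; for consistency write `my $cluster_options = $cluster_conf->{options} || {};`. The disabled path calls `remove_pvefw_chains()` and records the stopped status, but it is not visible here whether that helper also tears down the ipsets that compile() builds through `generate_ipset_chains`; if it does not, disabling the firewall leaves those ipsets in place (no traffic effect once no chain references them, but worth either a cleanup call or a comment stating that they are intentionally kept). The `$code` closure and update() continue past the end of the hunk.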
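Review bot: The enable check added to update() is not mirrored on the pvefw `compile` path (`@@ -60`): `PVE::Firewall::compile()` is called unconditionally, and as far as the visible hunks show compile() itself never consults the cluster `enable` option, so with the firewall disabled this command still builds a full ruleset and reports pending ipset and ruleset changes. What pvefw does with that result is outside the hunk, but the output is misleading at minimum; consider loading the cluster options here and short-circuiting with the same test as update() (or printing that the firewall is disabled) before compiling. The `@@ -115` hunk is consistent with the new behaviour since it compiles only while the status is 'active'.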