From a1f5aa007a46b1e25106e5e47421fa889e41ac1c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Wed, 27 Jul 2022 15:07:52 +0200
Subject: [PATCH] fix #4175: ignore non-filter ebtables tables
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

we only ever add rules to the filter table, without this we'd add all rules from other tables (which might have been manually filled by the admin) to the filter table as well - adding another copy on every iteration of the firewall update cycle! note that ebtables-restore seems to flush tables contained in its input, but leave those alone which are not referenced at all.
Signed-off-by: Fabian Grünbichler
---
 src/PVE/Firewall.pm | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3c6f0df..56868d4 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1971,10 +1971,18 @@ sub ebtables_get_chains {
 my $res = {};
 my $chains = {};
+ my $table;
 my $parser = sub {
 my $line = shift;
 return if $line =~ m/^#/;
 return if $line =~ m/^\s*$/;
+ if ($line =~ m/^\*(\S+)$/) {
+ $table = $1;
+ return;
+ }
+
+ return if $table ne "filter";
+
 if ($line =~ m/^:(\S+)\s(ACCEPT|DROP|RETURN)$/) {
 # Make sure we know chains exist even if they're empty.
 $chains->{$1} //= [];
-- 
2.39.2
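Review bot: `$table` is still undef when the parser reaches `return if $table ne "filter";` for any rule line that precedes the first `*table` header, so the comparison raises an "uninitialized value" warning (if warnings are enabled in this file) and the line is skipped only as a side effect of undef not comparing equal to "filter". Making that explicit, e.g. `return if !defined($table) || $table ne "filter";`, keeps the same skipping behaviour without log noise on every firewall update cycle. A short comment above the check, such as `# we only manage the filter table; leave rules in other tables untouched`, would record why other tables are ignored. The closure and ebtables_get_chains continue past the end of the hunk, so how input with no `*filter` header at all is handled afterwards cannot be judged from here.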