
nftables: make is_nftables check flag file instead of config

is_nftables is used in the VM and CT network startup scripts to
determine whether the nftables firewall is enabled or not. This causes
issues on container and VM startup when loading the SDN config, since
it requires the RPCEnvironment which is not initialized yet. Therefore
change this check to look for the existence of the flag file instead.

It also avoids parsing the entire cluster and host firewall
configuration on every VM / CT startup, which improves startup performance.

While we're at it, make all methods related to the configuration
parsing private, in order to avoid accidental usage of the expensive
methods.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Stefan Hanreich 2024-11-15 13:09:33 +01:00 committed by Thomas Lamprecht
parent 4339ef1526
commit 632d02a8e2


@ -4679,7 +4679,14 @@ sub remove_pvefw_chains_ebtables {
ebtables_restore_cmdlist(get_ebtables_cmdlist({}));
}
# This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
sub is_nftables {
return !-e $FORCE_NFT_DISABLE_FLAG_FILE;
}
my sub get_nftables_option {
my ($cluster_conf, $host_conf) = @_;
if (!-x "/usr/libexec/proxmox/proxmox-firewall") {
@ -4695,9 +4702,6 @@ sub is_nftables {
my sub update_force_nftables_disable_flag {
my ($cluster_firewall_enabled, $is_nftables) = @_;
# This is checked in proxmox-firewall to avoid log-spam due to failing to parse the config
my $FORCE_NFT_DISABLE_FLAG_FILE = "/run/proxmox-nftables-firewall-force-disable";
if (!($cluster_firewall_enabled && $is_nftables)) {
if (! -e $FORCE_NFT_DISABLE_FLAG_FILE) {
open(my $_fh, '>', $FORCE_NFT_DISABLE_FLAG_FILE)
@ -4709,13 +4713,13 @@ my sub update_force_nftables_disable_flag {
}
}
sub is_enabled_and_not_nftables {
my sub is_enabled_and_not_nftables {
my ($cluster_conf, $host_conf) = @_;
$cluster_conf = load_clusterfw_conf() if !defined($cluster_conf);
$host_conf = load_hostfw_conf($cluster_conf) if !defined($host_conf);
my $is_nftables = is_nftables($cluster_conf, $host_conf);
my $is_nftables = get_nftables_option($cluster_conf, $host_conf);
update_force_nftables_disable_flag($cluster_conf->{options}->{enable}, $is_nftables);