---
 src/PVE/Firewall.pm             | 15 ++++++++++-----
 src/PVE/Service/pve_firewall.pm | 10 ++++++----
 test/fwtester.pl                |  3 ++-
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e092671..f738dba 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3397,7 +3397,7 @@ sub save_hostfw_conf {
     }
 }
 
-sub compile {
+sub read_config {
     my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
 
     my $vmfw_configs;
@@ -3424,6 +3424,12 @@ sub compile {
     }
 
     return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
+    return ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
+}
+
+
+sub compile {
+    my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose) = @_;
 
     my $localnet;
     if ($cluster_conf->{aliases}->{local_network}) {
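Review bot: The disabled-firewall guard now sits only in `read_config`, where `return ({},{},{},{})` hands back four empty hashes as configs rather than as rulesets, and the new `compile` shown here has no equivalent check before it starts building rules. Before the split, every caller of `compile` got empty rulesets when `options->{enable}` was unset. After it, callers in `pve_firewall.pm` that do not test `enable` themselves would, as far as the visible lines show, compile a ruleset from empty configuration on a host where the firewall is switched off. Keeping the old contract takes one line at the top of `compile`: `return ({},{},{},{}) if !$cluster_conf->{options}->{enable};`. It would also help to document on `read_config` that an all-empty return means "disabled". `read_config` begins above this hunk and `compile` continues below it, so a later guard in `compile` cannot be ruled out from here.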
@@ -4197,7 +4203,8 @@ sub update {
 
         return if !PVE::Cluster::check_cfs_is_mounted(1);
 
-       my $cluster_conf = load_clusterfw_conf();
+       my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = 
read_config();
+
        my $cluster_options = $cluster_conf->{options};
 
        if (!$cluster_options->{enable}) {
@@ -4205,9 +4212,7 @@ sub update {
            return;
        }
 
-       my $hostfw_conf = load_hostfw_conf($cluster_conf);
-
-       my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
compile($cluster_conf, $hostfw_conf);
+       my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
 
        apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, 
$ebtables_ruleset);
     };
diff --git a/src/PVE/Service/pve_firewall.pm b/src/PVE/Service/pve_firewall.pm
index 5a0dd04..b0fc62f 100755
--- a/src/PVE/Service/pve_firewall.pm
+++ b/src/PVE/Service/pve_firewall.pm
@@ -164,7 +164,8 @@ __PACKAGE__->register_method ({
 
            if ($status eq 'running') {
                
-               my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+               my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = 
PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);
+               my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, 
$verbose);
 
                $verbose = 0; # do not show iptables details
                my (undef, undef, $ipset_changes) = 
PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
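Review bot: The added `my ($cluster_conf, ...) = PVE::Firewall::read_config($cluster_conf, ...)` declares a new `$cluster_conf` inside the `if ($status eq 'running')` block while passing the outer one as its argument. The rest of the block therefore works on a shadow copy, which becomes `{}` when the firewall is disabled, and the outer variable keeps the loaded config. Assigning to the existing variable makes the intent explicit: `($cluster_conf, my $hostfw_conf, my $vmdata, my $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);`. The `test/fwtester.pl` hunk does the same with `$vmdata`; if the earlier `$vmdata` is declared in the same scope of `run_tests`, which is not visible here, that line will also raise a "masks earlier declaration" warning. The enclosing method body starts and ends outside this hunk.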
@@ -201,8 +202,8 @@ __PACKAGE__->register_method ({
 
            my $verbose = 1;
 
-           my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, 
$verbose); 
-           my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+           my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = 
PVE::Firewall::read_config(undef, undef, undef, $verbose);
+           my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, 
$verbose);
 
            print "ipset cmdlist:\n";
            my (undef, undef, $ipset_changes) = 
PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
@@ -333,7 +334,8 @@ __PACKAGE__->register_method ({
 
        local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
 
-       my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
+       my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = 
PVE::Firewall::read_config(undef, undef, undef, $param->{verbose});
+       my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = 
PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, 
$param->{verbose});
 
        PVE::FirewallSimulator::debug($param->{verbose} || 0);
        
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..3c28d47 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -36,8 +36,9 @@ sub run_tests {
 
     PVE::Firewall::local_network('172.16.1.0/24');
 
+    my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = 
PVE::Firewall::read_config(undef, undef, $vmdata, 1);
     my ($ruleset, $ipset_ruleset) = 
-       PVE::Firewall::compile(undef, undef, $vmdata, 1);
+       PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, 
$vmfw_configs, 1);
 
     my $filename = "$testdir/$testfile";
     my $fh = IO::File->new($filename) ||
-- 
2.11.0
