--- src/PVE/Firewall.pm | 15 ++++++++++----- src/PVE/Service/pve_firewall.pm | 10 ++++++---- test/fwtester.pl | 3 ++- 3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e092671..f738dba 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3397,7 +3397,7 @@ sub save_hostfw_conf {
 }
 }
-sub compile {
+sub read_config {
 my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
 my $vmfw_configs;
@@ -3424,6 +3424,12 @@ sub compile {
 }
 return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
+ return ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
+}
+
+
+sub compile {
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose) = @_;
 my $localnet;
 if ($cluster_conf->{aliases}->{local_network}) {
@@ -4197,7 +4203,8 @@ sub update {
 return if !PVE::Cluster::check_cfs_is_mounted(1);
- my $cluster_conf = load_clusterfw_conf();
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = read_config();
+
 my $cluster_options = $cluster_conf->{options};
 if (!$cluster_options->{enable}) {
@@ -4205,9 +4212,7 @@ sub update {
 return;
 }
- my $hostfw_conf = load_hostfw_conf($cluster_conf);
-
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
 apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
 };
diff --git a/src/PVE/Service/pve_firewall.pm b/src/PVE/Service/pve_firewall.pm
index 5a0dd04..b0fc62f 100755
--- a/src/PVE/Service/pve_firewall.pm
+++ b/src/PVE/Service/pve_firewall.pm
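Review bot: The guard `return ({},{},{},{}) if !$cluster_conf->{options}->{enable};` that stays in read_config now returns four empty hashrefs where every caller destructures `($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs)`, so with the firewall disabled callers pass `{}` into compile instead of receiving the empty rulesets compile used to return. In update (the hunks at 4203 and 4212) this still lands in the disabled branch, but only because `{}` has no `options`, while the compile and simulate commands in pve_firewall.pm and fwtester.pl now run compile against an empty configuration, a behavior change the commit does not mention. I would move the guard into the new compile body right after its `my (...) = @_;` line, `return ({},{},{},{}) if !$cluster_conf->{options}->{enable};`, and let read_config return the loaded configs unconditionally. The config-loading part of read_config between the first two hunks is outside the view, so how it treats an undefined `$cluster_conf` is inferred here, not checked.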
@@ -164,7 +164,8 @@ __PACKAGE__->register_method ({
 if ($status eq 'running') {
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose);
 $verbose = 0; # do not show iptables details
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
@@ -201,8 +202,8 @@ __PACKAGE__->register_method ({
 my $verbose = 1;
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose);
 print "ipset cmdlist:\n";
 my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
@@ -333,7 +334,8 @@ __PACKAGE__->register_method ({
 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, undef, $param->{verbose});
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $param->{verbose});
 PVE::FirewallSimulator::debug($param->{verbose} || 0);
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..3c28d47 100755
--- a/test/fwtester.pl
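Review bot: The added `my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);` in the status hunk declares a new `$cluster_conf` whose initializer reads the outer `$cluster_conf`; this is legal because the right-hand side is evaluated before the new lexical comes into scope, but it reads like a self-assignment and leaves two same-named variables live in the surrounding sub. Since the loaded config is already in hand, `my (undef, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);` keeps a single `$cluster_conf` in this block. Whether read_config hands back the same reference it was given is not visible here; if it may substitute another, give the new variable a distinct name instead. The enclosing `code` sub starts and ends outside the hunk.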
+++ b/test/fwtester.pl
@@ -36,8 +36,9 @@ sub run_tests {
 PVE::Firewall::local_network('172.16.1.0/24');
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, $vmdata, 1);
 my ($ruleset, $ipset_ruleset) =
- PVE::Firewall::compile(undef, undef, $vmdata, 1);
+ PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, 1);
 my $filename = "$testdir/$testfile";
 my $fh = IO::File->new($filename) ||
-- 
2.11.0
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
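Review bot: The added line declares `my (..., $vmdata, ...)` while passing `$vmdata` on its right-hand side, so `$vmdata` is already in scope at this point; if it is declared in this same scope of run_tests (the sub opens outside the hunk), `use warnings` reports `"my" variable $vmdata masks earlier declaration in same scope`, and the compile call two lines later silently uses whichever value read_config returned rather than the test's own data. Passing the test's `$vmdata` through unchanged avoids both: `my ($cluster_conf, $hostfw_conf, undef, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, $vmdata, 1);`. The same enable-dependent early return in read_config discussed on the Firewall.pm hunks applies here too, since this call passes no cluster config.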