when globally disabling the FW, or on shutdown of firewall service. otherwise, ebtables rules are leftover (and perpetually displayed as pending changes as well).
the actual removal is done by taking the same code path as when disabling just ebtables on the cluster level, i.e. applying an empty ruleset. Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com> --- Notes: another approach would be to make ebtables_get_chains more like iptables_get_chains, and then re-use remove_pvefw_chains_iptables.. should backport cleanly to stable-5 src/PVE/Firewall.pm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 96c45e9..4147f87 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -4269,6 +4269,7 @@ sub remove_pvefw_chains { PVE::Firewall::remove_pvefw_chains_iptables("iptables"); PVE::Firewall::remove_pvefw_chains_iptables("ip6tables"); PVE::Firewall::remove_pvefw_chains_ipset(); + PVE::Firewall::remove_pvefw_chains_ebtables(); } @@ -4314,6 +4315,12 @@ sub remove_pvefw_chains_ipset { ipset_restore_cmdlist($cmdlist) if $cmdlist; } +sub remove_pvefw_chains_ebtables { + # empty ruleset == ebtables disabled + my ($cmdlist, $changes) = get_ebtables_cmdlist({}); + ebtables_restore_cmdlist($cmdlist) if $changes && $cmdlist; +} + sub init { my $cluster_conf = load_clusterfw_conf(); my $cluster_options = $cluster_conf->{options}; -- 2.20.1 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
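Review bot: In the first hunk the new `PVE::Firewall::remove_pvefw_chains_ebtables();` call is unconditional, and since `remove_pvefw_chains` is (per the commit message) also the path taken on shutdown of the firewall service, every stop now ends in an `ebtables_restore_cmdlist` call; please confirm that a failure in that restore step (it is called last, after the iptables, ip6tables and ipset cleanup) is logged but does not abort the shutdown, so the already-removed iptables chains are not left in a half-torn-down state. The ordering itself is fine, as the ebtables ruleset is independent of the iptables chains removed just before it.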
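Review bot: In the second hunk the comment `# empty ruleset == ebtables disabled` explains the `{}` argument, but it would help to also say that `$changes` is what makes the call a no-op when no ebtables rules are loaded, since `ebtables_restore_cmdlist($cmdlist) if $changes && $cmdlist;` is the only thing preventing a restore on every shutdown of an already-clean host; one extra comment line stating "only apply if the live ruleset differs from the empty one" would make the intent clear to the next reader. Given the Notes mention an alternative of making `ebtables_get_chains` mirror `iptables_get_chains` so `remove_pvefw_chains_iptables` could be reused, a short comment referencing why the empty-ruleset path was chosen instead would also help whoever revisits this for stable-5.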