[pve-devel] [PATCH v2 pve-firewall 4/5] split read_configuration from compile sub
Alexandre Derumier
aderumier at odiso.com
Mon Jan 14 10:16:02 CET 2019
---
src/PVE/Firewall.pm | 15 ++++++++++-----
src/PVE/Service/pve_firewall.pm | 10 ++++++----
test/fwtester.pl | 3 ++-
3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e092671..f738dba 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3397,7 +3397,7 @@ sub save_hostfw_conf {
}
}
-sub compile {
+sub read_config {
my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
my $vmfw_configs;
@@ -3424,6 +3424,12 @@ sub compile {
}
return ({},{},{},{}) if !$cluster_conf->{options}->{enable};
+ return ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
+}
+
+
+sub compile {
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose) = @_;
my $localnet;
if ($cluster_conf->{aliases}->{local_network}) {
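Review bot: The context line `return ({},{},{},{}) if !$cluster_conf->{options}->{enable};` now sits in read_config, so with the firewall disabled it returns four empty hashes as configuration rather than as rulesets, and the new compile no longer short-circuits. The three call sites in src/PVE/Service/pve_firewall.pm pass those empty hashes straight into compile, which presumably then builds rulesets from an empty configuration. Its body continues outside this hunk, so the exact result is not visible here. To keep the disabled-state output unchanged, let read_config return the loaded configs unconditionally and make `return ({},{},{},{}) if !$cluster_conf->{options}->{enable};` the first statement of the new compile. update() performs its own enable check and would then see the real cluster options instead of an empty hash.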
@@ -4197,7 +4203,8 @@ sub update {
return if !PVE::Cluster::check_cfs_is_mounted(1);
- my $cluster_conf = load_clusterfw_conf();
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = read_config();
+
my $cluster_options = $cluster_conf->{options};
if (!$cluster_options->{enable}) {
@@ -4205,9 +4212,7 @@ sub update {
return;
}
- my $hostfw_conf = load_hostfw_conf($cluster_conf);
-
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs);
apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $ebtables_ruleset);
};
diff --git a/src/PVE/Service/pve_firewall.pm b/src/PVE/Service/pve_firewall.pm
index 5a0dd04..b0fc62f 100755
--- a/src/PVE/Service/pve_firewall.pm
+++ b/src/PVE/Service/pve_firewall.pm
@@ -164,7 +164,8 @@ __PACKAGE__->register_method ({
if ($status eq 'running') {
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose);
$verbose = 0; # do not show iptables details
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
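Review bot: The added `my ($cluster_conf, ...) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);` declares a new `$cluster_conf` inside the `if` block while passing the outer one on the right-hand side. This works because a `my` variable is not visible until its statement ends, but the inner copy shadows the outer variable, so code after the block still sees the value from before read_config. Assigning to the existing variable, `($cluster_conf, my $hostfw_conf, my $vmdata, my $vmfw_configs) = PVE::Firewall::read_config($cluster_conf, undef, undef, $verbose);`, or using a distinct name for the result, would make the intent explicit. The hunk in test/fwtester.pl has the same pattern with `$vmdata`. The enclosing blocks start and end outside both hunks, so it is not visible whether later code relies on the outer values.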
@@ -201,8 +202,8 @@ __PACKAGE__->register_method ({
my $verbose = 1;
- my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose);
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, undef, $verbose);
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $verbose);
print "ipset cmdlist:\n";
my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
@@ -333,7 +334,8 @@ __PACKAGE__->register_method ({
local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
- my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose});
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, undef, $param->{verbose});
+ my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, $param->{verbose});
PVE::FirewallSimulator::debug($param->{verbose} || 0);
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..3c28d47 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -36,8 +36,9 @@ sub run_tests {
PVE::Firewall::local_network('172.16.1.0/24');
+ my ($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs) = PVE::Firewall::read_config(undef, undef, $vmdata, 1);
my ($ruleset, $ipset_ruleset) =
- PVE::Firewall::compile(undef, undef, $vmdata, 1);
+ PVE::Firewall::compile($cluster_conf, $hostfw_conf, $vmdata, $vmfw_configs, 1);
my $filename = "$testdir/$testfile";
my $fh = IO::File->new($filename) ||
--
2.11.0