+ # generate firewall rules for OpenVZ containers
+ foreach my $vmid (keys %{$vmdata->{openvz}}) {
+ my $conf = $vmdata->{openvz}->{$vmid};
+
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ next if !$vmfw_conf;
+ next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+
+ if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
+ my $ip = $conf->{ip_address}->{value};
+ generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'IN');
+ generate_venet_rules_direction($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ }
+
+ if ($conf->{netif} && $conf->{netif}->{value}) {
+ my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
+ foreach my $netid (keys %$netif) {
+ my $d = $netif->{$netid};
+ my $bridge = $d->{bridge};
+ if (!$bridge) {
+ warn "no bridge device for CT $vmid iface '$netid'\n";
+ next; # fixme?
+ }
+
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table);
+
+ my $macaddr = $d->{mac};
+ my $iface = $d->{host_ifname};
+ generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, $bridge, 'OUT');
+ }
+ }