- my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, $bridge, 'OUT');
- }
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -m set --match-set ${venet0_ipset_chain} dst -j PVEFW-VENET-IN");
+
+ generate_std_chains($ruleset, $hostfw_options);
+
+ my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
+
+ my $ipset_ruleset = {};
+
+ if ($hostfw_enable) {
+ eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
+ warn $@ if $@; # just to be sure - should not happen
+ }
+
+ ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -m set --match-set ${venet0_ipset_chain} dst -j PVEFW-VENET-IN");
+
+ # generate firewall rules for QEMU VMs
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ eval {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+ return if !$vmfw_conf->{options}->{enable};
+
+ generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
+
+ foreach my $netid (keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net->{firewall};
+ my $iface = "tap${vmid}i$1";
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN');
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT');
+ }
+ };
+ warn $@ if $@; # just to be sure - should not happen