use Data::Dumper;
+# fixme: remove loglevel settings? NFLOG does not have --loglevel
+
my $nodename = PVE::INotify::nodename();
my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-in -j $bridge-FW");
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
- ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
- ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-in -j $bridge-OUT");
+ ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT");
}
if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
ruleset_create_chain($ruleset, "$bridge-IN");
- ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN");
ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT");
# accept traffic to unmanaged bridge ports
- ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT ");
+ ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT ");
}
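Review bot: The `-i $bridge --physdev-is-in` jump at L11 no longer carries `--physdev-is-bridged`, so a packet that enters through a bridge port and is then routed out of another interface now also lands in `$bridge-FW` and, via L17, in `$bridge-OUT`; before this change only bridged frames took that path. That looks intentional (routed VM traffic gets the same egress rules as bridged traffic), but nothing in the hunk says so, and the `--physdev-is-out` rules at L10/L23/L27 only ever match bridged frames in FORWARD anyway, so the widening is one-sided. Please state it where the chain is wired up, e.g. `# no --physdev-is-bridged: routed packets from a bridge port must also pass the VM OUT rules` above L11. The enclosing sub starts before this hunk, so I cannot see whether `$bridge` is validated before being interpolated into the rule strings.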
}
ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop");
- ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel")
+ ruleset_addrule($ruleset, $chain, "-j NFLOG --nflog-prefix \"$chain-dropped: \"")
if defined($loglevel);
ruleset_addrule($ruleset, $chain, "-j DROP");
} elsif ($policy eq 'REJECT') {
ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject");
- ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel")
+ ruleset_addrule($ruleset, $chain, "-j NFLOG --nflog-prefix \"$chain-reject: \"")
if defined($loglevel);
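Review bot: The NFLOG rules at L32 and L38 give no `--nflog-group`, so they default to group 0; if the userspace logger binds a different group, or is not running, the kernel silently discards the log messages (NFLOG has no dmesg fallback the way LOG does), which turns a misconfiguration into a quiet loss of drop/reject evidence. Making the group explicit, `-j NFLOG --nflog-group 0 --nflog-prefix \"$chain-dropped: \"` (and the same at L38), documents the contract with the logger and makes the dependency grep-able. Note also that `$loglevel` now only gates whether the rule exists; the configured severity is no longer encoded anywhere in the rule, so the logger cannot reconstruct it. The enclosing sub begins and ends outside this hunk.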
ruleset_addrule($ruleset, $chain, "-g PVEFW-reject");
ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action);
# plug the tap chain to bridge chain
- my $physdevdirection = $direction eq 'IN' ? "out" : "in";
- my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
- ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
+ if ($direction eq 'IN') {
+ ruleset_insertrule($ruleset, "$bridge-IN",
+ "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain");
+ } else {
+ ruleset_insertrule($ruleset, "$bridge-OUT",
+ "-m physdev --physdev-in $iface -j $tapchain");
+ }
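Review bot: The two branches are deliberately asymmetric: the IN rule at L48 keeps `--physdev-is-bridged` while the OUT rule at L51 drops it, and the reason is only visible elsewhere in the diff (`$bridge-OUT` is also reached from PVEFW-INPUT at L18, where VM-to-host traffic is not bridged and would never match). That deserves a comment in the branch itself, since a later "cleanup" that restores the flag would silently exempt VM-to-host packets from the OUT rules: `# no --physdev-is-bridged: $bridge-OUT is also entered from PVEFW-INPUT for non-bridged VM->host traffic`. The old code at L44 interpolated `$physdevdirection` into the option name; the new form is fixed strings, which is safer. The enclosing sub starts before this hunk.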
}
sub enable_host_firewall {
# same as shorewall smurflog.
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-smurflog'} = [
- "-j LOG --log-prefix \"smurfs-dropped: \" --log-level $loglevel",
+ "-j NFLOG --nflog-prefix \"smurfs-dropped: \"",
"-j DROP",
];
} else {
$loglevel = get_option_log_level($options, 'tcp_flags_log_level');
if (defined($loglevel)) {
$pve_std_chains-> {'PVEFW-logflags'} = [
- "-j LOG --log-prefix \"logflags-dropped: \" --log-level $loglevel --log-ip-options",
+ # fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG)
+ "-j NFLOG --nflog-prefix \"logflags-dropped: \"",
"-j DROP",
];
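Review bot: The FIXME at L67 asks whether the lost `--log-ip-options` matters; with NFLOG the full packet is copied to userspace by default (copy size 0 means the whole packet), so the IP options are present in the delivered skb and it is the logger's parser that decides whether they are printed. If that is confirmed, replace the question with a statement so the next reader does not re-investigate, e.g. `# NFLOG delivers the whole packet; IP options are available to the logger, unlike LOG which needed --log-ip-options`. The comment also has two typos ("ther", "pvewf-logger") worth fixing while it is touched. The enclosing sub starts before this hunk.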
} else {
generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table);
- my $macaddr = $d->{host_mac};
+ my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
# disable interbridge routing
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j NFLOG --nflog-prefix \"PVEFW-FORWARD-dropped \"");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j NFLOG --nflog-prefix \"PVEFW-FORWARD-dropped \"");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
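Review bot: The NFLOG rules at L83 and L84 are unconditional, whereas every other log rule in this diff (L31-L33, L37-L39, L56-L61) is gated on `defined($loglevel)`; before the change these lines interpolated `$loglevel` and so at least failed loudly when it was unset, now they always log every inter-bridge forward drop regardless of configuration. If `$loglevel` is in scope here (the enclosing sub starts before this hunk, so I cannot verify it), append `if defined($loglevel);` to both, matching the rest of the file; otherwise fetch it the same way the other chains do. Unconditional logging of a catch-all drop rule on `vmbr+` is also an easy way for a guest to flood the nflog socket and starve the logger of the messages that matter.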