skip tap rule generation if vmfw is disabled
index e46a3b1716fef8665a0c17c472b651ab0a0cca47..e8bcec4069c7e1969f07fdbfe3eaf619d7e29694 100644 (file)
@@ -2387,10 +2387,10 @@ sub generate_tap_rules_direction {
     # plug the tap chain to bridge chain
     if ($direction eq 'IN') {
        ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
-                       "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+                       "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
     } else {
        ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
-                       "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+                       "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
     }
 }
 
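Review bot: The two bridge jump rules lose their `$loglevel, 'FWBR-IN: ', $vmid` and `$loglevel, 'FWBR-OUT: ', $vmid` arguments, which the commit subject about skipping disabled VMs does not cover; if ruleset_addrule still honours those trailing arguments, this silently stops logging packets as they are handed from PVEFW-FWBR-IN/OUT into a VM's tap chain, and that deserves a sentence in the commit message. If the logging parameters were removed from ruleset_addrule elsewhere in this series, a short comment on the call saying where (if anywhere) the jump is now logged would spare the next reader the search. generate_tap_rules_direction starts outside the hunk.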
@@ -3544,7 +3544,7 @@ sub compile_iptables_filter {
        eval {
            my $conf = $vmdata->{qemu}->{$vmid};
            my $vmfw_conf = $vmfw_configs->{$vmid};
-           return if !$vmfw_conf;
+           return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
 
            foreach my $netid (sort keys %$conf) {
                next if $netid !~ m/^net(\d+)$/;
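Review bot: The new guard `return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};` treats a missing `enable` option exactly like `enable: 0`, so a VM whose firewall file exists but has no such option now gets no tap rules at all; if that is the intended default, a comment would keep someone from "fixing" it later, e.g. `# VM firewall is off unless explicitly enabled: no options/enable means no per-VM chains`. The identical expression is added again in the lxc loop further down; a tiny helper such as `sub _vmfw_enabled { my ($c) = @_; return $c && $c->{options}->{enable}; }` would keep the two places from drifting apart. Note that `return` inside `eval { ... }` only leaves the eval block, which is what the original line already relied on. compile_iptables_filter starts and ends outside the hunk.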
@@ -3567,9 +3567,7 @@ sub compile_iptables_filter {
         eval {
             my $conf = $vmdata->{lxc}->{$vmid};
             my $vmfw_conf = $vmfw_configs->{$vmid};
-            return if !$vmfw_conf;
-
-            if ($vmfw_conf->{options}->{enable}) {
+            return if !$vmfw_conf || !$vmfw_conf->{options}->{enable};
                foreach my $netid (sort keys %$conf) {
                     next if $netid !~ m/^net(\d+)$/;
                     my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
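Review bot: The loop body below the new `return if` keeps the indentation of the removed `if ($vmfw_conf->{options}->{enable}) {` block, so `foreach` sits one level deeper than the guard and reads as if an enclosing block were still open; its closing brace is dropped in the next hunk of this function. A whitespace-only re-indent of the loop body, through the former inner `}`, would make the lxc branch line up with the qemu branch above, which already uses the flat shape. compile_iptables_filter starts and ends outside the hunk.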
@@ -3580,7 +3578,6 @@ sub compile_iptables_filter {
                                                  $vmfw_conf, $vmid, 'IN', $ipversion);
                     generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
                                                  $vmfw_conf, $vmid, 'OUT', $ipversion);
-               }
             }
         };
         warn $@ if $@; # just to be sure - should not happen
@@ -3782,11 +3779,11 @@ sub compile_ebtables_filter {
                        push(@$arpfilter, $ip);
                    }
                }
-               if ($net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+               if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
                    # ebtables changes this to a .0/MASK network but we just
                    # want the address here, no network - see #2193
-                   $net->{ip} =~ s|/(\d+)$||;
-                   push @$arpfilter, $net->{ip};
+                   $ip =~ s|/(\d+)$||;
+                   push @$arpfilter, $ip;
                }
                generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
            }
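Review bot: Replacing `if ($net->{ip} && ...)` with `defined(my $ip = $net->{ip})` changes which values pass the check: an empty-string `ip` was rejected before and is now pushed onto `$arpfilter` as-is, since the mask strip does not match it, and what generate_tap_layer2filter does with an empty entry is not visible here. Unless an empty value is impossible at this point, `if ((my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter})` keeps the old truthiness test while still avoiding the in-place edit of `$net->{ip}` that this commit rightly removes. The capture in `s|/(\d+)$||` is never read; `s{/\d+\z}{}` says the same without setting `$1`. compile_ebtables_filter starts and ends outside the hunk.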