use PVE::Firewall;
use File::Basename;
use Net::IP;
-use PVE::LXC;
-use PVE::QemuServer;
-my $mark;
+# dynamically include PVE::QemuServer and PVE::LXC
+# to avoid dependency problems
+my $have_qemu_server;
+eval {
+ require PVE::QemuServer;
+ $have_qemu_server = 1;
+};
+
+my $have_lxc;
+eval {
+ require PVE::LXC;
+ $have_lxc = 1;
+};
+
+my $mark = 0;
my $trace;
my $debug = 0;
+my $NUMBER_RE = qr/0x[0-9a-fA-F]+|\d+/;
+
sub debug {
my $new_value = shift;
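Review bot: The two `eval { require … }` blocks swallow every failure, not only a missing module: a syntax or runtime error inside PVE::QemuServer or PVE::LXC leaves the flag unset, and every vm/ct test later returns 'SKIPPED' instead of failing, which hides a genuinely broken dependency behind a skip. Only the "Can't locate" case should be treated as the module being optional; any other error should propagate, e.g. `eval { require PVE::LXC; $have_lxc = 1; }; die $@ if $@ && $@ !~ /^Can't locate /;` and the same for the QemuServer block. The existing comment could then say why the modules are optional and that a present-but-broken module still dies, so the next reader does not reintroduce the blanket catch.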
sub rule_match {
my ($ipset_ruleset, $chain, $rule, $pkg) = @_;
- $rule =~ s/^-A $chain // || die "got strange rule: $rule";
+ $rule =~ s/^-A $chain +// || die "got strange rule: $rule";
while (length($rule)) {
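Review bot: On the changed line `$chain` is interpolated into the substitution pattern unescaped, so a chain name containing a regex metacharacter would be treated as a pattern rather than a literal and either trigger the `die "got strange rule"` branch or match a different prefix than intended. Quoting it is a one-token change: `$rule =~ s/^-A \Q$chain\E +// || die "got strange rule: $rule";`. rule_match continues past the end of the hunk.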
next;
}
- if ($rule =~ s/^-m mark --mark (\d+)\s*//) {
- return undef if !defined($mark) || $mark != $1;
+ if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) {
+ my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+ return undef if ($mark & $mask) != $value;
next;
}
# final actions
- if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
- $mark = $1;
+ if ($rule =~ s@^-j MARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) {
+ my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+ $mark = ($mark & ~$mask) | $value;
return undef;
}
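Review bot: Both calls to PVE::Firewall::get_mark_values pass `$2`, which is undef whenever the optional `/mask` group did not match, and the bit arithmetic on the following lines (`$mark & $mask`, `$mark & ~$mask`) is only meaningful if that helper substitutes an all-ones mask for an undefined one; that is not visible in this diff and should be confirmed, since an undef `$mask` would otherwise warn and yield a zero mask that makes every `--mark` rule match. The iptables semantics being modelled deserve a comment so the expressions are not "simplified" later, e.g. `# iptables: --mark value/mask matches when (mark & mask) == value` above the comparison and `# --set-mark value/mask rewrites only the bits selected by mask` above the assignment. Note that `$mark` is now file-level state initialised to 0 rather than undef, so the old "no mark set yet" guard is gone; a reader should know the simulator relies on that default. The enclosing while loop and rule_match start and end outside the hunk.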
my $info = { type => 'ct', vmid => $vmid };
my $conf = $vmdata->{lxc}->{$vmid} || die "no such CT '$vmid'";
- my $net = PVE::LXC::parse_lxc_network($conf->{"net$netnum"});
+ my $net = PVE::LXC::Config->parse_lxc_network($conf->{"net$netnum"});
$info->{macaddr} = $net->{hwaddr} || die "unable to get mac address";
$info->{bridge} = $net->{bridge} || die "unable to get bridge";
$info->{fwbr} = "fwbr${vmid}i$netnum";
$from_info->{iface} = 'tapXYZ';
$start_state = 'from-bport';
} elsif ($from =~ m/^ct(\d+)$/) {
+ return 'SKIPPED' if !$have_lxc;
my $vmid = $1;
$from_info = extract_ct_info($vmdata, $vmid, 0);
$start_state = 'fwbr-out';
$pkg->{mac_source} = $from_info->{macaddr};
} elsif ($from =~ m/^vm(\d+)(i(\d))?$/) {
+ return 'SKIPPED' if !$have_qemu_server;
my $vmid = $1;
my $netnum = $3 || 0;
$from_info = extract_vm_info($vmdata, $vmid, $netnum);
$target->{bridge} = 'vmbr0';
$target->{iface} = 'tapXYZ';
} elsif ($to =~ m/^ct(\d+)$/) {
+ return 'SKIPPED' if !$have_lxc;
my $vmid = $1;
$target = extract_ct_info($vmdata, $vmid, 0);
$target->{iface} = $target->{tapdev};
} elsif ($to =~ m/^vm(\d+)$/) {
+ return 'SKIPPED' if !$have_qemu_server;
my $vmid = $1;
$target = extract_vm_info($vmdata, $vmid, 0);
$target->{iface} = $target->{tapdev};