X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FFirewall.pm;fp=PVE%2FFirewall.pm;h=54f9c97d585de6b0624a932964a1fe31a4b808e7;hb=d8f2505e9f075f6314a852ccf1d249415e596c8a;hp=b4e262b1cf8d94e630fb92efe51a928bf5f26521;hpb=4b58651838d5194f55275bde1d4e929d3b86a647;p=pve-firewall.git
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index b4e262b..54f9c97 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -348,6 +348,12 @@ my $pve_fw_macros = {
 my $pve_fw_parsed_macros;
 my $pve_fw_preferred_macro_names = {};
 
+my $pve_std_chains = {
+ 'PVEFW-SET-ACCEPT-MARK' => [
+ "-j MARK --set-mark 1",
+ ],
+};
+
 # iptables -p icmp -h
 my $icmp_type_names = {
 any => 1,
@@ -1186,6 +1192,21 @@ sub read_vm_firewall_rules {
 return $rules;
 }
 
+sub generate_std_chains {
+ my ($ruleset) = @_;
+
+ foreach my $chain (keys %$pve_std_chains) {
+ ruleset_create_chain($ruleset, $chain);
+ foreach my $rule (@{$pve_std_chains->{$chain}}) {
+ if (ref($rule)) {
+ ruleset_generate_rule($ruleset, $chain, $rule);
+ } else {
+ ruleset_addrule($ruleset, $chain, $rule);
+ }
+ }
+ }
+}
+
 sub compile {
 my $vmdata = read_local_vm_config();
 my $rules = read_vm_firewall_rules($vmdata);
@@ -1204,8 +1225,7 @@ sub compile {
 ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
- ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
- ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
+ generate_std_chains($ruleset);
 
 my $enable_hostfw = 0;
 $filename = "/etc/pve/local/host.fw";
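Review bot: The chain loop in generate_std_chains iterates `keys %$pve_std_chains` in Perl's unordered hash iteration order, so once a second standard chain is added the emitted ruleset can differ between runs; if the compiled ruleset is ever compared textually against the active one (I cannot see that from this hunk), that would show up as spurious diffs, and sorted output is cheaper to review in any case. Changing the line to `foreach my $chain (sort keys %$pve_std_chains) {` gives deterministic output with no behavioural cost. The `ref($rule)` branch that dispatches to ruleset_generate_rule is not exercised by the single string entry in the table, so its contract (a hashref rule) is worth stating in a comment on `$pve_std_chains`, e.g. `# standard chains created before any user rules; entries are raw iptables argument strings or hashrefs for ruleset_generate_rule`. The hunk that adds the `generate_std_chains($ruleset)` call is inside `compile`, whose body begins and ends outside the hunk.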