X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=c95beddc9249dffa324e3d95a090751222ed9975;hb=44cb379d0abf6049cb19ab0e0bbe091a94767791;hp=835b26a5e8b243f480867489a85083dac17ba778;hpb=a01c32c752ad1e5906f1bfda9e4e93b01a4b8bc0;p=pve-firewall.git
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..c95bedd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1575,7 +1575,7 @@ sub generate_venet_rules_direction {
     # plug into FORWARD, INPUT and OUTPUT chain
     if ($direction eq 'OUT') {
-        ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+        ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
             action => $chain,
             source => $ip,
             iface_in => 'venet0'});
@@ -1585,7 +1585,7 @@ sub generate_venet_rules_direction {
             source => $ip,
             iface_in => 'venet0'});
     } else {
-        ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+        ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
             action => $chain,
             dest => $ip,
             iface_out => 'venet0'});
@@ -2186,22 +2186,6 @@ sub read_local_vm_config {
     return $vmdata;
 };
-sub read_bridges_config {
-    my $bridgehash = {};
-    dir_glob_foreach('/sys/class/net', 'vmbr(\d+)', sub {
-        my ($bridge) = @_;
-        dir_glob_foreach("/sys/class/net/$bridge/brif", '((eth|bond)(\d+)(\.(\d+))?)', sub {
-            my ($interface) = @_;
-            push @{$bridgehash->{$bridge}}, $interface;
-        });
-    });
-    return $bridgehash;
-};
-
 sub load_vmfw_conf {
     my ($vmid) = @_;
@@ -2563,8 +2547,6 @@ sub compile {
     my $vmdata = read_local_vm_config();
     my $vmfw_configs = read_vm_firewall_configs($vmdata);
-    my $bridges_config = read_bridges_config();
-
     my $ipset_ruleset = {};
     generate_ipset_chains($ipset_ruleset, $cluster_conf);
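Review bot: The context comment `# plug into FORWARD, INPUT and OUTPUT chain` at the top of this hunk is now stale, because the rule inserted two lines below it goes into PVEFW-VENET-OUT rather than PVEFW-FORWARD, and the IN branch in the next hunk likewise targets PVEFW-VENET-IN. I would reword it to `# plug into the per-direction VENET-OUT/VENET-IN chains (jumped to from FORWARD) and into the INPUT and OUTPUT chains`, so a reader looking for the FORWARD hook is pointed at compile() where the jump is installed. The body of generate_venet_rules_direction starts before this hunk and continues after it.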
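Review bot: The per-rule `iface_out => 'venet0'` match kept on the last line of the hunk duplicates the `-o venet0` condition that now gates the jump into PVEFW-VENET-IN, so every rule in that chain repeats an interface test the parent jump already made; the same applies to `iface_in => 'venet0'` in the OUT branch. Keeping it is harmless and gives defence in depth should the chain ever be reached by another path, but that intent should be written down rather than left looking like an oversight, e.g. `# iface match duplicates the -o venet0 jump in compile(); kept so the chain stays safe if reached otherwise`. Note also that this branch appends with ruleset_generate_rule while the OUT branch uses ruleset_generate_rule_insert; presumably deliberate, but with dedicated per-direction chains the reason for the asymmetry is worth a sentence. The enclosing if/else and the function continue outside the hunk.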
@@ -2575,12 +2557,18 @@ sub compile {
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+    ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+
     ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
     ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
+    ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
+
     my $hostfw_options = $hostfw_conf->{options} || {};
     # fixme: what log level should we use here?
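Review bot: The two new chains are created empty here and get no terminal rule of their own, so a packet that enters PVEFW-VENET-OUT through the `-i venet0` jump on the third line and matches none of the per-container rules returns to PVEFW-FORWARD and is handled by whatever follows, which lies outside this hunk. If that fall-through is intended it should be stated next to the jump, e.g. `# per-CT rules are added by generate_venet_rules_direction(); venet0 traffic matching none of them returns to PVEFW-FORWARD`, otherwise an explicit final drop (with the usual log rule) in each chain would close the gap. Placing the venet jumps before and after the physdev jumps looks safe on the assumption that venet0 traffic never carries a physdev match, but that assumption deserves a word as well. compile() continues outside the hunk.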