- if ($rules) {
- foreach my $rule (@$rules) {
- next if $rule->{iface} && $rule->{iface} ne $netid;
- # we go to $bridge-IN if accept in out rules
- if($rule->{action} =~ m/^(GROUP-(\S+))$/){
- $rule->{action} .= "-$direction";
- # generate empty group rule if don't exist
- if(!ruleset_chain_exist($ruleset, $rule->{action})){
- generate_group_rules($ruleset, $group_rules, $2);
- }
- ruleset_generate_rule($ruleset, $tapchain, $rule);
- ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN")
- if $direction eq 'OUT';
+ foreach my $rule (@$rules) {
+ next if $rule->{iface} && $rule->{iface} ne $netid;
+ next if $rule->{disable};
+ if ($rule->{type} eq 'group') {
+ my $group_chain = "GROUP-$rule->{action}-$direction";
+ if(!ruleset_chain_exist($ruleset, $group_chain)){
+ generate_group_rules($ruleset, $groups_conf, $rule->{action});
+ }
+ ruleset_addrule($ruleset, $tapchain, "-j $group_chain");
+ ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN")
+ if $direction eq 'OUT';
+ } else {
+ next if $rule->{type} ne $lc_direction;
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule($ruleset, $tapchain, $rule,
+ { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });