"This is equivalent to adding an empty ipfilter-net<id> ipset " .
"for every interface. Such ipsets implicitly contain sane default " .
"restrictions such as restricting IPv6 link local addresses to " .
- "the one derived from the interface's MAC address.",
+ "the one derived from the interface's MAC address. For containers " .
+ "the configured IP addresses will be implicitly added.",
type => 'boolean',
optional => 1,
},
# is no 'ipfilter-netX' ipset defiend gets an implicit empty default
# ipset.
# The reason is that ipfilter ipsets are always filled with standard
- # IPv6 link-local filters.
+ # IPv6 link-local filters, as well as the IP addresses configured
+ # for the container.
my $ipsets = $vmfw_conf->{ipset};
my $implicit_sets = {};
my $macaddr = $net->{hwaddr};
my $linklocal = mac_to_linklocal($macaddr);
- $device_ips->{$netid} = [
+ my $set = $device_ips->{$netid} = [
{ cidr => $linklocal },
{ cidr => 'fe80::/10', nomatch => 1 }
];
+ if ($net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!) {
+ push @$set, { cidr => $1 };
+ }
+ if ($net->{ip6} =~ m!^($IPV6RE)(?:/\d+)?$!) {
+ push @$set, { cidr => $1 };
+ }
}
generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets);
projects / pve-firewall.git / commitdiff