use 'all' instead of 'any'

Internally, use undef

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8be0c33005de8a6ac28d4f6f9c4f5facdbd9f9f6..7ff4ddf52acce5e97338f2849490fad23caabcbd 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -50,7 +50,7 @@ my $generate_input_rule = sub {
            $source = "${zoneref}:$rule->{source}";
        }
     } else {
-       $source = "any:$rule->{source}";
+       $source = "all:$rule->{source}";
     }
 
     return sprintf($rule_format, $action, $source, $dest, $rule->{proto} || '-', 
@@ -70,9 +70,9 @@ my $generate_output_rule = sub {
     my $dest;
 
     if (!$rule->{dest}) {
-       $dest = 'any';
+       $dest = 'all';
     } else {
-       $dest = "any:$rule->{dest}";
+       $dest = "all:$rule->{dest}";
     }
 
     return sprintf($rule_format, $action, "$zid:$tap", $dest, 
@@ -299,7 +299,7 @@ sub compile {
            foreach my $rule (@$inrules) {
                foreach my $netid (keys %{$netinfo->{$vmid}}) {
                    my $net = $netinfo->{$vmid}->{$netid};
-                   next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+                   next if $rule->{iface} && $rule->{iface} ne $netid;
                    $out .= &$generate_input_rule($zoneinfo, $rule, $net, $netid);
                }
            }
@@ -310,7 +310,7 @@ sub compile {
            foreach my $rule (@$outrules) {
                foreach my $netid (keys %{$netinfo->{$vmid}}) {
                    my $net = $netinfo->{$vmid}->{$netid};
-                   next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+                   next if $rule->{iface} && $rule->{iface} ne $netid;
                    $out .= &$generate_output_rule($zoneinfo, $rule, $net, $netid);
                }
            }

diff --git a/config/100.fw b/config/100.fw
index 30903cb8d4137d42c462ec729d8b9f928b92bbeb..889a1012fd2b7fe9b0b4f8ca295bb12cedeea404 100644 (file)
--- a/config/100.fw
+++ b/config/100.fw
@@ -1,13 +1,16 @@
 # Example VM firewall configuration
-#ACTION SOURCE DEST
+#ACTION IFACE SOURCE DEST
 
 [IN]
 
-ACCEPT net0 any any tcp 80
+SSH(ACCEPT) net0 192.168.2.192 -
 
 [OUT]
 
-ACCEPT net0 any any
+
+DNS(ACCEPT) net0
+Ping(ACCEPT) net0
+SSH(ACCEPT)
 
 
 

diff --git a/pvefw b/pvefw
index 978ffb15cdac07e95364d9c52bd137da2cd682f8..4ac96796e7331f32bbd293fafce45692f4f93478 100755 (executable)
--- a/pvefw
+++ b/pvefw
@@ -56,7 +56,7 @@ sub parse_fw_rules {
        my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
            split(/\s+/, $line);
 
-       if (!($action && $iface && $source && $dest)) {
+       if (!$action) {
            warn "skip incomplete line\n";
            next;
        }
@@ -75,26 +75,26 @@ sub parse_fw_rules {
            next;
        }
 
-       $iface = undef if $iface eq '-';
+       $iface = undef if $iface && $iface eq '-';
        if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
            warn "unknown interface '$iface'\n";
            next;
        }
 
-       $proto = undef if $proto eq '-';
+       $proto = undef if $proto && $proto eq '-';
        if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
            warn "unknown protokol '$proto'\n";
            next;
        }
 
-       $source = undef if $source eq '-';
+       $source = undef if $source && $source eq '-';
 
 #      if ($source !~ m/^(XYZ)$/) {
 #          warn "unknown source '$source'\n";
 #          next;
 #      }
 
-       $dest = undef if $dest eq '-';
+       $dest = undef if $dest && $dest eq '-';
 #      if ($dest !~ m/^XYZ)$/) {
 #          warn "unknown destination '$dest'\n";
 #          next;