From 383fe679e3a62b34c2dd937c0794ff218b333075 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 2 Mar 2016 12:59:15 +0100
Subject: [PATCH] ipfilter: include configured container IPs by default

---
 src/PVE/API2/Firewall/VM.pm |  3 ++-
 src/PVE/Firewall.pm         | 11 +++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 192737a..4fdf3da 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -43,7 +43,8 @@ my $option_properties = {
             "This is equivalent to adding an empty ipfilter-net ipset " .
             "for every interface. Such ipsets implicitly contain sane default " .
             "restrictions such as restricting IPv6 link local addresses to " .
-            "the one derived from the interface's MAC address.",
+            "the one derived from the interface's MAC address. For containers " .
+            "the configured IP addresses will be implicitly added.",
         type => 'boolean',
         optional => 1,
     },
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 73ae6f7..7dbe13d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3357,7 +3357,8 @@ sub compile_ipsets {
     # is no 'ipfilter-netX' ipset defiend gets an implicit empty default
     # ipset.
     # The reason is that ipfilter ipsets are always filled with standard
-    # IPv6 link-local filters.
+    # IPv6 link-local filters, as well as the IP addresses configured
+    # for the container.
 
     my $ipsets = $vmfw_conf->{ipset};
     my $implicit_sets = {};
@@ -3373,10 +3374,16 @@ sub compile_ipsets {
             my $macaddr = $net->{hwaddr};
             my $linklocal = mac_to_linklocal($macaddr);
 
-            $device_ips->{$netid} = [
+            my $set = $device_ips->{$netid} = [
                 { cidr => $linklocal },
                 { cidr => 'fe80::/10', nomatch => 1 }
             ];
+            if ($net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!) {
+                push @$set, { cidr => $1 };
+            }
+            if ($net->{ip6} =~ m!^($IPV6RE)(?:/\d+)?$!) {
+                push @$set, { cidr => $1 };
+            }
         }
 
         generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets);
-- 
2.39.5
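Review bot: The two added matches in the Firewall.pm hunk at -3373 apply the regex straight to `$net->{ip}` and `$net->{ip6}`, so if either key can be absent for an interface (only one address family configured), every ipset compile emits an "Use of uninitialized value in pattern match" warning under `use warnings`; guard each one, e.g. `if (defined($net->{ip}) && $net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!)` and likewise for `ip6`. The prefix length is deliberately kept out of the capture, so only the configured host address is admitted to the ipfilter set rather than the whole network; a comment on the first `if`, `# admit only the configured host address, never the whole prefix`, would keep the next reader from widening it by accident. Non-address values simply fail the anchored match, which looks intended, though `$` still tolerates a trailing newline where `\z` would not. The surrounding loop and `compile_ipsets` itself begin outside the hunk, and `$IPV4RE`/`$IPV6RE` are not shown here, so their scope is assumed.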