};
my $parse_tap_devive_name = sub {
- my ($iface) = @_;
+ my ($iface, $noerr) = @_;
my ($vmid, $devid);
$vmid = $1;
$devid = $2;
} else {
- die "wrong interface name $iface";
+ return undef if $noerr;
+ die "can't create firewall bridge for random interface name '$iface'\n";
}
return ($vmid, $devid);
my ($vmid, $devid) = @_;
my $fwbr = "fwbr${vmid}i${devid}";
- my $vethfw = "link${vmid}i${devid}";
- my $vethfwpeer = "link${vmid}p${devid}";
- my $ovsintport = "fwint${vmid}i${devid}";
+ # Note: the firewall use 'fwln+' to filter traffic to VMs
+ my $vethfw = "fwln${vmid}i${devid}";
+ my $vethfwpeer = "fwpr${vmid}p${devid}";
+ my $ovsintport = "fwln${vmid}o${devid}";
return ($fwbr, $vethfw, $vethfwpeer, $ovsintport);
};
&$activate_interface($vethfw);
&$activate_interface($vethfwpeer);
- &$bridge_add_interface($bridge, $vethfw);
- &$bridge_add_interface($fwbr, $vethfwpeer);
+ &$bridge_add_interface($fwbr, $vethfw);
+ &$bridge_add_interface($bridge, $vethfwpeer);
return $fwbr;
};
&$bridge_add_interface($fwbr, $iface);
&$ovs_bridge_add_port($bridge, $ovsintport, $tag, 1);
+ &$activate_interface($ovsintport);
# set the same mtu for ovs int port
PVE::Tools::run_command("/sbin/ifconfig $ovsintport mtu $bridgemtu");
my $cleanup_firewall_bridge = sub {
my ($iface) = @_;
- my ($vmid, $devid) = &$parse_tap_devive_name($iface);
+ my ($vmid, $devid) = &$parse_tap_devive_name($iface, 1);
+ return if !defined($vmid);
my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
# cleanup old port config from any openvswitch bridge
projects / pve-common.git / blobdiff