add MAC filter

[pve-firewall.git] / PVE / Firewall.pm

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 0969963698821c93740f2c6e8b050705b9e32fe8..24bc2c756aee9094ff27a5e45797afc5c5a70531 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -307,7 +307,7 @@ sub generate_bridge_chains {
 }
 
 sub generate_tap_rules_direction {
-    my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
+    my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
 
     my $tapchain = "$iface-$direction";
 
@@ -316,6 +316,10 @@ sub generate_tap_rules_direction {
     ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
     ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
 
+    if ($direction eq 'OUT' && defined($macaddr)) {
+       ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+    }
+
     if ($rules) {
         foreach my $rule (@$rules) {
            next if $rule->{iface} && $rule->{iface} ne $netid;
@@ -621,8 +625,9 @@ sub compile {
 
            generate_bridge_chains($ruleset, $bridge);
 
-           generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
-           generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
+           my $macaddr = $net->{macaddr};
+           generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+           generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
        }
     }
     return $ruleset;