generate maclist

[pve-firewall.git] / PVE / Firewall.pm

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index bf1b840dfe7ce2dd66099c9edeb6a66d8499a32a..56125f120e6fbdb0e159a1aecb7fab130fb47056 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -49,6 +49,8 @@ sub compile {
        fw => { type => 'firewall' },
     };
 
+    my $maclist = {};
+
     my $register_bridge;
 
     $register_bridge = sub {
@@ -99,6 +101,7 @@ sub compile {
 
            my $vmzone = $conf->{zone} || "vm$vmid";
            $net->{tap} = "tap${vmid}i${netnum}";
+           $maclist->{$net->{tap}} = $net->{macaddr} || die "internal error";
            $net->{zone} = &$register_bridge_port($net->{bridge}, $net->{tag}, $vmzone, $net->{tap});
            $netinfo->{$vmid}->{$opt} = $net;
        }
@@ -129,19 +132,19 @@ sub compile {
 
     my $out;
 
-    my $format = "%-15s %-10s %s\n";
-    $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS');
+    my $format = "%-15s %-10s %-15s %s\n";
+    $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS', '');
     
     foreach my $z (sort keys %$zoneinfo) {
        my $zid = $zoneinfo->{$z}->{id};
        if ($zoneinfo->{$z}->{type} eq 'firewall') {
-           $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, '');
+           $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, '' , "# $z");
        } elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
-           $out .= sprintf($format, $zid, 'ipv4', '');
+           $out .= sprintf($format, $zid, 'ipv4', '', "# $z");
        } elsif ($zoneinfo->{$z}->{type} eq 'bport') {
            my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
            my $bzid = $zoneinfo->{$bridge_zone}->{id} || die "internal error";
-           $out .= sprintf($format, "$zid:$bzid", 'bport', '');
+           $out .= sprintf($format, "$zid:$bzid", 'bport', '', "# $z");
        } else {
            die "internal error";
        }
@@ -153,8 +156,11 @@ sub compile {
 
     # dump interfaces
 
-    $format = "%-15s %-20s %-10s %s\n";
-    $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
+    $format = "%-15s %-20s %-10s %-15s %s\n";
+    $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS', '');
+
+    my $maclist_format = "%-15s %-15s %-15s\n";
+    my $macs = sprintf($maclist_format, '#DISPOSITION', 'INTERFACE', 'MACZONE');
 
     foreach my $z (sort keys %$zoneinfo) {
        my $zid = $zoneinfo->{$z}->{id};
@@ -162,7 +168,7 @@ sub compile {
            # do nothing;
        } elsif ($zoneinfo->{$z}->{type} eq 'bridge') {
            my $bridge = $zoneinfo->{$z}->{bridge} || die "internal error";
-           $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge');
+           $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge', "# $z");
 
        } elsif ($zoneinfo->{$z}->{type} eq 'bport') {
            my $ifaces = $zoneinfo->{$z}->{ifaces};
@@ -170,7 +176,8 @@ sub compile {
                my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error";
                my $bridge = $zoneinfo->{$bridge_zone}->{bridge} || die "internal error";
                my $iftxt = "$bridge:$iface";
-               $out .= sprintf($format, $zid, $iftxt, '', '');
+               $out .= sprintf($format, $zid, $iftxt, '-', 'maclist', "# $z");
+               $macs .= sprintf($maclist_format, 'ACCEPT', $iface, $maclist->{$iface});
            }
        } else {
            die "internal error";
@@ -181,6 +188,9 @@ sub compile {
 
     PVE::Tools::file_set_contents("$targetdir/interfaces", $out);
 
+    # dump maclist
+    PVE::Tools::file_set_contents("$targetdir/maclist", $macs);
+
     # dump policy
 
     $format = "%-15s %-15s %-15s %s\n";