generate_group_rules($ruleset, $group_rules, $2);
}
ruleset_generate_rule($ruleset, $tapchain, $rule);
- ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
+ ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN")
if $direction eq 'OUT';
} else {
- $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
+ $rule->{action} = "RETURN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
ruleset_generate_rule($ruleset, $tapchain, $rule);
}
}
}
- ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
- ruleset_addrule($ruleset, $tapchain, "-j DROP");
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ } else {
+ $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default
+ }
+
+ if ($policy eq 'ACCEPT') {
+ if ($direction eq 'OUT') {
+ ruleset_addrule($ruleset, $tapchain, "-j RETURN");
+ } else {
+ ruleset_addrule($ruleset, $tapchain, "-j ACCEPT");
+ }
+ } elsif ($policy eq 'DROP') {
+ ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
+ ruleset_addrule($ruleset, $tapchain, "-j DROP");
+ } elsif ($policy eq 'REJECT') {
+ ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4");
+ ruleset_addrule($ruleset, $tapchain, "-j REJECT");
+ } else {
+ # should not happen
+ die "internal error: unknown policy '$policy'";
+ }
# plug the tap chain to bridge chain
my $physdevdirection = $direction eq 'IN' ? "out" : "in";
projects / pve-firewall.git / blobdiff