+ # fixme: this is an optimization? if so, we should also drop INVALID packages?
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+
+ # fixme: what log level should we use here?
+ my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
+
+ # fixme: should we really block inter-bridge traffic?
+
+ # always allow traffic from containers?
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
+
+ # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j LOG --log-prefix \"PVEFW-FORWARD-dropped \" --log-level $loglevel");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
+