]> git.proxmox.com Git - pve-firewall.git/blobdiff - src/PVE/Firewall.pm
projects / pve-firewall.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
honor disabled flag on group rules again
[pve-firewall.git] / src / PVE / Firewall.pm
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c858b853bff4dca88e15f2ee7d3dff3e042c53e7..2feac5497ac0ce4160950f6cd66c8d448be85ee5 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2417,6 +2417,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{type} ne 'in';
+       next if !$rule->{enable} || $rule->{errors};
        next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
        rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
        ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);
@@ -2429,6 +2430,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{type} ne 'out';
+       next if !$rule->{enable} || $rule->{errors};
        next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
        # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
        # check also other tap rules later
Firewall test scripts