avoid use of --physdev-is-bridged whenever possible

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8e1a4cba77b6b81466a4413681bf2a1aba6967c9..4ed91dcb416127b014ba2d9e3ddf97339430cce7 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -18,6 +18,8 @@ use PVE::Tools qw(run_command lock_file);
 
 use Data::Dumper;
 
+# fixme: use ULOG instead of LOG?
+
 my $nodename = PVE::INotify::nodename();
 
 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
@@ -855,22 +857,22 @@ sub generate_bridge_chains {
 
     if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
        ruleset_create_chain($ruleset, "$bridge-FW");
-       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
-       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
+       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
+       ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-in -j $bridge-FW");
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
        ruleset_create_chain($ruleset, "$bridge-OUT");
-       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
-       ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-in -j $bridge-OUT");
+       ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT");
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
        ruleset_create_chain($ruleset, "$bridge-IN");
-       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j $bridge-IN");
        ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT");
        # accept traffic to unmanaged bridge ports
-       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT ");
+       ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-out -j ACCEPT ");
     }
 }
 
@@ -1042,9 +1044,13 @@ sub generate_tap_rules_direction {
     ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action);
 
     # plug the tap chain to bridge chain
-    my $physdevdirection = $direction eq 'IN' ? "out" : "in";
-    my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
-    ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
+    if ($direction eq 'IN') {
+       ruleset_insertrule($ruleset, "$bridge-IN",
+                          "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain");
+    } else {
+       ruleset_insertrule($ruleset, "$bridge-OUT",
+                          "-m physdev --physdev-in $iface -j $tapchain");
+    }
 }
 
 sub enable_host_firewall {
@@ -1720,7 +1726,7 @@ sub compile {
                
                generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table);
 
-               my $macaddr = $d->{host_mac};
+               my $macaddr = $d->{mac};
                my $iface = $d->{host_ifname};
                generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
                generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');