sub generate_bridge_chains {
my ($ruleset, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
- ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- }
-
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
}
if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
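Review bot: The jump added into PVEFW-INPUT, like the existing `-j $bridge-FW` jump into PVEFW-FORWARD a few lines above it, now depends on chains whose existence this hunk stops guarding and which the later hunk creates only inside enable_host_firewall; if generate_bridge_chains can run with the host firewall disabled, both rules reference chains that do not exist, so bridge-to-host traffic would not reach $bridge-OUT at all instead of being filtered there. I cannot see the caller, so call order may already guarantee this; if so, document it, otherwise fail loudly rather than emit a dangling jump, e.g. `die "PVEFW-INPUT chain missing - enable_host_firewall must run first\n" unless ruleset_chain_exist($ruleset, "PVEFW-INPUT");` placed before the new addrule. The new rule also carries `--physdev-is-bridged --physdev-is-in`, whereas the per-tap PVEFW-INPUT rule removed in the next hunk had no `--physdev-is-bridged`, which deserves a one-line comment stating that the single bridge-level jump intentionally replaces the per-tap host rules. generate_bridge_chains continues past the end of this hunk.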
my $physdevdirection = $direction eq 'IN' ? "out" : "in";
my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
-
- if ($direction eq 'OUT'){
- # add tap->host rules
- my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
- ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
- }
}
sub enable_host_firewall {
ruleset_create_chain($ruleset, "PVEFW-INPUT");
ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
my $hostfw_options = {};
my $hostfw_conf;