+sub ruleset_add_chain_policy {
+ my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_;
+
+ if ($policy eq 'ACCEPT') {
+
+ ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' },
+ { ACCEPT => $accept_action});
+
+ } elsif ($policy eq 'DROP') {
+
+ ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop");
+
+ ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel")
+ if defined($loglevel);
+
+ ruleset_addrule($ruleset, $chain, "-j DROP");
+ } elsif ($policy eq 'REJECT') {
+ ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject");
+
+ ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel")
+ if defined($loglevel);
+
+ ruleset_addrule($ruleset, $chain, "-g PVEFW-reject");
+ } else {
+ # should not happen
+ die "internal error: unknown policy '$policy'";
+ }
+}
+
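Review bot: In the DROP and REJECT branches, `$chain` and `$loglevel` are interpolated straight into the rule text (`--log-prefix \"$chain-dropped: \" --log-level $loglevel`) with no check in this function, so a value containing whitespace or a double quote would change how the rule line is parsed or make the ruleset fail to load. Whether callers already restrict both values is not visible here (the hunk header and the call sites are outside this view), so a guard at the top such as `die "internal error: invalid loglevel '$loglevel'" if defined($loglevel) && $loglevel !~ m/^[a-z0-9]+$/;` would make that assumption explicit. The LOG prefix is also length-limited by iptables (29 characters, as far as I know) and `-dropped: ` already uses 10 of them, so long chain names may be rejected or truncated; a shortened prefix or a comment stating the maximum chain-name length would cover this. A one-line comment saying that the ACCEPT branch deliberately emits no LOG rule would help too, since `$loglevel` is silently ignored there.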