my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
-my $default_log_level = 'info';
+my $default_log_level = 'nolog'; # avoid logs by default
my $log_level_hash = {
debug => 7,
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $host_options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
}
sub generate_venet_rules_direction {
- my ($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
+ my ($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
my $lc_direction = lc($direction);
my $rules = $vmfw_conf->{rules};
my $options = $vmfw_conf->{options};
- my $hostfw_options = $vmfw_conf->{options};
my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, $hostfw_options, undef, $direction);
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $chain, 'venet', $direction);
}
sub generate_tap_rules_direction {
- my ($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
+ my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction) = @_;
my $lc_direction = lc($direction);
my $rules = $vmfw_conf->{rules};
my $options = $vmfw_conf->{options};
- my $hostfw_options = $hostfw_conf->{options};
my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $hostfw_options, $macaddr, $direction);
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $tapchain, $netid, $direction, $options);
my $iface = "tap${vmid}i$1";
my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'OUT');
}
}
push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
}
- generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'IN');
- generate_venet_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
}
if ($conf->{netif} && $conf->{netif}->{value}) {
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
$vmfw_conf, $vmid, 'OUT');
}
}
iptables_restore_cmdlist($cmdlist);
}
+sub init {
+ my $cluster_conf = load_clusterfw_conf();
+ my $cluster_options = $cluster_conf->{options};
+ my $enable = $cluster_options->{enable};
+
+ return if !$enable;
+
+ # load required modules here
+}
+
sub update {
my ($verbose) = @_;
run_locked($code);
}
-
1;
projects / pve-firewall.git / blobdiff