#{ action => 'DROP', dest => '224.0.0.0/4' },
],
'PVEFW-reject' => [
- # same as shorewall 'reject'
- #{ action => 'DROP', dsttype => 'BROADCAST' },
- #{ action => 'DROP', source => '224.0.0.0/4' },
{ action => 'DROP', proto => 'icmpv6' },
{ match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
- #"-p udp -j REJECT --reject-with icmp-port-unreachable",
- #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
- #"-j REJECT --reject-with icmp-host-prohibited",
+ { match => '-p udp', target => '-j REJECT --reject-with icmp6-port-unreachable' },
+ { target => '-j REJECT --reject-with icmp6-adm-prohibited' },
],
'PVEFW-Drop' => [
# same as shorewall 'Drop', which is equal to DROP,
# plug the tap chain to bridge chain
if ($direction eq 'IN') {
ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
- "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
} else {
ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
- "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
}
}
push(@$arpfilter, $ip);
}
}
- push(@$arpfilter, $net->{ip}) if $net->{ip} && $vmfw_conf->{options}->{ipfilter};
+ if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+ # ebtables changes this to a .0/MASK network but we just
+ # want the address here, no network - see #2193
+ $ip =~ s|/(\d+)$||;
+ push @$arpfilter, $ip;
+ }
generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
}
};
projects / pve-firewall.git / blobdiff