fix CT rule generation with ipfilter set

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f84e6d9b0852228e3f352b65b288913d3e702aa9..b08cea57312b9e6a54680e24abced4e4de4c47be 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2387,10 +2387,10 @@ sub generate_tap_rules_direction {
     # plug the tap chain to bridge chain
     if ($direction eq 'IN') {
        ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
-                       "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+                       "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
     } else {
        ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
-                       "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+                       "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
     }
 }
 
@@ -3782,7 +3782,7 @@ sub compile_ebtables_filter {
                        push(@$arpfilter, $ip);
                    }
                }
-               if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+               if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) {
                    # ebtables changes this to a .0/MASK network but we just
                    # want the address here, no network - see #2193
                    $ip =~ s|/(\d+)$||;