# plug into FORWARD, INPUT and OUTPUT chain
if ($direction eq 'OUT') {
- ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+ ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
action => $chain,
source => $ip,
iface_in => 'venet0'});
source => $ip,
iface_in => 'venet0'});
} else {
- ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+ ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
action => $chain,
dest => $ip,
iface_out => 'venet0'});
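Review bot: The per-VM rule appended to PVEFW-VENET-IN at the `ruleset_generate_rule` call still carries `iface_out => 'venet0'`, which the new `-o venet0 -j PVEFW-VENET-IN` jump added to PVEFW-FORWARD already guarantees; the `iface_in => 'venet0'` on the PVEFW-VENET-OUT insert just above has the same redundancy. Keeping the match is harmless, but it hides that the chain is interface-specific by construction, so either drop it or record it, e.g. `# venet0 match is redundant: PVEFW-FORWARD only jumps here for -o venet0`. The OUT side uses `ruleset_generate_rule_insert` while the IN side appends; with dedicated chains the ordering this implies deserves a comment, since whether traffic that matches no VM's `$ip` is dropped or falls back into PVEFW-FORWARD depends on what follows in these chains, which the hunk does not show. The enclosing function starts and ends outside the hunk.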
return $vmdata;
};
-sub read_bridges_config {
-
- my $bridgehash = {};
-
- dir_glob_foreach('/sys/class/net', 'vmbr(\d+)', sub {
- my ($bridge) = @_;
-
- dir_glob_foreach("/sys/class/net/$bridge/brif", '((eth|bond)(\d+)(\.(\d+))?)', sub {
- my ($interface) = @_;
- push @{$bridgehash->{$bridge}}, $interface;
- });
- });
-
- return $bridgehash;
-};
-
sub load_vmfw_conf {
my ($vmid) = @_;
my $vmdata = read_local_vm_config();
my $vmfw_configs = read_vm_firewall_configs($vmdata);
- my $bridges_config = read_bridges_config();
-
my $ipset_ruleset = {};
generate_ipset_chains($ipset_ruleset, $cluster_conf);
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+
ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
+ ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
+
my $hostfw_options = $hostfw_conf->{options} || {};
# fixme: what log level should we use here?