+}
+
+sub generate_venet_rules_direction {
+ my ($ruleset, $groups_conf, $vmfw_conf, $vmid, $ip, $direction) = @_;
+
+ parse_address_list($ip); # make sure we have a valid $ip list
+
+ my $lc_direction = lc($direction);
+
+ my $rules = $vmfw_conf->{rules};
+
+ my $options = $vmfw_conf->{options};
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
+
+ my $chain = "venet0-$vmid-$direction";
+
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+
+ ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $chain, 'venet', $direction);
+
+ # implement policy
+ my $policy;
+
+ if ($direction eq 'OUT') {
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ } else {
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ }
+
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
+ ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
+
+ # plug into FORWARD, INPUT and OUTPUT chain
+ if ($direction eq 'OUT') {
+ ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+ action => $chain,
+ source => $ip,
+ iface_in => 'venet0'});
+
+ ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", {
+ action => $chain,
+ source => $ip,
+ iface_in => 'venet0'});
+ } else {
+ ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+ action => $chain,
+ dest => $ip,
+ iface_out => 'venet0'});
+
+ ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", {
+ action => $chain,
+ dest => $ip,
+ iface_out => 'venet0'});
+ }
+}
+
+sub generate_tap_rules_direction {
+ my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
+
+ my $lc_direction = lc($direction);
+
+ my $rules = $vmfw_conf->{rules};
+
+ my $options = $vmfw_conf->{options};
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
+
+ my $tapchain = "$iface-$direction";
+
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+
+ ruleset_generate_vm_rules($ruleset, $rules, $groups_conf, $tapchain, $netid, $direction);