use PVE::Firewall;
use File::Basename;
use Net::IP;
-use PVE::LXC;
-use PVE::QemuServer;
-my $mark;
+# dynamically include PVE::QemuServer and PVE::LXC
+# to avoid dependency problems
+my $have_qemu_server;
+eval {
+ require PVE::QemuServer;
+ $have_qemu_server = 1;
+};
+
+my $have_lxc;
+eval {
+ require PVE::LXC;
+ $have_lxc = 1;
+};
+
+my $mark = 0;
my $trace;
my $debug = 0;
sub rule_match {
my ($ipset_ruleset, $chain, $rule, $pkg) = @_;
- $rule =~ s/^-A $chain // || die "got strange rule: $rule";
+ $rule =~ s/^-A $chain +// || die "got strange rule: $rule";
while (length($rule)) {
if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) {
my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
- return undef if !defined($mark) || ($mark & $mask) != $value;
+ return undef if ($mark & $mask) != $value;
next;
}
$from_info->{iface} = 'tapXYZ';
$start_state = 'from-bport';
} elsif ($from =~ m/^ct(\d+)$/) {
+ return 'SKIPPED' if !$have_lxc;
my $vmid = $1;
$from_info = extract_ct_info($vmdata, $vmid, 0);
$start_state = 'fwbr-out';
$pkg->{mac_source} = $from_info->{macaddr};
} elsif ($from =~ m/^vm(\d+)(i(\d))?$/) {
+ return 'SKIPPED' if !$have_qemu_server;
my $vmid = $1;
my $netnum = $3 || 0;
$from_info = extract_vm_info($vmdata, $vmid, $netnum);
$target->{bridge} = 'vmbr0';
$target->{iface} = 'tapXYZ';
} elsif ($to =~ m/^ct(\d+)$/) {
+ return 'SKIPPED' if !$have_lxc;
my $vmid = $1;
$target = extract_ct_info($vmdata, $vmid, 0);
$target->{iface} = $target->{tapdev};
} elsif ($to =~ m/^vm(\d+)$/) {
+ return 'SKIPPED' if !$have_qemu_server;
my $vmid = $1;
$target = extract_vm_info($vmdata, $vmid, 0);
$target->{iface} = $target->{tapdev};
projects / pve-firewall.git / blobdiff