my $mark;
my $trace;
+my $outside_iface = 'eth0';
+my $outside_bridge = 'vmbr0';
+
my $debug = 0;
sub add_trace {
$pkg->{iface_in} = $pkg->{iface_out} = undef;
$pkg->{physdev_in} = $pkg->{physdev_out} = undef;
- if ($route_state eq 'host') {
+ if ($route_state eq 'from-outside') {
+ $next_route_state = $outside_bridge || die 'internal error';
+ $next_physdev_in = $outside_iface || die 'internal error';
+ } elsif ($route_state eq 'host') {
- if ($target->{type} eq 'ct') {
+ if ($target->{type} eq 'outside') {
+ $pkg->{iface_in} = 'lo';
+ $pkg->{iface_out} = $outside_bridge;
+ $chain = 'PVEFW-OUTPUT';
+ $next_route_state = $outside_iface
+ } elsif ($target->{type} eq 'ct') {
$pkg->{iface_in} = 'lo';
$pkg->{iface_out} = 'venet0';
$chain = 'PVEFW-OUTPUT';
$pkg->{iface_out} = 'lo';
$next_route_state = 'host';
+ } elsif ($target->{type} eq 'outside') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = 'venet0';
+ $pkg->{iface_out} = $outside_bridge;
+ $next_route_state = $outside_iface;
+
} elsif ($target->{type} eq 'vm') {
$chain = 'PVEFW-FORWARD';
$pkg->{iface_out} = 'lo';
$next_route_state = 'host';
+ if ($route_state eq $outside_bridge) {
+
+ } else {
+
+ }
+
+ } elsif ($target->{type} eq 'outside') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = $route_state;
+ $pkg->{iface_out} = $outside_bridge;
+ $pkg->{physdev_in} = $physdev_in;
+ # conditionally set physdev_out (same behavior as kernel)
+ if ($route_state eq $outside_bridge) {
+ $pkg->{physdev_out} = $outside_iface || die 'internal error';
+ }
+ $next_route_state = $outside_iface;
+
} elsif ($target->{type} eq 'ct') {
$chain = 'PVEFW-FORWARD';
} elsif ($target->{type} eq 'vm') {
$chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = $route_state;
+ $pkg->{iface_out} = $target->{bridge};
+ $pkg->{physdev_in} = $physdev_in;
+ # conditionally set physdev_out (same behavior as kernel)
if ($route_state eq $target->{bridge}) {
- $pkg->{iface_in} = $route_state;
- $pkg->{iface_out} = $route_state;
- $pkg->{physdev_in} = $physdev_in;
$pkg->{physdev_out} = $target->{fwpr} || die 'internal error';
- } else {
- $pkg->{iface_in} = $route_state;
- $pkg->{iface_out} = $route_state;
- $pkg->{physdev_in} = $physdev_in;
- # do not set physdev_out (same behavior as kernel)
}
$next_route_state = 'fwbr-in';
if ($from eq 'host') {
$from_info->{type} = 'host';
$start_state = 'host';
+ } elsif ($from eq 'outside') {
+ $from_info->{type} = 'outside';
+ $start_state = 'from-outside';
} elsif ($from =~ m/^ct(\d+)$/) {
my $vmid = $1;
$from_info = extract_ct_info($vmdata, $vmid);
if ($to eq 'host') {
$target->{type} = 'host';
$target->{iface} = 'host';
+ } elsif ($to eq 'outside') {
+ $target->{type} = 'outside';
+ $target->{iface} = $outside_iface;
} elsif ($to =~ m/^ct(\d+)$/) {
my $vmid = $1;
$target = extract_ct_info($vmdata, $vmid);
projects / pve-firewall.git / blobdiff