X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=PVE%2FFirewall.pm;h=f1eba0ed35bd4b03ae91cb144faf818c9c28871a;hp=3f0adf0cb531d0314a97135f5b3fceef79d7cf79;hb=b9b06789a89d77fd16eb053a2b43b836bf6f75ca;hpb=8fb53d8ccf5b71e3352c33221fdecb9e97e1753c

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 3f0adf0..f1eba0e 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -41,25 +41,36 @@ my $generate_input_rule = sub {
     my $action = $rule->{service} ? 
 	"$rule->{service}($rule->{action})" : $rule->{action};
 
-    my $source;
+    my $sources = [];
 
-    if ($zoneinfo->{$zone}->{type} eq 'bport') {
+    if (!$rule->{source}) {
+	push @$sources, 'all'; 
+    } elsif ($zoneinfo->{$zone}->{type} eq 'bport') {
 	my $bridge_zone = $zoneinfo->{$zone}->{bridge_zone} || die "internal error";
-	my $bridge_ext_zone = $zoneinfo->{$bridge_zone}->{bridge_ext_zone} || die "internal error";
-	my $zoneref = $zoneinfo->{$bridge_ext_zone}->{zoneref} || die "internal error";
-	if (!$rule->{source}) {
-	    # $source = "${zoneref}";
-	    $source = 'all';
-	} else {
-	    # 'all' does not work
-	    $source = "${zoneref}:$rule->{source}";
+	my $zoneref = $zoneinfo->{$bridge_zone}->{zoneref} || die "internal error";
+
+	# using 'all' does not work, so we create one rule for
+	# each related zone on the same bridge
+	push @$sources, "${zoneref}:$rule->{source}";
+	foreach my $z (keys %$zoneinfo) {
+	    next if $z eq $zone;
+	    next if !$zoneinfo->{$z}->{bridge_zone};
+	    next if $zoneinfo->{$z}->{bridge_zone} ne $bridge_zone;
+	    $zoneref = $zoneinfo->{$z}->{zoneref} || die "internal error";
+	    push @$sources, "${zoneref}:$rule->{source}";
 	}
     } else {
-	$source = "all:$rule->{source}";
+	push @$sources, "all:$rule->{source}";
+    }
+
+    my $out = '';
+
+    foreach my $source (@$sources) {
+	$out .= sprintf($rule_format, $action, $source, $dest, $rule->{proto} || '-', 
+			$rule->{dport} || '-', $rule->{sport} || '-');
     }
 
-    return sprintf($rule_format, $action, $source, $dest, $rule->{proto} || '-', 
-		   $rule->{dport} || '-', $rule->{sport} || '-');
+    return $out;
 };
 
 my $generate_output_rule = sub {
@@ -421,7 +432,7 @@ sub read_local_vm_config {
     my $list = PVE::QemuServer::config_list();
 
     foreach my $vmid (keys %$list) {
-	# next if $vmid ne '100';
+	#next if !($vmid eq '100' || $vmid eq '102');
 	my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
 	if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
 	    $qemu->{$vmid} = $conf;