X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=abcc1e858ebb34d87f262e90a45f40d971c4f987;hp=1607b74c5aebf90fceb6062ee41caa02965d8739;hb=8f3aa9cc800cf0c6375aaec81186493e1f1db2be;hpb=c1f1728736e3e75d11d646ad385a0334934401c2
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1607b74..abcc1e8 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -666,14 +666,10 @@ $pve_std_chains_conf->{6} = {
 #{ action => 'DROP', dest => '224.0.0.0/4' },
 ],
 'PVEFW-reject' => [
- # same as shorewall 'reject'
- #{ action => 'DROP', dsttype => 'BROADCAST' },
- #{ action => 'DROP', source => '224.0.0.0/4' },
 { action => 'DROP', proto => 'icmpv6' },
 { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
- #"-p udp -j REJECT --reject-with icmp-port-unreachable",
- #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
- #"-j REJECT --reject-with icmp-host-prohibited",
+ { match => '-p udp', target => '-j REJECT --reject-with icmp6-port-unreachable' },
+ { target => '-j REJECT --reject-with icmp6-adm-prohibited' },
 ],
 'PVEFW-Drop' => [
 # same as shorewall 'Drop', which is equal to DROP,
@@ -2391,10 +2387,10 @@ sub generate_tap_rules_direction {
 # plug the tap chain to bridge chain
 if ($direction eq 'IN') {
 ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
- "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
 } else {
 ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
- "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
+ "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
 }
 }
 
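Review bot: The new catch-all `{ target => '-j REJECT --reject-with icmp6-adm-prohibited' }` makes rule order inside 'PVEFW-reject' significant, and nothing in the list says so now that the `# same as shorewall 'reject'` line is gone: the `{ action => 'DROP', proto => 'icmpv6' }` entry has to stay ahead of it, because a REJECT target answers with an ICMPv6 error and an ICMPv6 packet reaching the catch-all would itself be answered with one. A one-line comment above the icmpv6 entry would pin that down, e.g. `# order matters: drop ICMPv6 first so the REJECT rules below never answer an ICMPv6 error with another one`. This is only a documentation point; the rules themselves look consistent with the IPv6 reject types.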
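Review bot: Dropping `$loglevel, 'FWBR-IN: ', $vmid` and `$loglevel, 'FWBR-OUT: ', $vmid` from the two ruleset_addrule calls removes whatever those log arguments produced for the bridge plug rules, and the hunk gives no hint why. generate_tap_rules_direction begins before this hunk, so I cannot see whether `$loglevel` and `$vmid` are still used elsewhere in the sub; if they are not, they are now unused parameters and the signature or the call sites should be cleaned up in the same change. Either way a short comment on the `# plug the tap chain to bridge chain` line stating that the plug rules are deliberately unlogged (e.g. `# plug the tap chain to bridge chain (not logged; per-VM logging happens in the tap chain)` if that is indeed the case) would save the next reader the archaeology.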
@@ -3786,7 +3782,12 @@ sub compile_ebtables_filter {
 push(@$arpfilter, $ip);
 }
 }
- push(@$arpfilter, $net->{ip}) if $net->{ip} && $vmfw_conf->{options}->{ipfilter};
+ if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+ # ebtables changes this to a .0/MASK network but we just
+ # want the address here, no network - see #2193
+ $ip =~ s|/(\d+)$||;
+ push @$arpfilter, $ip;
+ }
 generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
 }
 };
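Review bot: The added condition `if (my $ip = $net->{ip} && $vmfw_conf->{options}->{ipfilter})` has a precedence bug: `&&` binds tighter than `=`, so `$ip` receives the value of `$net->{ip} && $vmfw_conf->{options}->{ipfilter}`, which when both are set is the ipfilter option's value (typically 1), not the address. The substitution then strips nothing and `push @$arpfilter, $ip` hands that value to generate_tap_layer2filter instead of the VM address, so the layer-2 IP filter this block exists to build is not restricted to the real address at all; the removed one-liner did not have this problem. Write it as `if ($vmfw_conf->{options}->{ipfilter} && (my $ip = $net->{ip})) {` so the assignment is parenthesised, and while there the unused capture in `s|/(\d+)$||` can be dropped. The enclosing loop and sub start before this hunk.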