X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=cc8a132bebc4b89322378ebc632475a1e36f1f17;hp=8c871826a4d433975799b9a95aeb0c5244da77db;hb=12d0f130c0f487115e0fa29062ecea5aa1b1b238;hpb=530c005e7d89cdbae2de5e0a6b19b461f5bd7c6b
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8c87182..cc8a132 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -18,6 +18,8 @@ use PVE::Tools qw(run_command lock_file);
 use Data::Dumper;
 
+# fixme: use ULOG instead of LOG?
+
 my $nodename = PVE::INotify::nodename();
 
 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
 
@@ -1065,7 +1067,7 @@ sub enable_host_firewall {
 ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
 
 # we use RETURN because we need to check also tap rules
@@ -1090,7 +1092,7 @@ sub enable_host_firewall {
 ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
- ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
+ ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT");
 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
 
 # we use RETURN because we may want to check other thigs later
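Review bot: The new fixme on the `+` line names a logging target that current kernels no longer provide, so it will send the next reader down a dead end. `LOG` writes to the kernel log, whereas `ULOG` handed packet metadata to a userspace daemon over netlink; `ULOG` was IPv4-only and has been replaced by `NFLOG`, which also works for ip6tables. Suggest rewording it to `# fixme: LOG goes to the kernel log; consider NFLOG (ULOG is IPv4-only and deprecated) so a userspace daemon can collect firewall logs`.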
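Review bot: The rewritten rule on the `+` line of this hunk, and its twin in the OUTPUT hunk at `@@ -1090`, accepts UDP 5404:5405 from any source on any interface, so the cluster communication ports stay reachable from every network the host is attached to; if the cluster configuration exposes the cluster interface or the node addresses, the rule should carry an `-i`/`-s` (resp. `-o`/`-d`) restriction to them. The range `5404:5405` covers the same two ports as the old `--dports 5404,5405`, and `--dport` is valid here without `-m udp` because `-p udp` loads the udp match implicitly, but the very next line spells `-m udp` out and carries the `#corosync` marker while this one, which is the corosync rule, carries none. For consistency and self-documentation: `ruleset_addrule($ruleset, $chain, "-p udp -m udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"); # corosync`. enable_host_firewall's body begins and ends outside both hunks.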
@@ -1720,7 +1722,7 @@ sub compile {
 generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table);
 
- my $macaddr = $d->{host_mac};
+ my $macaddr = $d->{mac};
 my $iface = $d->{host_ifname};
 generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
 generate_tap_rules_direction($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
 
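Review bot: The `+` line now reads the MAC from `$d->{mac}`, but nothing in the hunk checks that the key is actually set, so an entry built without it passes an undefined `$macaddr` into both generate_tap_rules_direction calls and whatever MAC-based filtering those presumably build would be silently weakened rather than failing loudly. Because the key was just renamed from `host_mac`, a producer of `$d` that still uses the old name is exactly the case that would trigger this. Suggest a guard right after the assignment, `die "no MAC address for $netid\n" if !defined $macaddr;` (or a `warn` plus `next` if a missing MAC should skip the interface instead of aborting the compile). compile's body begins and ends outside the hunk.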