X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=ef54621a5d3a9455bb0bc60a3001b36dc46a9837;hp=62f0bcfa14ee29364eeb0ed693524b98d1ab3a0a;hb=0362a1adeee64bc70719b4f3d99805b09e8cd63d;hpb=2428e39440e61f198bcb957d8fec78d43d096e30

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 62f0bcf..ef54621 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1666,6 +1666,7 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'in';
+	$rule->{iface_in} = $rule->{iface} if $rule->{iface};
 	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1693,6 +1694,7 @@ sub enable_host_firewall {
     # add host rules first, so that cluster wide rules can be overwritten
     foreach my $rule (@$rules, @$cluster_rules) {
 	next if $rule->{type} ne 'out';
+	$rule->{iface_out} = $rule->{iface} if $rule->{iface};
 	ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1782,7 +1784,7 @@ sub parse_fw_rule {
 	    die "unknown action '$action'\n";
 	}
     } elsif ($type eq 'group') {
-	die "wrong number of rule elements\n" if scalar(@data) != 3;
+	die "wrong number of rule elements\n" if scalar(@data) > 3;
 	die "groups disabled\n" if !$allow_groups;
 
 	die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/;
@@ -2618,7 +2620,7 @@ sub compile {
 	foreach my $netid (keys %$conf) {
 	    next if $netid !~ m/^net(\d+)$/;
 	    my $net = PVE::QemuServer::parse_net($conf->{$netid});
-	    next if !$net;
+	    next if !$net->{firewall};
 	    my $iface = "tap${vmid}i$1";
 
 	    my $macaddr = $net->{macaddr};