only add VM chains if VM firewall is enabled

Before if a NIC had the firewall enabled and the MAC filter was active,
a rule was added to the tap device even if the VM firewall was not
enabled. This led to nested machines not being able to reach outside.

Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
not reach each other because of the MAC filter.

Now we check if the VM firewall is enabled and only add the MAC and
IP filters then.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 36dced6a8f17ae69387387574a2a48013d6de396..1319bfbed3af437d6fe8c87851150eba9325e4a1 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2363,10 +2363,10 @@ sub generate_tap_rules_direction {
     my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
        if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
 
-    # create chain with mac and ip filter
-    ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
-
     if ($options->{enable}) {
+       # create chain with mac and ip filter
+       ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
+
        ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion, $vmid);
 
        ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);