add $bridge-OUT chain to PVEFW-INPUT

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 14f57b7168acfd6d894ffb07e3288896cbc756c1..e0e7a67da806e9fc88023874882bf3ec03f4bc00 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -839,6 +839,7 @@ sub generate_bridge_chains {
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
        ruleset_create_chain($ruleset, "$bridge-OUT");
        ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
        ruleset_create_chain($ruleset, "$bridge-OUT");
        ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");

+       ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");

     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {


@@ -953,12 +954,6 @@ sub generate_tap_rules_direction {
     my $physdevdirection = $direction eq 'IN' ? "out" : "in";
     my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
     ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
     my $physdevdirection = $direction eq 'IN' ? "out" : "in";
     my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
     ruleset_insertrule($ruleset, "$bridge-$direction", $rule);

-
-    if ($direction eq 'OUT'){
-       # add tap->host rules
-       my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
-       ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
-    }

 }
 
 sub enable_host_firewall {
 }
 
 sub enable_host_firewall {