enable cluster wide rules
author
Dietmar Maurer
<dietmar@proxmox.com>
Fri, 18 Apr 2014 06:11:49 +0000
(08:11 +0200)
committer
Dietmar Maurer
<dietmar@proxmox.com>
Fri, 18 Apr 2014 06:11:49 +0000
(08:11 +0200)
src/PVE/Firewall.pm
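--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1641,6 +1641,7 @@ sub enable_host_firewall {
  my $options = $hostfw_conf->{options};
  my $cluster_options = $cluster_conf->{options};
  my $rules = $hostfw_conf->{rules};
+ my $cluster_rules = $cluster_conf->{rules};
  # host inbound firewall
  my $chain = "PVEFW-HOST-IN";
@@ -1666,7 +1667,8 @@ sub enable_host_firewall {
  # we use RETURN because we need to check also tap rules
  my $accept_action = 'RETURN';
- foreach my $rule (@$rules) {
+ # add host rules first, so that cluster wide rules can be overwritten
+ foreach my $rule (@$rules, @$cluster_rules) {
  next if $rule->{type} ne 'in';
  ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
  }
@@ -1691,7 +1693,8 @@ sub enable_host_firewall {
  # we use RETURN because we may want to check other thigs later
  $accept_action = 'RETURN';
- foreach my $rule (@$rules) {
+ # add host rules first, so that cluster wide rules can be overwritten
+ foreach my $rule (@$rules, @$cluster_rules) {
  next if $rule->{type} ne 'out';
  ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
  }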
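Review bot: The comment added above both `foreach my $rule (@$rules, @$cluster_rules)` loops says cluster-wide rules "can be overwritten" but does not state the security consequence of that ordering: with first-match evaluation in the PVEFW-HOST-IN/OUT chains, a host rule that matches earlier shadows any cluster rule for the same traffic, so a cluster-wide REJECT/DROP is only a default that a host-level ACCEPT can undo, not an enforced baseline. I would make that explicit where the comment is added, e.g. `# host rules are evaluated first, so a matching host rule overrides (shadows) any cluster-wide rule for the same traffic; cluster rules are defaults, not mandatory policy` (and "overwritten" should read "overridden"). If the cluster config may lack a `rules` key, `@$cluster_rules` on undef will not die here as far as I can tell (foreach autovivifies the local copy), but `my $cluster_rules = $cluster_conf->{rules} || [];` would state the intent rather than rely on that. enable_host_firewall starts before the first hunk and continues past the last one.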