plug venet0 chains into PVEFW-INPUT and PVEFW-OUTPUT

Container firewall should be fully functional now.

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 78507fb48d8fc664b06b73dbe2e1572b807d2b41..1d88891c81ea47d77b403e8b46e99aa782e09951 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -857,7 +857,7 @@ sub generate_bridge_chains {
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
        ruleset_create_chain($ruleset, "$bridge-OUT");
        ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
-       ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+       ruleset_insertrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
@@ -984,17 +984,27 @@ sub generate_venet_rules_direction {
     my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
     ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 
-    # plug into FORWARD chain
+    # plug into FORWARD, INPUT and OUTPUT chain
     if ($direction eq 'OUT') {
        ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
            action => $chain,
            source => $ip,
            iface_in => 'venet0'});
+
+       ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", {
+           action => $chain,
+           source => $ip,
+           iface_in => 'venet0'});
     } else {
        ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
            action => $chain,
            dest => $ip,
            iface_out => 'venet0'});
+
+       ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", {
+           action => $chain,
+           dest => $ip,
+           iface_out => 'venet0'});
     }
 }