fix #2193: arpfilter: CT: remove mask from net ip cidr.

We need to send to ebtables an host address without prefix or with
/32 prefix.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 806fd4bb5eea100afdc1c0dc055f64af8c9a28b5..e6791278ecc1fec1e8f4b6dda37b97d577a0ae30 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3782,7 +3782,10 @@ sub compile_ebtables_filter {
                        push(@$arpfilter, $ip);
                    }
                }
-               push(@$arpfilter, $net->{ip}) if $net->{ip} && $vmfw_conf->{options}->{ipfilter};
+               if($net->{ip} && $vmfw_conf->{options}->{ipfilter}) {
+                   $net->{ip} =~ s|/(\d+)$||;
+                   push(@$arpfilter, $net->{ip});
+               }
                generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
            }
        };