move host policy setting to cluster.fw

Because we also have cluster wide rules

diff --git a/example/cluster.fw b/example/cluster.fw
index 8a3e3b2bbe1705b37eaf38ca8f890b9d55f6dd36..e460943e96ffdcc774c66221fe32a875814fb363 100644 (file)
--- a/example/cluster.fw
+++ b/example/cluster.fw
@@ -2,6 +2,10 @@
 
 enable: 1
 
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
 [RULES]
 
 IN  SSH(ACCEPT) vmbr0

diff --git a/example/host.fw b/example/host.fw
index 1bf6d86578ab2dc5a6eeecaeb8190e3393d7fdd3..a8ae5682cbdade55714ccd360f3821447655170e 100644 (file)
--- a/example/host.fw
+++ b/example/host.fw
@@ -8,10 +8,6 @@ smurf_log_level: nolog
 log_level_in: info
 log_level_out: info
 
-# default policy
-policy_in: DROP
-policy_out: ACCEPT
-
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
 

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 33acf8803d005d265743101f915047bde11a70eb..8c8e50ae569eb1e384be78d3eecd3801d6e6494f 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1632,6 +1632,7 @@ sub enable_host_firewall {
     # fixme: allow security groups
 
     my $options = $hostfw_conf->{options};
+    my $cluster_options = $cluster_conf->{options};
     my $rules = $hostfw_conf->{rules};
 
     # host inbound firewall
@@ -1664,7 +1665,7 @@ sub enable_host_firewall {
     }
 
     # implement input policy
-    my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+    my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
     ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
 
     # host outbound firewall
@@ -1689,7 +1690,7 @@ sub enable_host_firewall {
     }
 
     # implement output policy
-    $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+    $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
     ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
 
     ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
@@ -1856,9 +1857,6 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
        $opt = lc($1);
        $value = $2 ? lc($3) : '';
-    } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
-       $opt = lc($1);
-       $value = uc($3);
     } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
@@ -1878,6 +1876,9 @@ sub parse_clusterfw_option {
     if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
+    } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+       $opt = lc($1);
+       $value = uc($3);
     } else {
        chomp $line;
        die "can't parse option '$line'\n"