use underscore instead of hyphen for fw options

diff --git a/example/100.fw b/example/100.fw
index b7b27dd1c6b1488b9b1c9ced7c2b147cb78fab5f..36c831ae97bcbdb9a274e84a2c9f033f6f147277 100644 (file)
--- a/example/100.fw
+++ b/example/100.fw
@@ -9,8 +9,8 @@ enable: 1
 macfilter: 0
 
 # default policy
-policy-in: DROP
-policy-out: REJECT
+policy_in: DROP
+policy_out: REJECT
 
 # log dropped incoming connection
 log_level_in: info

diff --git a/example/host.fw b/example/host.fw
index 5ecca3d330e3b4afde91ea8753e5b0b4b3107a1c..32311b4b55be163893291dbbed71b6f4088978ae 100644 (file)
--- a/example/host.fw
+++ b/example/host.fw
@@ -7,6 +7,11 @@ tcp_flags_log_level: info
 smurf_log_level: nolog
 log_level_in: info
 log_level_out: info
+
+# default policy
+policy_in: DROP
+policy_out: ACCEPT
+
 nf_conntrack_max: 196608
 
 

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 57c22fb439439bc3f85c2bbd74af9ec1f87df218..7a68642c42cf2ce66c82f2efec382aae01911a9d 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -947,9 +947,9 @@ sub generate_tap_rules_direction {
     my $policy;
 
     if ($direction eq 'OUT') {
-       $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+       $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
     } else {
-       $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+       $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
     }
 
     my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
@@ -991,7 +991,7 @@ sub enable_host_firewall {
     }
 
     # implement input policy
-    my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+    my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
     ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 
     # host outbound firewall
@@ -1016,7 +1016,7 @@ sub enable_host_firewall {
     }
 
     # implement output policy
-    $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+    $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
     ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 
     ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
@@ -1212,7 +1212,7 @@ sub parse_vmfw_option {
     } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
        $opt = lc($1);
        $value = $2 ? lc($3) : '';
-    } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+    } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);
     } else {
@@ -1236,7 +1236,7 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
        $opt = lc($1);
        $value = $2 ? lc($3) : '';
-    } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+    } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
        $opt = lc($1);
        $value = uc($3);
     } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {