add support for ipfilter ipset
author
Dietmar Maurer
<dietmar@proxmox.com>
Wed, 11 Jun 2014 07:59:21 +0000
(09:59 +0200)
committer
Dietmar Maurer
<dietmar@proxmox.com>
Wed, 11 Jun 2014 07:59:21 +0000
(09:59 +0200)
src/PVE/Firewall.pm
diff --git
a/src/PVE/Firewall.pm
b/src/PVE/Firewall.pm
index e8c05ebfbfcb51de02eafc929f95939774cc2a1f..c5d216e5d90b1a6fc63de18eead54fd9bdffae16 100644
(file)
--- a/
src/PVE/Firewall.pm
+++ b/
src/PVE/Firewall.pm
@@
-1624,7
+1624,7
@@
sub ruleset_chain_add_input_filters {
}
sub ruleset_create_vm_chain {
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $
ipfilter_ipset, $
direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
@@
-1643,6
+1643,9
@@
sub ruleset_create_vm_chain {
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
+ if ($ipfilter_ipset) {
+ ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ }
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
@@
-1743,7
+1746,10
@@
sub generate_venet_rules_direction {
my $chain = "venet0-$vmid-$direction";
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter')
+ if $vmfw_conf->{ipset}->{ipfilter};
+
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
@@
-1785,7
+1791,10
@@
sub generate_tap_rules_direction {
my $tapchain = "$iface-$direction";
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter')
+ if $vmfw_conf->{ipset}->{ipfilter};
+
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
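Review bot: The `my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter') if $vmfw_conf->{ipset}->{ipfilter};` added in both generate_venet_rules_direction and generate_tap_rules_direction is a `my` declaration under a statement modifier, which perlsyn documents as undefined behaviour: Perl does not guarantee the variable is reset on the call where the condition is false, so the value passed into ruleset_create_vm_chain is only reliably `undef` by accident, and for a firewall whose DROP rule interpolates that name I would not rely on it. Declare and assign separately: `my $ipfilter_ipset;` followed by `$ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter') if $vmfw_conf->{ipset}->{ipfilter};`. Separately, the new `-m set ! --match-set $ipfilter_ipset src -j DROP` in ruleset_create_vm_chain matches the packet source address, which is the guest's own address only for the OUT direction; the hunk does not show the opening of the block that encloses it (the two closing braces after the MARK rule suggest it sits inside a conditional whose header is outside the hunk), so confirm that block is gated on `$direction eq 'OUT'`, otherwise the IN chain would drop every peer not listed in the guest's own ipfilter set. A comment such as `# anti-spoofing: drop guest packets whose source IP is not in its ipfilter ipset` above the new rule would state the intent. Both generate_*_rules_direction bodies continue past the hunk.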