}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
+ if ($ipfilter_ipset) {
+ ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ }
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
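Review bot: The new `-m set ! --match-set $ipfilter_ipset src -j DROP` rule right after the MAC check is a source-address check, so it is only meaningful for traffic leaving the guest; the sub receives `$direction`, but nothing visible in this hunk gates the rule on it, and if the same chain is also generated for the inbound direction every packet not sourced from the guest's own addresses would be dropped. The opening brace of the block closed by the final `}` is above the hunk, so if that block already restricts this to the OUT direction a comment would spare the next reader the question, e.g. `# macfilter/ipfilter are source checks and only apply to traffic leaving the guest`. It is also worth documenting that the set is a strict whitelist: a configured-but-empty ipfilter set drops all of the guest's traffic, e.g. `# ipfilter ipset is a whitelist; an empty set drops everything`. Finally, the signature change inserts `$ipfilter_ipset` before `$direction` instead of appending it, so any caller not updated in this commit would silently pass its direction string as the ipset name (truthy, so the rule is emitted) and `undef` as the direction — worth a grep for other call sites.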
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter')
+ if $vmfw_conf->{ipset}->{ipfilter};
+
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
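Review bot: `my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter') if $vmfw_conf->{ipset}->{ipfilter};` uses the `my`-with-statement-modifier form whose behaviour perlsyn explicitly documents as undefined: when the condition is false the declaration is skipped, and the lexical can keep the value from a previous execution of this code (the old "static variable" trick). Since this code presumably runs once per guest, a guest without an ipfilter set could inherit the previous guest's ipset name and have the wrong whitelist enforced, or get no rule at all, depending on the perl version. Write it as an unconditional declaration with a conditional value: `my $ipfilter_ipset = $vmfw_conf->{ipset}->{ipfilter} ? compute_ipset_chain_name($vmid, 'ipfilter') : undef;`. The enclosing sub starts and ends outside the hunk.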
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, 'ipfilter')
+ if $vmfw_conf->{ipset}->{ipfilter};
+
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
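Review bot: The same undefined `my ... if COND;` construct is used here for `$ipfilter_ipset`; with a false condition the variable may carry a stale value from an earlier call, so the fix is the same: `my $ipfilter_ipset = $vmfw_conf->{ipset}->{ipfilter} ? compute_ipset_chain_name($vmid, 'ipfilter') : undef;`. Separately, this is the per-interface chain (`$iface`, `$netid`), yet the set name is derived from `$vmid` alone, so every NIC of a guest is checked against one shared address whitelist; if per-NIC addressing is intended this should be keyed by `$netid` as well, otherwise a comment such as `# one ipfilter set per guest, shared by all of its interfaces` would make the design explicit. The enclosing sub starts and ends outside the hunk.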