fix #2686: don't add arp-ip-src filter for dhcp

When the IPFilter setting is enabled and the container has DHCP
configured on an interface no 'arp-ip-src' filter should be added as we
don't have an IP address.
Previously '--arp-ip-src dhcp' was passed to ebtables which led to an error.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d22b15a506387bd7462ee8ae8ffa0f60f3ddf96e..250a642a58eb93f5c426ab7a4ad917196aecff87 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3904,7 +3904,9 @@ sub compile_ebtables_filter {
                    # ebtables changes this to a .0/MASK network but we just
                    # want the address here, no network - see #2193
                    $ip =~ s|/(\d+)$||;
                    # ebtables changes this to a .0/MASK network but we just
                    # want the address here, no network - see #2193
                    $ip =~ s|/(\d+)$||;

-                   push @$arpfilter, $ip;
+                   if ($ip ne 'dhcp') {
+                       push @$arpfilter, $ip;
+                   }

                }
                generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
            }
                }
                generate_tap_layer2filter($ruleset, $iface, $macaddr, $vmfw_conf, $vmid, $arpfilter);
            }