use RETURN instead of ACCEPT to allow further processing
authorDietmar Maurer <dietmar@proxmox.com>
Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)
src/PVE/Firewall.pm

index 003dde6..0f8ab64 100644 (file)
@@ -1696,7 +1696,11 @@ sub compile {
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j ACCEPT");
+    # fixme: should we really block inter-bridge traffic?
+
+    # always allow traffic from containers?
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
+
     # disable interbridge routing
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); 
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop");
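Review bot: The new comment on the venet0 rule no longer describes what the rule does: with `-j RETURN` the packet is not accepted, it leaves PVEFW-FORWARD and its final verdict comes from whatever follows the jump in the parent chain, which is outside this hunk. If the parent chain ends in a DROP policy or a later drop rule, container traffic that the old ACCEPT let through is now blocked, so this is a behavior change rather than a pure "allow further processing" and should be stated. I would replace the two questioning comments with something like `# RETURN (not ACCEPT): container traffic skips the inter-bridge drop below, but its verdict is left to the rules after the jump in the parent chain`, and note that the rule only matches `-i venet0`, so traffic from a bridge towards a container still hits the `-i vmbr+` drop. `$loglevel` from get_option_log_level is not used by any rule visible in this hunk; if it is consumed later in compile that is fine, otherwise it is dead code. The enclosing sub compile starts before and continues after this hunk.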