use RETURN instead of ACCEPT to allow further processing
authorDietmar Maurer <dietmar@proxmox.com>
Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)
src/PVE/Firewall.pm

index 003dde67c7acbb2542e5ae1a3c8539aff5426e6d..0f8ab646679afa52b43ecc943db8569c34d4631b 100644 (file)
@@ -1696,7 +1696,11 @@ sub compile {
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j ACCEPT");
+    # fixme: should we really block inter-bridge traffic?
+
+    # always allow traffic from containers?
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
+
     # disable interbridge routing
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop"); 
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop");
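Review bot: The comment above the new rule, `# always allow traffic from containers?`, no longer matches what the line does: with `-j RETURN` a packet arriving on venet0 leaves PVEFW-FORWARD without a verdict and is decided by whatever follows the jump in the calling chain (not visible here), whereas the old `-j ACCEPT` was a final decision. Suggest `# traffic from containers (venet0) is not filtered in this chain; RETURN hands it back to the caller`. It is also worth stating next to the fixme that, because this rule precedes the two PVEFW-Drop rules, venet0 traffic bound for `vmbr+` still skips the inter-bridge drop, exactly as it did before the change; if the caller's policy is later tightened, that bypass is where container-to-bridge traffic would be affected first. The enclosing `compile` sub starts and ends outside the hunk.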