]> git.proxmox.com Git - pve-firewall.git/commitdiff
projects / pve-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b291ca)
bridge rules : -j ACCEPT for physical interfaces
authorAlexandre Derumier <aderumier@odiso.com>
Tue, 25 Feb 2014 12:47:52 +0000 (13:47 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 26 Feb 2014 06:11:56 +0000 (07:11 +0100)
We need to accept traffic at the end of bridge rules for outgoing packets from tap->ethX,
as we don't do ACCEPT in tap-out rules.

IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW

-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
PVE/Firewall.pm patch | blob | blame | history

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index ea24cfb40069adf915e233843182b6511bdcdf09..343f60c22a8faeb8b9ab8ef50778ae4228a20d99 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -653,6 +653,7 @@ sub generate_bridge_chains {
     if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
        ruleset_create_chain($ruleset, "$bridge-IN");
        ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+       ruleset_addrule($ruleset, "$bridge-FW", "-j ACCEPT");
     }
 }
 
Firewall test scripts