From: Dietmar Maurer Date: Mon, 12 May 2014 11:33:19 +0000 (+0200) Subject: use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=62689a1ed68ecc7b878d49449436fd9bb4b1b1d9 use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains Signed-off-by: Dietmar Maurer Signed-off-by: Alexandre Derumier
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1577,27 +1577,16 @@ sub generate_venet_rules_direction {
 my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
 ruleset_add_chain_policy($ruleset, $chain, $vmid, $policy, $loglevel, $accept_action);
- # plug into FORWARD, INPUT and OUTPUT chain
 if ($direction eq 'OUT') {
 ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
 action => $chain,
 source => $ip,
 iface_in => 'venet0'});
-
- ruleset_generate_rule_insert($ruleset, "PVEFW-INPUT", {
- action => $chain,
- source => $ip,
- iface_in => 'venet0'});
 } else {
 ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
 action => $chain,
 dest => $ip,
 iface_out => 'venet0'});
-
- ruleset_generate_rule($ruleset, "PVEFW-OUTPUT", {
- action => $chain,
- dest => $ip,
- iface_out => 'venet0'});
 }
 }
@@ -2564,8 +2553,6 @@ sub compile {
 my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
 ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
- #ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $hostfw_options, $accept);
-
 if ($cluster_conf->{ipset}->{blacklist}){
 ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP");
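Review bot: The removed comment `# plug into FORWARD, INPUT and OUTPUT chain` leaves the remaining branches of generate_venet_rules_direction with no hint that host-bound and host-originated venet traffic is still covered, so a reader now sees only a jump into PVEFW-VENET-OUT/IN and has to find the corresponding jumps in compile() to know the INPUT/OUTPUT path is handled. A replacement comment such as `# plug into PVEFW-VENET-OUT/IN only; compile() jumps to those chains from PVEFW-FORWARD, PVEFW-INPUT and PVEFW-OUTPUT` would keep that knowledge next to the code. The OUT branch uses ruleset_generate_rule_insert while the IN branch uses ruleset_generate_rule; the asymmetry predates this change, but since one shared chain now decides both the forwarded and the host-side venet path, a one-line why-comment on the insert-vs-append choice would help. generate_venet_rules_direction starts before the hunk, and the final brace in the hunk appears to close the sub.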
@@ -2573,6 +2560,7 @@ sub compile {
 ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+ ruleset_addrule($ruleset, "PVEFW-INPUT", "-i venet0 -j PVEFW-VENET-OUT");
 ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
 ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $hostfw_options);
@@ -2593,6 +2581,8 @@ sub compile {
 enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf) if $hostfw_enable;
+ ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -j PVEFW-VENET-IN");
+
 # generate firewall rules for QEMU VMs
 foreach my $vmid (keys %{$vmdata->{qemu}}) {
 my $conf = $vmdata->{qemu}->{$vmid};
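Review bot: The new jump from PVEFW-INPUT into PVEFW-VENET-OUT is added here, before `enable_host_firewall(...)` runs, while the matching PVEFW-OUTPUT jump in the next hunk is added after it; if enable_host_firewall appends host rules to PVEFW-INPUT and PVEFW-OUTPUT (not visible in this diff), container-originated packets reach the per-container chains ahead of the host input rules but host-originated packets pass the host output rules first, and that difference is neither explained nor obviously intended. Either add both jumps at the same point relative to enable_host_firewall, or document the reason with a comment such as `# venet -> host traffic is filtered by the container OUT chains before the host input rules; host -> venet traffic only after the host output rules`. The first hunk shows the OUT direction uses PVEFW-SET-ACCEPT-MARK rather than ACCEPT as its accept action, so PVEFW-INPUT presumably relies on a later test of that mark for the container rules to have any effect; that test is outside the diff and worth confirming. compile() starts and ends outside both hunks.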