From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Thu, 7 Dec 2017 07:30:01 +0000 (+0100)
Subject: honor disabled flag on group rules again
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=7a5a402b56513cc3ce8c4f8ae3307b43bacc06b6;hp=a19d4127e88048dfbb97d56d9966bd64f913d185

honor disabled flag on group rules again

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c858b85..2feac54 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2417,6 +2417,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'in';
+	next if !$rule->{enable} || $rule->{errors};
 	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
 	ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf);
@@ -2429,6 +2430,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
 	next if $rule->{type} ne 'out';
+	next if !$rule->{enable} || $rule->{errors};
 	next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
 	# we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
 	# check also other tap rules later