From: Alexandre Derumier
Date: Tue, 25 Feb 2014 12:24:06 +0000 (+0100)
Subject: use RETURN instead ACCEPT for tap-out rules
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=7b291cabd7a69a441cae666b2c94ab49106cf592;hp=ccae0b5068f03e859ff280c41d013526a4fbfb4c

use RETURN instead ACCEPT for tap-out rules

Signed-off-by: Alexandre Derumier
---
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index a19505a..ea24cfb 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -684,10 +684,10 @@ sub generate_tap_rules_direction {
 generate_group_rules($ruleset, $group_rules, $2);
 }
 ruleset_generate_rule($ruleset, $tapchain, $rule);
- ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
+ ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN")
 if $direction eq 'OUT';
 } else {
- $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
+ $rule->{action} = "RETURN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
 ruleset_generate_rule($ruleset, $tapchain, $rule);
 }
 }
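Review bot: The two `RETURN` verdicts added for direction 'OUT' carry no comment saying which chain the packet returns to, and that is what now decides whether an accepted outbound packet is still filtered on the inbound side. The old `-g $bridge-IN` named the next chain explicitly, whereas `RETURN` hands the packet back to whichever chain entered `$tapchain`, so the destination's IN rules apply only if that caller goes on to them; the caller is not visible in this hunk. I would add above the `ruleset_addrule` line a comment such as `# OUT: "accepted" means return to the calling chain, which must still run the IN checks; never ACCEPT here`, and repeat it on the `$rule->{action} = "RETURN"` line. The meaning of mark 1 in `-m mark --mark 1` is also undocumented at this point (presumably the group chain sets it on accept). generate_tap_rules_direction starts and ends outside the hunk.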