From: Dietmar Maurer
Date: Thu, 27 Feb 2014 08:40:23 +0000 (+0100)
Subject: add 'dhcp' option (enabled by default)
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=ce15d90b3d4f30fa7ff210b6e84903f322687735
add 'dhcp' option (enabled by default)
---
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 05720d5..5583ec0 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -836,6 +836,10 @@ sub generate_tap_rules_direction {
 ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
 }
+ if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT");
+ }
+
 if ($options->{tcpflags}) {
 ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags");
 }
@@ -1130,7 +1134,7 @@ sub parse_fw_option {
 my ($opt, $value);
- if ($line =~ m/^(enable|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
 } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
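Review bot: The rule added in generate_tap_rules_direction accepts every UDP packet whose destination port is 67 or 68, with no source-port or direction match, and because an unset `dhcp` counts as enabled it is on by default and sits ahead of the rules appended later to the tap chain. That is wider than a DHCP client needs: it also covers server-side replies sent by the guest (destination port 68) and any other UDP flow aimed at those two ports, which then never reaches the configured policy. If the direction is available inside this function (its signature and the rest of its body are outside the hunk), consider matching only the client exchange, `-p udp -m udp --sport 68 --dport 67 -j ACCEPT` for packets leaving the guest and `-p udp -m udp --sport 67 --dport 68 -j ACCEPT` for packets toward it. A short comment above the `if`, for example `# dhcp defaults to on: only an explicit "dhcp: 0" disables this rule`, would also help, since the second hunk only adds the name to the parse_fw_option pattern and nothing visible records the default.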