From: Alexandre Derumier
Date: Tue, 25 Feb 2014 12:47:52 +0000 (+0100)
Subject: bridge rules : -j ACCEPT for physical interfaces
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=d37fa05ca87e264772c6236759e8477a83c01650
bridge rules : -j ACCEPT for physical interfaces
We need to accept traffic at the end of bridge rules for outgoing packets from tap->ethX, as we don't do ACCEPT in tap-out rules.
IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
Signed-off-by: Alexandre Derumier
---
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index ea24cfb..343f60c 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -653,6 +653,7 @@ sub generate_bridge_chains {
 if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
 ruleset_create_chain($ruleset, "$bridge-IN");
 ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-j ACCEPT");
 }
 }
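Review bot: The added `-j ACCEPT` on `$bridge-FW` is unconditional, so it accepts not only the tap->ethX egress the commit message describes but every packet that returns from `$bridge-OUT` or `$bridge-IN` without a verdict; whether those chains can fall through is not visible in this hunk, and if they can, the bridge chain becomes default-accept for VM-bound traffic as well, while the `-o $bridge -j DROP` / `-i $bridge -j DROP` rules in PVEFW-FORWARD shown in the message would no longer be reached for bridged packets. The rule is also placed inside the `"$bridge-IN"` creation block and presumably appended, so it relies on the `$bridge-OUT` jump having been added earlier in this function; if that ordering ever changed, the ACCEPT would sit above the OUT jump and silently shadow it. Please state both assumptions at the call site, e.g. `# terminal ACCEPT: covers tap->physical egress that tap-out rules leave unmatched; must stay last in $bridge-FW, and anything returning from $bridge-IN/$bridge-OUT is accepted here`. The enclosing `generate_bridge_chains` body starts outside the hunk, so the OUT-chain block could not be checked here.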