From: Alexandre Derumier
Date: Tue, 13 May 2014 10:32:08 +0000 (+0200)
Subject: fix interface in rules for host-in and host-out
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=ffc0453b7eef397dc9ef3da1ec0e2ce6b9e126e0
fix interface in rules for host-in and host-out
Signed-off-by: Alexandre Derumier
---
diff --git a/debian/example/host.fw b/debian/example/host.fw
index 04ab001..96eacc6 100644
--- a/debian/example/host.fw
+++ b/debian/example/host.fw
@@ -22,5 +22,5 @@ tcpflags: 1
 [RULES]
-IN SSH(ACCEPT) net0
-OUT SSH(ACCEPT) net0
+IN SSH(ACCEPT) -
+OUT SSH(ACCEPT) -
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 62f0bcf..e291b85 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1666,6 +1666,7 @@ sub enable_host_firewall {
 # add host rules first, so that cluster wide rules can be overwritten
 foreach my $rule (@$rules, @$cluster_rules) {
 next if $rule->{type} ne 'in';
+ $rule->{iface_in} = $rule->{iface} if $rule->{iface};
 ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 }
@@ -1693,6 +1694,7 @@ sub enable_host_firewall {
 # add host rules first, so that cluster wide rules can be overwritten
 foreach my $rule (@$rules, @$cluster_rules) {
 next if $rule->{type} ne 'out';
+ $rule->{iface_out} = $rule->{iface} if $rule->{iface};
 ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 }
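Review bot: The added line in the `in` loop of enable_host_firewall writes `iface_in` into the rule hash itself, and because the loop also walks `@$cluster_rules`, the cluster-wide rule objects are modified in place and keep the extra key for any later consumer of `$cluster_conf`; the `out` loop in the following hunk does the same with `iface_out`. Working on a shallow copy keeps the parsed configuration unchanged: `my $r = { %$rule }; $r->{iface_in} = $rule->{iface} if $rule->{iface};` and then pass `$r` to ruleset_generate_rule. The interface name presumably ends up in the generated filter rule, and its validation is not visible in these hunks, so it is worth confirming that the rule parser restricts `iface` to a valid device-name pattern before the value reaches this code. Both loops sit inside enable_host_firewall, whose body starts and ends outside the hunks.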