From 9a4644fa5560e9087b50e5f9c11699590ad8966e Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Fri, 10 Aug 2012 11:37:01 +0200
Subject: [PATCH] use 'all' instead of 'any'

Internally, use undef
---
 PVE/Firewall.pm | 10 +++++-----
 config/100.fw | 9 ++++++---
 pvefw | 10 +++++-----
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8be0c33..7ff4ddf 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -50,7 +50,7 @@ my $generate_input_rule = sub {
 $source = "${zoneref}:$rule->{source}";
 }
 } else {
- $source = "any:$rule->{source}";
+ $source = "all:$rule->{source}";
 }
 return sprintf($rule_format, $action, $source, $dest, $rule->{proto} || '-',
@@ -70,9 +70,9 @@ my $generate_output_rule = sub {
 my $dest;
 if (!$rule->{dest}) {
- $dest = 'any';
+ $dest = 'all';
 } else {
- $dest = "any:$rule->{dest}";
+ $dest = "all:$rule->{dest}";
 }
 return sprintf($rule_format, $action, "$zid:$tap", $dest,
@@ -299,7 +299,7 @@ sub compile {
 foreach my $rule (@$inrules) {
 foreach my $netid (keys %{$netinfo->{$vmid}}) {
 my $net = $netinfo->{$vmid}->{$netid};
- next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+ next if $rule->{iface} && $rule->{iface} ne $netid;
 $out .= &$generate_input_rule($zoneinfo, $rule, $net, $netid);
 }
 }
@@ -310,7 +310,7 @@ sub compile {
 foreach my $rule (@$outrules) {
 foreach my $netid (keys %{$netinfo->{$vmid}}) {
 my $net = $netinfo->{$vmid}->{$netid};
- next if !($rule->{iface} eq 'any' || $rule->{iface} eq $netid);
+ next if $rule->{iface} && $rule->{iface} ne $netid;
 $out .= &$generate_output_rule($zoneinfo, $rule, $net, $netid);
 }
 }
diff --git a/config/100.fw b/config/100.fw
index 30903cb..889a101 100644
--- a/config/100.fw
+++ b/config/100.fw
@@ -1,13 +1,16 @@
 # Example VM firewall configuration
-#ACTION SOURCE DEST
+#ACTION IFACE SOURCE DEST
 [IN]
-ACCEPT net0 any any tcp 80
+SSH(ACCEPT) net0 192.168.2.192 -
 [OUT]
-ACCEPT net0 any any
+
+DNS(ACCEPT) net0
+Ping(ACCEPT) net0
+SSH(ACCEPT)
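Review bot: The else branch now emits `all:$rule->{source}` with no visible guard for an undefined source, while the output-rule hunk below guards the matching case with `if (!$rule->{dest})`; the pvefw parser turns a `-` SOURCE column into undef, so unless the condition of the enclosing if (outside this hunk) already catches that, the generated rule would read `all:` followed by nothing, with an uninitialized-value warning. Mirroring the output side, `$source = $rule->{source} ? "all:$rule->{source}" : 'all';`, would keep the two generators consistent. `$generate_input_rule` starts before the hunk, so the branch preceding this else cannot be checked here.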
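Review bot: The if/else that picks between `'all'` and `"all:$rule->{dest}"` reads better as a single expression, `my $dest = $rule->{dest} ? "all:$rule->{dest}" : 'all';`, which also removes the separate uninitialized `my $dest;` declaration. Because the mapping from a `-` column to undef lives in another file, a short comment at this point, `# undef dest (written as '-' in the config) selects every destination`, would tell a reader why the bare `'all'` form exists. `$generate_output_rule` continues outside the hunk.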
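Review bot: The interface filter `next if $rule->{iface} && $rule->{iface} ne $netid;` is duplicated verbatim in the input loop here and in the output loop at @@ -310, and neither site says that a false iface means the rule is emitted once for every interface of the VM; a comment `# no iface in the rule: emit it for every interface of this VM` at both sites, or one shared predicate `my $iface_matches = sub { my ($rule, $netid) = @_; return !$rule->{iface} || $rule->{iface} eq $netid; };` called from both loops, would keep the two in step. The truthiness test also treats an empty string as the wildcard, which is only safe while pvefw produces either undef or a validated interface name, as its current regex check appears to do. `sub compile` starts and ends outside the hunk.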
diff --git a/pvefw b/pvefw
index 978ffb1..4ac9679 100755
--- a/pvefw
+++ b/pvefw
@@ -56,7 +56,7 @@ sub parse_fw_rules {
 my ($action, $iface, $source, $dest, $proto, $dport, $sport) = split(/\s+/, $line);
- if (!($action && $iface && $source && $dest)) {
+ if (!$action) {
 warn "skip incomplete line\n";
 next;
 }
@@ -75,26 +75,26 @@ sub parse_fw_rules {
 next;
 }
- $iface = undef if $iface eq '-';
+ $iface = undef if $iface && $iface eq '-';
 if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
 warn "unknown interface '$iface'\n";
 next;
 }
- $proto = undef if $proto eq '-';
+ $proto = undef if $proto && $proto eq '-';
 if ($proto && $proto !~ m/^(icmp|tcp|udp)$/) {
 warn "unknown protokol '$proto'\n";
 next;
 }
- $source = undef if $source eq '-';
+ $source = undef if $source && $source eq '-';
 # if ($source !~ m/^(XYZ)$/) {
 # warn "unknown source '$source'\n";
 # next;
 # }
- $dest = undef if $dest eq '-';
+ $dest = undef if $dest && $dest eq '-';
 # if ($dest !~ m/^XYZ)$/) {
 # warn "unknown destination '$dest'\n";
 # next;
--
2.39.2
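Review bot: Relaxing the completeness check to `if (!$action)` means a line that has lost its columns, such as a bare `ACCEPT`, is no longer skipped with a warning but parses as a rule with undef iface, source and dest, which the compile loops in PVE/Firewall.pm then expand to every interface with `all` on both ends. Since `-` already exists as the explicit "unspecified" marker, keeping the check for at least the interface column, `if (!$action || !defined $iface) { warn "skip incomplete line\n"; next; }`, would make an omitted interface a parse error instead of a silent match-all; every example line visible in config/100.fw supplies an interface, though the last example line is cut off in this patch and cannot be confirmed. If wildcard-by-omission is intended, a comment here stating that a missing column is equivalent to `-` would at least make the behaviour deliberate. `parse_fw_rules` starts outside the hunk.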