From 12cc9946363b9667f6bb2625f88090e205b47de3 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 4 Mar 2014 11:48:22 +0100
Subject: [PATCH] add $bridge-OUT chain to PVEFW-INPUT
---
 src/PVE/Firewall.pm | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 14f57b7..e0e7a67 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -839,6 +839,7 @@ sub generate_bridge_chains {
 if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
 ruleset_create_chain($ruleset, "$bridge-OUT");
 ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
 }
 if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
@@ -953,12 +954,6 @@ sub generate_tap_rules_direction {
 my $physdevdirection = $direction eq 'IN' ? "out" : "in";
 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
 ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
-
- if ($direction eq 'OUT'){
- # add tap->host rules
- my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
- ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
- }
 }
 sub enable_host_firewall {
-- 
2.39.2
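Review bot: The jump added to PVEFW-INPUT in the generate_bridge_chains hunk keeps `--physdev-is-bridged`, which the physdev match documents as useful only in the FORWARD and POSTROUTING chains. If PVEFW-INPUT is reached from the INPUT hook, as its name and the removed `# add tap->host rules` comment suggest, packets addressed to the host are not being bridged and this rule would never match. The rule removed from generate_tap_rules_direction left that flag out, so guest-to-host traffic may now skip the tap chains and go unfiltered by them. I would write the jump as `ruleset_addrule($ruleset, "PVEFW-INPUT", "-i $bridge -m physdev --physdev-is-in -j $bridge-OUT");`, and the per-tap rules inserted into `$bridge-OUT` carry the same flag, so they would need a variant without it for this path. Both function bodies continue outside the hunks, so this should be confirmed against the full ruleset.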