From 41389aed97713a842b3171220cf251781c9d3227 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 12 May 2014 13:33:16 +0200
Subject: [PATCH] add PVEFW-VENET-IN && PVEFW-VENET-OUT chains

Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
 src/PVE/Firewall.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1575,7 +1575,7 @@ sub generate_venet_rules_direction {
 
     # plug into FORWARD, INPUT and OUTPUT chain
     if ($direction eq 'OUT') {
-        ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+        ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
             action => $chain,
             source => $ip,
             iface_in => 'venet0'});
@@ -1585,7 +1585,7 @@ sub generate_venet_rules_direction {
             source => $ip,
             iface_in => 'venet0'});
     } else {
-        ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+        ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
             action => $chain,
             dest => $ip,
             iface_out => 'venet0'});
@@ -2575,12 +2575,18 @@ sub compile {
 
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
+    ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+
     ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
 
     ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
 
+    ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
+
     my $hostfw_options = $hostfw_conf->{options} || {};
 
     # fixme: what log level should we use here?
-- 
2.39.2
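Review bot: The context comment `# plug into FORWARD, INPUT and OUTPUT chain` directly above the changed call is now stale, since the OUT-direction rule is inserted into the new PVEFW-VENET-OUT chain rather than PVEFW-FORWARD (compile() reaches that chain from FORWARD with `-i venet0`). Suggest rewording it to `# plug into PVEFW-VENET-OUT/PVEFW-VENET-IN (reached from FORWARD), INPUT and OUTPUT chains`. The `iface_in => 'venet0'` match on the inserted rule is presumably redundant now that the chain is only entered for venet0 ingress traffic, but it is harmless and documents the intent, so it can stay. generate_venet_rules_direction begins and ends outside this hunk.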
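Review bot: The two added jumps give PVEFW-FORWARD a deliberate-looking evaluation order — VENET-OUT, FWBR-IN, FWBR-OUT, VENET-IN, i.e. the source-side chains of containers and VMs before the destination-side ones — but nothing in the hunk records that this order matters, and the two venet blocks are split apart by the bridge block, so a later edit could reorder them without noticing. Suggest a comment above the first added `ruleset_create_chain` line, e.g. `# dispatch order in FORWARD is intentional: source-side chains (VENET-OUT, FWBR-IN) run before destination-side ones (FWBR-OUT, VENET-IN)`. Also worth a line: `-i venet0` and `-o venet0` are plain interface matches, so a packet that both enters and leaves via venet0 (container to container on the same host) traverses both chains; presumably that is intended, so that the sender's OUT policy and the receiver's IN policy both apply, but it should be stated. compile() begins and ends outside this hunk.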