From 63324b09bb05ab3e23e2c168534118e6017c7fe1 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 14 Apr 2014 12:21:38 +0200
Subject: [PATCH] move host policy setting to cluster.fw

Because we also have cluster wide rules
---
 example/cluster.fw | 4 ++++
 example/host.fw | 4 ----
 src/PVE/Firewall.pm | 11 ++++++-----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/example/cluster.fw b/example/cluster.fw
index 8a3e3b2..e460943 100644
--- a/example/cluster.fw
+++ b/example/cluster.fw
@@ -2,6 +2,10 @@
 enable: 1
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
 [RULES]
 IN SSH(ACCEPT) vmbr0
diff --git a/example/host.fw b/example/host.fw
index 1bf6d86..a8ae568 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -8,10 +8,6 @@ smurf_log_level: nolog
 log_level_in: info
 log_level_out: info
-# default policy
-policy_in: DROP
-policy_out: ACCEPT
-
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 33acf88..8c8e50a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1632,6 +1632,7 @@ sub enable_host_firewall {
 # fixme: allow security groups
 my $options = $hostfw_conf->{options};
+ my $cluster_options = $cluster_conf->{options};
 my $rules = $hostfw_conf->{rules};
 # host inbound firewall
@@ -1664,7 +1665,7 @@ sub enable_host_firewall {
 }
 # implement input policy
- my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
 ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
 # host outbound firewall
@@ -1689,7 +1690,7 @@ sub enable_host_firewall {
 }
 # implement output policy
- $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
 ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
 ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
@@ -1856,9 +1857,6 @@ sub parse_hostfw_option {
 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
 $opt = lc($1);
 $value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
- $opt = lc($1);
- $value = uc($3);
 } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
@@ -1878,6 +1876,9 @@ sub parse_clusterfw_option {
 if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ $opt = lc($1);
+ $value = uc($3);
 } else {
 chomp $line;
 die "can't parse option '$line'\n"
-- 
2.39.2
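Review bot: The new `my $cluster_options = $cluster_conf->{options};` line in the first Firewall.pm hunk dereferences `$cluster_conf` with no comment on where it comes from, and the signature of enable_host_firewall that binds it lies outside the hunk. If a caller can pass undef here (no cluster.fw present), the rvalue deref yields undef and the hunks at 1665 and 1690 silently fall back to `DROP`/`ACCEPT`; that is a reasonable secure default for inbound, but it is now the only place the host's default policy is decided, so it deserves to be stated. A comment such as `# policy_in/policy_out are cluster-wide (cluster.fw); host.fw no longer carries them, defaults apply when unset` at this line would make the new source of truth explicit for the next reader. The remaining uses of `$options` in this function are presumably the host-only settings (log levels, conntrack), which are not visible in these hunks.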
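Review bot: Dropping the `policy_(in|out)` branch from parse_hostfw_option (hunk at 1857) turns every existing host.fw that still contains `policy_in:` or `policy_out:` from a valid file into a parse failure, assuming that function's final else branch dies the way parse_clusterfw_option's visible one does; that branch is outside the hunk, and the commit ships no migration for deployed hosts. Since a host firewall that refuses to load is itself a security-relevant outcome, a transitional branch that still matches the two option names and emits a warning pointing at cluster.fw before discarding the value would keep old configurations loading and make the move visible in the logs; its exact shape depends on the function's return protocol, which is not shown here. The branch added to parse_clusterfw_option is the same regex moved verbatim, so the accepted grammar (`ACCEPT|DROP|REJECT`, case-insensitive, normalised with `uc`) is unchanged.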