From 6e0cd1c74affc1c89329ad63808d4b47a89de303 Mon Sep 17 00:00:00 2001
From: Mira Limbeck
Date: Tue, 6 Aug 2019 10:25:14 +0200
Subject: [PATCH] only add VM chains if VM firewall is enabled

Before if a NIC had the firewall enabled and the MAC filter was active, a rule was added to the tap device even if the VM firewall was not enabled. This led to nested machines not being able to reach outside. Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could not reach each other because of the MAC filter. Now we check if the VM firewall is enabled and only add the MAC and IP filters then.

Signed-off-by: Mira Limbeck
(cherry picked from commit 033a15b372734fcfb390c3b747f67bfa4643dabd)
---
 src/PVE/Firewall.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7585ace..781a754 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2359,10 +2359,10 @@ sub generate_tap_rules_direction {
 my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
 if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
- # create chain with mac and ip filter
- ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
-
 if ($options->{enable}) {
+ # create chain with mac and ip filter
+ ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
+
 ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion, $vmid);
 ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
--
2.39.2
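Review bot: Moving `ruleset_create_vm_chain` under `if ($options->{enable})` means `$tapchain` no longer exists when the VM firewall is disabled, so any later reference to that chain in the rest of `generate_tap_rules_direction` (a fallback rule placed into it, or the jump from the bridge chain into it) would now target a chain that was never created; the function body continues past the end of the hunk, so that part needs to be confirmed. `$ipfilter_ipset` just above is still computed unconditionally, which is harmless but could move into the same block for consistency. The moved comment should also record the intent now that the behaviour differs from the NIC-level firewall flag, e.g. `# MAC/IP filter, rules and policy are only built when the VM firewall is enabled; a NIC-level firewall flag on its own must not filter traffic`. A regression test for the case in the commit message (NIC firewall on, MAC filter active, VM firewall disabled) would pin this so the filter cannot silently come back.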