From 72f63fde6e68abfa9b1b4e35d63f4788086d2c1c Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Wed, 5 Mar 2014 09:01:44 +0100 Subject: [PATCH] use underscore instead of hyphen for fw options --- example/100.fw | 4 ++-- example/host.fw | 5 +++++ src/PVE/Firewall.pm | 12 ++++++------ 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/example/100.fw b/example/100.fw index b7b27dd..36c831a 100644 --- a/example/100.fw +++ b/example/100.fw @@ -9,8 +9,8 @@ enable: 1 macfilter: 0 # default policy -policy-in: DROP -policy-out: REJECT +policy_in: DROP +policy_out: REJECT # log dropped incoming connection log_level_in: info diff --git a/example/host.fw b/example/host.fw index 5ecca3d..32311b4 100644 --- a/example/host.fw +++ b/example/host.fw @@ -7,6 +7,11 @@ tcp_flags_log_level: info smurf_log_level: nolog log_level_in: info log_level_out: info + +# default policy +policy_in: DROP +policy_out: ACCEPT + nf_conntrack_max: 196608 diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 57c22fb..7a68642 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -947,9 +947,9 @@ sub generate_tap_rules_direction { my $policy; if ($direction eq 'OUT') { - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default } else { - $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + $policy = $options->{policy_in} || 'DROP'; # allow nothing by default } my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT"; @@ -991,7 +991,7 @@ sub enable_host_firewall { } # implement input policy - my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default + my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); # host outbound firewall 
@@ -1016,7 +1016,7 @@ sub enable_host_firewall { } # implement output policy - $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default + $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action); ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); @@ -1212,7 +1212,7 @@ sub parse_vmfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); } else { @@ -1236,7 +1236,7 @@ sub parse_hostfw_option { } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { $opt = lc($1); $value = $2 ? lc($3) : ''; - } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { + } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) { -- 2.39.2
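Review bot: The policy regex in parse_vmfw_option (and the identical one in parse_hostfw_option in the following hunk) now matches only `policy_in`/`policy_out`, so a config file that still uses the old `policy-in:`/`policy-out:` spelling no longer sets the option. The lookups changed in generate_tap_rules_direction and enable_host_firewall then fall back to their defaults, so an existing `policy-out: REJECT` or `DROP` would become `ACCEPT` for outbound traffic. Whether the unmatched line is at least reported depends on the `else` branch, which lies outside the hunk. I would accept both spellings during a transition and normalise the key in both parsers: `} elsif ($line =~ m/^(policy[-_](in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {` followed by `($opt = lc($1)) =~ tr/-/_/;`. Both parser functions start and end outside the visible hunks.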