From 780bcc0ffe61a9ad2e8237e86917ba7ed1ac225d Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 18 Feb 2014 12:07:40 +0100
Subject: [PATCH] enable proc/sys/net/bridge/bridge-nf-call-iptables
---
 PVE/Firewall.pm | 12 ++++++++++++
 pvefw | 1 +
 2 files changed, 13 insertions(+)
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 24bc2c7..324a20d 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -137,6 +137,18 @@ sub parse_port_name_number_or_range {
 return ($nbports);
 }
+my $bridge_firewall_enabled = 0;
+
+sub enable_bridge_firewall {
+
+ return if $bridge_firewall_enabled; # only once
+
+ system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
+ system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
+
+ $bridge_firewall_enabled = 1;
+}
+
 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
 sub iptables {
diff --git a/pvefw b/pvefw
index 029ce9b..4370678 100755
--- a/pvefw
+++ b/pvefw
@@ -82,6 +82,7 @@ __PACKAGE__->register_method ({
 my ($param) = @_;
 my $code = sub {
+ PVE::Firewall::enable_bridge_firewall();
 PVE::Firewall::compile_and_start($param->{verbose});
 };
--
2.39.2
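Review bot: The two `system("echo 1 > …")` calls in `enable_bridge_firewall` ignore their exit status and `$bridge_firewall_enabled = 1` is set regardless, so if `/proc/sys/net/bridge/` is absent or a write fails, the process records the setting as applied and never retries. With `bridge-nf-call-iptables` left at 0, bridged traffic does not pass through the iptables rules that `compile_and_start` installs, so the failure is silent and guest traffic stays unfiltered. Writing the files directly from Perl avoids spawning a shell and lets each step be checked; whether a failure should abort the start or only warn is a decision for the caller in `pvefw`. The flag is also per-process, so a later external reset of the sysctl goes unnoticed, which deserves a comment next to `# only once`.

```perl
sub enable_bridge_firewall {
    # … unchanged: early return when already enabled …

    foreach my $name (qw(bridge-nf-call-iptables bridge-nf-call-ip6tables)) {
        my $path = "/proc/sys/net/bridge/$name";
        # Fail loudly: without these switches bridged packets skip iptables.
        open(my $fh, '>', $path) or die "unable to open '$path' - $!\n";
        print {$fh} "1\n" or die "unable to write '$path' - $!\n";
        close($fh) or die "unable to write '$path' - $!\n";
    }

    # Only mark as done once both writes have succeeded.
    $bridge_firewall_enabled = 1;
}
```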