From 9c6b6efd7ef5a1f537c9d57387fe7130b3ff524a Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 26 Feb 2014 13:42:48 +0100
Subject: [PATCH] make mac address filtering optional (default enabled)
---
 PVE/Firewall.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index ef9d136..ca0e78d 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -806,7 +806,8 @@ sub generate_tap_rules_direction {
 ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
 ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- if ($direction eq 'OUT' && defined($macaddr)) {
+ if ($direction eq 'OUT' && defined($macaddr) &&
+ !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
 ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
 }
@@ -1077,13 +1078,13 @@ sub parse_fw_option {
 my ($opt, $value);
- if ($line =~ m/^enable:\s*(0|1)\s*$/i) {
- $opt = 'enable';
- $value = int($1);
+ if ($line =~ m/^(enable|macfilter):\s*(0|1)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
 } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 $opt = lc($1);
 $value = uc($3);
- } else {
+ } else {
 chomp $line;
 die "can't parse option '$line'\n"
 }
--
2.39.2
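Review bot: The new condition in generate_tap_rules_direction is a double negative that hides its fail-safe default, and nothing in the hunk says what is lost when the option is off. A comment above the `if` such as `# macfilter defaults to on; only an explicit 'macfilter: 0' removes the source-MAC drop rule (guest can then send with any source MAC)` would record both. If the file can rely on Perl 5.10 or later, `($options->{macfilter} // 1)` states the same test more directly than `!(defined(...) && ... == 0)`. The function body starts and ends outside the hunk, so where `$options` is declared and populated cannot be confirmed from here.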
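Review bot: The boolean branch in parse_fw_option now accepts two keys but nothing documents them or their defaults; a comment above the first `if`, for example `# boolean options (0|1): enable, macfilter; macfilter is treated as enabled when the key is absent`, would keep the parser and the rule generator in step. The parser sets no default itself, so any other consumer of the parsed options has to apply the same "absent means on" rule, which is worth stating here. The function continues outside the hunk, so how `$opt` and `$value` are stored is not visible.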