From cc8dc02f01b03b4199aa19c5878dbbe9d484acd8 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 21 May 2014 09:17:14 +0200
Subject: [PATCH] allow igmp traffic

---
 src/PVE/Firewall.pm | 4 ++++
 src/PVE/FirewallSimulator.pm | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index eda3e55..79e0622 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1690,6 +1690,8 @@ sub enable_host_firewall {
 # we use RETURN because we need to check also tap rules
 my $accept_action = 'RETURN';
 
+ ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
+
 # add host rules first, so that cluster wide rules can be overwritten
 foreach my $rule (@$rules, @$cluster_rules) {
 $rule->{iface_in} = $rule->{iface} if $rule->{iface};
@@ -1735,6 +1737,8 @@ sub enable_host_firewall {
 # we use RETURN because we may want to check other thigs later
 $accept_action = 'RETURN';
 
+ ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
+
 # add host rules first, so that cluster wide rules can be overwritten
 foreach my $rule (@$rules, @$cluster_rules) {
 $rule->{iface_out} = $rule->{iface} if $rule->{iface};
diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 22ddee4..ba3b161 100644
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -111,7 +111,7 @@ sub rule_match {
 next;
 }
 
- if ($rule =~ s/^-p (tcp|udp)\s*//) {
+ if ($rule =~ s/^-p (tcp|udp|igmp|icmp)\s*//) {
 die "missing proto" if !$pkg->{proto};
 return undef if $pkg->{proto} ne $1; # no match
 next;
-- 
2.39.2
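Review bot: The new `-p igmp -j $accept_action` rule is added ahead of the `foreach my $rule (@$rules, @$cluster_rules)` loop with no interface or source restriction, so IGMP returns from this chain before any host or cluster rule is evaluated, and an administrator's explicit IGMP drop would apparently never be reached. The identical line in the second hunk (the outbound side, where `iface_out` is set) has the same property. If the unconditional placement is intended, the comment should say so, for example `# IGMP bypasses host/cluster rules on every interface; required for multicast group membership`; otherwise consider adding the rule after the loop or limiting it to the interfaces that carry multicast traffic. enable_host_firewall starts and ends outside both hunks, so rules added earlier in the chain are not visible here.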
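Review bot: The widened pattern `^-p (tcp|udp|igmp|icmp)\s*` ends in `\s*`, which also matches zero characters, so a protocol name that merely begins with one of the alternatives (for example `icmpv6`) would be consumed as `icmp` and leave `v6` at the front of `$rule`. For a simulator that is used to check what a ruleset lets through, a prefix match can produce a wrong or confusing verdict; requiring a delimiter avoids it: `if ($rule =~ s/^-p (tcp|udp|igmp|icmp)(?:\s+|$)//) {`. The commit subject mentions only IGMP while this line also starts accepting `icmp`, which is worth stating in the description. The loop in rule_match begins and ends outside the hunk, so how leftover rule text is handled is not visible here.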