From d8f2505e9f075f6314a852ccf1d249415e596c8a Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 26 Feb 2014 12:40:53 +0100
Subject: [PATCH] add a way to define some default chains

---
 PVE/Firewall.pm | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index b4e262b..54f9c97 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -348,6 +348,12 @@ my $pve_fw_macros = {
 my $pve_fw_parsed_macros;
 my $pve_fw_preferred_macro_names = {};
 
+my $pve_std_chains = {
+    'PVEFW-SET-ACCEPT-MARK' => [
+        "-j MARK --set-mark 1",
+    ],
+};
+
 # iptables -p icmp -h
 my $icmp_type_names = {
     any => 1,
@@ -1186,6 +1192,21 @@ sub read_vm_firewall_rules {
     return $rules;
 }
 
+sub generate_std_chains {
+    my ($ruleset) = @_;
+
+    foreach my $chain (keys %$pve_std_chains) {
+        ruleset_create_chain($ruleset, $chain);
+        foreach my $rule (@{$pve_std_chains->{$chain}}) {
+            if (ref($rule)) {
+                ruleset_generate_rule($ruleset, $chain, $rule);
+            } else {
+                ruleset_addrule($ruleset, $chain, $rule);
+            }
+        }
+    }
+}
+
 sub compile {
     my $vmdata = read_local_vm_config();
     my $rules = read_vm_firewall_rules($vmdata);
@@ -1204,8 +1225,7 @@ sub compile {
     ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
 
-    ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
-    ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
+    generate_std_chains($ruleset);
 
     my $enable_hostfw = 0;
     $filename = "/etc/pve/local/host.fw";
-- 
2.39.2
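Review bot: The new `$pve_std_chains` table carries no comment saying what its list elements may be, and the shape matters: `generate_std_chains` in the second hunk hands a plain string verbatim to `ruleset_addrule` and anything that is a reference to `ruleset_generate_rule` (the structure that function expects is not visible here). A header comment such as `# static chains created by generate_std_chains(); each element is either a raw iptables argument string or a reference for ruleset_generate_rule()` would make that contract explicit to whoever adds the next chain. The 'PVEFW-SET-ACCEPT-MARK' entry reproduces the two lines removed from compile() in the last hunk, so behaviour for that chain is unchanged.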
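Review bot: `generate_std_chains` iterates `keys %$pve_std_chains` unsorted, so once a second chain is added the order in which the standard chains are created is not guaranteed to be stable between runs, and the generated ruleset is no longer deterministic for comparison or diffing. `foreach my $chain (sort keys %$pve_std_chains) {` fixes that at no cost. The `ref($rule)` dispatch also accepts any reference kind; if ruleset_generate_rule expects one particular structure, a `die` on an unexpected reftype would surface a malformed table entry at compile time instead of emitting an odd rule. The sub has no purpose comment; `# create the static chains listed in $pve_std_chains (string = raw iptables args, ref = rule for ruleset_generate_rule)` above the signature would do.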
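Review bot: After this hunk nothing in compile() names PVEFW-SET-ACCEPT-MARK any more, so any later rule in the function that jumps to that chain (not visible in this hunk) now depends on the entry in `$pve_std_chains` staying present and correctly spelled. A short comment at the call, `# creates PVEFW-SET-ACCEPT-MARK and any other chain listed in $pve_std_chains`, keeps that dependency visible to readers of compile(). compile() begins and ends outside this hunk.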