From fa9c4a6f5fe43d9cefc118edce279451261b24f2 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 25 Feb 2014 11:54:38 +0100
Subject: [PATCH 1/1] implement 'enable' option

And pass whole VM firewall config to generate_tap_rules_direction. That way we have acces to {options} section.
---
 PVE/Firewall.pm | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index e6de3fd..d36dae9 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -657,7 +657,10 @@ sub generate_bridge_chains {
 }
 sub generate_tap_rules_direction {
- my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
+ my ($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
+
+ my $rules = $vmfw_conf->{lc($direction)};
+ my $options = $vmfw_conf->{options};
 my $tapchain = "$iface-$direction";
@@ -1128,10 +1131,9 @@ sub compile {
 # generate firewall rules for QEMU VMs
 foreach my $vmid (keys %{$vmdata->{qemu}}) {
 my $conf = $vmdata->{qemu}->{$vmid};
-
- next if !$rules->{$vmid};
- my $options = $rules->{$vmid}->{options};
- next if defined($options->{enable}) && ($options->{enable} == 0);
+ my $vmfw_conf = $rules->{$vmid};
+ next if !$vmfw_conf;
+ next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
 foreach my $netid (keys %$conf) {
 next if $netid !~ m/^net(\d+)$/;
@@ -1148,8 +1150,8 @@ sub compile {
 generate_bridge_chains($ruleset, $bridge);
 my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
- generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'IN');
+ generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $vmfw_conf, $bridge, 'OUT');
 }
 }
-- 
2.39.2
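Review bot: `my $rules = $vmfw_conf->{lc($direction)};` in generate_tap_rules_direction picks the rule list by lower-casing the `$direction` string, so any value other than 'IN' or 'OUT' silently yields undef and, as far as the hunk shows, a tap chain built without the VM's own rules. Because this function emits the firewall ruleset, a guard at the top such as `die "unknown direction '$direction'\n" if $direction !~ m/^(IN|OUT)$/;` would make a caller mistake fail loudly instead of producing an empty chain. A one-line comment above the argument list stating that `$vmfw_conf` is the whole per-VM config with `in`, `out` and `options` keys would also help, since `$options` is assigned here but its use lies outside the hunk, as does the rest of the function body.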
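Review bot: The enable test in compile, `($vmfw_conf->{options}->{enable} == 0)`, is a numeric comparison, so a non-numeric value such as "yes" or "on" also compares equal to 0 and the VM would be skipped, leaving it without any generated rules. Whether the options parser already restricts `enable` to 0 or 1 is not visible in this hunk; if it does not, a string comparison like `next if defined($enable) && $enable eq '0';` (with `my $enable = $vmfw_conf->{options}->{enable};` before it) keeps the firewall on for anything that is not an explicit 0. It is also worth a comment on the `next if !$vmfw_conf;` line that a VM with no firewall config gets no tap rules at all, so the default for unconfigured guests is clear to the next reader.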