[pve-devel] [PATCH] firewall update : load cluster conf for host rules

Alexandre Derumier aderumier at odiso.com
Thu Dec 11 14:25:42 CET 2014


Currently we can't use ipsets defined in cluster in host rules

host.fw
----------
[OPTIONS]

log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug

[RULES]

IN ACCEPT -source +whitelist

in sub update {
my $hostfw_conf = load_hostfw_conf();
}

$VAR1 = {
          'options' => {
                         'enable' => 1,
                         'log_level_in' => 'debug',
                         'tcp_flags_log_level' => 'debug',
                         'log_level_out' => 'debug',
                         'tcpflags' => 1,
                         'smurf_log_level' => 'debug'
                       },
          'ipset' => {},
          'rules' => [
                       {
                         'source' => '+whitelist',
                         'enable' => 1,
                         'errors' => {
                                       'source' => 'no such ipset \'whitelist\''
                                     },
                         'action' => 'ACCEPT',
                         'type' => 'in'
                       }
                     ]
        };

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index abf591b..958927a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3560,7 +3560,7 @@ sub update {
 	    return;
 	}
 
-	my $hostfw_conf = load_hostfw_conf();
+	my $hostfw_conf = load_hostfw_conf($cluster_conf);
 
 	my ($ruleset, $ipset_ruleset, $rulesetv6) = compile($cluster_conf, $hostfw_conf);
 
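Review bot: the changed call `my $hostfw_conf = load_hostfw_conf($cluster_conf);` in `sub update` fixes only this one call site, so any other caller that still invokes `load_hostfw_conf()` with no argument would keep parsing host rules such as `IN ACCEPT -source +whitelist` into the `'no such ipset 'whitelist''` error shown in the commit message; please check the remaining callers and pass the cluster configuration there as well, or make the argument mandatory so a missing one fails loudly. The commit message would also benefit from saying what happens to a rule that carries an `errors` entry when the ruleset is compiled: if it is silently dropped, a host rule that was meant to restrict traffic to a cluster-defined ipset would not have been enforced before this fix, and that is worth stating. A short regression test that loads a host.fw referencing a cluster ipset and asserts that the parsed rule has no `errors` key would document the intended behaviour.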
-- 
1.7.10.4