[pve-devel] [PATCH] optimize bridge chains

Alexandre Derumier aderumier at odiso.com
Fri Feb 21 12:03:45 CET 2014


fixme : I have this error "unable to update chain vmbrX".

But if I remove this check, the rules applying fine.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/Firewall.pm |   30 ++++++++++++------------------
 1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index da8b4a2..45c2b20 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -627,33 +627,27 @@ sub ruleset_insertrule {
 sub generate_bridge_chains {
     my ($ruleset, $bridge) = @_;
 
-    if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
-	ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
-    }
-
-    if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
-	ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
-    }
-
     if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
 	ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
     }
 
-    if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
-	ruleset_create_chain($ruleset, "$bridge-IN");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP");  # disable interbridge routing
-	ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
-	ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
+    if (!ruleset_chain_exist($ruleset, "$bridge")) {
+	ruleset_create_chain($ruleset, "$bridge");
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge");
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge");
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP");  # disable interbridge routing
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
     }
 
     if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
 	ruleset_create_chain($ruleset, "$bridge-OUT");
-	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
-	ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
+	ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+    }
+
+    if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
+	ruleset_create_chain($ruleset, "$bridge-IN");
+	ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
     }
 }
 
-- 
1.7.10.4




More information about the pve-devel mailing list