[pve-devel] [PATCH] optimize bridge chains
Alexandre Derumier
aderumier at odiso.com
Fri Feb 21 12:03:45 CET 2014
fixme : I have this error "unable to update chain vmbrX".
But if I remove this check, the rules applying fine.
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
PVE/Firewall.pm | 30 ++++++++++++------------------
1 file changed, 12 insertions(+), 18 deletions(-)
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index da8b4a2..45c2b20 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -627,33 +627,27 @@ sub ruleset_insertrule {
sub generate_bridge_chains {
my ($ruleset, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
- }
-
- if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
- ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
- }
-
if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
}
- if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
- ruleset_create_chain($ruleset, "$bridge-IN");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
- ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
+ if (!ruleset_chain_exist($ruleset, "$bridge")) {
+ ruleset_create_chain($ruleset, "$bridge");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
}
if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
ruleset_create_chain($ruleset, "$bridge-OUT");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
+ ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT");
+ }
+
+ if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
+ ruleset_create_chain($ruleset, "$bridge-IN");
+ ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
}
}
--
1.7.10.4
More information about the pve-devel
mailing list