[pve-devel] [PATCH] ebtables : always filter if macfilter or layer2_protocols are enabled

Alexandre Derumier aderumier at odiso.com
Tue Jul 15 12:09:15 CEST 2014


Apply the filter even when firewall=0.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a58f815..7ac4b5b 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3211,7 +3211,8 @@ sub compile_ebtables_filter {
     #for ipv4 and ipv6, check macaddress in iptables, so we use conntrack 'ESTABLISHED', to speedup rules
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-p IPv4 -j ACCEPT");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-p IPv6 -j ACCEPT");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o fwln+ -j PVEFW-FWBR-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i tap+ -j PVEFW-FWBR-OUT");
+    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i veth+ -j PVEFW-FWBR-OUT");
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
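Review bot: The two new `-i tap+` / `-i veth+` jumps sit after the unconditional `-p IPv4 -j ACCEPT` and `-p IPv6 -j ACCEPT` rules, so the ebtables MAC filter that this patch now applies to firewall=0 interfaces only ever sees non-IP frames (ARP and similar). The comment above says the MAC check for IPv4/IPv6 is done in iptables; if that iptables check is generated only for interfaces with firewall=1 (not visible in this hunk), IP traffic from a firewall=0 NIC is not MAC-filtered at all, which would leave a gap in the protection the subject line promises. Worth confirming and, if so, either gating the IPv4/IPv6 ACCEPTs or generating the iptables MAC check for those interfaces too. A short comment documenting the intended split would help here, e.g. `# IP frames are ACCEPTed here; their MAC check must happen in iptables for every NIC, not only firewall=1 ones`. compile_ebtables_filter continues outside this hunk.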
@@ -3223,7 +3224,6 @@ sub compile_ebtables_filter {
 	    foreach my $netid (keys %$conf) {
 		next if $netid !~ m/^net(\d+)$/;
 		my $net = PVE::QemuServer::parse_net($conf->{$netid});
-		next if !$net->{firewall};
 		my $iface = "tap${vmid}i$1";
 		my $macaddr = $net->{macaddr};
 
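Review bot: Dropping `next if !$net->{firewall};` here (and the bridge-name check `$bridge !~ m/^vmbr\d+(v(\d+))?f$/` in the next hunk) removes the only per-NIC gate in these loops without leaving any trace of why, so a later reader will likely reinstate it as an apparent omission. Add a one-line comment at the point of each removed check, e.g. `# no firewall flag check: MAC/layer2 filtering is applied regardless; generate_tap_layer2filter decides whether a filter is needed`. The enclosing loops start and end outside these hunks, so I cannot see whether anything else downstream still relied on the old guards.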
@@ -3247,7 +3247,7 @@ sub compile_ebtables_filter {
 		foreach my $netid (keys %$netif) {
 		    my $d = $netif->{$netid};
 		    my $bridge = $d->{bridge};
-		    next if !$bridge || $bridge !~ m/^vmbr\d+(v(\d+))?f$/; # firewall enabled ?
+		    next if !$bridge;
 		    my $macaddr = $d->{mac};
 		    my $iface = $d->{host_ifname};
 
@@ -3268,22 +3268,26 @@ sub generate_tap_layer2filter {
     my $tapchain = $iface."-OUT";
     $macaddr = lc($macaddr);
 
+    my $filter_enabled = undef;
+
     ruleset_create_chain($ruleset, $tapchain);
     if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+	    $filter_enabled = 1;
 	    my $target = (defined($options->{layer2filter_protocols})) ? "CONTINUE" : "ACCEPT";
 	    ruleset_addrule($ruleset, $tapchain, "-s $macaddr -j $target");
     }
 
     if (defined($options->{layer2filter_protocols})){
+	$filter_enabled = 1;
 	foreach my $proto (split(/,/, $options->{layer2filter_protocols})) {
 	    ruleset_addrule($ruleset, $tapchain, "-p $proto -j ACCEPT");
 	}
     }
 
-    ruleset_addrule($ruleset, $tapchain, "-j DROP");
-		
-    ruleset_addrule($ruleset, "PVEFW-FWBR-OUT","-i $iface -j $tapchain");
-
+    if($filter_enabled){
+	ruleset_addrule($ruleset, $tapchain, "-j DROP");
+	ruleset_addrule($ruleset, "PVEFW-FWBR-OUT","-i $iface -j $tapchain");
+    }
 }
 
 sub get_ruleset_status {
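Review bot: `ruleset_create_chain($ruleset, $tapchain)` is still called unconditionally, but the `-j DROP` and the jump from PVEFW-FWBR-OUT are now inside `if($filter_enabled)`, so when neither the MAC filter nor layer2filter_protocols is active the function leaves an empty, unreferenced `<iface>-OUT` chain in the ruleset. Computing the two conditions up front and returning early before creating the chain avoids that, and it also removes the duplicated `$filter_enabled = 1` assignments. As a style point, `my $filter_enabled = undef;` and `if($filter_enabled){` do not match the surrounding code (`my $x;` and `if (...) {`). The sub's argument unpacking is outside the hunk, so the sketch below starts after it.
```perl
    my $tapchain = $iface."-OUT";
    $macaddr = lc($macaddr);

    my $macfilter = defined($macaddr) &&
	!(defined($options->{macfilter}) && $options->{macfilter} == 0);
    my $protofilter = defined($options->{layer2filter_protocols});

    # nothing to filter: do not leave an empty, unreferenced chain behind
    return if !$macfilter && !$protofilter;

    ruleset_create_chain($ruleset, $tapchain);

    if ($macfilter) {
	my $target = $protofilter ? "CONTINUE" : "ACCEPT";
	ruleset_addrule($ruleset, $tapchain, "-s $macaddr -j $target");
    }

    if ($protofilter) {
	# … unchanged: per-protocol ACCEPT rules …
    }

    ruleset_addrule($ruleset, $tapchain, "-j DROP");
    ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", "-i $iface -j $tapchain");
```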
-- 
1.7.10.4



