[pve-devel] [PATCH] ebtables : accept in tapchain, if firewall=1, but macfilter=0 && layer2protocol=undef
Alexandre Derumier
aderumier at odiso.com
Tue Jul 15 13:55:04 CEST 2014
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a58f815..b9419c1 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3268,22 +3268,26 @@ sub generate_tap_layer2filter {
my $tapchain = $iface."-OUT";
$macaddr = lc($macaddr);
+ my $filter_enabled = undef;
+
ruleset_create_chain($ruleset, $tapchain);
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+ $filter_enabled = 1;
my $target = (defined($options->{layer2filter_protocols})) ? "CONTINUE" : "ACCEPT";
ruleset_addrule($ruleset, $tapchain, "-s $macaddr -j $target");
}
if (defined($options->{layer2filter_protocols})){
+ $filter_enabled = 1;
foreach my $proto (split(/,/, $options->{layer2filter_protocols})) {
ruleset_addrule($ruleset, $tapchain, "-p $proto -j ACCEPT");
}
}
- ruleset_addrule($ruleset, $tapchain, "-j DROP");
-
- ruleset_addrule($ruleset, "PVEFW-FWBR-OUT","-i $iface -j $tapchain");
+ my $target = $filter_enabled ? "DROP" : "ACCEPT";
+ ruleset_addrule($ruleset, $tapchain, "-j $target");
+ ruleset_addrule($ruleset, "PVEFW-FWBR-OUT","-i $iface -j $tapchain");
}
sub get_ruleset_status {
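Review bot: The new `$filter_enabled = 1` on the `-s $macaddr` branch inherits a guard that never fails: `$macaddr = lc($macaddr)` on the context line above runs before `defined($macaddr)` is tested, and `lc` of an undefined value yields the empty string (with an uninitialized warning), so an unset MAC still enables filtering and emits a `-s  -j …` rule with an empty source, after which the chain now ends in DROP instead of the ACCEPT this patch intends for the unfiltered case. Guarding the lowercase step, `$macaddr = lc($macaddr) if defined $macaddr;`, keeps the defined check meaningful. As a point of style, `my $filter_enabled = undef;` is better written `my $filter_enabled = 0;` since it is only used as a boolean, and reusing the name `$target` for the chain's final policy after the inner-scope `$target` in the MAC branch reads ambiguously; `my $policy = $filter_enabled ? "DROP" : "ACCEPT";` would distinguish them. The enclosing sub generate_tap_layer2filter begins before this hunk.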
--
1.7.10.4