[pve-devel] [PATCH] add PVEFW-VENET-IN && PVEFW-VENET-OUT chains

Alexandre Derumier aderumier at odiso.com
Fri May 9 16:36:36 CEST 2014


-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
   -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
   -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
   -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
   -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN

-A PVEFW-FORWARD -o vnet0 -j PVEFW-VENET-IN
  -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
  -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  -A PVEFW-VENET-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT

-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
   -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
   -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT

-A PVEFW-FORWARD -i vnet0 -j PVEFW-VENET-OUT
  -A PVEFW-VENET-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 46afa25..1f4d9ce 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1557,7 +1557,8 @@ sub generate_venet_rules_direction {
 
     # plug into FORWARD, INPUT and OUTPUT chain
     if ($direction eq 'OUT') {
-	ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+
+	ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
 	    action => $chain,
 	    source => $ip,
 	    iface_in => 'venet0'});
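Review bot: The blank line inserted before the ruleset_generate_rule_insert call (and the matching one before ruleset_generate_rule in the next hunk) is stray whitespace unrelated to the chain change; drop both so the diff stays limited to the target-chain rename. The rewritten call now inserts into PVEFW-VENET-OUT, which compile() creates only when the chain does not yet exist; if generate_venet_rules_direction can run before that block, the insert would target a chain that is not there yet, so the call order is worth confirming. generate_venet_rules_direction starts and ends outside the hunk.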
@@ -1567,7 +1568,8 @@ sub generate_venet_rules_direction {
 	    source => $ip,
 	    iface_in => 'venet0'});
     } else {
-	ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+
+	ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
 	    action => $chain,
 	    dest => $ip,
 	    iface_out => 'venet0'});
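Review bot: The IN branch jumps to $chain with `dest => $ip`, yet the example in the commit message shows this rule landing in an -OUT chain (`-A PVEFW-VENET-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT`); if $chain is the per-container chain for the IN direction, the example should presumably read `-j venet0-104-IN`. Either the example or the chain naming is off, and a reader following the message would look for the wrong chain when debugging. The surrounding function continues outside the hunk.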
@@ -2548,6 +2550,11 @@ sub compile {
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
     }
 
+    if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-OUT")) {
+	ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vnet0 -j PVEFW-VENET-OUT");
+    }
+
     if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-IN")) {
 	ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
 
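Review bot: The new FORWARD jump matches `-i vnet0`, while the rules placed inside PVEFW-VENET-OUT match `iface_in => 'venet0'` (first hunk) and the commit message example uses venet0 throughout; unless vnet0 is a distinct device, `-i` is an exact interface-name match and no packet would ever enter the chain, so the per-container OUT rules would silently never be evaluated. The jump added in the next hunk has the same mismatch with `-o vnet0`. I would change the two lines to `ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");` and `ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");`. compile() extends beyond the hunk.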
@@ -2562,6 +2569,20 @@ sub compile {
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-in link+ -j PVEFW-FWBR-IN");
     }
 
+    if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-IN")) {
+	ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+
+	if (!(defined($hostfw_options->{nosmurfs}) && $hostfw_options->{nosmurfs} == 0)) {
+	    ruleset_addrule($ruleset, "PVEFW-VENET-IN", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+	}
+
+	if ($hostfw_options->{tcpflags}) {
+	    ruleset_addrule($ruleset, "PVEFW-VENET-IN", "-p tcp -j PVEFW-tcpflags");
+	}
+
+	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vnet0 -j PVEFW-VENET-IN");
+    }
+
     generate_std_chains($ruleset, $hostfw_options);
 
     my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
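Review bot: The PVEFW-VENET-IN chain adds the smurfs rule before the tcpflags rule, whereas the commit message example lists tcpflags first (`-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags` before the conntrack/smurfs line); either order is defensible, but the message should match what the code emits, and it would be clearer to mirror whatever order the existing PVEFW-FWBR-IN block uses (its body lies outside this hunk). A one-line comment above the new block, such as `# venet traffic is not seen by the physdev/bridge chains above, so it gets its own chain`, would explain why a second set of chains exists, assuming that is the reason for the split. compile() continues outside the hunk.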
-- 
1.7.10.4



