[pve-devel] [mew model rework 4/7] add PVEFW-VENET-IN && PVEFW-VENET-OUT chains
Dietmar Maurer
dietmar at proxmox.com
Mon May 12 10:16:59 CEST 2014
Based on patch from Alexandre + cleanups (s/vnet/venet/)
Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
src/PVE/Firewall.pm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1575,7 +1575,7 @@ sub generate_venet_rules_direction {
# plug into FORWARD, INPUT and OUTPUT chain
if ($direction eq 'OUT') {
- ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+ ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
action => $chain,
source => $ip,
iface_in => 'venet0'});
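Review bot: With the rule on the `+` line now landing in PVEFW-VENET-OUT, which this patch reaches only through the `-i venet0 -j PVEFW-VENET-OUT` jump added in compile(), the `iface_in => 'venet0'` match on the per-VM rule itself becomes redundant, and the same holds for `iface_out => 'venet0'` on the PVEFW-VENET-IN rule in the second hunk. Dropping both would make each per-VM rule shorter and save one interface test per packet; keeping them is defensible only if the chains are meant to be reachable from elsewhere, which nothing in the patch shows. The other `ruleset_generate_rule_insert` call visible at the start of the second hunk still carries `iface_in => 'venet0'` and its target chain is outside the hunk, so it may still need the match. The body of generate_venet_rules_direction starts and ends outside the hunk.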
@@ -1585,7 +1585,7 @@ sub generate_venet_rules_direction {
source => $ip,
iface_in => 'venet0'});
} else {
- ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+ ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
action => $chain,
dest => $ip,
iface_out => 'venet0'});
@@ -2575,12 +2575,18 @@ sub compile {
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j PVEFW-VENET-OUT");
+
ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN");
ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
+ ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o venet0 -j PVEFW-VENET-IN");
+
my $hostfw_options = $hostfw_conf->{options} || {};
# fixme: what log level should we use here?
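Review bot: The two new chains are created and wired into PVEFW-FORWARD without a comment saying what fills them; a line such as `# per-VM venet rules are inserted into PVEFW-VENET-IN/OUT by generate_venet_rules_direction()` above the PVEFW-VENET-OUT creation would tell a reader why these chains are empty at this point. The `-i venet0` jump is placed right after the FORWARD chain is created, while the `-o venet0` jump comes after the two physdev jumps; since an interface-based match and a `--physdev-in link+` match presumably never apply to the same packet this ordering should not change what gets matched, but placing both venet jumps together would make the FORWARD chain layout easier to follow. The body of compile starts and ends outside the hunk.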
--
1.7.10.4