[pve-devel] [PATCH] fix interface in rules for host-in and host-out
Dietmar Maurer
dietmar at proxmox.com
Thu May 15 07:36:55 CEST 2014
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index
> 803bebf..b85ad6d 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1661,6 +1661,7 @@ sub enable_host_firewall {
> # add host rules first, so that cluster wide rules can be overwritten
> foreach my $rule (@$rules, @$cluster_rules) {
> next if $rule->{type} ne 'in';
> + $rule->{iface_in} = $rule->{iface} if $rule->{iface};
> ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT =>
> $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
> }
>
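Review bot: the added `$rule->{iface_in} = $rule->{iface} if $rule->{iface};` line writes into the rule hash in place, and the loop walks `@$cluster_rules` as well as `@$rules`, so the extra key stays on the shared rule data after this loop finishes. Setting the interface on a per-iteration copy (for example `my $r = { %$rule };`) and passing that copy to `ruleset_generate_rule` would keep the change local to the host-in chain. A short comment saying why `iface` is mapped to `iface_in` here would also help.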
> @@ -1688,6 +1689,7 @@ sub enable_host_firewall {
> # add host rules first, so that cluster wide rules can be overwritten
> foreach my $rule (@$rules, @$cluster_rules) {
> next if $rule->{type} ne 'out';
> + $rule->{iface_out} = $rule->{iface} if $rule->{iface};
> ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT =>
> $accept_action, REJECT => "PVEFW-reject" }, undef, $cluster_conf);
> }
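Review bot: in the 'out' loop the new line sets `iface_out` but neither checks nor clears `iface_in`, so a rule that already carries `iface_in` by the time it reaches `ruleset_generate_rule` is emitted with both `-i` and `-o`, which matches the PVEFW-HOST-OUT line reported in the reply. Suggest working on a copy of the rule and deleting the opposite-direction key before generating it, e.g. `delete $r->{iface_in};` ahead of `$r->{iface_out} = $r->{iface}`, with the mirror-image handling in the 'in' loop.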
This patch introduces new bugs, for example I get:
'-A PVEFW-HOST-OUT -i sdfs -o sdfs -j group1',
Note: both '-i' and '-o' set
Besides, GROUPS do not work at all for hosts.fw (we simply skip group rules??).
Working on a fix now.