[pve-devel] [PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules
Christian Ebner
c.ebner at proxmox.com
Thu Apr 11 12:03:25 CEST 2019
The tap rules for each of the NICs should only be generated if the VM firewall is enabled, analogous to the current behaviour for CTs.
Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
src/PVE/Firewall.pm | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 48e6300..91e21ed 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3572,17 +3572,19 @@ sub compile_iptables_filter {
my $vmfw_conf = $vmfw_configs->{$vmid};
return if !$vmfw_conf;
- foreach my $netid (sort keys %$conf) {
- next if $netid !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$netid});
- next if !$net->{firewall};
- my $iface = "tap${vmid}i$1";
-
- my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN', $ipversion);
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT', $ipversion);
+ if ($vmfw_conf->{options}->{enable}) {
+ foreach my $netid (sort keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net->{firewall};
+ my $iface = "tap${vmid}i$1";
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN', $ipversion);
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
+ }
}
};
warn $@ if $@; # just to be sure - should not happen
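Review bot: The new `if ($vmfw_conf->{options}->{enable})` wrapper at the top of the hunk re-indents the entire NIC loop, where a guard placed right after the existing `return if !$vmfw_conf;` would express the same precondition as a two-line change: `return if !$vmfw_conf->{options}->{enable};`. Keeping the two early returns together also makes it visible that a VM firewall config with no `enable` key (undef, not just 0) now yields no tap rules at all; the description says this mirrors the CT path, but that code is not in the hunk, so it is worth confirming the CT check treats a missing key the same way. The re-indented loop body still reads `$1` from the `m/^net(\d+)$/` match only after the `parse_net` call; capturing the index right after the match, e.g. `my ($idx) = $netid =~ m/^net(\d+)$/;`, would make the interface name independent of what the callee does. The enclosing `compile_iptables_filter` and the block closed by `};` (presumably an eval, given the following `warn $@`) both start before this hunk.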
--
2.11.0