[pve-devel] applied: [PATCH firewall] only add VM chains if VM firewall is enabled

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Aug 7 10:58:33 CEST 2019


applied as additional safeguard, even though all 4 calls to this are now 
only happening if the config is enabled, see

[PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules

cherry-picked to stable-5 as well, since the pve-manager change that 
triggered this was in April.

On August 6, 2019 10:25 am, Mira Limbeck wrote:
> Before if a NIC had the firewall enabled and the MAC filter was active,
> a rule was added to the tap device even if the VM firewall was not
> enabled. This led to nested machines not being able to reach outside.
> 
> Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
> not reach each other because of the MAC filter.
> 
> Now we check if the VM firewall is enabled and only add the MAC and
> IP filters then.
> 
> Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 0e15090..45c5712 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2363,10 +2363,10 @@ sub generate_tap_rules_direction {
>      my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
>  	if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
>  
> -    # create chain with mac and ip filter
> -    ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
> -
>      if ($options->{enable}) {
> +	# create chain with mac and ip filter
> +	ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
> +
>  	ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion, $vmid);
>  
>  	ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
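Review bot: moving ruleset_create_vm_chain() under `if ($options->{enable})` means $tapchain no longer exists in the generated ruleset when the VM firewall is disabled, so any code path that still emits a jump into $tapchain for such a VM would produce a ruleset that references a missing chain and fails to load. The hunk itself only shows the chain creation and the two rule generators (ruleset_generate_vm_rules, ruleset_generate_vm_ipsrules) moving together, which is consistent, but the callers that add the `-j $tapchain` rule are outside this hunk and need the same guard; the cover note states that all four call sites already check the config, and it would be worth a comment above the `if` saying that the chain is intentionally not created otherwise. A minor point: $ipfilter_ipset (and its compute_ipset_chain_name() call) is still computed unconditionally before the guard even though it is only consumed inside it; harmless, but it could move into the block as well.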
> -- 
> 2.20.1
> 
> 