Add support for altnames by transparently mapping them, using the information from 'ip link', when generating the ruleset. The firewall will now replace any altname in the ruleset with the actual physical name of the interface. We handle it this way because iptables cannot match on an interface's altnames, only on its 'real' name.
Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
---
 src/PVE/Firewall.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 173ce98..e3d21f6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2861,6 +2861,8 @@ sub enable_host_firewall {
     my $rules = $hostfw_conf->{rules};
     my $cluster_rules = $cluster_conf->{rules};
 
+    my $interface_mapping = PVE::Network::altname_mapping();
+
     # corosync preparation
     my $corosync_rule = "-p udp --dport 5404:5405";
     my $corosync_local_addresses = {};
@@ -2908,7 +2910,7 @@ sub enable_host_firewall {
         next if !$rule->{enable} || $rule->{errors};
         next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
 
-        $rule->{iface_in} = $rule->{iface} if $rule->{iface};
+        $rule->{iface_in} = ($interface_mapping->{$rule->{iface}} // $rule->{iface}) if $rule->{iface};
 
         eval {
             $rule->{logmsg} = "$rule->{action}: ";
@@ -2994,7 +2996,8 @@ sub enable_host_firewall {
         next if !$rule->{enable} || $rule->{errors};
         next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
 
-        $rule->{iface_out} = $rule->{iface} if $rule->{iface};
+        $rule->{iface_out} = ($interface_mapping->{$rule->{iface}} // $rule->{iface}) if $rule->{iface};
+
         eval {
             $rule->{logmsg} = "$rule->{action}: ";
             if ($rule->{type} eq 'group') {
-- 
2.39.5

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
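Review bot: The lookup `$interface_mapping->{$rule->{iface}} // $rule->{iface}` is repeated verbatim for iface_in in the second hunk and iface_out in the third, with nothing at the site saying why a configured interface name is being rewritten; a comment on the first use, `# iptables only matches the kernel interface name, so resolve a configured altname to it (unknown names pass through unchanged)`, or a small `_resolve_iface($mapping, $name)` helper called from both places, would make the intent clear to the next reader. The mapping is also taken once at the top of enable_host_firewall in the first hunk, so a rule whose iface is an altname assigned after the ruleset was compiled silently falls through the `//` to the literal name and no longer matches anything; a one-line comment on the `my $interface_mapping` line noting that the snapshot is only as fresh as the last ruleset compile would help operators debug that case. If `PVE::Network::altname_mapping()` can die when `ip link` is unavailable or fails to parse (not visible here), it is worth deciding explicitly, and documenting, whether the whole host ruleset should fail hard at that point rather than leave it implicit. enable_host_firewall starts and ends outside all three hunks.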