fixme : I have this error "unable to update chain vmbrX". But if I remove this check, the rules applying fine.
Signed-off-by: Alexandre Derumier <[email protected]> --- PVE/Firewall.pm | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index da8b4a2..45c2b20 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -627,33 +627,27 @@ sub ruleset_insertrule { sub generate_bridge_chains { my ($ruleset, $bridge) = @_; - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN"); - } - - if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){ - ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT"); - } - if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){ ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN"); } - if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { - ruleset_create_chain($ruleset, "$bridge-IN"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN"); - ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT"); + if (!ruleset_chain_exist($ruleset, "$bridge")) { + ruleset_create_chain($ruleset, "$bridge"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -m physdev --physdev-is-bridged -j $bridge"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing } if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) { ruleset_create_chain($ruleset, "$bridge-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing - ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT"); + ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-in -j $bridge-OUT"); + } + + if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { + ruleset_create_chain($ruleset, "$bridge-IN"); + ruleset_addrule($ruleset, "$bridge", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); } } -- 1.7.10.4 _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
