Generate the tap rules for each of a VM's NICs only if the VM firewall is enabled, analogous to the current behaviour for CTs.
Signed-off-by: Christian Ebner <c.eb...@proxmox.com>
---
 src/PVE/Firewall.pm | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 48e6300..91e21ed 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3572,17 +3572,19 @@ sub compile_iptables_filter {
 my $vmfw_conf = $vmfw_configs->{$vmid};
 return if !$vmfw_conf;
 
- foreach my $netid (sort keys %$conf) {
- next if $netid !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$netid});
- next if !$net->{firewall};
- my $iface = "tap${vmid}i$1";
-
- my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN', $ipversion);
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT', $ipversion);
+ if ($vmfw_conf->{options}->{enable}) {
+ foreach my $netid (sort keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net->{firewall};
+ my $iface = "tap${vmid}i$1";
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN', $ipversion);
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT', $ipversion);
+ }
 }
 };
 warn $@ if $@; # just to be sure - should not happen
--
2.11.0

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
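Review bot: The new `if ($vmfw_conf->{options}->{enable})` wrapper re-indents the whole NIC loop, turning a two-line change into a 24-line one; since this block already leaves early with `return if !$vmfw_conf;` (apparently inside a per-VM `eval`, given the trailing `};` and `warn $@ if $@;` context), the same guard could be a second early exit, `return if !$vmfw_conf->{options}->{enable};`, leaving the loop body untouched. A one-line comment above that guard, such as `# VM firewall disabled -> no tap chains for this VM, same as for CTs`, would record that a disabled per-VM firewall now produces no tap rules at all, which is the security-relevant effect a reader of the ruleset compiler will want stated rather than inferred. While here, `my $iface = "tap${vmid}i$1";` relies on `$1` from the `m/^net(\d+)$/` match two statements earlier, across the `parse_net` call; Perl restores capture variables when a sub returns, so this is correct, but binding the capture up front (`my ($idx) = $netid =~ m/^net(\d+)$/;`) would make it less fragile. The enclosing `compile_iptables_filter` starts and ends outside the hunk, so I cannot see whether the CT path tests the same `options->{enable}` expression; if it does, a shared helper would keep the two checks from drifting apart.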