-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN -A PVEFW-FORWARD -o vnet0 -j PVEFW-VENET-IN -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs -A PVEFW-VENET-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT -A PVEFW-FORWARD -i vnet0 -j PVEFW-VENET-OUT -A PVEFW-VENET-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT
Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
---
 src/PVE/Firewall.pm | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 46afa25..1f4d9ce 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1557,7 +1557,8 @@ sub generate_venet_rules_direction {
 
     # plug into FORWARD, INPUT and OUTPUT chain
     if ($direction eq 'OUT') {
-        ruleset_generate_rule_insert($ruleset, "PVEFW-FORWARD", {
+
+        ruleset_generate_rule_insert($ruleset, "PVEFW-VENET-OUT", {
             action => $chain,
             source => $ip,
             iface_in => 'venet0'});
@@ -1567,7 +1568,8 @@ sub generate_venet_rules_direction {
             source => $ip,
             iface_in => 'venet0'});
     } else {
-        ruleset_generate_rule($ruleset, "PVEFW-FORWARD", {
+
+        ruleset_generate_rule($ruleset, "PVEFW-VENET-IN", {
             action => $chain,
             dest => $ip,
             iface_out => 'venet0'});
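Review bot: Both hunks add an empty `+` line immediately after `if ($direction eq 'OUT') {` and after `} else {`, leaving a stray blank first line in each branch; drop the two blank lines so that only the chain name changes in these hunks. The rules now land in PVEFW-VENET-OUT and PVEFW-VENET-IN, which this commit creates in compile() behind a ruleset_chain_exist guard; if generate_venet_rules_direction can be reached before that setup runs, the target chain does not exist yet, so the call order (outside this hunk) is worth confirming. The PVEFW-INPUT and PVEFW-OUTPUT arms of the function, and its beginning and end, lie outside these hunks.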
@@ -2548,6 +2550,11 @@ sub compile {
         ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
     }
 
+    if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-OUT")) {
+        ruleset_create_chain($ruleset, "PVEFW-VENET-OUT");
+        ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vnet0 -j PVEFW-VENET-OUT");
+    }
+
     if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-IN")) {
         ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
 
@@ -2562,6 +2569,20 @@ sub compile {
         ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-in link+ -j PVEFW-FWBR-IN");
     }
 
+    if (!ruleset_chain_exist($ruleset, "PVEFW-VENET-IN")) {
+        ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
+
+        if (!(defined($hostfw_options->{nosmurfs}) && $hostfw_options->{nosmurfs} == 0)) {
+            ruleset_addrule($ruleset, "PVEFW-VENET-IN", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+        }
+
+        if ($hostfw_options->{tcpflags}) {
+            ruleset_addrule($ruleset, "PVEFW-VENET-IN", "-p tcp -j PVEFW-tcpflags");
+        }
+
+        ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vnet0 -j PVEFW-VENET-IN");
+    }
+
     generate_std_chains($ruleset, $hostfw_options);
 
     my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
-- 
1.7.10.4

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
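Review bot: The FORWARD jump rules added in this hunk and the next (`"-i vnet0 -j PVEFW-VENET-OUT"`, `"-o vnet0 -j PVEFW-VENET-IN"`) match interface `vnet0`, while every per-container rule the new chains are supposed to filter uses `venet0` (`iface_in => 'venet0'` / `iface_out => 'venet0'` in generate_venet_rules_direction, and `-o venet0 -d 192.168.3.104` in the sample output). Unless `vnet0` is a real host interface, which nothing on the page suggests, traffic on `venet0` never enters PVEFW-VENET-IN/OUT, and because this commit also moves the per-container rules out of PVEFW-FORWARD into those chains, the container rules (and the smurfs/tcpflags checks) would silently stop applying to forwarded traffic. The probable fix is `"-i venet0 -j PVEFW-VENET-OUT"` here and `"-o venet0 -j PVEFW-VENET-IN"` in the following hunk, with the generated ruleset checked once against the actual interface name. The sample rules in the commit message reproduce the same vnet0/venet0 split, so the mismatch was not caught by inspecting the output. compile() begins and ends outside these hunks.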