Skip IPv6 rules when generating iptables rules, and skip IPv4 rules when generating ip6tables rules.

If a rule's ipversion is undef, it is applied to both iptables and ip6tables.

Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
---
 src/PVE/Firewall.pm |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 6c8ae7b..962e85b 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1664,12 +1664,12 @@ sub ruleset_create_vm_chain {
 }
 
 sub ruleset_add_group_rule {
-    my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action) = @_;
+    my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action, 
$ipversion) = @_;
 
     my $group = $rule->{action};
     my $group_chain = "GROUP-$group-$direction";
     if(!ruleset_chain_exist($ruleset, $group_chain)){
-       generate_group_rules($ruleset, $cluster_conf, $group);
+       generate_group_rules($ruleset, $cluster_conf, $group, $ipversion);
     }
 
     if ($direction eq 'OUT' && $rule->{iface_out}) {
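Review bot: ruleset_add_group_rule forwards the new `$ipversion` to generate_group_rules only when `GROUP-$group-$direction` does not exist yet (the ruleset_chain_exist check above), so the chain's contents are filtered by whichever IP version first triggers its creation; that is only correct if each `$ruleset` is built for a single IP version, which the `$ipversion eq 4` gate in compile_iptables_filter suggests but this hunk cannot confirm. A short comment next to the check would make that invariant explicit: `# group chains are generated once per ruleset, so a ruleset must hold a single IP version`. The body of ruleset_add_group_rule continues past the hunk.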
@@ -1697,7 +1697,7 @@ sub ruleset_generate_vm_rules {
 
        if ($rule->{type} eq 'group') {
            ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
$direction,
-                                  $direction eq 'OUT' ? 'RETURN' : $in_accept);
+                                  $direction eq 'OUT' ? 'RETURN' : $in_accept, 
$ipversion);
        } else {
            next if $rule->{type} ne $lc_direction;
            eval {
@@ -1843,7 +1843,7 @@ sub generate_tap_rules_direction {
 }
 
 sub enable_host_firewall {
-    my ($ruleset, $hostfw_conf, $cluster_conf) = @_;
+    my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion) = @_;
 
     my $options = $hostfw_conf->{options};
     my $cluster_options = $cluster_conf->{options};
@@ -1874,7 +1874,7 @@ sub enable_host_firewall {
 
        eval {
            if ($rule->{type} eq 'group') {
-               ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
'IN', $accept_action);
+               ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
'IN', $accept_action, $ipversion);
            } elsif ($rule->{type} eq 'in') {
                ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 
$accept_action, REJECT => "PVEFW-reject" },
                                      undef, $cluster_conf, $hostfw_conf);
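Review bot: Only the group branch receives the new `$ipversion`; the ruleset_generate_rule call in the `elsif ($rule->{type} eq 'in')` branch directly below still gets no IP version, so a host rule carrying its own ipversion in the non-group branch would be emitted into either table unless ruleset_generate_rule already filters on `$rule->{ipversion}`, which this patch does not show. The same asymmetry appears in the 'OUT' hunk of enable_host_firewall and in the ruleset_generate_vm_rules hunk. If ruleset_generate_rule does not filter, the per-rule version check should either move into it or precede each of these calls as `next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;`. The enclosing loop and eval start outside the hunk.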
@@ -1927,7 +1927,7 @@ sub enable_host_firewall {
        $rule->{iface_out} = $rule->{iface} if $rule->{iface};
        eval {
            if ($rule->{type} eq 'group') {
-               ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
'OUT', $accept_action);
+               ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 
'OUT', $accept_action, $ipversion);
            } elsif ($rule->{type} eq 'out') {
                ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 
$accept_action, REJECT => "PVEFW-reject" },
                                      undef, $cluster_conf, $hostfw_conf);
@@ -1958,7 +1958,7 @@ sub enable_host_firewall {
 }
 
 sub generate_group_rules {
-    my ($ruleset, $cluster_conf, $group) = @_;
+    my ($ruleset, $cluster_conf, $group, $ipversion) = @_;
 
     my $rules = $cluster_conf->{groups}->{$group};
 
@@ -1974,6 +1974,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{type} ne 'in';
+       next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
        ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 
"PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
     }
 
@@ -1984,6 +1985,7 @@ sub generate_group_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{type} ne 'out';
+       next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
        # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
        # check also other tap rules later
        ruleset_generate_rule($ruleset, $chain, $rule,
@@ -2863,7 +2865,7 @@ sub compile_iptables_filter {
     my $ipset_ruleset = {};
 
     if ($hostfw_enable && $ipversion eq 4) {
-       eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
+       eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, 
$ipversion); };
        warn $@ if $@; # just to be sure - should not happen
     }
 
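Review bot: enable_host_firewall is still called only under `$ipversion eq 4`, so the value forwarded here is always 4 and host group rules tagged with ipversion 6 can never reach ip6tables; if IPv6 host rules are out of scope for this patch, a comment on the condition such as `# host firewall is IPv4-only for now, so $ipversion is always 4 here` would keep readers from expecting the new argument to vary. As a side note, `eq 4` compares as strings, which is harmless as long as `$ipversion` is exactly "4" or "6" but `== 4` would state the numeric intent. compile_iptables_filter continues outside the hunk.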
-- 
1.7.10.4
