applied as additional safeguard, even though all 4 calls to this are now only happening if the config is enabled, see
[PATCH firewall] fix: Check if VM firewall enabled before generating NICs tap rules

cherry-picked to stable-5 as well, since the pve-manager change that triggered this was in April.

On August 6, 2019 10:25 am, Mira Limbeck wrote:
> Before if a NIC had the firewall enabled and the MAC filter was active,
> a rule was added to the tap device even if the VM firewall was not
> enabled. This led to nested machines not being able to reach outside.
>
> Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
> not reach each other because of the MAC filter.
>
> Now we check if the VM firewall is enabled and only add the MAC and
> IP filters then.
>
> Signed-off-by: Mira Limbeck <m.limb...@proxmox.com>
> ---
> src/PVE/Firewall.pm | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 0e15090..45c5712 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2363,10 +2363,10 @@ sub generate_tap_rules_direction { > my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, > $ipversion) > if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name}; > > - # create chain with mac and ip filter > - ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, > $macaddr, $ipfilter_ipset, $direction); > - > if ($options->{enable}) { > + # create chain with mac and ip filter > + ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, > $macaddr, $ipfilter_ipset, $direction); > + > ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, > $tapchain, $netid, $direction, $options, $ipversion, $vmid); > > ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface); > -- > 2.20.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
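Review bot: `$ipfilter_ipset` is still computed above the `if ($options->{enable})` guard, so with the VM firewall disabled `compute_ipset_chain_name(...)` still runs for a value whose only consumer in this hunk, `ruleset_create_vm_chain`, has been moved inside the block; unless the variable is used further down the function, move that statement inside the block as well. While touching it, split `my $ipfilter_ipset = compute_ipset_chain_name(...) if ...;` into a plain `my $ipfilter_ipset;` followed by a separate conditional assignment, since perlsyn documents the behaviour of `my` under a statement-modifier condition as undefined. A short comment on the guard stating that the tap chain and its MAC/IP filters are only generated when the VM firewall is enabled would also record the intent here, given that the commit message describes the previous behaviour (MAC filter applied with the VM firewall off, breaking host-to-container traffic on a shared bridge) as the bug being fixed.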