---
 src/PVE/API2/Firewall/VM.pm |  3 ++-
 src/PVE/Firewall.pm         | 11 +++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 192737a..4fdf3da 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -43,7 +43,8 @@ my $option_properties = {
           "This is equivalent to adding an empty ipfilter-net<id> ipset " .
           "for every interface. Such ipsets implicitly contain sane default " .
           "restrictions such as restricting IPv6 link local addresses to " .
-          "the one derived from the interface's MAC address.",
+          "the one derived from the interface's MAC address. For containers " .
+          "the configured IP addresses will be implicitly added.",
        type => 'boolean',
        optional => 1,
     },
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 73ae6f7..7dbe13d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3357,7 +3357,8 @@ sub compile_ipsets {
            # is no 'ipfilter-netX' ipset defiend gets an implicit empty default
            # ipset.
            # The reason is that ipfilter ipsets are always filled with standard
-           # IPv6 link-local filters.
+           # IPv6 link-local filters, as well as the IP addresses configured
+           # for the container.
            my $ipsets = $vmfw_conf->{ipset};
            my $implicit_sets = {};
 
@@ -3373,10 +3374,16 @@ sub compile_ipsets {
 
                my $macaddr = $net->{hwaddr};
                my $linklocal = mac_to_linklocal($macaddr);
-               $device_ips->{$netid} = [
+               my $set = $device_ips->{$netid} = [
                    { cidr => $linklocal },
                    { cidr => 'fe80::/10', nomatch => 1 }
                ];
+               if ($net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!) {
+                   push @$set, { cidr => $1 };
+               }
+               if ($net->{ip6} =~ m!^($IPV6RE)(?:/\d+)?$!) {
+                   push @$set, { cidr => $1 };
+               }
            }
 
            generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, 
$device_ips, $ipsets);
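Review bot: The two new matches test `$net->{ip}` and `$net->{ip6}` directly, so if either key is absent for an interface (which seems likely for a container that has only one address family configured) the pattern match runs on undef and emits "Use of uninitialized value" under `use warnings` every time the ipsets are compiled; guard each test, e.g. `if (defined($net->{ip}) && $net->{ip} =~ m!^($IPV4RE)(?:/\d+)?\z!) {` and likewise for `ip6`. The `$` anchor also tolerates a trailing newline, which `\z` does not. Because this set is what restricts the source addresses the interface may use, it would be worth a one-line comment stating that the `(?:/\d+)?` group deliberately drops the prefix so only the single configured host address, not its whole subnet, is added to the filter. compile_ipsets begins and ends outside this hunk.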
-- 
2.1.4


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
