Improving logging makes sense, the current state might be confuse for some (given that drop-rules simply generate a `-j DROP` iptables rules and therefore don't get logged). This seems to be a good first step, although I'd be much happier if iptables would allow setting the log-prefix and performing the log action separately, then we could simply introduce a log-drop chain instead. I'm assuming your intention is to be able to duplicate the matching part of a rule so that you can first add it with `-j NFLOG` and afterwards its `-j DROP` action (or whatever action was requested). In this case, also note that with groups the actions may not be executed immediately and instead set a mark and return out of the current chain.
With that in mind, I have no objections to this patch (or a version of it, see the inline comments below). But first things first: please read https://pve.proxmox.com/wiki/Developer_Documentation for details about patches and CLA (which is required for us to apply external patches). Also, the spaces in your patch have been replaced by non-breaking-space characters, causing git-am to fail on it. You should check your mailer settings to avoid this. More comments inline. On Thu, Sep 14, 2017 at 07:08:54PM +0200, Tom Weber wrote: > making ruleset generation aware of a match and action > part in iptable rules. > code will generate the same iptables as before! (except for > a few additional spaces between match and action). Note that these spaces are currently not accepted by the testcases and requires: - $rule =~ s/^-A $chain // || die "got strange rule: $rule"; + $rule =~ s/^-A $chain +// || die "got strange rule: $rule"; in FirewallSimulator.pm's rule_match() Please use `make check` in the future to check your changes ;-) > --- > src/PVE/Firewall.pm | 168 > +++++++++++++++++++++++++++++++--------------------- > 1 file changed, 99 insertions(+), 69 deletions(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index cc81325..61f07e0 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -1648,8 +1648,6 @@ sub enable_bridge_firewall { > $bridge_firewall_enabled = 1; > } > > -my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n"; > - Removes an unrelated unused variable. Such cleanups are preferred as separate patches. > sub iptables_restore_cmdlist { > my ($cmdlist) = @_; > > @@ -1778,7 +1776,7 @@ sub ipset_get_chains { > return $res; > } > > -sub ruleset_generate_cmdstr { > +sub ruleset_generate_match { > my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, > $fw_conf) = @_; > > return if defined($rule->{enable}) && !$rule->{enable}; > @@ -1909,6 +1907,14 @@ sub ruleset_generate_cmdstr { > > push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; > > + return scalar(@cmd) ? join(' ', @cmd) : undef; > +} > + > +sub ruleset_generate_action { > + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, > $fw_conf) = @_; > + > + my @cmd = (); > + > if (my $action = $rule->{action}) { > $action = $actions->{$action} if defined($actions->{$action}); > $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; > @@ -1918,6 +1924,17 @@ sub ruleset_generate_cmdstr { > return scalar(@cmd) ? join(' ', @cmd) : undef; > } > > +sub ruleset_generate_cmdstr { > + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, > $fw_conf) = @_; > + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, > $actions, $goto, $cluster_conf, $fw_conf); > + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, > $rule, $actions, $goto, $cluster_conf, $fw_conf); > + > + return undef if !(defined($match) or defined($action)); > + my $ret = defined($match) ? $match : ""; > + $ret = "$ret $action" if defined($action); > + return $ret; > +} > + > sub ruleset_generate_rule { > my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, > $fw_conf) = @_; > > @@ -1931,15 +1948,19 @@ sub ruleset_generate_rule { > > # update all or nothing > > - my @cmds = (); > + my @mstrs = (); > + my @astrs = (); > foreach my $tmp (@$rules) { > - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, > $tmp, $actions, $goto, $cluster_conf, $fw_conf)) { > - push @cmds, $cmdstr; > + my $m = ruleset_generate_match($ruleset, $chain, $ipversion, $tmp, > $actions, $goto, $cluster_conf, $fw_conf); > + my $a = ruleset_generate_action($ruleset, $chain, $ipversion, $tmp, > $actions, $goto, $cluster_conf, $fw_conf); > + if (defined $m or defined $a) { > + push @mstrs, defined($m) ? $m : ""; > + push @astrs, defined($a) ? $a : ""; While this is all part of a small chunk of code, I'd prefer a single array containing pairs of [$match, $action] as elements, rather than worrying about future changes possibly bringing @mstrs and @astrs out of sync. > } > } > > - foreach my $cmdstr (@cmds) { > - ruleset_addrule($ruleset, $chain, $cmdstr); > + for my $i (0 .. $#mstrs) { > + ruleset_addrule($ruleset, $chain, $mstrs[$i], $astrs[$i]); > } > } > > @@ -1948,8 +1969,10 @@ sub ruleset_generate_rule_insert { > > die "implement me" if $rule->{macro}; # not implemented, because not > needed so far > > - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, > $rule, $actions, $goto)) { > - ruleset_insertrule($ruleset, $chain, $cmdstr); > + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, > $actions, $goto); > + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, > $rule, $actions, $goto); > + if (defined $match && defined $action) { > + ruleset_insertrule($ruleset, $chain, $match, $action); > } > } > > @@ -1970,7 +1993,7 @@ sub ruleset_chain_exist { > return $ruleset->{$chain} ? 1 : undef; > } > > -sub ruleset_addrule { > +sub ruleset_addrule_old { The name suggests that you plan on removing this later on. If this is not the case, consider replacing _old with _full and making the new ruleset_addrule() a simple ruleset_addrule_full(..., "$match $action"); (saves duplicating the 'no such chain' check). > my ($ruleset, $chain, $rule) = @_; > > die "no such chain '$chain'\n" if !$ruleset->{$chain}; > @@ -1978,12 +2001,20 @@ sub ruleset_addrule { > push @{$ruleset->{$chain}}, "-A $chain $rule"; > } > > +sub ruleset_addrule { > + my ($ruleset, $chain, $match, $action, $log) = @_; > + > + die "no such chain '$chain'\n" if !$ruleset->{$chain}; > + > + push @{$ruleset->{$chain}}, "-A $chain $match $action"; > +} > + > sub ruleset_insertrule { > - my ($ruleset, $chain, $rule) = @_; > + my ($ruleset, $chain, $match, $action, $log) = @_; > > die "no such chain '$chain'\n" if !$ruleset->{$chain}; > > - unshift @{$ruleset->{$chain}}, "-A $chain $rule"; > + unshift @{$ruleset->{$chain}}, "-A $chain $match $action"; > } > > sub get_log_rule_base { > @@ -2000,15 +2031,14 @@ sub get_log_rule_base { > } > > sub ruleset_addlog { > - my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_; > + my ($ruleset, $chain, $vmid, $msg, $loglevel, $match) = @_; > > return if !defined($loglevel); > > - my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel); > - > - $logrule = "$rule $logrule" if defined($rule); > + my $logaction = get_log_rule_base($chain, $vmid, $msg, $loglevel); > > - ruleset_addrule($ruleset, $chain, $logrule); > + $match = "" if !defined $match; > + ruleset_addrule($ruleset, $chain, $match, $logaction); > } > > sub ruleset_add_chain_policy { > @@ -2021,17 +2051,17 @@ sub ruleset_add_chain_policy { > > } elsif ($policy eq 'DROP') { > > - ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); > + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop"); > > ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); > > - ruleset_addrule($ruleset, $chain, "-j DROP"); > + ruleset_addrule($ruleset, $chain, "", "-j DROP"); > } elsif ($policy eq 'REJECT') { > - ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); > + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject"); > > ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); > > - ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); > + ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject"); > } else { > # should not happen > die "internal error: unknown policy '$policy'"; > @@ -2042,19 +2072,19 @@ sub ruleset_chain_add_ndp { > my ($ruleset, $chain, $ipversion, $options, $direction, $accept) = @_; > return if $ipversion != 6 || (defined($options->{ndp}) && > !$options->{ndp}); > > - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > router-solicitation $accept"); > + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > router-solicitation", $accept); > if ($direction ne 'OUT' || $options->{radv}) { > - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > router-advertisement $accept"); > + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > router-advertisement", $accept); > } > - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > neighbor-solicitation $accept"); > - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > neighbor-advertisement $accept"); > + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > neighbor-solicitation", $accept); > + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > neighbor-advertisement", $accept); > } > > sub ruleset_chain_add_conn_filters { > my ($ruleset, $chain, $accept) = @_; > > - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j > DROP"); > - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate > RELATED,ESTABLISHED -j $accept"); > + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j > DROP"); > + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate > RELATED,ESTABLISHED", "-j $accept"); > } > > sub ruleset_chain_add_input_filters { > @@ -2064,20 +2094,20 @@ sub ruleset_chain_add_input_filters { > if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) { > ruleset_create_chain($ruleset, "PVEFW-blacklist"); > ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) > if $loglevel; > - ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP"); > + ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP"); > } > my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion); > - ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} > src -j PVEFW-blacklist"); > + ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} > src", "-j PVEFW-blacklist"); > } > > if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { > if ($ipversion == 4) { > - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate > INVALID,NEW -j PVEFW-smurfs"); > + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate > INVALID,NEW", "-j PVEFW-smurfs"); > } > } > > if ($options->{tcpflags}) { > - ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); > + ruleset_addrule($ruleset, $chain, "-p tcp", "-j PVEFW-tcpflags"); > } > } > > @@ -2114,15 +2144,15 @@ sub ruleset_create_vm_chain { > > if ($direction eq 'OUT') { > if (defined($macaddr) && !(defined($options->{macfilter}) && > $options->{macfilter} == 0)) { > - ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr > -j DROP"); > + ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr", > "-j DROP"); > } > if ($ipversion == 6 && !$options->{radv}) { > - ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type > router-advertisement -j DROP'); > + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type > router-advertisement", "-j DROP"); > } > if ($ipfilter_ipset) { > - ruleset_addrule($ruleset, $chain, "-m set ! --match-set > $ipfilter_ipset src -j DROP"); > + ruleset_addrule($ruleset, $chain, "-m set ! --match-set > $ipfilter_ipset src", "-j DROP"); > } > - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > } > > my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : > "-j $accept"; > @@ -2139,14 +2169,14 @@ sub ruleset_add_group_rule { > } > > if ($direction eq 'OUT' && $rule->{iface_out}) { > - ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out} -j > $group_chain"); > + ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out}", "-j > $group_chain"); > } elsif ($direction eq 'IN' && $rule->{iface_in}) { > - ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in} -j > $group_chain"); > + ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in}", "-j > $group_chain"); > } else { > - ruleset_addrule($ruleset, $chain, "-j $group_chain"); > + ruleset_addrule($ruleset, $chain, "", "-j $group_chain"); > } > > - ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON -j > $action"); > + ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON", "-j > $action"); > } > > sub ruleset_generate_vm_rules { > @@ -2211,7 +2241,7 @@ sub ruleset_generate_vm_ipsrules { > ruleset_create_chain($ruleset, "PVEFW-IPS"); > } > > - ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out > $iface --physdev-is-bridged -j $nfqueue"); > + ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out > $iface --physdev-is-bridged", "-j $nfqueue"); > } > } > > @@ -2259,10 +2289,10 @@ sub generate_tap_rules_direction { > # plug the tap chain to bridge chain > if ($direction eq 'IN') { > ruleset_addrule($ruleset, "PVEFW-FWBR-IN", > - "-m physdev --physdev-is-bridged --physdev-out $iface > -j $tapchain"); > + "-m physdev --physdev-is-bridged --physdev-out $iface", > "-j $tapchain"); > } else { > ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", > - "-m physdev --physdev-is-bridged --physdev-in $iface -j > $tapchain"); > + "-m physdev --physdev-is-bridged --physdev-in $iface", > "-j $tapchain"); > } > } > > @@ -2280,7 +2310,7 @@ sub enable_host_firewall { > > my $loglevel = get_option_log_level($options, "log_level_in"); > > - ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); > + ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT"); > > ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); > ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j > RETURN'); > @@ -2289,7 +2319,7 @@ sub enable_host_firewall { > # we use RETURN because we need to check also tap rules > my $accept_action = 'RETURN'; > > - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # > important for multicast > + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # > important for multicast > > # add host rules first, so that cluster wide rules can be overwritten > foreach my $rule (@$rules, @$cluster_rules) { > @@ -2314,19 +2344,19 @@ sub enable_host_firewall { > # allow standard traffic for management ipset (includes cluster network) > my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management", > $ipversion); > my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src"; > - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j > $accept_action"); # PVE API > - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 > -j $accept_action"); # PVE VNC Console > - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j > $accept_action"); # SPICE Proxy > - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j > $accept_action"); # SSH > + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006", "-j > $accept_action"); # PVE API > + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", > "-j $accept_action"); # PVE VNC Console > + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j > $accept_action"); # SPICE Proxy > + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j > $accept_action"); # SSH > > my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr}; > my $localnet_ver = > $cluster_conf->{aliases}->{local_network}->{ipversion}; > > # corosync > if ($localnet && ($ipversion == $localnet_ver)) { > - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; > - ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet > $corosync_rule"); > - ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type > MULTICAST $corosync_rule"); > + my $corosync_rule = "-p udp --dport 5404:5405"; > + ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet > $corosync_rule", "-j $accept_action"); > + ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type > MULTICAST $corosync_rule", "-j $accept_action"); > } > > # implement input policy > @@ -2339,7 +2369,7 @@ sub enable_host_firewall { > > $loglevel = get_option_log_level($options, "log_level_out"); > > - ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT"); > + ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT"); > > ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); > > @@ -2347,7 +2377,7 @@ sub enable_host_firewall { > $accept_action = 'RETURN'; > ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'OUT', "-j > $accept_action"); > > - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # > important for multicast > + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # > important for multicast > > # add host rules first, so that cluster wide rules can be overwritten > foreach my $rule (@$rules, @$cluster_rules) { > @@ -2370,22 +2400,22 @@ sub enable_host_firewall { > > # allow standard traffic on cluster network > if ($localnet && ($ipversion == $localnet_ver)) { > - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006 -j > $accept_action"); # PVE API > - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22 -j > $accept_action"); # SSH > - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport > 5900:5999 -j $accept_action"); # PVE VNC Console > - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128 -j > $accept_action"); # SPICE Proxy > + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", > "-j $accept_action"); # PVE API > + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j > $accept_action"); # SSH > + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport > 5900:5999", "-j $accept_action"); # PVE VNC Console > + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", > "-j $accept_action"); # SPICE Proxy > > - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; > - ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule"); > - ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST > $corosync_rule"); > + my $corosync_rule = "-p udp --dport 5404:5405"; > + ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j > $accept_action"); > + ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST > $corosync_rule", "-j $accept_action"); > } > > # implement output policy > $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything > by default > ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, > $loglevel, $accept_action); > > - ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); > - ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); > + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "", "-j PVEFW-HOST-OUT"); > + ruleset_addrule($ruleset, "PVEFW-INPUT", "", "-j PVEFW-HOST-IN"); > } > > sub generate_group_rules { > @@ -2401,7 +2431,7 @@ sub generate_group_rules { > my $chain = "GROUP-${group}-IN"; > > ruleset_create_chain($ruleset, $chain); > - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > > foreach my $rule (@$rules) { > next if $rule->{type} ne 'in'; > @@ -2414,7 +2444,7 @@ sub generate_group_rules { > $chain = "GROUP-${group}-OUT"; > > ruleset_create_chain($ruleset, $chain); > - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark > $FWACCEPTMARK_OFF"); # clear mark > > foreach my $rule (@$rules) { > next if $rule->{type} ne 'out'; > @@ -3137,7 +3167,7 @@ sub generate_std_chains { > if (ref($rule)) { > ruleset_generate_rule($ruleset, $chain, $ipversion, $rule); > } else { > - ruleset_addrule($ruleset, $chain, $rule); > + ruleset_addrule_old($ruleset, $chain, $rule); > } > } > } > @@ -3380,10 +3410,10 @@ sub compile_iptables_filter { > ruleset_create_chain($ruleset, "PVEFW-FWBR-IN"); > ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, > $hostfw_options, $cluster_conf, $loglevel); > > - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev > --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN"); > + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev > --physdev-is-bridged --physdev-in fwln+", "-j PVEFW-FWBR-IN"); > > ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT"); > - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev > --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT"); > + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev > --physdev-is-bridged --physdev-out fwln+", "-j PVEFW-FWBR-OUT"); > > generate_std_chains($ruleset, $hostfw_options, $ipversion); > > @@ -3442,7 +3472,7 @@ sub compile_iptables_filter { > } > > if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){ > - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate > RELATED,ESTABLISHED -j PVEFW-IPS"); > + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate > RELATED,ESTABLISHED", "-j PVEFW-IPS"); > } > > return $ruleset; _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
