[PVE-User] ipfilter functionality
Mark Schouten
mark at tuxis.nl
Fri Apr 13 10:13:02 CEST 2018
On Fri, 2018-04-13 at 10:08 +0200, Mark Schouten wrote:
> It's not really MAC filtering I'm looking for. But wouldn't this be
> fixed if the connection inbound would be filtered as well as
> outbound?
> So add the ipfilter-rules to $interface-IN as well?
Like so:
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8f545e7..1bf0725 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2202,6 +2202,12 @@ sub ruleset_create_vm_chain {
}
ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark
$FWACCEPTMARK_OFF"); # clear mark
}
+ if ($direction eq 'IN') {
+ if ($ipfilter_ipset) {
+ ruleset_addrule($ruleset, $chain, "-m set ! --match-set
$ipfilter_ipset dst", "-j DROP");
+ }
+ }
+
my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-
MARK' : "-j $accept";
ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options,
$direction, $accept_action);
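Review bot: the new unconditional `-j DROP` for direction `IN` is inserted before the `ruleset_chain_add_ndp(...)` call, so inbound NDP (neighbour solicitation/advertisement, whose destinations are link-local or solicited-node multicast addresses) will hit the drop rule first unless those destinations are present in `$ipfilter_ipset`; please confirm the ipset covers them or move the block after the NDP rules. The two nested `if`s can also be collapsed into `if ($direction eq 'IN' && $ipfilter_ipset) { ... }` to match the surrounding style, and since the ipfilter option is documented as filtering outgoing traffic only, the commit should update the documentation (and any expected-ruleset tests) to reflect the new inbound behaviour.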
--
Kerio Operator in de Cloud? https://www.kerioindecloud.nl/
Mark Schouten | Tuxis Internet Engineering
KvK: 61527076 | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl