proxmox-mirrors/qemu-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu-server synced 2025-05-02 13:14:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

firewall: add handling for new nft firewall

Browse Source 
When the nftables firewall is enabled, we do not need to create
firewall bridges.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
 [ TL: use a more meaningful variable name and add a comment ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Stefan Hanreich 2024-04-19 11:42:34 +02:00 committed by Thomas Lamprecht
parent 4c042b2802
commit 29728dbf83
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
vm-network-scripts/pve-bridge
View File

@ -6,6 +6,7 @@ use warnings;
use PVE::QemuServer;
use PVE::Tools qw(run_command);
use PVE::Network;
use PVE::Firewall;
my $have_sdn;
eval {
@ -44,13 +45,16 @@ die "unable to get network config '$netid'\n"
my $net = PVE::QemuServer::parse_net($netconf);
die "unable to parse network config '$netid'\n" if !$net;
# The nftable-based implementation from the newer proxmox-firewall does not requires FW bridges
my $create_firewall_bridges = $net->{firewall} && !PVE::Firewall::is_nftables();
if ($have_sdn) {
PVE::Network::SDN::Vnets::add_dhcp_mapping($net->{bridge}, $net->{macaddr}, $vmid, $conf->{name});
PVE::Network::SDN::Zones::tap_create($iface, $net->{bridge});
PVE::Network::SDN::Zones::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall}, $net->{trunks}, $net->{rate});
PVE::Network::SDN::Zones::tap_plug($iface, $net->{bridge}, $net->{tag}, $create_firewall_bridges, $net->{trunks}, $net->{rate});
} else {
PVE::Network::tap_create($iface, $net->{bridge});
PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall}, $net->{trunks}, $net->{rate});
PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $create_firewall_bridges, $net->{trunks}, $net->{rate});
}
exit 0;