+sub compile_iptables_raw {
+ my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $corosync_conf, $ipversion) = @_;
+
+ my $ruleset = {};
+
+ my $hostfw_options = $hostfw_conf->{options} || {};
+ my $protection_synflood = $hostfw_options->{protection_synflood} || 0;
+
+ if($protection_synflood) {
+
+ my $protection_synflood_rate = $hostfw_options->{protection_synflood_rate} ? $hostfw_options->{protection_synflood_rate} : 200;
+ my $protection_synflood_burst = $hostfw_options->{protection_synflood_burst} ? $hostfw_options->{protection_synflood_burst} : 1000;
+ my $protection_synflood_limit = $hostfw_options->{protection_synflood_limit} ? $hostfw_options->{protection_synflood_limit} : 3000;
+ my $protection_synflood_expire = $hostfw_options->{nf_conntrack_tcp_timeout_syn_recv} ? $hostfw_options->{nf_conntrack_tcp_timeout_syn_recv} : 60;
+ $protection_synflood_expire = $protection_synflood_expire * 1000;
+ my $protection_synflood_mask = $ipversion == 4 ? 32 : 64;
+
+ ruleset_create_chain($ruleset, "PVEFW-PREROUTING");
+ ruleset_addrule($ruleset, "PVEFW-PREROUTING", "-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-above $protection_synflood_rate/sec --hashlimit-burst $protection_synflood_burst --hashlimit-mode srcip --hashlimit-name syn --hashlimit-htable-size 2097152 --hashlimit-srcmask $protection_synflood_mask --hashlimit-htable-expire $protection_synflood_expire", "-j DROP");
+ }
+
+ return $ruleset;
+}
+
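Review bot: The hashlimit option values are interpolated verbatim into the iptables argument string passed to `ruleset_addrule`, so a `protection_synflood_rate`, `protection_synflood_burst` or `nf_conntrack_tcp_timeout_syn_recv` value that is not a plain integer would corrupt the generated rule or splice extra arguments into it, and nothing in this sub rejects such a value; unless the option schema elsewhere already constrains them to integers, add a guard before building the rule, e.g. `for my $v ($protection_synflood_rate, $protection_synflood_burst, $protection_synflood_expire) { die "synflood option must be a non-negative integer\n" unless $v =~ /^\d+\z/; }`. Separately, `$protection_synflood_limit` is read from the config but never referenced in the rule, so that option currently has no effect; either drop the variable or explain with a comment what it is reserved for. The `? :` defaults also mean an explicitly configured 0 is replaced by the default; if that is intended, say so with `# 0 is treated as unset` so the next reader does not take it for a bug.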