make sure syncookies are enabled

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3a4f2f41bc352ac7ead9227e44fb898a1e7374ec..140cbe6e109a2b337a4c96b070445ced51927263 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -627,6 +627,9 @@ sub enable_bridge_firewall {
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
 
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
 

+    # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
+

     $bridge_firewall_enabled = 1;
 }
 
     $bridge_firewall_enabled = 1;
 }