sub ruleset_generate_cmdstr {
my ($ruleset, $chain, $rule, $actions, $goto) = @_;
- return if $rule->{disable};
+ return if !$rule->{enable};
my @cmd = ();
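Review bot: The new guard `return if !$rule->{enable};` at L4 (and the matching `next if !$rule->{enable};` at L9) turns an absent `enable` key into "disabled", because `!undef` is true, whereas the old `disable` test let a rule with neither key fall through as enabled. The parser hunk at L24-L32 always sets `enable` explicitly, but any other code path that builds a rule hash without that key (none is visible in this diff) now has its rules silently dropped instead of generated. For a firewall that is a fail-closed default and arguably fine, but it should be stated rather than implicit: add a comment `# a rule with no explicit 'enable' flag is treated as disabled` above the guard, or make the default explicit with `return if !($rule->{enable} // 1);` if the file already targets perl 5.10 or newer. Both enclosing functions continue outside the hunk.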
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
- next if $rule->{disable};
+ next if !$rule->{enable};
if ($rule->{type} eq 'group') {
my $group_chain = "GROUP-$rule->{action}-$direction";
if(!ruleset_chain_exist($ruleset, $group_chain)){
my $loglevel = get_option_log_level($options, "log_level_in");
+ if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+ }
+
if ($options->{tcpflags}) {
ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
}
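Review bot: The smurf-filter condition at L14, `!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)`, compares numerically, so a non-numeric option value such as `no` or `false` evaluates to 0 (with a warning under `use warnings`) and quietly disables the PVEFW-smurfs rule; this only matters if option values are not normalised to 0/1 before reaching this code, which the diff does not show. The double negative is also hard to read. A truthiness test keeps the same result for 0/1 and fails closed for anything odd: `if (!defined($options->{nosmurfs}) || $options->{nosmurfs}) {`. The enclosing function starts outside the hunk.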
my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
# we can disable a rule when prefixed with '|'
- my $disable = 1 if $line =~ s/^\|//;
+ my $enable = 1;
+
+ $enable = 0 if $line =~ s/^\|//;
my @data = split(/\s+/, $line);
my $expected_elements = $need_iface ? 8 : 7;
my $param = {
type => $type,
- disable => $disable,
+ enable => $enable,
comment => $comment,
action => $action,
iface => $iface,