use enable instead of disable

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a929b54ac755b1d0c356c46282867a7c7d2dc3af..646d1a9953b5aca7edf5c51460a99201c1418462 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -765,7 +765,7 @@ sub iptables_rule_exist {
 sub ruleset_generate_cmdstr {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
-    return if $rule->{disable};
+    return if !$rule->{enable};
 
     my @cmd = ();
 
@@ -998,7 +998,7 @@ sub ruleset_generate_vm_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{iface} && $rule->{iface} ne $netid;
-       next if $rule->{disable};
+       next if !$rule->{enable};
        if ($rule->{type} eq 'group') {
            my $group_chain = "GROUP-$rule->{action}-$direction"; 
            if(!ruleset_chain_exist($ruleset, $group_chain)){
@@ -1125,6 +1125,10 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+    }
+
     if ($options->{tcpflags}) {
        ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
     }
@@ -1224,7 +1228,9 @@ sub parse_fw_rule {
     my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
 
     # we can disable a rule when prefixed with '|'
-    my $disable = 1 if  $line =~ s/^\|//;
+    my $enable = 1;
+
+    $enable = 0 if $line =~ s/^\|//;
 
     my @data = split(/\s+/, $line);
     my $expected_elements = $need_iface ? 8 : 7;
@@ -1291,7 +1297,7 @@ sub parse_fw_rule {
 
     my $param = {
        type => $type,
-       disable => $disable,
+       enable => $enable,
        comment => $comment,
        action => $action,
        iface => $iface,