implement nosmurfs option for hiost firewall

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1946381cb88faa39b64727cea68da3e89be9e127..6d715c20f6348fd7fe745b1cff1f27824e34b0a8 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -969,7 +969,11 @@ sub ruleset_create_vm_chain {
     }
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
-       ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT");
+       if ($direction eq 'OUT') {
+           ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK");
+       } else {
+           ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 67 --dport 68 -j ACCEPT");
+       }
     }
 
     if ($options->{tcpflags}) {
@@ -1121,6 +1125,14 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+    }
+
+    if ($options->{tcpflags}) {
+       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
@@ -1171,8 +1183,7 @@ sub enable_host_firewall {
 
 sub generate_group_rules {
     my ($ruleset, $groups_conf, $group) = @_;
-
-    die "no such security group '$group'\n" if !$groups_conf->{$group};
+    die "no such security group '$group'\n" if !$groups_conf->{rules}->{$group};
 
     my $rules = $groups_conf->{rules}->{$group};