my $policy;
if ($direction eq 'OUT') {
- $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
} else {
- $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
}
my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
}
# implement input policy
- my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+ my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
# host outbound firewall
}
# implement output policy
- $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
} elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
} else {
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
$opt = lc($1);
$value = uc($3);
+ } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
} else {
chomp $line;
die "can't parse option '$line'\n"
}
}
- return $ruleset;
+ return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
}
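Review bot: The new `nf_conntrack_max` branch accepts any digit string, so `nf_conntrack_max: 0` or an absurdly large value passes the parser and the decision about what is sane is deferred to `update_nf_conntrack_max`, which only knows how to raise the value; I would bound it at parse time, e.g. `my $v = int($2); die "nf_conntrack_max: value out of range\n" if $v < 1 || $v > 2**31 - 1;` (the sysctl is a kernel int, so the upper cap is the natural one — confirm). The same hunk also drops the `policy-in`/`policy-out` spellings, so a host config written with the old hyphenated keys no longer matches any branch and falls through to `die "can't parse option '$line'\n"`, aborting the whole compile; if deployed configs may still use that spelling, match `policy[-_](in|out)` and normalise `$opt` to the underscore form. Finally, `return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;` makes the return value context-dependent, which the caller in this patch handles but future callers may trip over; returning the pair unconditionally (or a hashref) is clearer. The enclosing subroutine starts outside this hunk.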
sub get_ruleset_status {
die "unable to apply firewall changes\n" if $errors;
}
+sub update_nf_conntrack_max {
+ my ($hostfw_conf) = @_;
+
+ my $max = 65536; # reasonable default
+
+ my $options = $hostfw_conf->{options} || {};
+
+ if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
+ $max = $options->{nf_conntrack_max};
+ $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192
+ }
+
+ my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
+ my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";
+
+ my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);
+
+ if ($current != $max) {
+ my $hashsize = int($max/4);
+ PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
+ PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
+ }
+}
+
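Review bot: In `update_nf_conntrack_max` the resync condition is `$current != $max`, which compares only `nf_conntrack_max`, so a `hashsize` left inconsistent by an earlier interrupted run (the two writes are not atomic) is never corrected once the max already matches; reading `$filename_hashsize` as well and rewriting when either differs would close that gap. The function also silently ignores a configured value below 65536 and resets a higher value set by an administrator via sysctl back to 65536 whenever the option is absent — intended, I assume, but it deserves a header comment such as `# Enforce a conntrack table size of at least 65536 entries (rounded up to a multiple of 8192, hashsize = max/4); a configured nf_conntrack_max only ever raises it, and removing the option reverts to the default on the next update.` If the nf_conntrack module is not loaded, `/sys/module/nf_conntrack/parameters/hashsize` will not exist and `write_proc_entry` presumably dies, which, given the call site in `update`, would abort the whole firewall update rather than just this tuning step — guarding with `-e $filename_hashsize` or wrapping the two writes in `eval { ... }; warn $@ if $@;` keeps the ruleset apply independent of this knob (confirm write_proc_entry's failure behaviour).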
sub update {
my ($start, $verbose) = @_;
my $code = sub {
my $status = read_pvefw_status();
- my $ruleset = PVE::Firewall::compile();
+ my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
+
+ update_nf_conntrack_max($hostfw_conf);
if ($start || $status eq 'active') {