code cleanup: use ruleset_generate_rule to generate dhcp rules

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 31c2f6e9285bcd82d8282aff0ea91436373de6b6..862e893561a860d9a799cac4be7f7fba1ffdfad7 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -765,7 +765,7 @@ sub iptables_rule_exist {
 sub ruleset_generate_cmdstr {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
-    return if $rule->{disable};
+    return if defined($rule->{enable}) && !$rule->{enable};
 
     my @cmd = ();
 
@@ -837,6 +837,7 @@ sub ruleset_generate_rule {
        ruleset_addrule($ruleset, $chain, $cmdstr);
     }
 }
+
 sub ruleset_generate_rule_insert {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
@@ -970,9 +971,11 @@ sub ruleset_create_vm_chain {
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
        if ($direction eq 'OUT') {
-           ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK");
+           ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK', 
+                                                     proto => 'udp', sport => 68, dport => 67 });
        } else {
-           ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 67 --dport 68 -j ACCEPT");
+           ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT', 
+                                                     proto => 'udp', sport => 67, dport => 68 });
        }
     }
 
@@ -998,7 +1001,7 @@ sub ruleset_generate_vm_rules {
 
     foreach my $rule (@$rules) {
        next if $rule->{iface} && $rule->{iface} ne $netid;
-       next if $rule->{disable};
+       next if !$rule->{enable};
        if ($rule->{type} eq 'group') {
            my $group_chain = "GROUP-$rule->{action}-$direction"; 
            if(!ruleset_chain_exist($ruleset, $group_chain)){
@@ -1125,6 +1128,14 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+       ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+    }
+
+    if ($options->{tcpflags}) {
+       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
@@ -1220,7 +1231,9 @@ sub parse_fw_rule {
     my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
 
     # we can disable a rule when prefixed with '|'
-    my $disable = 1 if  $line =~ s/^\|//;
+    my $enable = 1;
+
+    $enable = 0 if $line =~ s/^\|//;
 
     my @data = split(/\s+/, $line);
     my $expected_elements = $need_iface ? 8 : 7;
@@ -1287,7 +1300,7 @@ sub parse_fw_rule {
 
     my $param = {
        type => $type,
-       disable => $disable,
+       enable => $enable,
        comment => $comment,
        action => $action,
        iface => $iface,