fix comment

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3a4f2f41bc352ac7ead9227e44fb898a1e7374ec..87bd7995f3bc4e53797ae74ab5402f835aa1628f 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -627,6 +627,9 @@ sub enable_bridge_firewall {
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
 
+    # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
+
     $bridge_firewall_enabled = 1;
 }
 
@@ -909,7 +912,7 @@ sub generate_tap_rules_direction {
     if ($direction eq 'OUT') {
        $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
     } else {
-       $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default
+       $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
     }
 
     if ($policy eq 'ACCEPT') {
@@ -950,7 +953,7 @@ sub generate_tap_rules_direction {
     }
 }
 
-sub enablehostfw {
+sub enable_host_firewall {
     my ($ruleset, $hostfw_conf, $groups_conf) = @_;
 
     # fixme: allow security groups
@@ -1525,7 +1528,7 @@ sub compile {
     my $hostfw_enable = $hostfw_conf && 
        !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
 
-    enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
+    enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
@@ -1553,11 +1556,6 @@ sub compile {
        }
     }
 
-    if ($hostfw_enable) {
-       # allow traffic from lo (ourself)
-       ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
-    }
-
     return $ruleset;
 }