use strict;
use Data::Dumper;
use Digest::SHA;
+use PVE::ProcFSTools;
use PVE::Tools;
use PVE::QemuServer;
use File::Basename;
return if $bridge_firewall_enabled; # only once
- system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
- system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
+ PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
+ PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
+
+ # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
+ PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
$bridge_firewall_enabled = 1;
}
}
}
-sub enablehostfw {
+sub enable_host_firewall {
my ($ruleset, $hostfw_conf, $groups_conf) = @_;
# fixme: allow security groups
my $hostfw_enable = $hostfw_conf &&
!(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
- enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
+ enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {