X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=7a68642c42cf2ce66c82f2efec382aae01911a9d;hp=0e59a09444ff6ab8ead2db41f2c8f3387ca3f3bc;hb=72f63fde6e68abfa9b1b4e35d63f4788086d2c1c;hpb=6d2ab0175d9603e3ea8eb2a236a4e520d41703ca
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0e59a09..7a68642 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -947,9 +947,9 @@ sub generate_tap_rules_direction {
 my $policy;
 if ($direction eq 'OUT') {
- $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
 } else {
- $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+ $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
 }
 my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
@@ -991,7 +991,7 @@ sub enable_host_firewall {
 }
 # implement input policy
- my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+ my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
 ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 # host outbound firewall
@@ -1016,7 +1016,7 @@ sub enable_host_firewall {
 }
 # implement output policy
- $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
 ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
 ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
@@ -1212,7 +1212,7 @@ sub parse_vmfw_option {
 } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
 $opt = lc($1);
 $value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 $opt = lc($1);
 $value = uc($3);
 } else {
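Review bot: The new pattern `policy_(in|out)` in parse_vmfw_option no longer matches a `policy-in:` or `policy-out:` line, so a config file written before this commit falls through to the `else` branch, whose body lies outside this hunk. If that branch behaves like the one visible in parse_hostfw_option (`die "can't parse option '$line'\n"`) and the caller only logs the error, the option is dropped and the generators fall back to their defaults, which for outbound traffic is `'ACCEPT'`; an existing `policy-out: DROP` would then silently become allow-all after the upgrade. Accepting both spellings and normalising the key keeps old files enforcing what they say: `} elsif ($line =~ m/^(policy[-_](in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {` followed by `$opt = lc($1); $opt =~ tr/-/_/;`. The same applies to the matching line in the parse_hostfw_option hunk.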
@@ -1236,9 +1236,12 @@ sub parse_hostfw_option {
 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
 $opt = lc($1);
 $value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 $opt = lc($1);
 $value = uc($3);
+ } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+ $opt = lc($1);
+ $value = int($2);
 } else {
 chomp $line;
 die "can't parse option '$line'\n"
@@ -1567,7 +1570,7 @@ sub compile {
 }
 }
- return $ruleset;
+ return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
 }
 sub get_ruleset_status {
@@ -1718,13 +1721,39 @@ sub apply_ruleset {
 die "unable to apply firewall changes\n" if $errors;
 }
+sub update_nf_conntrack_max {
+ my ($hostfw_conf) = @_;
+
+ my $max = 65536; # reasonable default
+
+ my $options = $hostfw_conf->{options} || {};
+
+ if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
+ $max = $options->{nf_conntrack_max};
+ $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192
+ }
+
+ my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
+ my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";
+
+ my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);
+
+ if ($current != $max) {
+ my $hashsize = int($max/4);
+ PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
+ PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
+ }
+}
+
 sub update {
 my ($start, $verbose) = @_;
 my $code = sub {
 my $status = read_pvefw_status();
- my $ruleset = PVE::Firewall::compile();
+ my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
+
+ update_nf_conntrack_max($hostfw_conf);
 if ($start || $status eq 'active') {
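Review bot: The new `nf_conntrack_max` branch in parse_hostfw_option has no upper bound: `(\d+)` accepts any run of digits and `int($2)` stores the result as is. That value later reaches update_nf_conntrack_max, where it is rounded up and used to size the conntrack hash (`int($max/4)`), so a typo with a few extra digits becomes a request for a very large kernel table, and a long enough digit string no longer stays an integer in Perl. Bounding it at parse time keeps the error next to the offending config line, for example `(\d{1,9})` in the pattern plus `die "nf_conntrack_max too large\n" if $value > $limit;`, with `$limit` standing for a ceiling chosen for the platform. parse_hostfw_option starts and ends outside the hunk.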
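Review bot: Switching on `wantarray` makes compile() return two values to every caller in list context, not only to the new call in update(). Any existing call that passes `compile()` directly into an argument list, or into an array or hash constructor, now silently receives `$hostfw_conf` as an extra element; the callers are not visible in this diff, so they are worth a grep before merging. If the dual return stays, a comment above the return such as `# list context: ($ruleset, $hostfw_conf); scalar context: $ruleset only` would document the contract. compile's body starts outside the hunk.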
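Review bot: In update(), `update_nf_conntrack_max($hostfw_conf)` runs inside `$code` before the `$start || $status eq 'active'` check, so the kernel tunables are rewritten even when the firewall is stopped, and an exception from either `write_proc_entry` call would leave `$code` before the ruleset is applied. Whether write_proc_entry dies on failure is not visible here, but a tuning step should not be able to block rule enforcement; `eval { update_nf_conntrack_max($hostfw_conf); }; warn "nf_conntrack_max update failed: $@" if $@;` keeps the two independent. In update_nf_conntrack_max the hashsize is written before nf_conntrack_max, so a failure on the second write leaves the two values out of step; a comment stating the intended ratio (`$max/4`) and the reason for that ordering would help the next reader. update() continues past the end of the hunk.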