X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=862e893561a860d9a799cac4be7f7fba1ffdfad7;hp=31c2f6e9285bcd82d8282aff0ea91436373de6b6;hb=0f168d7b2f4381e9d706ee694e08b138aa542130;hpb=ac7648e09693cfd493d4fb8e5fea3b4214f8d519

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 31c2f6e..862e893 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -765,7 +765,7 @@ sub iptables_rule_exist {
 sub ruleset_generate_cmdstr {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
-    return if $rule->{disable};
+    return if defined($rule->{enable}) && !$rule->{enable};
 
     my @cmd = ();
 
@@ -837,6 +837,7 @@ sub ruleset_generate_rule {
         ruleset_addrule($ruleset, $chain, $cmdstr);
     }
 }
+
 sub ruleset_generate_rule_insert {
     my ($ruleset, $chain, $rule, $actions, $goto) = @_;
 
@@ -970,9 +971,11 @@ sub ruleset_create_vm_chain {
 
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
         if ($direction eq 'OUT') {
-            ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK");
+            ruleset_generate_rule($ruleset, $chain, { action => 'PVEFW-SET-ACCEPT-MARK',
+                                                      proto => 'udp', sport => 68, dport => 67 });
         } else {
-            ruleset_addrule($ruleset, $chain, "-p udp -m udp --sport 67 --dport 68 -j ACCEPT");
+            ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
+                                                      proto => 'udp', sport => 67, dport => 68 });
         }
     }
 
@@ -998,7 +1001,7 @@ sub ruleset_generate_vm_rules {
 
     foreach my $rule (@$rules) {
         next if $rule->{iface} && $rule->{iface} ne $netid;
-        next if $rule->{disable};
+        next if !$rule->{enable};
         if ($rule->{type} eq 'group') {
             my $group_chain = "GROUP-$rule->{action}-$direction";
             if(!ruleset_chain_exist($ruleset, $group_chain)){
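Review bot: The two new enable checks disagree on a rule hash that has no `enable` key: `ruleset_generate_cmdstr` (hunk at 765) treats a missing key as enabled via `return if defined($rule->{enable}) && !$rule->{enable};`, while `ruleset_generate_vm_rules` (hunk at 998) skips such a rule with `next if !$rule->{enable};`. Rules produced by parse_fw_rule always carry the key after this commit, so the divergence only affects rule hashes built in code, such as the two DHCP hashes in the hunk at 970, which omit `enable` and are emitted only because of the `defined` guard. Adding `enable => 1` to those two hashes would make the convention explicit and let both call sites share one predicate, for example a new helper along the lines of `sub rule_is_enabled { my ($rule) = @_; return $rule->{enable} ? 1 : 0; }`, so a future tightening of either check cannot silently drop a firewall rule. The bodies of all three subs continue outside their hunks.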
@@ -1125,6 +1128,14 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+        ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+    }
+
+    if ($options->{tcpflags}) {
+        ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
@@ -1220,7 +1231,9 @@ sub parse_fw_rule {
     my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
 
     # we can disable a rule when prefixed with '|'
-    my $disable = 1 if $line =~ s/^\|//;
+    my $enable = 1;
+
+    $enable = 0 if $line =~ s/^\|//;
 
     my @data = split(/\s+/, $line);
     my $expected_elements = $need_iface ? 8 : 7;
@@ -1287,7 +1300,7 @@ sub parse_fw_rule {
 
     my $param = {
         type => $type,
-        disable => $disable,
+        enable => $enable,
         comment => $comment,
         action => $action,
         iface => $iface,
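Review bot: The two new host-chain options have opposite default polarity and nothing in the code says so: the `PVEFW-smurfs` jump is emitted unless `nosmurfs` is explicitly 0 (opt-out, the same pattern the `dhcp` check in ruleset_create_vm_chain uses), whereas the `PVEFW-tcpflags` jump is emitted only when `tcpflags` is true (opt-in). A comment above the first `if`, e.g. `# smurf filtering is on unless nosmurfs is set to 0; tcpflags checking is off unless tcpflags is set`, would keep a later reader from "fixing" one branch to match the other. Both jumps sit ahead of the existing `--ctstate INVALID -j DROP` line, presumably so the smurfs chain sees invalid packets before they are dropped; that ordering constraint is worth a one-line comment as well, since the hunk gives no hint that it matters. The code assumes the `PVEFW-smurfs` and `PVEFW-tcpflags` chains already exist in the host ruleset; their creation is outside this hunk and I could not confirm it, and enable_host_firewall itself continues beyond the hunk.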
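Review bot: In parse_fw_rule (hunk at 1220) the enable flag is built in three lines, `my $enable = 1;`, a blank, then `$enable = 0 if $line =~ s/^\|//;`; a single expression states the intent directly and avoids a variable that is assigned twice: `my $enable = ($line =~ s/^\|//) ? 0 : 1;`. The comment above it ("we can disable a rule when prefixed with '|'") stays accurate either way, since the `|` prefix still disables the rule. parse_fw_rule continues beyond the hunk.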