X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=bb151faaeb560c780db9f5f283ff6cf5a17c5db2;hp=5e73d2b64f75b18627189944c4ea62ce87735b22;hb=d18c1e2b2cd5c7fc1c20e5835f8881412765c583;hpb=41524a582adfae94f2ed7ea4c0d099c1940854a5
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 5e73d2b..bb151fa 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4,6 +4,7 @@ use warnings;
 use strict;
 use Data::Dumper;
 use Digest::SHA;
+use PVE::ProcFSTools;
 use PVE::Tools;
 use PVE::QemuServer;
 use File::Basename;
@@ -623,8 +624,11 @@ sub enable_bridge_firewall {
     return if $bridge_firewall_enabled; # only once
 
-    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
-    system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
+
+    # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
 
     $bridge_firewall_enabled = 1;
 }
 
@@ -949,7 +953,7 @@ sub generate_tap_rules_direction {
     }
 }
 
-sub enablehostfw {
+sub enable_host_firewall {
     my ($ruleset, $hostfw_conf, $groups_conf) = @_;
 
     # fixme: allow security groups
@@ -1524,7 +1528,7 @@ sub compile {
     my $hostfw_enable = $hostfw_conf && !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
 
-    enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
+    enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
 
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
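Review bot: The three write_proc_entry() calls in the enable_bridge_firewall hunk are not checked, so if a write fails — most plausibly because /proc/sys/net/bridge is absent when the bridge module is not yet loaded — the function still sets `$bridge_firewall_enabled = 1` and, because of the `return if` guard at the top, never retries; bridged VM traffic would then bypass the iptables rules with no error surfaced. This keeps the silent fail-open of the replaced `system("echo 1 > ...")` lines rather than fixing it. Unless PVE::ProcFSTools::write_proc_entry dies on failure (its implementation is not in this diff), each call should be checked before the flag is set, e.g. `PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1") or die "unable to enable bridge-nf-call-iptables: $!\n";`, or the flag set only after reading the entries back as 1. Enabling tcp_syncookies is additionally a host-wide TCP sysctl unrelated to bridge netfilter, so the comment should state that it is deliberate hardening of the host stack and not a bridge-firewall prerequisite, e.g. `# harden the host's own TCP stack against SYN floods; not needed for bridge filtering`. The opening line of enable_bridge_firewall is outside the hunk.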