implement option tcpflags for host firewall

But we only add the check for incoming packets, assuming that the
host itself never generates invalid tcp flags.

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 31c2f6e9285bcd82d8282aff0ea91436373de6b6..a929b54ac755b1d0c356c46282867a7c7d2dc3af 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1125,6 +1125,10 @@ sub enable_host_firewall {
 
     my $loglevel = get_option_log_level($options, "log_level_in");
 
+    if ($options->{tcpflags}) {
+       ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
+    }
+
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
     ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");