From: Dietmar Maurer
Date: Thu, 20 Mar 2014 06:53:59 +0000 (+0100)
Subject: implement nosmurfs option for hiost firewall
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=4ac863a6076f6d6d83efe940c4e52c75b450771b
implement nosmurfs option for hiost firewall
---
diff --git a/example/100.fw b/example/100.fw
index 94f178d..a917931 100644
--- a/example/100.fw
+++ b/example/100.fw
@@ -19,8 +19,8 @@ log_level_in: info
 # disable log for outgoing connections
 log_level_out: nolog
-# filter SMURFS
-nosmurfs: 1
+# disable SMURFS filter
+nosmurfs: 0
 # filter illegal combinations of TCP flags
 tcpflags: 1
diff --git a/example/host.fw b/example/host.fw
index e38b2a5..663d2d7 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -20,6 +20,9 @@ nf_conntrack_max: 196608
 # you need to enable that explicitly
 allow_bridge_route: 1
+# disable SMURFS filter
+nosmurfs: 0
+
 # filter illegal combinations of TCP flags
 tcpflags: 1
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index a929b54..6d715c2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1125,6 +1125,10 @@ sub enable_host_firewall {
 my $loglevel = get_option_log_level($options, "log_level_in");
+ if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+ }
+
 if ($options->{tcpflags}) {
 ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
 }
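Review bot: The `== 0` test on the added `if` line in enable_host_firewall compares the option value numerically, so under Perl's string-to-number rules any non-numeric setting such as `nosmurfs: no` or even `nosmurfs: yes` numifies to 0, satisfies the condition and silently turns the smurf filter off (with at most an "isn't numeric" warning), unless the option parser, which is not visible here, already coerces the value to 0/1. Because that is a fail-open outcome for a protective rule, a truthiness test that keeps filtering for anything but an explicit false value is safer and also removes the double negative: `if (!defined($options->{nosmurfs}) || $options->{nosmurfs}) {`. The default-on semantics (the opposite of `tcpflags` just below, which defaults off) deserve a comment above the check, e.g. `# smurf filtering is on unless the host config explicitly sets nosmurfs to 0`. The jump target `PVEFW-smurfs` is presumably created elsewhere in the ruleset before this chain is evaluated; the hunk does not show that. enable_host_firewall starts before and continues past this hunk.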