[pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP
Alexandre Derumier
aderumier at odiso.com
Fri Feb 15 10:48:01 CET 2019
---
src/PVE/Firewall.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 2125d3b..61d5599 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2137,7 +2137,7 @@ sub ruleset_chain_add_conn_filters {
my ($ruleset, $chain, $allow_invalid, $accept) = @_;
if (!$allow_invalid) {
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
+ ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j PVEFW-reject");
}
ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept");
}
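Review bot: Sending INVALID-state packets to `PVEFW-reject` makes every chain built by `ruleset_chain_add_conn_filters` answer traffic that conntrack could not associate with a flow, where `-j DROP` stayed silent. Assuming PVEFW-reject replies with TCP resets or ICMP errors (its definition is not in this hunk), spoofed or out-of-window packets would now trigger replies toward the claimed source address, and the firewall's presence becomes easier to fingerprint. Neither the commit message nor the code says why reject is preferred, so I would add a comment above the changed rule such as `# reject INVALID so peers fail fast instead of hanging; note this replies to unsolicited packets`, and consider whether this should follow an option rather than apply globally. The sub's opening line appears only in the hunk header.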
--
2.11.0