[pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP

Alexandre Derumier aderumier at odiso.com
Fri Feb 15 10:48:01 CET 2019


---
 src/PVE/Firewall.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 2125d3b..61d5599 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2137,7 +2137,7 @@ sub ruleset_chain_add_conn_filters {
     my ($ruleset, $chain, $allow_invalid, $accept) = @_;
 
     if (!$allow_invalid) {
-	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
+	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j PVEFW-reject");
     }
     ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept");
 }
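Review bot: The changed rule in `ruleset_chain_add_conn_filters` now answers every packet that conntrack marks INVALID instead of silently discarding it, and the patch carries no description or comment saying why. INVALID also covers out-of-window and late segments of otherwise healthy flows, so if PVEFW-reject emits a TCP RST or an ICMP error (its rules are not visible in this hunk), the firewall may reset legitimate connections and will send reply traffic to unverified, possibly spoofed, source addresses. I would keep DROP as the default and make the reject behaviour opt-in or rate-limited. At minimum, document the intent above the rule, e.g. `# reject (not drop) INVALID so peers fail fast; replies go to unverified sources - see PVEFW-reject`. Every chain built through this helper is affected, so the commit message should state which chains and traffic patterns were tested.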
-- 
2.11.0


