]> git.proxmox.com Git - pve-firewall.git/blobdiff - src/PVE/Firewall.pm
projects / pve-firewall.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add optimization as last step
[pve-firewall.git] / src / PVE / Firewall.pm
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ff50d048af9bfe220d08de4589ba5c2ba5c00fc1..d09cf8d4570d81b0328f620b9b6188fbf735a404 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1593,7 +1593,6 @@ sub compile {
     ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
 
     ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 
     my $hostfw_options = {};
     my $hostfw_conf = {};
@@ -1667,6 +1666,9 @@ sub compile {
        }
     }
 
+    # fixme: this is an optimization? if so, we should also drop INVALID packages?
+    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+
     return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
 }
 
Firewall test scripts