X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=51eaac6e01cab03a64fe1aac1afd2b0898d68d6c;hp=e0e7a67da806e9fc88023874882bf3ec03f4bc00;hb=5b1df9a0feb51097265cdd2baf5dffbd890d2a81;hpb=12cc9946363b9667f6bb2625f88090e205b47de3
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e0e7a67..51eaac6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -823,11 +823,6 @@ sub ruleset_insertrule {
 sub generate_bridge_chains {
 my ($ruleset, $bridge) = @_;
- if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
- ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- }
-
 if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
 ruleset_create_chain($ruleset, "$bridge-FW");
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-bridged -j $bridge-FW");
@@ -1517,7 +1512,9 @@ sub compile {
 ruleset_create_chain($ruleset, "PVEFW-INPUT");
 ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
+ ruleset_create_chain($ruleset, "PVEFW-FORWARD");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
 my $hostfw_options = {};
 my $hostfw_conf;
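Review bot: The `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule added in `compile` is now always the first rule of PVEFW-FORWARD, ahead of every `$bridge-FW` jump, and nothing in the new lines documents that ordering or its consequences. Forwarded packets of already-tracked flows never reach the per-bridge chains, so a tightened guest rule does not cut existing connections, and RELATED also admits secondary connections opened by whatever conntrack helpers are loaded. If that is intended, say so next to the rule, e.g. `# must stay first: established/related traffic bypasses the per-bridge chains; generate_bridge_chains() no longer creates PVEFW-FORWARD and only appends to it`. The first hunk removes the existence check from `generate_bridge_chains`, so its `ruleset_addrule($ruleset, "PVEFW-FORWARD", ...)` call presumably depends on `compile` having run these two lines first. Any other caller should be checked, which cannot be done from here because the body of `compile` continues outside the hunk.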