insert PVEFW-IPS after vm rules generation v2
authorAlexandre Derumier <aderumier@odiso.com>
Mon, 12 May 2014 13:19:16 +0000 (15:19 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Tue, 13 May 2014 12:26:57 +0000 (14:26 +0200)
or it never matches it

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
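index ce8d3fbfcc0cb40776a87a06e64e7958a4d817b0..31b9ad123cf1e47b89a1f8ff07bf52b7ae758464 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2576,8 +2576,7 @@ sub compile {
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-    my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
-    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
+    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
 
     if ($cluster_conf->{ipset}->{blacklist}){
        ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
@@ -2659,6 +2658,10 @@ sub compile {
        }
     }
 
+    if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
+       ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
+    }
+
     return ($ruleset, $ipset_ruleset);
 }
 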
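Review bot: The new block just before `return ($ruleset, $ipset_ruleset)` only works if ruleset_insertrule places the PVEFW-IPS jump ahead of the now-unconditional `ACCEPT` conn filter added in the first hunk, and nothing in the code records that dependency; a later change that appends instead of inserts would silently bypass IPS inspection of RELATED,ESTABLISHED traffic with no error. A comment above the condition would pin the intent, e.g. `# inserted last, at the chain head, so it precedes the RELATED,ESTABLISHED ACCEPT added by ruleset_chain_add_conn_filters`. Whether ruleset_insertrule really prepends is not visible here, so that assumption should be confirmed against its definition. As a point of style, `if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){` does not match the surrounding `if ($cluster_conf->{ipset}->{blacklist}){` spacing; `if (ruleset_chain_exist($ruleset, "PVEFW-IPS")) {` would. The body of compile starts outside both hunks.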