use chains from previous commit to reduce logging
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 26 Feb 2014 12:00:43 +0000 (13:00 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 26 Feb 2014 12:00:43 +0000 (13:00 +0100)
PVE/Firewall.pm

index 081b350..ef9d136 100644 (file)
@@ -846,11 +846,13 @@ sub generate_tap_rules_direction {
            ruleset_addrule($ruleset, $tapchain, "-j ACCEPT");
        }
     } elsif ($policy eq 'DROP') {
+       ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop");
        ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
        ruleset_addrule($ruleset, $tapchain, "-j DROP");
     } elsif ($policy eq 'REJECT') {
+       ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject");
        ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4");
-       ruleset_addrule($ruleset, $tapchain, "-j REJECT");
+       ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject");
     } else {
        # should not happen
        die "internal error: unknown policy '$policy'";
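Review bot: In the REJECT branch the final verdict now rests entirely on `-g PVEFW-reject`, and because `-g` does not return into `$tapchain`, any packet that PVEFW-reject leaves without a verdict resumes in the calling chain instead of being refused here; the DROP branch, by contrast, still ends in an unconditional `-j DROP`. PVEFW-reject is defined outside this hunk, so this may already be covered, but if that chain is not guaranteed to end in an unconditional REJECT or DROP, consider `ruleset_addrule($ruleset, $tapchain, "-j PVEFW-reject");` followed by `ruleset_addrule($ruleset, $tapchain, "-j DROP");` so the policy fails closed. The chain names `PVEFW-Reject` and `PVEFW-reject` differ only in case and are easy to swap in a later edit; a comment above the branch such as `# PVEFW-Reject: filter applied before the LOG rule (presumably to cut noise); PVEFW-reject: final verdict` would make the distinction explicit. generate_tap_rules_direction begins and ends outside the hunk.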