update update_nf_conntrack_max && nf_conntrack_tcp_timeout_established after modules...

/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
and
/proc/sys/net/nf_conntrack_max

are empty by default, because conntrack module is not loaded, until we have apply iptables rules

So, we just need to update them after iptables commit (which load the conntrack modules)

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0c83e2fccf1848889ea844c9cf95327b7b1a9ccc..dcd6639e0e4742f7ab7706a036e79594533fab50 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2863,10 +2863,6 @@ sub apply_ruleset {
 
     enable_bridge_firewall();
 
-    update_nf_conntrack_max($hostfw_conf);
-
-    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
-
     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
        get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
@@ -2905,6 +2901,11 @@ sub apply_ruleset {
     }
 
     die "unable to apply firewall changes\n" if $errors;
+
+    update_nf_conntrack_max($hostfw_conf);
+
+    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
 }
 
 sub update_nf_conntrack_max {