add optimization as last step

author Dietmar Maurer <dietmar@proxmox.com>

Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)

committer Dietmar Maurer <dietmar@proxmox.com>

Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)
author Dietmar Maurer <dietmar@proxmox.com>
Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)
committer Dietmar Maurer <dietmar@proxmox.com>
Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm

index ff50d048af9bfe220d08de4589ba5c2ba5c00fc1..d09cf8d4570d81b0328f620b9b6188fbf735a404 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1593,7 +1593,6 @@ sub compile {
      ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
  
      ruleset_create_chain($ruleset, "PVEFW-FORWARD");
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
  
      my $hostfw_options = {};
      my $hostfw_conf = {};
@@ -1667,6 +1666,9 @@ sub compile {
         }
      }
  
+    # fixme: this is an optimization? if so, we should also drop INVALID packages?
+    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+
      return wantarray ? ($ruleset, $hostfw_conf) : $ruleset;
  }
author	Dietmar Maurer <dietmar@proxmox.com>
	Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)