]> git.proxmox.com Git - pve-firewall.git/commitdiff
projects / pve-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e0a38de)
optimize blacklist : create a PVEFW-blacklist chain
authorAlexandre Derumier <aderumier@odiso.com>
Mon, 26 May 2014 08:44:55 +0000 (10:44 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Tue, 27 May 2014 04:25:31 +0000 (06:25 +0200)
currently we check the ipset blacklist twice (1 for log and 1 for drop)

It's better to check ipset once, and go to a PVEFW-blacklist chain
where we do the log, and then the drop

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
src/PVE/Firewall.pm patch | blob | blame | history

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index aa7de7e2c1453fb759c15e653cd1f0e585f32d8e..df19a6c5c9d9c2139a5e0efaee1dac0bdaed3c6b 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1544,8 +1544,12 @@ sub ruleset_chain_add_input_filters {
     my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
 
     if ($cluster_conf->{ipset}->{blacklist}){
-       ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
-       ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+       if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
+           ruleset_create_chain($ruleset, "PVEFW-blacklist");
+           ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
+           ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
+       }
+       ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j PVEFW-blacklist");
     }
 
     if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
Firewall test scripts