add optimize flag
authorAlexandre Derumier <aderumier@odiso.com>
Tue, 25 Mar 2014 04:15:27 +0000 (05:15 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Tue, 25 Mar 2014 05:35:56 +0000 (06:35 +0100)
This flag enables optimizations in rule processing.

host.fw
-------
optimize:1

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
example/host.fw
src/PVE/Firewall.pm

index 663d2d7f05b5d0506cfaa449a3036fd5b078b565..4d861078d8c6f8b2f6ddb69a668d7cae08a5226b 100644 (file)
@@ -26,6 +26,9 @@ nosmurfs: 0
 # filter illegal combinations of TCP flags
 tcpflags: 1
 
+# rules processing speed optimizations 
+optimize : 1
+
 [RULES]
 
 IN  SSH(ACCEPT) net0
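Review bot: The added example `optimize : 1` has a space before the colon, which the option parser added in this same commit (`m/^(...|optimize):\s*(0|1)\s*$/i`) does not accept: the colon has to directly follow the key, as the neighbouring `tcpflags: 1` and `nosmurfs: 0` lines show. Unless some caller strips that space before parse_hostfw_option sees the line (nothing in this diff does), anyone copying the example gets the option silently ignored rather than enabled. Change the line to `optimize: 1`, and drop the trailing whitespace on the `# rules processing speed optimizations` comment above it.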
index d62fb113a329d809ccc39bb377a2d03f7bb11114..794a9acc0bc1aff27a4d80cb9f239afe931c2f13 100644 (file)
@@ -1430,7 +1430,7 @@ sub parse_hostfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
     } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
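Review bot: The new `optimize` alternative in the boolean-option match is parsed like the other flags, but nothing in the parser or the example file says what enabling it does; from the second hunk it inserts `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `--ctstate INVALID -j DROP` into PVEFW-FORWARD, so packets on an already established flow appear to be accepted ahead of whatever rules follow that insert in the chain. That is a policy change, not only a speed-up, and an operator reading `optimize: 1` in host.fw will not expect it. I would add a comment above the match, e.g. `# 'optimize' short-circuits PVEFW-FORWARD for RELATED/ESTABLISHED flows (see compile); later rules in that chain no longer see such traffic` — the exact wording should be confirmed against where ruleset_insertrule places the rules, which this diff does not show. parse_hostfw_option starts and ends outside the hunk.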
@@ -1884,6 +1884,11 @@ sub compile {
        }
     }
 
+    if($hostfw_options->{optimize}){
+       ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+       ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+    }
+
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");