this flag enables optimizations on rules processing
host.fw
-------
optimize:1
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
# filter illegal combinations of TCP flags
tcpflags: 1
# filter illegal combinations of TCP flags
tcpflags: 1
+# rules processing speed optimizations
+optimize : 1
+
[RULES]
IN SSH(ACCEPT) net0
[RULES]
IN SSH(ACCEPT) net0
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
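Review bot: The new `optimize` alternative only matches when the colon follows the keyword directly, but the example this same commit adds to host.fw is written `optimize : 1`, which `m/^(...|optimize):\s*(0|1)\s*$/i` does not accept; either the example should read `optimize: 1` or the pattern should tolerate whitespace before the colon, e.g. `m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize)\s*:\s*(0|1)\s*$/i`. What the parser does with a non-matching line is outside this hunk, so whether the typo is reported or silently ignored cannot be confirmed here; the commit message also spells it `optimize:1`, so the documented form should be the one the regex accepts. The enclosing parse function starts and ends outside the hunk.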
+ if($hostfw_options->{optimize}){
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+ }
+
# fixme: what log level should we use here?
my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
# fixme: what log level should we use here?
my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
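Review bot: The two rules inserted under `$hostfw_options->{optimize}` change the evaluation order of PVEFW-FORWARD for every tracked flow, and the block carries no comment saying so; a reader later tuning per-VM FORWARD rules needs to know that, if ruleset_insertrule prepends as its name suggests, packets in RELATED/ESTABLISHED state are accepted before any of those rules run, so rule edits take effect only for new connections and any rule meant to log or limit established traffic is never reached. Suggested comment above the `if`: `# optimize: accept already-tracked flows and drop INVALID ones at the head of PVEFW-FORWARD, so per-VM rules below are consulted only for new connections (existing flows are unaffected by later rule changes)`. Note also that because the ESTABLISHED ACCEPT is inserted first and the INVALID DROP second, a prepending insert leaves the DROP above the ACCEPT; the two conntrack states are disjoint so this is harmless, but the intended final order is worth stating in that comment. The surrounding function begins before the hunk.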