From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 22 Apr 2014 07:02:04 +0000 (+0200)
Subject: ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue()
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=6b8ca015bec1fec9476c3b5236379d8507a7d5fd;hp=73089769fe5c88dc64e47153ab447d4af4197ffb

ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue()
---

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7f3e5ac..01de542 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1505,6 +1505,8 @@ sub ruleset_generate_vm_rules {
 
     my $lc_direction = lc($direction);
 
+    my $in_accept = generate_nfqueue($options);
+
     foreach my $rule (@$rules) {
 	next if $rule->{iface} && $rule->{iface} ne $netid;
 	next if !$rule->{enable};
@@ -1527,8 +1529,7 @@ sub ruleset_generate_vm_rules {
 		ruleset_generate_rule($ruleset, $chain, $rule,
 				      { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 	    } else {
-		my $accept = generate_nfqueue($options);
-		ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf);
+		ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf);
 	    }
 	}
     }