From 46a2ac1f32537b92e309965580494d05d2a54fe5 Mon Sep 17 00:00:00 2001
From: Alexandre Derumier
Date: Tue, 22 Apr 2014 08:17:00 +0200
Subject: [PATCH] update update_nf_conntrack_max && nf_conntrack_tcp_timeout_established after modules load

/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established and /proc/sys/net/nf_conntrack_max are empty by default, because conntrack module is not loaded, until we have apply iptables rules

So, we just need to update them after iptables commit (which load the conntrack modules)

Signed-off-by: Alexandre Derumier
---
 src/PVE/Firewall.pm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 0c83e2f..dcd6639 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2863,10 +2863,6 @@ sub apply_ruleset {
 enable_bridge_firewall();
- update_nf_conntrack_max($hostfw_conf);
-
- update_nf_conntrack_tcp_timeout_established($hostfw_conf);
-
 my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) = get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
@@ -2905,6 +2901,11 @@ sub apply_ruleset {
 }
 die "unable to apply firewall changes\n" if $errors;
+
+ update_nf_conntrack_max($hostfw_conf);
+
+ update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
 }
 sub update_nf_conntrack_max {
-- 
2.39.2
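Review bot: The two sysctl writes now sit after `die "unable to apply firewall changes\n" if $errors;`, so on a partially failed commit the host keeps the kernel's default conntrack table size and established timeout even though the failed restore has most likely already loaded nf_conntrack; moving the two calls before the `die`, or running them from the failure path as well, would keep the table sizing (which is what stops the host from dropping new connections once the table fills) independent of whether the rule commit succeeded. The new ordering also relies on the committed ruleset containing a conntrack/state match to pull the module in as a side effect; a ruleset without one leaves the /proc paths absent, and how update_nf_conntrack_max and update_nf_conntrack_tcp_timeout_established treat a missing path is outside this hunk, so an explicit `modprobe nf_conntrack` (or an `-e` guard on the path) before the writes would make the behaviour independent of rule content. The reason for the placement lives only in the commit message; a call-site comment such as `# must run after the iptables commit: the conntrack sysctls only exist once nf_conntrack is loaded` would keep it from being reordered back. apply_ruleset begins outside this hunk.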