From 6b8ca015bec1fec9476c3b5236379d8507a7d5fd Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Tue, 22 Apr 2014 09:02:04 +0200 Subject: [PATCH 1/1] ruleset_generate_vm_rule: avoid multiple calls to generate_nfqueue() --- src/PVE/Firewall.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 7f3e5ac..01de542 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1505,6 +1505,8 @@ sub ruleset_generate_vm_rules { my $lc_direction = lc($direction); + my $in_accept = generate_nfqueue($options); + foreach my $rule (@$rules) { next if $rule->{iface} && $rule->{iface} ne $netid; next if !$rule->{enable}; @@ -1527,8 +1529,7 @@ sub ruleset_generate_vm_rules { ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }, undef, $cluster_conf); } else { - my $accept = generate_nfqueue($options); - ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" }, undef, $cluster_conf); } } } -- 2.39.2
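Review bot: The hoisted `my $in_accept = generate_nfqueue($options);` in the first hunk matches the old per-rule call only if generate_nfqueue() depends on nothing but `$options` and no loop iteration modifies `$options`. Neither is visible in these hunks, so both should be confirmed, since this value becomes the ACCEPT target passed to ruleset_generate_rule() in the second hunk's `else` branch. The call now also runs when only the `PVEFW-SET-ACCEPT-MARK` branch is taken and the result goes unused, which is harmless only if generate_nfqueue() has no side effects. A short comment above the assignment would record the assumption, for example `# ACCEPT target for the else (presumably inbound) branch; depends only on $options, so compute once`. ruleset_generate_vm_rules starts outside the hunk and the branch condition is not shown, so the direction is inferred from the variable name.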