From 98aa911ec4c4c420ddf107f97ffc26bd312d1dd5 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Wed, 5 Mar 2014 11:49:52 +0100 Subject: [PATCH] add optimization as last step --- src/PVE/Firewall.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index ff50d04..d09cf8d 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1593,7 +1593,6 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); my $hostfw_options = {}; my $hostfw_conf = {}; @@ -1667,6 +1666,9 @@ sub compile { } } + # fixme: this is an optimization? if so, we should also drop INVALID packages? + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); + return wantarray ? ($ruleset, $hostfw_conf) : $ruleset; } -- 2.39.2
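Review bot: The comment added above `ruleset_insertrule` in the second hunk records an open question instead of the reason for the rule, and it leaves the handling of conntrack state INVALID undecided. Because this ACCEPT goes into PVEFW-FORWARD as the last step of `compile` (presumably at the head of the chain, if `ruleset_insertrule` prepends; its definition is outside the hunk), packets of tracked flows are accepted before any other rule in that chain is evaluated, so a rule tightened later does not affect connections already in the conntrack table, and RELATED also admits flows created by conntrack helpers. I would say so in the comment, e.g. `# accept tracked flows first; rule changes only apply to new connections`, and correct "packages" to "packets". INVALID packets do not match this rule and fall through to whatever follows; if they are meant to be discarded, a sibling `ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");` would settle the fixme, after checking that bridged or asymmetric paths do not legitimately produce INVALID state. `compile` begins and continues outside both hunks.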