From cc10e5d75c877c83451ff9a4168617deb3981f5f Mon Sep 17 00:00:00 2001
From: Alexandre Derumier
Date: Tue, 25 Mar 2014 05:15:27 +0100
Subject: [PATCH] add optimize flag
this flag enble optimizations on rules processing
host.fw
-------
optimize:1
Signed-off-by: Alexandre Derumier
---
 example/host.fw | 3 +++
 src/PVE/Firewall.pm | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/example/host.fw b/example/host.fw
index 663d2d7..4d86107 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -26,6 +26,9 @@ nosmurfs: 0
 # filter illegal combinations of TCP flags
 tcpflags: 1
+# rules processing speed optimizations
+optimize : 1
+
 [RULES]
 IN SSH(ACCEPT) net0
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d62fb11..794a9ac 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1430,7 +1430,7 @@ sub parse_hostfw_option {
 my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
@@ -1884,6 +1884,11 @@ sub compile {
 }
 }
+ if($hostfw_options->{optimize}){
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+ }
+
 # fixme: what log level should we use here?
 my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
-- 
2.39.2
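Review bot: The added example line `optimize : 1` has a space before the colon, which the parser regex this same patch extends in parse_hostfw_option (`^(...|optimize):\s*(0|1)\s*$`) does not allow, so a user copying the example verbatim gets a line that is not recognized as the option; the sibling entries in this hunk (`tcpflags: 1`) use no space. Change it to `optimize: 1`, or make the regex tolerate whitespace before the colon if that is the intent. The comment `# rules processing speed optimizations` also undersells what the flag does, since it changes filtering behaviour rather than only speed; something like `# insert conntrack fast-path rules (accept RELATED,ESTABLISHED, drop INVALID) into the FORWARD chain` would tell an operator what they are switching on.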
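Review bot: Inserting `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` into PVEFW-FORWARD ahead of the existing rules means every rule below it in that chain, presumably including the per-guest chains it jumps to, is skipped for any flow conntrack already tracks, so a rule tightened after a connection was accepted does not affect that connection until its conntrack entry expires. That is the expected trade-off of a conntrack fast path, but here it is a host.fw knob that silently changes how guest traffic is filtered, so it should be stated at the `if`, e.g. `# fast path: tracked flows are accepted here and never reach later FORWARD rules; rule changes apply to new connections only`. Whether the INVALID drop lands above or below the accept depends on ruleset_insertrule inserting at the chain head, which this hunk does not show; the two states are disjoint so correctness does not hinge on it, but the comment could record the intended order. Minor style: `if($hostfw_options->{optimize}){` drops the spacing the surrounding code uses (`if (...) {`). The body of compile continues on both sides of the hunk.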