From edb75ba9dfab214380fd9eb31f9baaead5049e5e Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 6 Mar 2014 08:02:45 +0100
Subject: [PATCH] only update nf_conntrack_max if firewall is started
---
 src/PVE/Firewall.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1d88891..003dde6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1831,10 +1831,12 @@ sub get_rulset_cmdlist {
 }
 sub apply_ruleset {
- my ($ruleset, $verbose) = @_;
+ my ($ruleset, $hostfw_conf, $verbose) = @_;
 enable_bridge_firewall();
+ update_nf_conntrack_max($hostfw_conf);
+
 my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
 print $cmdlist if $verbose;
@@ -1888,13 +1890,11 @@ sub update {
 my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
- update_nf_conntrack_max($hostfw_conf);
-
 if ($start || $status eq 'active') {
 save_pvefw_status('active') if ($status ne 'active');
- PVE::Firewall::apply_ruleset($ruleset, $verbose);
+ apply_ruleset($ruleset, $hostfw_conf, $verbose);
 } else {
 print "Firewall not active (status = $status)\n" if $verbose;
 }
-- 
2.39.2
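Review bot: Inserting `$hostfw_conf` as the second positional argument of apply_ruleset means any caller that still passes `($ruleset, $verbose)` will silently hand the verbose flag to update_nf_conntrack_max and leave `$verbose` undefined. Only the call in update() is adjusted by this patch, and that call previously used the fully qualified `PVE::Firewall::apply_ruleset`, so callers outside this file are plausible and should be checked. I would also document the new order above the sub, for example `# apply_ruleset($ruleset, $hostfw_conf, $verbose): $hostfw_conf is the host config returned by compile(), used for nf_conntrack_max`. The body of apply_ruleset continues past the end of this hunk.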
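Review bot: In update(), `save_pvefw_status('active')` still runs before `apply_ruleset(...)`, and apply_ruleset now performs one more step (update_nf_conntrack_max) before any rule is loaded. If that step or enable_bridge_firewall can die, the stored status would presumably read 'active' while the previous ruleset is still in place; whether either helper can fail is not visible in this hunk. Consider moving `save_pvefw_status('active') if ($status ne 'active');` to the line after `apply_ruleset($ruleset, $hostfw_conf, $verbose);`, or add a comment stating that the status records the requested state rather than the applied one. update() begins and ends outside this hunk.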