[pve-devel] [PATCH 5/8] move nosmurf, tcpflags, established outside tap chain.
Alexandre Derumier
aderumier at odiso.com
Wed Apr 30 10:56:34 CEST 2014
They are common to all interfaces, so we can check them early for better performance.
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 32 +++++++++++---------------------
1 file changed, 11 insertions(+), 21 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 805ed7b..ddc7baa 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1434,10 +1434,6 @@ sub ruleset_create_vm_chain {
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
- if (!(defined($host_options->{nosmurfs}) && $host_options->{nosmurfs} == 0)) {
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
- }
-
if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
if ($direction eq 'OUT') {
ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT',
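Review bot: The context line `my $accept = generate_nfqueue($options);` in this hunk appears to lose its last use once the next hunk drops the `-m conntrack --ctstate RELATED,ESTABLISHED -j $accept` rule from the VM chain; unless another use survives outside the visible hunks, it is now dead code in ruleset_create_vm_chain and should be removed together with this change. The same question applies to `$host_options`, whose only visible uses (nosmurfs here, tcpflags in the next hunk) are both removed. ruleset_create_vm_chain starts and ends outside the hunk, so confirm against the full function before deleting the declaration.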
@@ -1448,17 +1444,6 @@ sub ruleset_create_vm_chain {
}
}
- if ($host_options->{tcpflags}) {
- ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags");
- }
-
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
- if ($direction eq 'OUT') {
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- } else {
- ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
- }
-
if ($direction eq 'OUT') {
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
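Review bot: The removed RELATED,ESTABLISHED rule chose its target per VM (`-j $accept` from `generate_nfqueue($options)` for the IN direction, plain `ACCEPT` for OUT), while the replacement in compile picks one target for all forwarded traffic based on whether the PVEFW-IPS chain exists. If generate_nfqueue honors a per-VM ips option, a VM with that option off will now have its established traffic routed through PVEFW-IPS whenever any other VM enables it, and outbound established traffic is queued where it previously was not; that is a behavior change the commit message does not mention. If this is intended, say so in the message or with a comment next to the new rule in compile, e.g. `# established traffic is handled once for all VMs; per-VM ips no longer applies here`. ruleset_create_vm_chain continues outside the hunk.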
@@ -2605,12 +2590,9 @@ sub compile {
# fixme: what log level should we use here?
my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
- if($hostfw_options->{optimize}){
-
- my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
- }
+ my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
if ($cluster_conf->{ipset}->{blacklist}){
ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
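Review bot: The now-unconditional `-m conntrack --ctstate RELATED,ESTABLISHED -j $accept` rule sits ahead of the PVEFW-blacklist match on the following lines, so an address added to the blacklist no longer affects flows that are already established until their conntrack entries expire; before this change that ordering only applied when `optimize` was set. Either move the blacklist block above the two conntrack rules or document the trade-off with a comment such as `# NOTE: established flows are accepted before the blacklist check; new entries only affect new connections`. The `optimize` host option is also silently ignored on this path now; if it is still declared in the option schema it should be removed or its description updated. compile continues outside the hunk.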
@@ -2619,6 +2601,14 @@ sub compile {
if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-IN")) {
ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
+
+ if (!(defined($hostfw_options->{nosmurfs}) && $hostfw_options->{nosmurfs} == 0)) {
+ ruleset_addrule($ruleset, "PVEFW-FWBR-IN", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs");
+ }
+ if ($hostfw_options->{tcpflags}) {
+ ruleset_addrule($ruleset, "PVEFW-FWBR-IN", "-p tcp -j PVEFW-tcpflags");
+ }
+
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-out tap+ -j PVEFW-FWBR-IN");
}
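Review bot: The relocated nosmurfs and tcpflags rules are added only to PVEFW-FWBR-IN, which PVEFW-FORWARD reaches via `-m physdev --physdev-out tap+`, whereas the VM-chain rules removed in the first two hunks applied to both the IN and OUT directions; packets leaving a VM are no longer covered by these checks unless an equivalent block for the outgoing bridge path is added elsewhere in the series. Because the jump to this chain now comes after the unconditional RELATED,ESTABLISHED accept in compile, the `-p tcp -j PVEFW-tcpflags` rule also only sees NEW and INVALID packets, which is narrower than the per-VM placement it replaces when `optimize` was off. If both are intended, a comment on the new block, e.g. `# only new/invalid packets heading to a tap reach this chain`, would make the reduced scope explicit. compile continues outside the hunk.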
--
1.7.10.4