[pve-devel] [PATCH] add ips feature

Mon Mar 17 07:10:20 CET 2014

>      # fixme: this is an optimization? if so, we should also drop INVALID
> packages?
> -    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT");
> -
> +    if(!$ips_enable){
> +	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --
> ctstate RELATED,ESTABLISHED -j ACCEPT");
> +    }

What happens here if ips is enabled? Don't we need to jump to NFQUEUE?