[pve-devel] [PATCH] add ips feature v3

[Dietmar Maurer]

> this create a new chain PVEFW-Accept

You use this chain unconditionally, so we slow down things when the IPS is not active.
(because of an additional jump to PVEFW-Accept).

Besides, I cannot see that this patch replaces  all ACCEPT actions, for example:

---------------
sub ruleset_generate_vm_rules {
...

	    if ($direction eq 'OUT') {
		...
	    } else {
		ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
	    }

}
----------------

So that generates normal ACCEPT?