[pve-devel] [PATCH 2/3] add optimize flag
Alexandre Derumier
aderumier at odiso.com
Tue Mar 25 05:15:27 CET 2014
This flag enables optimizations in rule processing (an early conntrack accept/drop in the forward chain).
host.fw
-------
optimize:1
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
example/host.fw | 3 +++
src/PVE/Firewall.pm | 7 ++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/example/host.fw b/example/host.fw
index 663d2d7..4d86107 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -26,6 +26,9 @@ nosmurfs: 0
# filter illegal combinations of TCP flags
tcpflags: 1
+# rules processing speed optimizations
+optimize : 1
+
[RULES]
IN SSH(ACCEPT) net0
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d62fb11..794a9ac 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1430,7 +1430,7 @@ sub parse_hostfw_option {
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
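Review bot: The pattern on the added line accepts the new option only with the colon directly after the name (`optimize:`), but the example added in this same patch writes `optimize : 1` with a space before the colon, so that example line will not match this branch and, depending on the fall-through that is not visible here, is either rejected or silently ignored. The other options in the example are written without the space (`tcpflags: 1`), so the cheapest fix is to change the example line to `optimize: 1`; alternatively the option regex could be loosened to `^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize)\s*:\s*(0|1)\s*$`, which is a wider change since it also affects the existing keys. A parse test that feeds the example file through this sub would have caught the mismatch. parse_hostfw_option starts and ends outside the hunk.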
@@ -1884,6 +1884,11 @@ sub compile {
}
}
+ if($hostfw_options->{optimize}){
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
+ }
+
# fixme: what log level should we use here?
my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
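Review bot: The accept rule on the first added `ruleset_insertrule` line lets every packet of an already-tracked flow through PVEFW-FORWARD without reaching the rules after it, so with `optimize` set, removing or tightening a rule no longer affects connections that are already established until their conntrack entry expires; the hunk should say so, because this is a change in enforcement semantics and not only a speed-up. The `--ctstate INVALID -j DROP` rule has a side effect of its own: flows conntrack did not see from their first packet (asymmetric paths, or a flushed conntrack table) are classified INVALID and dropped, and no log rule for that case is visible in the hunk. Whether `ruleset_insertrule` places these two rules at the head of the chain or appends them is not visible here, and the resulting order relative to the existing chain contents should be confirmed, since the accept only gives the intended short-cut if it precedes the per-VM dispatch. As a point of style the guard is written `if($hostfw_options->{optimize}){`, whereas the parser hunk above writes `if ($line =~ ...) {`; I would write `if ($hostfw_options->{optimize}) {` and precede it with `# fast path: accept packets of tracked flows before any further FORWARD rule; rule changes then only apply to new connections`. The compile sub starts and ends outside the hunk.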
--
1.7.10.4