[pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2
    Alexandre Derumier 
    aderumier at odiso.com
       
    Mon May 12 15:19:16 CEST 2014
    
    
  
otherwise the rule never matches it
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..41494c6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2550,8 +2550,7 @@ sub compile {
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-    my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
-    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
+    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
 
     if ($cluster_conf->{ipset}->{blacklist}){
 	ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
@@ -2633,6 +2632,10 @@ sub compile {
 	}
     }
 
+    if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
+	ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
+    }
+
     return ($ruleset, $ipset_ruleset);
 }
 
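Review bot: The jump inserted on L33 has no defined fall-through behaviour on the new side: the conn-filter call earlier in compile (first hunk) now uses a plain ACCEPT, so if PVEFW-IPS ends with RETURN rather than a verdict, RELATED,ESTABLISHED flows land straight in that ACCEPT and skip the per-VM chains they previously continued into — confirm the IPS chain terminates with an explicit verdict, or state that fall-through is intended. The placement also depends on ordering that the code does not mention: PVEFW-IPS is only created while the VM rules are generated above (the reason for the move per the commit message), so a later refactor could silently reintroduce the never-matching case; I would add `# PVEFW-IPS is created while the per-VM rules are generated above, so this check must stay after that loop` before the if on L32. If ruleset_insertrule prepends (as its name suggests, not visible here), the IPS jump sits ahead of the blacklist DROP and whatever the conn filters add, which matches the old position of the conn-filter jump but is worth saying in the same comment. compile starts outside the hunk.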
-- 
1.7.10.4