[pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2
Dietmar Maurer
dietmar at proxmox.com
Tue May 13 07:25:31 CEST 2014
I don't understand the problem. Why does this produce different output than the original code?
> -----Original Message-----
> From: pve-devel [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf
> Of Alexandre Derumier
> Sent: Monday, 12 May 2014 15:19
> To: pve-devel at pve.proxmox.com
> Subject: [pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2
>
> or it never matches it
>
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
> ---
> src/PVE/Firewall.pm | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index
> 4cefc41..41494c6 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2550,8 +2550,7 @@ sub compile {
> # fixme: what log level should we use here?
> my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
>
> - my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" :
> "ACCEPT";
> - ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
> + ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD",
> + "ACCEPT");
>
> if ($cluster_conf->{ipset}->{blacklist}){
> ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel,
> "-m set --match-set PVEFW-blacklist src"); @@ -2633,6 +2632,10 @@ sub
> compile {
> }
> }
>
> + if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
> + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --
> ctstate RELATED,ESTABLISHED -j PVEFW-IPS");
> + }
> +
> return ($ruleset, $ipset_ruleset);
> }
>
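Review bot: the jump inserted in the second hunk (@@ -2633) only reaches PVEFW-IPS if ruleset_insertrule places it ahead of the RELATED,ESTABLISHED accept that ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT") now adds unconditionally in the first hunk; if the ACCEPT comes first it terminates matching and PVEFW-IPS is never entered. Add a comment at the insert site stating that ordering dependency (the rule has to land at the head of PVEFW-FORWARD, and only after the VM chains have created PVEFW-IPS), and note that, as before, only `--ctstate RELATED,ESTABLISHED` packets are handed to the IPS chain, so the first packet of each connection is not inspected; if that is intended, the commit message should say so. Style: the file writes `if ($cluster_conf->{ipset}->{blacklist}) {` with a space after `if`, so `if (ruleset_chain_exist($ruleset, "PVEFW-IPS")) {` would match it.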
> --
> 1.7.10.4
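Review bot: the first hunk (@@ -2550) removes the ruleset_chain_exist check without the commit message explaining why it did not work; the subject line suggests PVEFW-IPS is only created during VM rule generation, i.e. after this point in compile, so the check evaluated false here and the conn filters always targeted ACCEPT. Spell that out in the commit message ("or it never matches it" does not explain it). Also worth stating in a comment above the ruleset_chain_add_conn_filters call that, from this change on, established traffic in PVEFW-FORWARD is accepted unconditionally unless a rule inserted ahead of it intercepts it, since that is exactly what the later PVEFW-IPS insert relies on.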
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel