[pve-devel] [PATCH] optimize blacklist : create a PVEFW-blacklist chain
Alexandre Derumier
aderumier at odiso.com
Mon May 26 10:44:55 CEST 2014
Currently we check the ipset blacklist twice (once for log and once for drop).
It's better to check the ipset once and jump to a PVEFW-blacklist chain
where we do the log and then the drop.
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index deef1ae..4139bf1 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1521,8 +1521,12 @@ sub ruleset_chain_add_input_filters {
my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
if ($cluster_conf->{ipset}->{blacklist}){
- ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
- ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
+ ruleset_create_chain($ruleset, "PVEFW-blacklist");
+ ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
+ ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
+ }
+ ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j PVEFW-blacklist");
}
if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
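Review bot: the PVEFW-blacklist chain and its log rule are created only on the first call that passes the `ruleset_chain_exist` guard, but `$loglevel` is a per-call argument of `ruleset_chain_add_input_filters`, so any later caller with a different `$loglevel` silently reuses the first caller's logging (or no logging at all, if the first caller had a false `$loglevel`). Either document that the shared blacklist chain's log level is fixed at first creation, or make the chain name depend on the level. A second point: the removed lines called `ruleset_addlog` unconditionally, while the new `ruleset_addlog(..., $loglevel) if $loglevel;` skips the log rule when `$loglevel` is false; the commit message presents this as a pure optimization, so it should state whether `ruleset_addlog` already ignored a false level before or whether this changes behaviour.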
--
1.7.10.4