[pve-devel] [PATCH firewall] set sysctls on every apply
Stoiko Ivanov
s.ivanov at proxmox.com
Wed May 26 16:51:59 CEST 2021
setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
tested quickly on a test-installation of mine
src/PVE/Firewall.pm | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 50be187..fc5c077 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1818,11 +1818,9 @@ sub rules_audit_permissions {
}
# core functions
-my $bridge_firewall_enabled = 0;
sub enable_bridge_firewall {
- return if $bridge_firewall_enabled; # only once
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
@@ -1830,7 +1828,6 @@ sub enable_bridge_firewall {
# make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
- $bridge_firewall_enabled = 1;
}
sub iptables_restore_cmdlist {
--
2.20.1
More information about the pve-devel
mailing list