> this creates a new chain PVEFW-Accept
You use this chain unconditionally, so we slow down things when the IPS is not
active (because of an additional jump to PVEFW-Accept).
Besides, I cannot see that this patch replaces all ACCEPT actions, for example:
---------------
sub ruleset_generate_vm_rules {
    ...
    if ($direction eq 'OUT') {
        ...
    } else {
        ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
    }
}
----------------
So that generates normal ACCEPT?