This flag enables optimizations on rules processing.

host.fw
-------
optimize:1

Signed-off-by: Alexandre Derumier <[email protected]>
---
 example/host.fw     |    3 +++
 src/PVE/Firewall.pm |    7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/example/host.fw b/example/host.fw
index 663d2d7..4d86107 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -26,6 +26,9 @@ nosmurfs: 0
 # filter illegal combinations of TCP flags
 tcpflags: 1
 
+# rules processing speed optimizations 
+optimize : 1
+
 [RULES]
 
 IN  SSH(ACCEPT) net0
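Review bot: The example line `optimize : 1` has a space before the colon, but the option regex added in the src/PVE/Firewall.pm hunk for parse_hostfw_option (`^(enable|...|optimize):\s*(0|1)\s*$`) only allows whitespace after the colon, so this example would not be recognized as the new option. Change it to `optimize: 1` so it matches the form used by the other options in this file (`tcpflags: 1`), and drop the trailing space on the `# rules processing speed optimizations ` comment line. The comment could also say what the flag does, e.g. `# accept established/related flows early in the FORWARD chain`, so readers of the example know the effect before enabling it.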
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d62fb11..794a9ac 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1430,7 +1430,7 @@ sub parse_hostfw_option {
 
     my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
 
-    if ($line =~ 
m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route):\s*(0|1)\s*$/i) {
+    if ($line =~ 
m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
        $opt = lc($1);
        $value = int($2);
     } elsif ($line =~ 
m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i)
 {
@@ -1884,6 +1884,11 @@ sub compile {
        }
     }
 
+    if($hostfw_options->{optimize}){
+       ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate 
RELATED,ESTABLISHED -j ACCEPT");
+       ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate 
INVALID -j DROP");
+    }
+
     # fixme: what log level should we use here?
     my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
 
-- 
1.7.10.4
